manualshive.com logo in svg

H3C S3610-28P, Operation Manual, Page: 1534 / 1547

Share
Download
H3C S3610-28P Operation Manual Download Page 1534

Operation Manual – PKI 
H3C S3610&S5510 Series Ethernet Switches 

Chapter 1  PKI Configuration

 

1-14 

1.10  Configuring an Access Control Policy 

By configuring a certificate attribute-based access control policy, you can further control 

access to the server, providing additional security for the server. 

Follow these steps to configure a certificate attribute-based access control policy: 

To do… 

Use the command… 

Remarks 

Enter system view 

system-view 

— 

Create a certificate 
attribute group and enter 
its view 

pki certificate 
attribute-group 
group-name 

Required 

No certificate attribute 
group exists by default. 

Configure an attribute rule 
for the certificate issuer 
name, certificate subject 
name, or alternative 
subject name 

attribute

 

id

 

alt-subject-name

 { 

fqdn

 

ip

 } | { 

issuer-name

 | 

subject-name

 } { 

dn

 | 

fqdn

 | 

ip

 } } { 

ctn

 | 

equ

 | 

nctn

 | 

nequ

attribute-value 

Optional 

There is no restriction on 
the issuer name, 
certificate subject name 
and alternative subject 
name by default. 

Return to system view 

quit 

— 

Create a certificate 
attribute-based access 
control policy and enter its 
view 

pki certificate 
access-control-policy

 

policy-name 

Required 

No access control policy 
exists by default. 

Configure a certificate 
attribute-based access 
control rule 

rule

 [

 id 

] {

 deny

 | 

permit

 } 

group-name 

Required 

No access control rule 
exists by default.  

 

  Caution: 

A certificate attribute group must exist to be associated with a rule. 

 

1.11  Displaying and Maintaining PKI 

To do… 

Use the command… 

Remarks 

Display the contents  or 
request status of a 
certificate

 

display pki certificate 

{

 

{

 ca

 | 

local 

domain 

domain-name 

request-status 

}

 

Available in any view 

Display CRLs 

display pki crl domain 
domain-name 

Available in any view 

Summary of Contents for S3610-28P

Page 1: ...H3C S3610 S5510 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20081229 C 1 01 Product Version Release 5303 ...

Page 2: ...m InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of the contents but all statements information and recommendation...

Page 3: ...thernet Switches Operation Manual Release 5303 is organized as follows Part Contents 0 Product Overview Introduces the system features service features and network application of the switches 1 Login Introduces the ways to log into an Ethernet switch 2 VLAN Introduces VLAN Voice VLAN GVRP fundamental and the related configuration 3 IP Addressing and Performance Introduces IP address and IP perform...

Page 4: ...v3 IPv6 IS IS and IPv6 BGP 15 Multicast Protocol Introduces the multicast protocol related configurations 16 802 1x HABP MAC Authentication Introduces 802 1x HABP and MAC related configurations 17 AAA RADIUS HWTACACS Introduces AAA RADIUS HWTACACS and the related configurations 18 ARP Introduces ARP and the related configuration 19 DHCP Introduces DHCP and the related configuration 20 ACL Introduc...

Page 5: ... and the related configuration 35 OAM Introduces ethernet OAM configuration 36 DLDP Introduces DLDP and the related configuration 37 RRPP Introduces RRPP and the related configuration 38 SSL HTTPS Introduces SSL and HTTPS configuration 39 PKI Introduces PKI and related configuration 40 Appendix Lists the acronyms used in this manual Conventions The manual uses the following conventions I Command c...

Page 6: ...d sign can be entered 1 to n times A line starting with the sign is comments II GUI conventions Convention Description Button names are inside angle brackets For example click OK Window names menu items data table and field names are inside square brackets For example pop up the New User window Multi level menus are separated by forward slashes For example File Create Folder III Symbols Convention...

Page 7: ...pplications 4 1 4 1 H3C S3610 Series Ethernet Switches Networking Applications 4 1 4 1 1 Broadband Ethernet Access for Residential Communities 4 1 4 1 2 Application in Networks of Branches or Small to Medium Sized Enterprises 4 1 4 1 3 Application in Large Enterprise and Campus Networks 4 2 4 1 4 IPv4 IPv6 Hybrid Networking 4 3 4 2 H3C S5510 Series Ethernet Switches Networking Applications 4 4 4 2...

Page 8: ...o product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version This manual serves the purpose of user guide only Unless otherwise noted all the information in the document set does not claim or imply any warranty For the latest software documentation go to the H3C website 1 2 H3C Website To query and download the documentation for this version go...

Page 9: ...eries Ethernet Switches Chapter 1 Obtaining the Documentation 1 2 1 3 Software Release Notes With software upgrade new software features may be added You can acquire the information about the newly added software features through software release notes ...

Page 10: ... 5303 For details refer to Table 2 1 Table 2 1 Added features in Release 5303 Features Location VLAN check 02 VLAN MAC Address Synchronization 04 QinQ BPDU Tunneling VLAN ignore Transparent BPDU Transmission BPDU Tagging Function 09 MSTP EAD Fast Deployment Configuration 16 802 1x HABP MAC Authentication Configure burst traffic in port group view Traffic mirroring to CPU 21 QoS 2 2 Document List T...

Page 11: ...litan area networks MANs and to meet the requirements at the access layer Supporting IPv4 IPv6 double stack they offer abundant service features and routing functionalities 3 2 Switch Models Table 3 1 lists the models in the H3C S3610 series Table 3 1 Models in the H3C S3610 series Model Power supply unit PSU Number service ports Number of 100 Mbps ports Number of 1 000 Mbps uplink ports Console p...

Page 12: ...nding ports on S3610 series Model Combo port Corresponding port 49 53 50 54 51 55 S3610 52M AC S3610 52M DC 52 56 Table 3 3 lists the models in the S5510 series Table 3 3 Models in the S5510 series Model Power supply unit PSU Number of service ports Port Console port H3C S5510 24P AC AC input 28 24 10 100 1000 Mbps electrical 4 Gigabit SFP Combo port 1 H3C S5510 24P DC DC input 28 24 10 100 1000 M...

Page 13: ...Features of S3610 S5510 series Ethernet switches Part Feature 01 Login z Logging into a switch through the Console port z Logging into a switch by using Telnet through an Ethernet port z Logging into a switch by using Modem through the Console port z Logging into a switch through Web or NMS 02 VLAN z IEEE 802 1Q compliant virtual local area network VLAN z Port based VLAN z VLAN check z Protocol ba...

Page 14: ...nt BPDU transmission z BPDU Tagging Function 10 IPv6 z IPv6 basic configuration z Ping IPv6 Traceroute IPv6 z Manual IPv6 tunnel z Configuring IPv4 compatible with the IPv6 tunnel z 6to4 tunnel z ISATAP tunnel z IPv4 IPv6 double protocol stacks 11 Routing Overview Provide an overview of IPv4 IPv6 routing and routing table display and maintenance 12 IPv4 Routing z Static route z Routing information...

Page 15: ...ei terminal access controller access control system HWTACACS 18 ARP z Configuring ARP entries manually z Gratuitous ARP z ARP source suppression z Proxy ARP 19 DHCP z DHCP server z DHCP relay z DHCP Snooping z Applying option184 in DHCP server function z Applying option82 in DHCP server DHCP relay function 20 ACL z IPv4 basic ACLs z IPv4 advanced ACLs z Layer 2 ACLs z IPv4 user defined ACLs z IPv6...

Page 16: ...Center z System logs z Alarms in different severities z Debugging information output 30 System Maintaining and Debugging z Configuring command levels z Configuring online help for command lines z Configuring system time z Displaying and configuring system device state 31 NQA z Network Quality Analyzer NQA 32 VRRP z IPv4 based Virtual Router Redundancy Protocol VRRP z IPv6 based VRRP 33 SSH z Secur...

Page 17: ... users and uplinked to a core Layer 3 switch through a GE extension module to connect to the MAN backbone MAN Backbone Core layer Distribution layer Community building access layer Corridor access layer S9500 S7500 Series S3610 Series S3610 Series L2 Switch L2 Switch FE FE FE FE GE GE Figure 4 1 Community Ethernet access networking with H3C S3610 series 4 1 2 Application in Networks of Branches or...

Page 18: ...e 4 1 3 Application in Large Enterprise and Campus Networks In a large enterprise or campus network the H3C S3610 series are located at the convergence layer They are downlinked to Layer 2 switches S3100 Series for example and uplinked to a layer 3 switch through GE interfaces These switches together provide a network wide intranet solution that covers gigabit to backbone and 100 Mbps to desktop ...

Page 19: ...ries Server cluster PC PC Figure 4 3 H3C S3610 series application in large enterprise and campus network 4 1 4 IPv4 IPv6 Hybrid Networking Full IPv4 networking and full IPv6 networking are similar At the early stage of IPv6 implementation however IPv4 IPv6 hybrid networks are common This gives full play to the IPv4 IPv6 dual stack and IPv6 over IPv4 tunneling features provided by the H3C S3610 ser...

Page 20: ...hernet Switches Networking Applications 4 2 1 Broadband Ethernet Access for Residential Communities An H3C S5510 series Ethernet switch can operate on the distribution layer of a broadband MAN You can connect it to a backbone router or Layer 3 switch in the uplink direction through its GigabitEthernet optical ports and connect it to Layer 2 Layer 3 devices operating as the portal devices of commun...

Page 21: ...In the branches of a small medium sized or large enterprises you can use H3C S5510 series Ethernet switches as the backbone layer devices In this case network devices can connect to an S5510 Ethernet switch in the following ways z Connecting the Layer 2 Layer 3 Ethernet switches such as S3026 3526 Ethernet switches of workgroups to GigabitEthernet optical ports or electrical interfaces z Connectin...

Page 22: ...n layer devices in the networks of large enterprises and campus networks In this case you can connect an S5510 Ethernet switch to a backbone router or Layer 3 switches through its GigabitEthernet optical ports or electrical ports and connect Layer 2 or Layer 3 devices in workgroups to the GigabitEthernet optical ports or electrical ports of the S5510 Ethernet switch S3100 series Workgroup S5510 se...

Page 23: ...d networks are common This gives full play to the IPv4 IPv6 dual stack and IPv6 over IPv4 tunneling features provided by the H3C S5510 series and enables flexible networking IPv4 backbone Layer 3 switch 6to4 tunnel 6to4 tunnel IPv4 server IPv6 server S5510 series S5510 series S3100 series S3100 series IPv4 Host IPv6 Host IPv4 Host IPv4 Host IPv6 Host Figure 4 8 Network diagram for using H3C S5510 ...

Page 24: ...onfiguration with Authentication Mode Being Password 2 10 2 5 1 Configuration Procedure 2 10 2 5 2 Configuration Example 2 12 2 6 Console Port Login Configuration with Authentication Mode Being Scheme 2 14 2 6 1 Configuration Procedure 2 14 2 6 2 Configuration Example 2 17 Chapter 3 Logging in Through Telnet 3 1 3 1 Introduction 3 1 3 1 1 Common Configuration 3 1 3 1 2 Telnet Configurations for Di...

Page 25: ... 1 Overview 7 1 7 2 Configuring Source IP Address for Telnet Service Packets 7 1 7 3 Displaying the source IP address Interface Specified for Telnet Packets 7 2 Chapter 8 Controlling Login Users 8 1 8 1 Introduction 8 1 8 2 Controlling Telnet Users 8 1 8 2 1 Prerequisites 8 1 8 2 2 Controlling Telnet Users by Source IP Addresses 8 1 8 2 3 Controlling Telnet Users by Source and Destination IP Addre...

Page 26: ...1 2 1 Supported User Interfaces S3610 S5510 series Ethernet switch supports two types of user interfaces AUX and VTY Table 1 1 Description on user interface User interface Applicable user Port used Description AUX Users logging in through the Console port Console port Each switch can accommodate one AUX user VTY Telnet users and SSH users Ethernet port Each switch can accommodate up to five VTY us...

Page 27: ... is not locked by default Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Disconnect a specified user interface free user interface type number Optional Execute this command in user view Enter system view system view Set the banner header incoming legal login shell motd text Optional Set a system name...

Page 28: ...the screen length 0 command to disable the function to display information in pages Make terminal services available shell Optional By default terminal services are available in all user interfaces Set the display type of a terminal terminal type ansi vt100 Optional By default the terminal display type is ANSI The device must use the same type of display as the terminal If the terminal uses VT 100...

Page 29: ...into an S3610 S5510 series Ethernet switch through its Console port only To log into an Ethernet switch through its Console port the related configuration of the user terminal must be in accordance with that of the Console port Table 2 1 lists the default settings of a Console port Table 2 1 The default settings of a Console port Setting Default Baud rate 9 600 bps Flow control Off Check mode No c...

Page 30: ...he Console port launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish ...

Page 31: ...ssfully completes POST power on self test The prompt such as H3C appears after the user presses the Enter key z You can then configure the switch or check the information about the switch by executing commands You can also acquire help by type the character Refer to the following chapters for information about the commands 2 3 Console Port Login Configuration 2 3 1 Common Configuration Table 2 2 l...

Page 32: ...o the AUX user interface Optional By default commands of level 3 are available to the users logging into the AUX user interface Define a shortcut key for aborting tasks Optional The default shortcut key combination for aborting tasks is Ctrl C Define a shortcut key for starting terminal sessions Optional By default pressing Enter key starts the terminal session Make terminal services available Opt...

Page 33: ...gurations for Different Authentication Modes Table 2 3 lists Console port login configurations for different authentication modes Table 2 3 Console port login configurations for different authentication modes Authenticatio n mode Console port login configuration Description None Perform common configuration Perform common configuration for Console port login Optional Refer to section 2 3 1 Common ...

Page 34: ...The user name and password of a local user are configured on the switch z The user name and password of a remote user are configured on the DADIUS server Refer to user manual of RADIUS server for more Manage AUX users Set service type for AUX users Required Scheme Perform common configuration Perform common configuration for Console port login Optional Refer to section 2 3 1 Common Configuration f...

Page 35: ...onal The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Define a shortcut key for starting terminal sessions activation key character Optional By default pressing Enter key starts the terminal session ...

Page 36: ...nd level available to users logging into a switch depends on both the authentication mode none command and the user privilege level level command as listed in the following table Table 2 4 Determine the command level A Scenario Authentication mode User type Command Command level The user privilege level level command not executed Level 3 None authentication m ode none Users logging in through Cons...

Page 37: ... user logging in through the Console port H3C ui aux0 authentication mode none Specify commands of level 2 are available to the user logging into the AUX user interface H3C ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps H3C ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 H3C ui aux0 screen length 30 Set the maximum number of comm...

Page 38: ...assword authentication Set the local password set authentication password cipher simple password Required Set the baud rate speed speed value Optional The default baud rate of an AUX port also the Console port is 9 600 bps Set the check mode parity even mark none odd space Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Op...

Page 39: ...fer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the...

Page 40: ... need to limit the Console user at the following aspects z The user is authenticated against the local password when logging in through the Console port z The local password is set to 123456 in plain text z The commands of level 2 are available to users logging into the AUX user interface z The baud rate of the Console port is 19 200 bps z The screen can contain up to 30 lines z The history comman...

Page 41: ...0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps H3C ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 H3C ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 H3C ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes H3C ui aux0 idle timeout 6 Afte...

Page 42: ...specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA RADIUS HWTACACS module for more z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Create a local user Enter local user view local user user...

Page 43: ...vailable to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Define a shortcut key for starting terminal sessions activation key character Optional By default pressing Enter key starts the terminal session Define a shortcut key for aborting tasks escape key default character Optional ...

Page 44: ...meout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that the level the commands of which are available to users logging into a sw...

Page 45: ...ommand authorization Users logging into the Console port and pass AAA RADIUS or local authentication The user privilege level level command is executed and the service type terminal level level command specifies the available command level Determined by the service type terminal level level command 2 6 2 Configuration Example I Network requirements Assume the switch is configured to allow you to l...

Page 46: ... authentication password to 123456 in plain text H3C luser guest password simple 123456 Set the service type to Terminal Specify commands of level 2 are available to the user logging into the AUX user interface H3C luser guest service type terminal level 2 H3C luser guest quit Enter AUX user interface view H3C user interface aux 0 Configure to authenticate the user logging in through the Console p...

Page 47: ...of the AUX user interface to 6 minutes H3C ui aux0 idle timeout 6 After the above configuration to ensure a successful login the console user needs to change the corresponding configuration of the terminal emulation program running on the PC to make the configuration consistent with that on the switch Refer to section 2 2 Setting Up the Connection to the Console Port for more ...

Page 48: ...d other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Note z After you log into the switch through Telnet you can issue commands to the switch by way of pasting session text which cannot exceed 2000 bytes and the pasted commands must be in the same view otherwise the switch may not execute...

Page 49: ...shortcut key combination for aborting tasks is Ctrl C Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain up to 10 commands VTY terminal con...

Page 50: ... to perform local authentication or RADIUS authentication AAA configuration specifies whether to perform local authentication or RADIUS authentication Optional Local authentication is performed by default Refer to the AAA RADIUS HWTACACS module for more Configure user name and password Configure user names and passwords for local remote users Required z The user name and password of a local user a...

Page 51: ...ser interfaces Configure the protocols to be supported by the VTY user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automatically executed when a user logs into a user interface Defin...

Page 52: ...tes You can use the idle timeout 0 command to disable the timeout function Note that if you configure not to authenticate the users the command level available to users logging into a switch depends on both the authentication mode none command and the user privilege level level command as listed in Table 3 4 Table 3 4 Determine the command level when users logging into switches are not authenticat...

Page 53: ...ration procedure Enter system view and enable the Telnet service H3C system view H3C telnet server enable Enter VTY 0 user interface view H3C user interface vty 0 Configure not to authenticate Telnet users logging into VTY 0 H3C ui vty0 authentication mode none Specify commands of level 2 are available to users logging into VTY 0 H3C ui vty0 user privilege level 2 Configure Telnet protocol is supp...

Page 54: ...to users logging into the user interface user privilege level level Optional By default commands of level 0 are available to users logging into VTY user interface Configure the protocol to be supported by the user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the command that is automatically executed when a user logs into the...

Page 55: ...ser interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure to authenticate the users in the password mode the command level available to users logging into a switch depends on ...

Page 56: ...agram Figure 3 2 Network diagram for Telnet configuration with the authentication mode being password III Configuration procedure Enter system view and enable the Telnet service H3C system view H3C telnet server enable Enter VTY 0 user interface view H3C user interface vty 0 Configure to authenticate users logging into VTY 0 using the local password H3C ui vty0 authentication mode password Set the...

Page 57: ...cal AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA RADIUS HWTACACS module for more z Configure the use...

Page 58: ... Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automatically executed when a user logs into a user interface Define a shortcut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available shell Optio...

Page 59: ...a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure to authenticate the users in the scheme mode the command level available to users logging into a switch depends on the authentication mode scheme command authorization command the user privilege level l...

Page 60: ... command level Determined by the service type command The user privilege level level command is not executed and the service type command does not specify the available command level The user privilege level level command is not executed and the service type command specifies the available command level Level 0 The user privilege level level command is executed and the service type command does no...

Page 61: ... Configuration Example I Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0 z Configure the name of the local user to be guest z Set the authentication password of the local user to 123456 in plain text z Set the service type of VTY users to Telnet z Configure to authenticate users logging into VTY 0 in sc...

Page 62: ...n mode scheme Configure Telnet protocol is supported H3C ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 H3C ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 H3C ui vty0 history command max size 20 Set the timeout time to 6 minutes H3C ui vty0 idle timeout 6 3 5 Telnet Connection Establishment 3 5 1 ...

Page 63: ...g to different authentication modes for them Refer to section 3 2 Telnet Configuration with Authentication Mode Being None section 3 3 Telnet Configuration with Authentication Mode Being Password and section 3 4 Telnet Configuration with Authentication Mode Being Scheme for more By default Telnet users need to pass the password authentication to login Step 3 Connect your PC to the Switch as shown ...

Page 64: ...out the commands Note z A Telnet connection will be terminated if you delete or modify the IP address of the VLAN interface in the Telnet session z By default commands of level 0 are available to Telnet users authenticated by password Refer to the System Maintenance and Debugging module for information about command hierarchy 3 5 2 Telnetting to Another Switch from the Current Switch You can Telne...

Page 65: ...e switch operating as the Telnet client Step 3 Execute the following command on the switch operating as the Telnet client H3C telnet xxxx Where xxxx is the IP address or the host name of the switch operating as the Telnet server You can use the ip host to assign a host name to a switch Step 4 Enter the password If the password is correct the CLI prompt such as H3C appears If all VTY user interface...

Page 66: ...ng into a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is properly configured The modem is properly connected to PSTN and a telephone set Switch side The authenticat...

Page 67: ...e corresponding configuration on the switch is the same as those when logging into the switch locally through its Console port except that z When you log in through the Console port using a modem the baud rate of the Console port is usually set to a value lower than the transmission speed of the modem Otherwise packets may get lost z Other settings of the Console port such as the check mode the st...

Page 68: ... following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Set DSR to high level by force ATEQ1 W Disable the modem from returning command response and the result save the changes You can verify your configuratio...

Page 69: ...nection by using modems Step 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 and Figure 4 3 Note that you need to set the telephone number to that of the modem directly connected to the switch Figure 4 2 Set the telephone number ...

Page 70: ... such as H3C appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the following chapters for information about the configuration commands Note If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the System Maintenance and Debugging module for information about comma...

Page 71: ... IP address of the management VLAN of the switch is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging into the Web based network management system are configured IE is available PC operating as the network management terminal The IP address ...

Page 72: ...ur PC and the switch as shown in the following figure Figure 5 1 Establish an HTTP connection between your PC and the switch Step 4 Log into the switch through IE Launch IE on the Web based network management terminal your PC and enter the IP address of the management VLAN interface of the switch here it is http 10 153 17 82 Make sure the route between the Web based network management terminal and...

Page 73: ...te this command in system view The Web server is started by default Start the Web server ip http enable Required Execute this command in system view 5 4 Displaying Web Users After the above configurations execute the display command in any view to display the information about Web users and thus to verify the configuration effect Table 5 2 Display information about Web users To do Use the command ...

Page 74: ...NMS and the agent To log into a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging into a switch through an NMS Item Requirement The IP address of the management VLAN of the switch is configured The route between the NMS and the switch is available Refer to the module IP Addressing and Performance and IP Routing for mor...

Page 75: ...he switch is used to transmit packets between the Telnet client and the Telnet server This conceals the IP address of the actual interface used As a result external attacks are guarded and the security is improved On the other hand you can configure the Telnet server to accept only Telnet service packets with specific source IP addresses to make sure specific users can log into the switch 7 2 Conf...

Page 76: ...pe interface number Optional Not specified by default Note To perform the configurations listed in Table 7 1 and Table 7 2 make sure that z The IP address specified is that of the local device z The interface specified exists z If a source IP address or source interface is specified you need to make sure that the route between the IP addresses or interface of both sides is reachable 7 3 Displaying...

Page 77: ...dresses Through Layer 2 ACLs Section 8 2 4 Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Section 8 3 2 Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACLs Section 8 4 2 Controlling Web Users by Source IP Addresses WEB Disconnect Web users by force By executing commands in CLI Section 8 4 3 Disconnec...

Page 78: ...ed The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 8 2 3 Controlling Telnet Users by Source and Destination IP Addresses Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs which are numbered from 3000 t...

Page 79: ...ng Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs which are numbered from 4000 to 4999 Refer to the ACL module for information about defining an ACL To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default De...

Page 80: ...nfig H3C acl basic 2000 rule 1 permit source 10 110 100 52 0 H3C acl basic 2000 rule 2 permit source 10 110 100 46 0 H3C acl basic 2000 rule 3 deny source any H3C acl basic 2000 quit Apply the ACL H3C user interface vty 0 4 H3C ui vty0 4 acl 2000 inbound 8 3 Controlling Network Management Users by Source IP Addresses You can manage a S3610 S5510 series Ethernet switch through network management so...

Page 81: ...m view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp a...

Page 82: ...mmunity command take effect in the network management systems that adopt SNMPv1 or SNMPv2c Similarly as SNMP group name and SNMP user name are features of SNMPv2c and the higher SNMP versions the specified ACLs in the commands that configure SNMP group names the snmp agent group command and the snmp agent group v3 command and SNMP user names the snmp agent usm user command and the snmp agent usm u...

Page 83: ...om the IP addresses of 10 110 100 52 and 10 110 100 46 to access the switch H3C snmp agent community read h3c acl 2000 H3C snmp agent group v2c h3cgroup acl 2000 H3C snmp agent usm user v2c h3cuser h3cgroup acl 2000 8 4 Controlling Web Users by Source IP Address You can manage a S3610 S5510 series Ethernet switch remotely through Web Web users can access a switch through HTTP connections You need ...

Page 84: ...s specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Required Quit to system view quit Apply the ACL to control Web users ip http acl acl number Optional 8 4 3 Disconnecting a Web User by Force The administrator can disconnect a Web user by force using the related command To do Use the command Remarks Disc...

Page 85: ...rolling Web users using ACLs III Configuration procedure Define a basic ACL H3C system view H3C acl number 2030 match order config H3C acl basic 2030 rule 1 permit source 10 110 100 52 0 H3C acl basic 2030 rule 2 deny source any Apply the ACL to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch H3C ip http acl 2030 ...

Page 86: ...figuring a Protocol Based VLAN 1 12 1 6 Configuring IP Subnet Based VLAN 1 13 1 6 1 Introduction 1 13 1 6 2 Configuring an IP Subnet Based VLAN 1 13 1 7 Displaying and Maintaining VLAN 1 14 1 8 VLAN Configuration Example 1 15 Chapter 2 Voice VLAN Configuration 2 1 2 1 Introduction to Voice VLAN 2 1 2 1 1 Voice VLAN Modes on a Port 2 2 2 1 2 Security Mode and Normal Mode for the Voice VLAN 2 4 2 2 ...

Page 87: ...5 3 2 GVRP Configuration Task List 3 5 3 3 Configuring GVRP 3 5 3 3 1 Enabling GVRP 3 5 3 3 2 Configuring GARP Timers 3 6 3 4 Displaying and Maintaining GVRP 3 7 3 5 GVRP Configuration Examples 3 8 3 5 1 GVRP Configuration Example I 3 8 3 5 2 GVRP Configuration Example II 3 9 3 5 3 GVRP Configuration Example III 3 10 ...

Page 88: ...edium is shared in an Ethernet network performance may degrade as the number of hosts on the network is increasing If the number of the hosts in the network reaches a certain level problems caused by collisions broadcasts and so on emerge which may cause the network operating improperly In addition to the function that suppresses collisions which can also be achieved by interconnecting LANs virtua...

Page 89: ...nance much easier and more flexible 1 1 2 VLAN Fundamental To enable packets being distinguished by the VLANs they belong to The VLAN tag fields used to identify VLANs are added to packets As common switches operate on the data link layer of the OSI model they only process data link layer encapsulation information and the VLAN tag thus needs to be inserted to the data link layer encapsulation The ...

Page 90: ...n length and with its value ranging from 0 to 4095 identifies the ID of the VLAN a packet belongs to As VLAN IDs of 0 and 4095 are reserved by the protocol the value of this field actually ranges from 1 to 4094 A network device determines the VLAN to which a packet belongs to by the VLAN ID field the packet carries The VLAN Tag determines the way a packet is processed For more information refer to...

Page 91: ...y create or remove reserved VLANs which are reserved for specific functions z Dynamic VLANs cannot be removed using the undo vlan command z If a VLAN has a QoS policy configured the VLAN cannot be removed z If a VLAN is configured as a remote probe VLAN for remote port mirroring it cannot be removed using the undo vlan command unless its remote probe VLAN configuration is removed 1 3 Basic VLAN In...

Page 92: ...ddress mask mask length sub Optional Not configured by default Specify the descriptive string for the VLAN interface description text Optional VLAN interface name is used by default for example Vlan interface1 Interface Bring up the VLAN interface undo shutdown Optional By default a VLAN interface is up The state of a VLAN interface also depends on the states of the ports in the VLAN If all the po...

Page 93: ...rid and Trunk port z A Hybrid port allows packets of multiple VLANs to be sent without the Tag label z A Trunk port only allows packets from the default VLAN to be sent without the Tag label II Default VLAN You can configure the default VLAN for a port By default VLAN 1 is the default VLAN for all ports However this can be changed as needed z An Access port only belongs to one VLAN Therefore its d...

Page 94: ... the packet with the default VLAN ID z Receive the packet if the VLAN ID is the same as the default VLAN ID and the VLAN ID is in the list of permitted VLANs of the port z Receive the packet if the VLAN ID is not the same as the default VLAN ID but is allowed to pass through the port z Discard the packet if the VLAN ID is neither the same as the default VLAN ID nor allowed to pass through the port...

Page 95: ...ew Enter VLAN view vlan vlan id Required If the specified VLAN does not exist this command be created first creates the VLAN before entering its view Add an Access port to the current VLAN port interface list Required By default system will add all ports to VLAN 1 Follow these steps to configure the Access port based VLAN in Ethernet port view port group view To do Use the command Remarks Enter sy...

Page 96: ...Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name aggregation agg id Use either command In Ethernet port view the subsequent configurations only apply to the current port in port group view the subsequent configurations apply to all ports in the...

Page 97: ...gure the Hybrid port based VLAN To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name aggregation agg id Use either command In Ethernet port view the subsequent configurations only apply to the current port in port group view t...

Page 98: ...isable VLAN check vlan check disable Enable VLAN check undo vlan check disable Configure either command as needed Enabled by default 1 5 Protocol Based VLAN Configuration 1 5 1 Introduction to Protocol Based VLAN Note Protocol based VLANs are only applicable to Hybrid ports In this approach inbound packets are assigned with different VLAN IDs based on their protocol type and encapsulation format T...

Page 99: ... 2 Configuring a Protocol Based VLAN Follow these steps to configure a protocol based VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Required If the specified VLAN does not exist this command creates the VLAN and then enters its view Configure the protocol based VLAN and specify the protocol template protocol vlan protocol index at ipv4 ipv6 ipx ether...

Page 100: ...ot set etype id in ethernetii etype etype id to 0x0800 0x809b 0x8137 or 0x86dd Otherwise the encapsulation format of the matching packets will be the same as that of the IPv4 IPX AppleTalk and IPv6 packets respectively z Do not configure a VLAN as both a protocol based VLAN and a voice VLAN Because a protocol based VLAN requires that the inbound packets on the Hybrid port are untagged packets wher...

Page 101: ...roup view port group manual port group name aggregation agg id Use either command In Ethernet port view the subsequent configurations only apply to the current port in port group view the subsequent configurations apply to all ports in the port group Configure port link type as Hybrid port link type hybrid Required Allow an IP subnet based VLAN to pass through the current Hybrid port port hybrid v...

Page 102: ...in any view Display the IP subnet based VLAN information and IP subnet index of specified ports display ip subnet vlan interface interface type interface number to interface type interface number all Available in any view Clear the statistics on a VLAN interface reset counters interface Vlan interface vlan interface id Available in user view 1 8 VLAN Configuration Example I Network requirements z ...

Page 103: ...k permit vlan 2 6 to 50 100 Please wait Done 2 Configure Device B following similar steps as that of Device A IV Verification Verifying the configuration of Device A is similar to that of Device B So only Device A is taken for example here Display the information about Ethernet 1 0 1 of Device A to verify the above configurations DeviceA display interface ethernet 1 0 1 Ethernet1 0 1 current state...

Page 104: ...ottles 0 CRC 0 frame 0 overruns 0 aborts ignored parity errors Output total packets bytes broadcasts multicasts pauses Output normal 0 packets 0 bytes 0 broadcasts 0 multicasts 0 pauses Output 0 output errors underruns buffer failures 0 aborts 0 deferred 0 collisions 0 late collisions lost carrier no carrier The output above shows that z The port is a Trunk port Port link type trunk z The default ...

Page 105: ...e traffic improving transmission priority and ensuring voice quality A device determines whether a received packet is a voice packet by checking its source MAC address Packets containing source MAC addresses that comply with the voice device Organizationally Unique Identifier OUI for short addresses are regarded as voice traffic and are forwarded to the voice VLAN You can configure the OUI address...

Page 106: ...omatically add the port into the Voice VLAN and apply ACL rules and configure the packet precedence An aging time can be configured for the voice VLAN The system will remove a port from the voice VLAN if no voice packet is received from it after the aging time The adding and removing of ports are automatically realized by the system z In manual mode administrators add the IP phone access port to t...

Page 107: ...Hybrid not supported Access not supported Trunk supported provided that the default VLAN of the access port exists and is not the voice VLAN and that the access port belongs to the default VLAN Tagged voice traffic Hybrid supported provided that the default VLAN of the access port exists and is not the voice VLAN and is in the list of tagged VLANs whose packets can pass through the access port Acc...

Page 108: ...allowed to go through a certain port 2 1 2 Security Mode and Normal Mode for the Voice VLAN Ports that have the voice VLAN feature enabled can be divided into two modes based on their filtering mechanisms applied to inbound packets z Security mode only voice packets with source OUI MAC addresses can pass through the inbound port with the voice VLAN feature enabled other non voice packets will be d...

Page 109: ...default OUI addresses of different vendors Enable the voice VLAN feature globally voice vlan vlan id enable Required Enter Ethernet port view interface interface type interface number Configure the port voice VLAN mode as automatic voice vlan mode auto Optional Automatic mode by default Different voice VLAN modes can be configured on different ports independent of one another Enable the voice VLAN...

Page 110: ...terface interface type interface number Configure the working mode as manual undo voice vlan mode auto Required Disabled by default Access port Refer to Configuring an Access Port Based VLAN Trunk port Refer to Configuring a Trunk Port Based VLAN Add the ports in manual mode to the voice VLAN Hybrid port Refer to Configuring a Hybrid Port Based VLAN Use one of the three approaches After you add an...

Page 111: ...and Maintaining Voice VLAN To do Use the command Remarks Display the voice VLAN state display voice vlan state Available in any view Display the OUI addresses currently supported by system display voice vlan oui Available in any view 2 4 Voice VLAN Configuration Examples 2 4 1 Automatic Voice VLAN Mode Configuration Example I Network requirement z Create VLAN 2 and configure it as a voice VLAN wit...

Page 112: ...00 0000 as the legal address of the voice VLAN DeviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 Enable the voice VLAN feature globally DeviceA voice vlan 2 enable Configure the voice VLAN mode on Ethernet 1 0 1 as automatic Optional by default the voice VLAN mode on a port is automatic mode DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 voice vlan mode auto Configure Ether...

Page 113: ...f00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current Voice VLAN state DeviceA display voice vlan state Voice VLAN status ENABLE Voice VLAN ID 2 Voice VLAN security mode Security Voice VLAN aging time 100 minutes Voice VLAN enabled port and its mode PORT MODE Ethernet1 0 1 AUTO DeviceA 2 4 2 Manual Voice VLAN Mode Configurat...

Page 114: ...DeviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 description test Create VLAN 2 Enable voice VLAN feature for it DeviceA vlan 2 DeviceA vlan2 quit DeviceA voice vlan 2 enable Configure Ethernet 1 0 1 to work in manual mode DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 undo voice vlan mode auto Configure Ethernet 1 0 1 as a Hybrid port DeviceA Ethernet1 0 1 port link type ...

Page 115: ...fff ff00 0000 Cisco phone 0004 0d00 0000 ffff ff00 0000 Avaya phone 0011 2200 0000 ffff ff00 0000 test 0060 b900 0000 ffff ff00 0000 Philips NEC phone 00d0 1e00 0000 ffff ff00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current voice VLAN state DeviceA display voice vlan state Voice VLAN status ENABLE Voice VLAN ID 2 Voice VLA...

Page 116: ...f does not exist on a device as an entity GARP compliant participants are known as GARP applications One example is GVRP When a GARP participant is present on a port on your device the port is regarded as a GARP participant I GARP messages and timers 1 GARP messages GARP participants exchange information through the following three types of messages Join message Leave message and LeaveAll message ...

Page 117: ...s a join timer to set the sending interval If the first Join message is not acknowledged after the interval defined by the Join timer the GARP participant sends the second Join message z Leave timer Starts upon receipt of a Leave message sent for deregistering some attribute information If no Join message is received before this timer expires the GARP participant removes the attribute information ...

Page 118: ...ith a particular multicast MAC address as destination Based on this address a device can identify to which GVRP application GVRP for example should a GARP PDU be delivered III GARP message format The following figure illustrates the GARP message format Figure 3 1 GARP message format Table 3 1 describes the GARP message fields Table 3 1 Description on the GARP message fields Field Description Value...

Page 119: ...s local database about active VLAN members and through which port they can be reached It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries from other devices GVRP provides the following three registration types on a p...

Page 120: ...mers Optional 3 3 Configuring GVRP 3 3 1 Enabling GVRP Follow these steps to enable GVRP on a trunk port To do Use the command Remarks Enter system view system view Enable GVRP globally gvrp Required Globally disabled by default Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group aggregation agg id manual p...

Page 121: ...view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name aggregation agg id Use either command In Ethernet port view the subsequent configurations only apply to the current port in port group view the subsequent configurations apply to all ports in the port group Configure the hold timer join timer and leave ...

Page 122: ...able in any view Display GARP timers for specified or all ports display garp timer interface interface list Available in any view Display the local VLAN information maintained by GVRP display gvrp local vlan interface interface type interface number Available in any view Display the current GVRP state display gvrp state interface interface type interface number vlan vlan id Available in any view D...

Page 123: ...p Configure port Ethernet 1 0 1 as a Trunk port allowing all VLANs to pass DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 port link type trunk DeviceA Ethernet1 0 1 port trunk permit vlan all Enable GVRP on Ethernet 1 0 1 the Trunk port DeviceA Ethernet1 0 1 gvrp DeviceA Ethernet1 0 1 quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system v...

Page 124: ...twork requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP registration on Device A and normal GVRP registration on Device B II Network diagram Figure 3 3 Network diagram for GVRP configuration III Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view DeviceA gvrp Configure port Ethernet 1 0 1 as a Trunk p...

Page 125: ...unk permit vlan all Enable GVRP on Ethernet 1 0 1 DeviceB Ethernet1 0 1 gvrp DeviceB Ethernet1 0 1 quit Create VLAN 3 a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B DeviceB display vlan dynamic Now the following dynamic VLAN exist s 2 3 5 3 GVRP Con...

Page 126: ...et1 0 1 gvrp registration forbidden DeviceA Ethernet1 0 1 quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system view DeviceB gvrp Configure port Ethernet 1 0 1 as a Trunk port allowing all VLANs to pass DeviceB interface ethernet 1 0 1 DeviceB Ethernet1 0 1 port link type trunk DeviceB Ethernet1 0 1 port trunk permit vlan all Enable GVRP on Ethern...

Page 127: ... Addressing 1 7 Chapter 2 IP Performance Configuration 2 1 2 1 IP Performance Overview 2 1 2 2 Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 2 1 2 2 1 Enabling Reception of Directed Broadcasts to a Directly Connected Network 2 2 2 2 2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 2 2 2 2 3 Configuration Example 2 3 2 3 Configu...

Page 128: ...s 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net id First several bits of the IP address defining a network also known as class bits z Host id Identifies a host on a network F...

Page 129: ...ss 255 255 255 255 1 1 2 Special Case IP Addresses The following IP addresses are for special use and they cannot be used as host IP addresses z IP address with an all zero net ID Identifies a host on the local network For example IP address 0 0 0 16 indicates the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one ...

Page 130: ...ll ones are not assignable to hosts The same is true of subnetting When designing your network you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts For example a Class B network can accommodate 65 534 216 2 Of the two deducted Class B addresses one with an all one host id is the broadcast address and the other with an all zero host id is the network address...

Page 131: ... command Remarks Enter system view system view Enter interface view interface interface type interface number Assign an IP address to the interface ip address ip address mask mask length sub Required No IP address is assigned by default Caution z The primary IP address you assigned to the interface can overwrite the old one if there is any z An interface cannot be configured with a secondary IP ad...

Page 132: ...tch z Set the switch as the gateway on all hosts II Network diagram Vlan int1 172 16 1 1 24 172 16 2 1 24 sub 172 16 1 0 24 172 16 1 2 24 172 16 2 0 24 172 16 2 2 24 Host A Host B Switch Figure 1 3 Network diagram for IP addressing configuration III Configuration procedure Assign a primary IP address and a secondary IP address to VLAN interface 1 Switch system view Switch interface vlan interface ...

Page 133: ...24 Use the ping command to verify the connectivity between the switch and the hosts on the subnet 172 16 2 0 24 Switch ping 172 16 2 2 PING 172 16 2 2 56 data bytes press CTRL_C to break Reply from 172 16 2 2 bytes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56...

Page 134: ...isplaying and Maintaining IP Addressing To do Use the command Remarks Display information about a specified or all Layer 3 interfaces display ip interface interface type interface number Display brief information about a specified or all Layer 3 interfaces display ip interface brief interface type interface number Available in any view ...

Page 135: ... MSS of the interface z Enabling the SYN Cookie feature and protection against Naptha attack z Configuring TCP timers z Configuring the TCP buffer size z Enabling ICMP error packets sending 2 2 Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Directed broadcasts refer to broadcast packets sent to a specific network In the destination IP address of a directed...

Page 136: ...led from receiving directed broadcasts 2 2 2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network Follow these steps to enable the device to forward directed broadcasts To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable the interface to forward directed broadcasts ip forward broadcast acl acl numbe...

Page 137: ...warding directed broadcasts III Configuration procedure z Configure Switch A Enable Switch A to receive directed broadcasts SwitchA system view SwitchA ip forward broadcast Configure IP addresses for VLAN interface 3 and VLAN interface 2 SwitchA interface vlan interface 3 SwitchA Vlan interface3 ip address 1 1 1 2 24 SwitchA Vlan interface3 quit SwitchA interface vlan interface 2 SwitchA Vlan inte...

Page 138: ...e SYN ACK message the originator returns an ACK message Thus the TCP connection is established Malicious attackers may mount SYN Flood attacks during TCP connection establishment Attackers send SYN messages to the server to establish TCP connections but they never make any response to SYN ACK messages As a result a large amount of TCP semi connections are established resulting in heavy resource co...

Page 139: ...a so as to exhaust the memory resource of the server As a result the server cannot process normal services The protection against Naptha attack reduces the risk of the server being attacked by accelerating the aging of TCP connections in a state After the protection against Naptha attack is enabled the device periodically checks the number of TCP connections in each state If it detects that the nu...

Page 140: ...er If no response packets are received within the synwait timer timeout the TCP connection is not successfully created z finwait timer When the TCP connection is in FIN_WAIT_2 state finwait timer will be started If no FIN packets are received within the timer timeout the TCP connection will be terminated If FIN packets are received the TCP connection state changes to TIME_WAIT If non FIN packets a...

Page 141: ...direct packets to the source host and notify it to reselect a correct next hop router to send the subsequent packets if the following conditions are satisfied z The receiving and forwarding interfaces are the same z The selected route has not been created or modified by ICMP redirect packet z The selected route is not the default route of the device z There is no source route option in the packet ...

Page 142: ...rectly connected the device will send the source a source routing failure ICMP error packet z When forwarding a packet if the MTU of the sending interface is smaller than the packet but the packet has been set Don t Fragment the device will send the source a fragmentation needed and Don t Fragment DF set ICMP error packet II Disadvantage of sending ICMP error packets Although sending ICMP error pa...

Page 143: ...aintaining IP Performance To do Use the command Remarks Display current TCP connection state display tcp status Display TCP connection statistics display tcp statistics Display UDP statistics display udp statistics Display IP packets statistics display ip statistics Display ICMP flows statistics display icmp statistics Display socket information display ip socket socktype sock type task id socket ...

Page 144: ...thernet Switches Chapter 2 IP Performance Configuration 2 10 To do Use the command Remarks Clear statistics of IP packets reset ip statistics Clear statistics of TCP connections reset tcp statistics Clear statistics of UDP flows reset udp statistics Available in user view ...

Page 145: ... 3 Configuring Selective QinQ 1 4 1 4 Configuring MAC Address Synchronization 1 5 1 5 Configuring the TPID to Be Used in the Outer Tag 1 6 1 6 QinQ Configuration Example 1 6 Chapter 2 BPDU Tunneling Configuration 2 1 2 1 Introduction to BPDU Tunneling 2 1 2 1 1 Why BPDU Tunneling 2 1 2 1 2 How BPDU Tunneling Works 2 1 2 2 Configuring BPDU Isolation 2 3 2 3 Configuring BPDU Transparent Transmission...

Page 146: ...ustomer networks private networks so that the Ethernet frames will travel across the service provider s backbone network public network with double VLAN tags The inner VLAN tag is the customer network VLAN tag while the outer one is the VLAN tag assigned by the service provider to the customer In the public network frames are forwarded based on the outer VLAN tag only with the source MAC address l...

Page 147: ...LAN VPN feature enabled on a port when a frame arrives at the port the switch will tag it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame is already tagged this frame becomes a double tagged frame if it is an untagged frame it is tagged with the port s default VLAN tag 2 Selective QinQ Selective QinQ is a more flexible VLAN based impleme...

Page 148: ...lar vendor to allow interoperability with the devices of that vendor The TPID in an Ethernet frame has the same position with the protocol type field in a frame without a VLAN tag To avoid problems in packet forwarding and handling in the network you cannot set the TPID value to any of the values in the table below Table 1 1 Reserved protocol type values Protocol type Value ARP 0x0806 PUP 0x0200 R...

Page 149: ...ature allows adding different outer VLAN tags based on different inner VLAN tags With selective QinQ configured on a port the device will add different outer VLAN tags based on the inner VLAN tags frames with a VLAN ID out of the range specified in the raw vlan id inbound command will be forwarded unchanged Follow these steps to configure selective QinQ To do Use the command Remarks Enter system v...

Page 150: ...k port for transmission When the returned packet arrives at the uplink port the switch searches the MAC address table of the outer VLAN for the packet s downlink MAC address but can find none As a result the switch will broadcast the packet in the outer VLAN This not only consumes bandwidth resources but also brings about security risks in the network To address the problem the S3610 S5510 series ...

Page 151: ...e interface type interface number Enter Ethernet port view or port group view Enter interface group view port group manual port group name aggregation agg id Required Use either command Configurations made in Ethernet port view will take effect on the current port only configurations made in port group view will take effect on all ports in the port group Configure the TPID value to be used in the ...

Page 152: ...to each other through VLAN 2000 of the provider network II Network diagram Public Network VLAN1000 VLAN2000 TPID 0x8200 Customer A Customer B Customer C Provider A Provider B Eth1 0 1 Trunk Eth1 0 2 Access Eth1 0 3 Eth1 0 1 Eth1 0 2 Access Figure 1 3 Network diagram for QinQ configuration III Configuration procedure Note With this configuration the user must allow the QinQ packets to pass between ...

Page 153: ...ound 20 ProviderA Ethernet1 0 1 vid 2000 quit ProviderA Ethernet1 0 1 quit z Configuration on Ethernet 1 0 2 Configure VLAN 1000 as the default VLAN of the port ProviderA interface ethernet 1 0 2 ProviderA Ethernet1 0 2 port access vlan 1000 Enable basic QinQ so that the port tags frames from VLAN 10 with an outer tag with the VLAN ID of 1000 ProviderA Ethernet1 0 2 qinq enable ProviderA Ethernet1...

Page 154: ...LAN 2000 as the default VLAN of the port ProviderB interface ethernet 1 0 2 ProviderB Ethernet1 0 2 port access vlan 2000 Enable basic QinQ so as to tag frames from VLAN 20 with an outer tag with the VLAN ID of 2000 ProviderB Ethernet1 0 2 qinq enable 3 Configuration on devices on the public network As third party devices are deployed between Provider A and Provider B what we discuss here is only ...

Page 155: ...e network This prevents each network from correctly calculating its spanning tree As a result when redundant links exist in a network data loops will unavoidably occur By allowing each network to have its own spanning tree while running STP BPDU tunneling can resolve this problem z BPDU tunneling can isolate BPDUs of different customer networks so that one network is not affected by others while c...

Page 156: ...ks BPDU input output device BPDU input output device Service provider network Figure 2 1 Network hierarchy of BPDU tunneling z At the BPDU input side the device changes the destination MAC address of a BPDU from a customer network from 0x0180 C200 0000 to a special multicast MAC address 0x010F E200 0003 by default In the service provider s network the modified BPDUs are forwarded as data packets i...

Page 157: ...up Enable BPDU tunneling for the port s bpdu tunnel dot1q enable Required Disabled by default Note z BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect z The BPDU tunneling feature is incompatible with the GVRP feature so these two features cannot be enabled at the same time For introduction to GVRP refer to VLAN Configuration z The BPDU tunneli...

Page 158: ... on the port s bpdu tunnel dot1q stp Required Disabled by default Note z BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect z The BPDU tunneling feature is incompatible with the GVRP feature so these two features cannot be enabled at the same time For introduction to GVRP refer to VLAN Configuration z The BPDU tunneling feature is incompatible w...

Page 159: ... network access devices z Provider A Provider B and Provider C are service provider network access devices which are interconnected through configured trunk ports The configuration is required to satisfy the following requirements z Geographically dispersed customer network devices Customer A Customer C and Customer D can implement consistent spanning tree calculation across the service provider n...

Page 160: ...1 0 2 ProviderB Ethernet1 0 2 port access vlan 4 ProviderB Ethernet1 0 2 undo ntdp enable ProviderB Ethernet1 0 2 bpdu tunnel dot1q enable 3 Configuration on Provider C Configure BPDU transparent transmission on Ethernet 1 0 3 ProviderC system view ProviderC interface ethernet 1 0 3 ProviderC Ethernet1 0 3 port access vlan 2 ProviderC Ethernet1 0 3 stp disable ProviderC Ethernet1 0 3 undo ntdp ena...

Page 161: ...7 Note When STP works stably on the customer network if Customer A acts as the root bridge the ports of Customer C and Customer D connected with Provider C can receive BPDUs from Customer A Since BPDU isolation is enabled on Customer B the port that connects Customer B to Provider B cannot receive BPDUs from Customer A ...

Page 162: ...Ratio for an Ethernet Port 1 6 1 1 7 Setting the Interval for Collecting Ethernet Port Statistics 1 6 1 1 8 Enabling the Forwarding of Jumbo Frames 1 7 1 1 9 Enabling Loopback Detection on an Ethernet Port 1 7 1 1 10 Configuring the Cable Type for an Ethernet Port 1 8 1 1 11 Testing the Cable on an Ethernet Port 1 9 1 2 Maintaining and Displaying an Ethernet port 1 9 Chapter 2 Port Isolation Confi...

Page 163: ...Optional Testing the Cable on an Ethernet Port Optional 1 1 1 Configuring a Combo Port I Introduction to Combo port A Combo port is formed by two Ethernet ports on the panel one of which is an optical port and the other is an electrical port For the two ports forming a Combo port only one works at a given time They are TX SFP multiplexed You can specify a Combo port to operate as an electrical por...

Page 164: ...al ports refer to the installation manual 1 1 2 Performing Basic Ethernet port Configuration Three types of duplex modes are available to Ethernet ports z Full duplex mode full Ports operating in this mode can send and receive packets simultaneously z Half duplex mode half Ports operating in this mode can either send or receive packets at a given time z Auto negotiation mode auto Ports operating i...

Page 165: ... a small form factor pluggable SFP port that uses a 100 Mbps module the duplex mode can only be configured as full and the port rate can only be 100 Mbps for a SFP port that uses a 1000 Mbps module the duplex mode can only be configured as auto or full and the port rate can be determined through auto negotiation or be 1000 Mbps 1 1 3 Configuring Flow Control on an Ethernet Port When flow control i...

Page 166: ...test the hardware functions of an Ethernet port To perform external loopback testing on an Ethernet port you need to install a loopback plug on the Ethernet port In this case packets sent from the port are received by the same port Follow these steps to enable Ethernet port loopback testing To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface typ...

Page 167: ...on port groups A link aggregation port group is automatically created together with the creation of a link aggregation group and cannot be created by users through command line input Adding or deleting of ports in a link aggregation port group can only be achieved through operations on the link aggregation group Follow these steps to enter port group view To do Use the command Remarks Enter system...

Page 168: ...t group view port group manual port group name aggregation agg id Use either command If configured in Ethernet port view this feature takes effect on the current port only if configured in port group view this feature takes effect on all ports in the port group Configure broadcast storm suppression ratio broadcast suppression ratio Optional By default all broadcast traffic is allowed to pass throu...

Page 169: ... Port The purpose of loopback detection is to detect loops on a port When loopback detection is enabled on an Ethernet port the device will routinely check whether the ports have any external loopback If it detects a loopback on a port the device will turn that port under loopback detection mode z If loops are detected on a port that is of access type the port will be shutdown Meanwhile trap messa...

Page 170: ...Loopback detection on a given port is enabled only after the loopback detection enable command has been issued in both system view and the port view of the port z Loopback detection on all ports will be disabled after the issuing of the undo loopback detection enable command under system view 1 1 10 Configuring the Cable Type for an Ethernet Port Note The optical ports of combo ports do not suppor...

Page 171: ...n Ethernet port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Test the current operating state of the cable connected to the port virtual cable test Required 1 2 Maintaining and Displaying an Ethernet port To do Use the command Remarks Display the current state of a specified port and related information display inter...

Page 172: ...and Remarks Display the current ports of a specified type display port hybrid trunk Available in any view Display the information about a manual port group or all the port groups display port group manual all name port group name Available in any view Display the information about the loopback function display loopback detection Available in any view ...

Page 173: ...number of the ports an isolation group can contain is not limited Note z When a port in an aggregation group is configured as the ordinary port for some isolation group the other ports of the aggregation group can be added to the isolation group as ordinary ports but cannot be configured as uplink ports z When a port in an aggregation group is configured as the uplink port for some isolation group...

Page 174: ...p Figure 2 1 Connectivity of layer 2 data between ports inside and outside an isolation group on a device supporting uplink port Note The arrows in the above figure indicate the transmission direction of Layer 2 data 2 2 Configuring an Isolation Group 2 2 1 Adding a Port to an Isolation Group Follow these steps to add a port to an isolation group To do Use the command Remarks Enter system view sys...

Page 175: ...nk port port isolate uplink port group Required An isolation group has no uplink port by default Note z An isolation group can have only one uplink port When a user configures multiple ports as the uplink port only the last one prevails z When a port has already been configured as an ordinary port for an isolation group it cannot be configured as an uplink port and vice versa 2 3 Displaying and Ma...

Page 176: ...evice Add ports Ethernet 1 0 1 Ethernet 1 0 2 and Ethernet 1 0 3 to the isolation group Device system view Device interface ethernet 1 0 1 Device Ethernet1 0 1 port isolate enable Device Ethernet1 0 1 quit Device interface ethernet 1 0 2 Device Ethernet1 0 2 port isolate enable Device Ethernet1 0 2 quit Device interface ethernet 1 0 3 Device Ethernet1 0 3 port isolate enable Configure port Etherne...

Page 177: ...ation Manual Port Correlation Configuration H3C S3610 S5510 Series Ethernet Switches Chapter 2 Port Isolation Configuration 2 5 Group ID 1 Uplink port Ethernet1 0 4 Ethernet1 0 1 Ethernet1 0 2 Ethernet1 0 3 ...

Page 178: ... aggregation 1 4 1 3 Load Sharing in a Link Aggregation Group 1 5 1 4 Service Loop Group 1 6 1 5 Aggregation Port Group 1 7 Chapter 2 Link Aggregation Configuration 2 1 2 1 Configuring Link Aggregation 2 1 2 1 1 Configuring a Manual Link Aggregation Group 2 1 2 1 2 Configuring a Static LACP Link Aggregation Group 2 2 2 1 3 Configuring an Aggregation Group Name 2 3 2 1 4 Configuring a Service Loop ...

Page 179: ...t sends LACPDUs to notify the remote system of its system LACP priority system MAC address port LACP priority port number and operational key Upon receipt of an LACPDU the remote system compares the received information with the information received on other ports to determine the ports that can operate as selected ports This allows the two systems to reach agreement on the states of the related p...

Page 180: ...trict priority SP queuing Weighted round robin WRR queuing Weighted fair queuing WFQ Port priority Port trust mode GVRP GVRP state on ports enabled or disabled GVRP registration type GARP timers Q in Q State of Q in Q enabled or disabled Added outer VLAN tag Policy of appending outer VLAN tag according to inner VLAN IDs BPDU tunnel BPDU tunnel state on ports enabled or disabled BPDU tunnel state f...

Page 181: ...ort with the highest priority in the up state as the reference port of the aggregation group Port priority descends in the following order full duplex high speed full duplex low speed half duplex high speed and half duplex low speed If multiple ports are of the same priority the one with the lowest port number is the reference port z Ports in the up state with the same speed duplex mode link state...

Page 182: ...n port group where you can make configuration for all member ports When the configuration of some port in a manual aggregation group changes the system does not remove the aggregation instead it re sets the selected unselected state of the member ports and re selects a master port 1 2 2 Static LACP link aggregation I Overview Static aggregations are created manually After you add a port to a stati...

Page 183: ...n static aggregation Like in a manual aggregation group in a static LACP aggregation group only ports with configurations consistent with those of the reference port can become selected These configurations include port rate duplex mode link state and other basic configurations described in Consistency Considerations for Ports in an Aggregation You need to maintain the basic configurations of thes...

Page 184: ...ce ID Caution The arrived broadcasts multicasts unknown unicasts may be distributed over different selected ports if they have different VLAN IDs source ports or source devices if they are only different in source MAC address they are forwarded out the same port 1 4 Service Loop Group You can create a service loop group by creating a manual aggregation group of service loop ports first and then sp...

Page 185: ...urations Their configuration consistency requires administrative maintenance which is troublesome after you change some configuration To simplify configuration port groups are provided allowing you to configure for all ports in individual groups at one time One example of port groups is aggregation port group Upon creation or removal of a link aggregation group an aggregation port group which cann...

Page 186: ...ual Link Aggregation Group Follow these steps to create a manual aggregation group and add an Ethernet port to it To do Use the command Remarks Enter system view system view Create a manual aggregation group link aggregation group agg id mode manual Required Enter Ethernet port view interface interface type interface number Assign the Ethernet port to the aggregation group port link aggregation gr...

Page 187: ...Changing system LACP priority can affect the selected unselected state of the ports in the group Create a static LACP aggregation group link aggregation group agg id mode static Required Enter Ethernet port view interface interface type interface number Configure the port LACP priority lacp port priority port priority Optional 32768 by default Changing port LACP priority can affect the selected un...

Page 188: ...ster port is unselected 2 1 3 Configuring an Aggregation Group Name Follow these steps to configure a name for an aggregation group To do Use the command Remarks Enter system view system view Configure a name for a link aggregation group link aggregation group agg id description agg name Required None is configured by default 2 1 4 Configuring a Service Loop Group Follow these steps to configure a...

Page 189: ...egation port group view port group aggregation agg id Caution In aggregation port group view you can configure aggregation related settings such as STP VLAN QoS GVRP Q in Q BPDU tunnel MAC address learning but cannot add or remove member ports 2 2 Displaying and Maintaining Link Aggregation To do Use the command Remarks Display the local system ID display lacp system id Available in any view Displ...

Page 190: ...iguration Example I Network requirements Device A aggregates ports Ethernet 1 0 1 through Ethernet 1 0 3 to form one link connected to Device B and performs load sharing among these ports Create a tunnel service loop group and add port Ethernet 1 0 1 to the group II Network diagram Figure 2 1 Network diagram for link aggregation configuration III Configuration procedure Note This example only desc...

Page 191: ...ts Ethernet 1 0 1 through Ethernet 1 0 3 to the group DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 port link aggregation group 1 DeviceA Ethernet1 0 1 interface ethernet 1 0 2 DeviceA Ethernet1 0 2 port link aggregation group 1 DeviceA Ethernet1 0 2 interface ethernet 1 0 3 DeviceA Ethernet1 0 3 port link aggregation group 1 3 Configure a service loop group Create a manual aggregation gr...

Page 192: ...duction to MAC Address Table 1 1 1 2 Configuring MAC Address Table Management 1 2 1 2 1 Configuring MAC Address Entries 1 2 1 2 2 Configuring MAC Address Aging Timer 1 3 1 2 3 Configuring the Maximum Number of MAC Addresses an Ethernet Port or a Port Group Can Learn 1 4 1 3 Displaying and Maintaining MAC Address Table Management 1 4 1 4 MAC Address Table Management Configuration Example 1 5 ...

Page 193: ...rding Each entry in this table contains the MAC address of a connected device to which port this device is connected and to which VLAN the port belongs A MAC address table consists of two types of entries static and dynamic Static entries are manually configured and never age out Dynamic entries can be manually configured or dynamically learned and may age out The following is how a switch learns ...

Page 194: ...ed the frame will be dropped 4 Upon receipt of the response the device adds an entry in the MAC address table indicating from which port the frames destined for the MAC address should be sent 5 Forward subsequent frames destined for the same MAC address directly from the hardware 6 Discard the frames which cannot reach the destination MAC address Port 1 Port 2 MAC address Port MAC A 1 MAC B 1 MAC ...

Page 195: ...rt 1 2 2 Configuring MAC Address Aging Timer The MAC address table on your device is available with an aging mechanism for dynamic entries to prevent its resources from being exhausted Set the aging timer appropriately a long aging interval may cause the MAC address table to retain outdated entries and fail to accommodate latest network changes a short interval may result in removal of valid entri...

Page 196: ...Enter port group view port group aggregation agg id manual port group name Required Use either command to configure on a port or ports in a group Configure the maximum number of MAC addresses that can be learned on an Ethernet port or port group or configure whether frames with unknown destination MAC addresses can be forwarded or not after the upper limit is reached mac address max mac count coun...

Page 197: ... dynamic MAC address entries z Add a static entry 000f e235 dc71 for port Ethernet 1 0 1 in VLAN 1 II Configuration procedure Add a static MAC address entry Sysname system view Sysname mac address static 000f e235 dc71 interface ethernet 1 0 1 vlan 1 Set the aging timer for dynamic MAC address entries to 500 seconds Sysname mac address timer aging 500 Display the MAC address entry for port Etherne...

Page 198: ...uard Overview 1 1 1 2 Configuring a Static Binding Entry 1 1 1 3 Configuring Port Filtering 1 2 1 4 Displaying IP Source Guard 1 2 1 5 IP Source Guard Configuration Examples 1 3 1 5 1 Static Binding Entry Configuration Example 1 3 1 5 2 Port Filtering Configuration Example 1 5 1 6 Troubleshooting 1 6 1 6 1 Failed to Configure Static Binding Entries and Port Filtering 1 6 ...

Page 199: ... illegal IP addresses and MAC addresses from traveling through improving the network security IP source guard filters packets based on two types of binding entries z IP port binding entry A port permits packets with source IP addresses among its IP port binding entries z MAC IP port binding entry A port permits packets with source MAC address and source IP address pairs among its MAC IP port bindi...

Page 200: ...iguring Port Filtering Port filtering allows IP source guard to filter packets based on the MAC IP port binding entries created and maintained by DHCP snooping Follow these steps to configure port filtering To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure port filtering ip check source ip address mac address Requir...

Page 201: ...he source IP address of 192 168 0 3 can pass z On port Ethernet 1 0 1 of Switch A only IP packets with the source MAC address of 00 01 02 03 04 06 and the source IP address of 192 168 0 1 can pass z On port Ethernet 1 0 1 of Switch B only IP packets with the source MAC address of 00 01 02 03 04 06 and the source IP address of 192 168 0 1 can pass z On port Ethernet 1 0 2 of Switch B only IP packet...

Page 202: ...erface ethernet 1 0 1 SwitchB Ethernet1 0 1 user bind ip address 192 168 0 1 mac address 0001 0203 0406 SwitchB Ethernet1 0 1 quit Configure port Ethernet 1 0 2 of Switch B to allow only IP packets with the source MAC address of 00 01 02 03 04 07 and the source IP address of 192 168 0 2 to pass SwitchB interface ethernet 1 0 2 SwitchB Ethernet1 0 2 user bind ip address 192 168 0 2 mac address 0001...

Page 203: ...0 1 of Switch A to prevent attacks from clients using fake source IP addresses to the DHCP server Note For detailed configuration of DHCP Server refer to DHCP Configuration in this manual II Network diagram Figure 1 2 Network diagram for configuring port filtering III Configuration procedure 1 Configure Switch A Configure port filtering on port Ethernet 1 0 1 SwitchA system view SwitchA interface ...

Page 204: ...ical with the dynamic entries that port Ethernet 1 0 1 has obtained SwitchA display dhcp snooping DHCP Snooping is enabled The client binding table for all untrusted ports Type D Dynamic S Static Type IP Address MAC Address Lease VLAN Interface D 192 168 0 1 0001 0203 0406 86335 1 Ethernet1 0 1 As you see port Ethernet 1 0 1 has obtained the dynamic entries generated by DHCP Snooping after it is c...

Page 205: ...e Ports 1 29 1 3 11 Configuring Whether Ports Connect to Point to Point Links 1 30 1 3 12 Configuring the Mode a Port Uses to Recognize Send MSTP Packets 1 31 1 3 13 Enabling the Output of Port State Transition Information 1 33 1 3 14 Enabling the MSTP Feature 1 33 1 4 Configuring Leaf Nodes 1 34 1 4 1 Configuring an MST Region 1 34 1 4 2 Configuring the Work Mode of MSTP 1 34 1 4 3 Configuring th...

Page 206: ...ion Example 1 46 1 9 Configuring Protection Functions 1 46 1 9 1 Configuration prerequisites 1 47 1 9 2 Enabling BPDU Guard 1 47 1 9 3 Enabling Root Guard 1 48 1 9 4 Enabling Loop Guard 1 49 1 9 5 Enabling TC BPDU Attack Guard 1 50 1 10 Configuring the Function of Transmitting BPDUs Transparently 1 51 1 11 Configuring the Function of Tagging BPDUs 1 52 1 12 Displaying and Maintaining MSTP 1 52 1 1...

Page 207: ...re This avoids proliferation and infinite recycling of packets that would occur in a loop network and prevents deterioration of the packet processing capability of network devices caused by duplicate packets received In the narrow sense STP refers to the STP protocol defined in IEEE 802 1d in the broad sense it refers to the STP protocol defined in IEEE 802 1d and various enhanced spanning tree pr...

Page 208: ...ed bridge and designated port The following table describes a designated bridge and a designated port Table 1 1 Description of designated bridge and designated port Classification Designated bridge Designated port For a device The device directly connected with this device and responsible for forwarding BPDUs The port through which the designated bridge forwards BPDUs to this device For a LAN The ...

Page 209: ...w STP works STP identifies the network topology by transmitting configuration BPDUs between network devices Configuration BPDUs contain sufficient information for network devices to complete the spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of root bridge priority and MAC address z Root path cost the cost of the shortest path to the root bri...

Page 210: ...on BPDU Each device sends out its configuration BPDU and receives configuration BPDUs from other devices The process of selecting the optimum configuration BPDU is as follows Table 1 2 Selection of the optimum configuration BPDU Step Description 1 Upon receiving a configuration BPDU on a port the device performs the following processing z If the received configuration BPDU has a lower priority tha...

Page 211: ...assumes itself to be the root bridge with the root bridge ID being its own device ID By exchanging configuration BPDUs the devices compare one another s root bridge ID The device with the smallest root bridge ID is elected as the root bridge z Selection of the root port and designated ports The process of selecting the root port and designated ports is as follows Table 1 3 Selection of the root po...

Page 212: ...DU so that the port will only receive BPDUs but not send any and will not forward data Note When the network topology is stable only the root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfully elec...

Page 213: ...uration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the configuration received message and discards the received configuration BPDU z Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is superior to the received configuration BPDU and discards the received conf...

Page 214: ...iguration BPDU BP1 0 0 0 AP1 BP2 1 0 1 BP2 Device B z Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BPDU Then it uses BP1 as the root port the configuration BPDUs of which will not be changed z Based on the configuration BPDU of BP1 and the path cost of the root port 5 Device B calculates a designated port ...

Page 215: ... AP2 Designated port CP2 0 10 2 CP2 z Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device ...

Page 216: ...t sends out this configuration BPDU through the designated port z If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port the port will immediately send out its better configuration BPDU in response z If a path becomes faulty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs...

Page 217: ...n propagated throughout the network z Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault free z Max age is a parameter used to determine whether a configuration BPDU held by the device has expired A configuration BPDU beyond the max age will be discarded 1 1 2 Introduction to MSTP I Why MSTP 1 Disadvantages of STP and...

Page 218: ...ning tree 2 Features of MSTP The multiple spanning tree protocol MSTP overcomes the shortcomings of STP and RSTP In addition to support for rapid network convergence it also allows data flows of different VLANs to be forwarded along their own paths thus providing a better load sharing mechanism for redundant links For description about VLANs refer to VLAN Configuration in the Access Volume MSTP fe...

Page 219: ...mapping configuration z They have the same MSTP revision level configuration and z They are physically linked with one another For example all the devices in region A0 in Figure 1 4 have the same MST region configuration z The same region name z The same VLAN to instance mapping VLAN 1 is mapped to MST instance 1 VLAN 2 to MST instance 2 and the rest to the command and internal spanning tree CIST ...

Page 220: ...ns in a switched network If you regard each MST region as a device the CST is a spanning tree calculated by these devices through STP or RSTP For example the red lines in Figure 1 4 describe the CST 5 CIST Jointly constituted by ISTs and the CST the CIST is a single spanning tree that connects all devices in a switched network In Figure 1 4 for example the ISTs in all MST regions plus the inter re...

Page 221: ...third party s device that supports boundary port recognition the third party s device may malfunction in recognizing a boundary port 10 Roles of ports In the MSTP calculation process port roles include root port designated port master port alternate port backup port and so on z Root port a port responsible for forwarding data to the root bridge z Designated port a port responsible for forwarding d...

Page 222: ...evice C form a loop z Port 3 and port 4 of device D connect downstream to other MST regions 11 Port states In MSTP port states fall into the following tree z Forwarding the port learns MAC addresses and forwards user traffic z Learning the port learns MAC addresses but does not forward user traffic z Discarding the port neither learns MAC addresses nor forwards user traffic Note When in different ...

Page 223: ...root bridge of the CIST MSTP generates an IST within each MST region through calculation and at the same time MSTP regards each MST region as a single device and generates a CST among these MST regions through calculation The CST and ISTs constitute the CIST of the entire network 2 MSTI calculation Within an MST region MSTP generates different spanning tree instances for different VLANs based on t...

Page 224: ...configure MSTP Task Remarks Configuring an MST Region Required Specifying the Root Bridge or a Secondary Root Bridge Optional Configuring the Work Mode of MSTP Device Optional Configuring the Priority of the Current Device Optional Configuring the Maximum Hops of an MST Region Optional Configuring the Network Diameter of a Switched Network Optional Configuring Timers of MSTP Optional Configuring t...

Page 225: ...nal Configuring Leaf Nodes Enabling the MSTP Feature Required Performing mCheck Optional Configuring the VLAN Ignore Feature Optional Configuring Digest Snooping Optional Configuring No Agreement Check Optional Configuring Protection Functions Optional Configuring the Function of Transmitting BPDUs Transparently Optional Configuring the Function of Tagging BPDUs Optional Note If both GVRP and MSTP...

Page 226: ...l Use either command All VLANs in an MST region are mapped to MST instance 0 by default Configure the MSTP revision level of the MST region revision level level Optional 0 by default Activate MST region configuration manually active region configuration Required Display all the configuration information of the MST region check region configuration Optional Display the currently effective MST regio...

Page 227: ...ped to instance 1 and VLAN 20 through VLAN 30 to instance 2 Sysname system view Sysname stp region configuration Sysname mst region region name info Sysname mst region instance 1 vlan 2 to 10 Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration 1 3 2 Specifying the Root Bridge or a Secondary Root Bridge MSTP can determine th...

Page 228: ...oot bridge or a secondary root bridge of another instance However the same device cannot be the root bridge and a secondary root bridge in the same instance at the same time z There is one and only one root bridge in effect in a spanning tree instance If two or more devices have been designated to be root bridges of the same spanning tree instance MSTP will select the device with the lowest MAC ad...

Page 229: ...unable to recognize MSTP packets For hybrid networking with legacy STP devices and full interoperability with RSTP compliant devices MSTP supports three work modes STP compatible mode RSTP mode and MSTP mode z In STP compatible mode all ports of the device send out STP BPDUs z In RSTP mode all ports of the device send out RSTP BPDUs If the device detects that it is connected with a legacy STP devi...

Page 230: ...of the device z During root bridge selection if all devices in a spanning tree have the same priority the one with the lowest MAC address will be selected as the root bridge of the spanning tree II Configuration example Set the device priority in MST instance 1 to 4096 Sysname system view Sysname stp instance 1 priority 4096 1 3 5 Configuring the Maximum Hops of an MST Region By setting the maximu...

Page 231: ... 20 by default Note A larger maximum hops setting means a larger size of the MST region Only the maximum hops configured on the regional root bridge can restrict the size of the MST region II Configuration example Set the maximum hops of the MST region to 30 Sysname system view Sysname stp max hops 30 1 3 6 Configuring the Network Diameter of a Switched Network Any two stations in a switched netwo...

Page 232: ...er 6 1 3 7 Configuring Timers of MSTP MSTP involves three timers forward delay hello time and max age You can configure these three parameters for MSTP to calculate spanning trees I Configuration procedure Follow these steps to configure the timers of MSTP To do Use the command Remarks Enter system view system view Configure the forward delay timer stp timer forward delay centi seconds Optional 1 ...

Page 233: ...ds to the device burden and causes waste of network resources We recommend that you use the default setting z If the max age time setting is too small the network devices will frequently launch spanning tree calculation and may take network congestion to a link failure if the max age setting is too large the network may fail to timely detect link failures and fail to timely launch spanning tree ca...

Page 234: ...ening the timeout time I Configuration procedure Follow these steps to configure the timeout factor To do Use the command Remarks Enter system view system view Configure the timeout factor of the device stp timer factor number Optional 3 by default Note z Timeout time timeout factor 3 hello time z Typically we recommend that you set the timeout factor to 5 or 6 or 7 for a stable network II Configu...

Page 235: ...m transmission rate setting of a port is too big the port will send a large number of MSTP packets within each hello time thus using excessive network resources We recommend that you use the default setting II Configuration example Set the maximum transmission rate of port Ethernet 1 0 1 to 5 Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp transmit limit 5 1 3 10 Con...

Page 236: ...from another port it will become a non edge port again In this case you must reset the port before you can configure it to be an edge port again z If a port directly connects to a user terminal configure it to be an edge port and enable BPDU guard for it This enables the port to transition to the forwarding state while ensuring network security II Configuration example Configure Ethernet 1 0 1 to ...

Page 237: ...nt to point link Note z In the case of link aggregation every port in the aggregation group can be configured to connect to a point to point link If a port works in auto negotiation mode and the negotiation result is full duplex this port can be configured as connecting to a point to point link z If a port is configured as connecting to a point to point link the setting takes effect for the port i...

Page 238: ...roup manual port group name aggregation agg id Required Use either command Configurations made in Ethernet interface view will take effect on the current port only configurations made in port group view will take effect on all ports in the port group Configure the mode the port uses to recognize send MSTP packets stp compliance auto dot1s legacy Optional auto by default Note z In MSTP mode if a po...

Page 239: ...rt log all instance instance id Optional Whether this function is enabled by default depends on the specific device model 1 3 14 Enabling the MSTP Feature I Configuration procedure Follow these steps to enable the MSTP feature To do Use the command Remarks Enter system view system view Enable the MSTP feature for the device stp enable Required Whether a device is MSTP enabled by default depends on...

Page 240: ...4 1 Configuring an MST Region Refer to Configuring an MST Region in the section about root bridge configuration 1 4 2 Configuring the Work Mode of MSTP Refer to Configuring the Work Mode of MSTP Device in the section about root bridge configuration 1 4 3 Configuring the Timeout Factor Refer to Configuring Timers of MSTP in the section about root bridge configuration 1 4 4 Configuring the Maximum T...

Page 241: ...tes the default path cost for ports based on a private standard Follow these steps to specify a standard for the device to use when calculating the default path cost To do Use the command Remarks Enter system view system view Specify a standard for the device to use when calculating the default path cost of the link connected with the device stp pathcost standard dot1d 1998 dot1t legacy Optional l...

Page 242: ...ink speed is the sum of the link speed values of the non blocked ports in the aggregated link II Configuring Path Costs of Ports Follow these steps to configure the path cost of ports To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group ma...

Page 243: ...in different MST instances and the same port can play different roles in different MST instances so that data of different VLANs can be propagated along different physical paths thus implementing per VLAN load balancing You can set port priority values based on the actual networking requirements I Configuration procedure Follow these steps to configure the priority of a port or a group of ports To...

Page 244: ...Configuring Whether Ports Connect to Point to Point Links in the section about root bridge configuration 1 4 9 Configuring the Mode a Port Uses to Recognize Send MSTP Packets Refer to Configuring the Mode a Port Uses to Recognize Send MSTP Packets in the section about root bridge configuration 1 4 10 Enabling Output of Port State Transition Information Refer to Enabling the Output of Port State Tr...

Page 245: ... to perform global mCheck To do Use the command Remarks Enter system view system view Perform mCheck stp mcheck Required II Performing mCheck in Ethernet interface view Follow these steps to perform mCheck in Ethernet interface view To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Perform mCheck stp mcheck Required ...

Page 246: ...s the traffic of VLAN 2 to pass through Switch A and Switch B run MSTP Switch A is the root bridge and port A and port C on it are designated ports Port B on Switch B is the root port and port D is the blocked port Traffic on VLAN 2 is blocked Enabling the VLAN Ignore feature for a VLAN can make ports of the VLAN forward packets normally rather than comply with the calculated result of MSTP 1 6 1 ...

Page 247: ...nabled VLAN SwitchB display stp ignored vlan STP Ignored VLAN 2 1 7 Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the region related configuration domain name revision level VLAN to instance mappings on them is identical An MSTP enabled device identifies devices in the same MST region via checking the configuration ID in BPDU packets ...

Page 248: ...interface type interface number Enter Ethernet interface or port group view Enter port group view port group manual port group name aggregation agg id Required Use either command Configurations made in Ethernet interface view will take effect on the current port only configurations made in port group view will take effect on all ports in the port group Enable digest snooping on the interface or po...

Page 249: ...obally and on associated ports to make it take effect It is recommended to enable the feature on all associated ports first and then globally making all configured ports take effect and disable the feature globally to disable it on all associated ports z It is not recommended to enable Digest Snooping on the MST region edge port to avoid loops z It is recommended to enable Digest Snooping first an...

Page 250: ...ts Both RSTP and MSTP switches can perform rapid transition operation on a designated port only when the port receives an agreement packet from the downstream switch The differences between RSTP and MSTP switches are z For MSTP the downstream device s root port sends an agreement packet only after it receives an agreement packet from the upstream device z For RSTP the down stream device sends an a...

Page 251: ... to transit rapidly and can only change to the forwarding state after a period twice the Forward Delay In this case you can enable the No Agreement Check feature on the downstream device s port to perform rapid state transition 1 8 1 Configuration Prerequisites z A device is the upstream one that is connected to another vendor s MSTP supported device via a point to point link z Configure the same ...

Page 252: ...ce A connects to a third party s device that has different MSTP implementation Both switches are in the same region z Another vendor s device is the regional root bridge and Device A is the downstream device II Network diagram Figure 1 11 No Agreement Check configuration III Configuration procedure Enable No Agreement Check on Ethernet 1 0 1 of Switch A DeviceA system view DeviceA interface Ethern...

Page 253: ...onnect directly with user terminals such as PCs or file servers In this case the access ports are configured as edge ports to allow rapid transition of these ports When these ports receive configuration BPDUs the system will automatically set these ports as non edge ports and start a new spanning tree calculation process This will cause a change of network topology Under normal conditions these po...

Page 254: ...t bridge may receive a configuration BPDU with a higher priority In this case the current legal root bridge will be superseded by another device causing undesired change of the network topology As a result of this kind of illegal topology change the traffic that should go over high speed links is drawn to low speed links resulting in network congestion To prevent this situation from happening MSTP...

Page 255: ...ure depends on the specific device model z We recommend that you enable loop guard if your device supports this function By keeping receiving BPDUs from the upstream device a device can maintain the state of the root port and other blocked ports However due to link congestion or unidirectional link failures these ports may fail to receive BPDUs from the upstream device In this case the downstream ...

Page 256: ...device will receive a larger number of TC BPDUs within a short time and frequent deletion operations bring a big burden to the device and hazard network stability With the TC BPDU guard function enabled the device limits the maximum number of times of immediately deleting forwarding address entries within 10 seconds after it receives TC BPDUs to the value set with the stp tc protection threshold c...

Page 257: ...nfigure the function of transmitting BPDUs transparently To do Use the command Remarks Enter system view System view Enter port view interface interface type interface number Enable the function of transmitting BPDUs transparently stp bpdu transparent forwa rding Required Return to system view quit Enable the function of transmitting BPDUs transparently in the specified VLAN s stp bpdu transparent...

Page 258: ...y other VLAN to the MSTI z When CIST information does not need calculating you can use the stp bpdu tagged cist ignore command on the corresponding port to enable the function of ignoring CIST information in tagged BPDUs With this feature enabled on a port the port will be blocked by STP if it receives BPDUs from any other MST region and the port will be unblocked if it has not received BPDUs of a...

Page 259: ...ce interface list Available in user view 1 13 MSTP Configuration Example 1 13 1 MSTP Configuration Example I Network requirements Configure MSTP so that packets of different VLANs are forwarded along different spanning trees The specific configuration requirements are as follows z All devices on the network are in the same MST region z Packets of VLAN 10 are forwarded along MST region 1 those of V...

Page 260: ...A Enter MST region view DeviceA system view DeviceA stp region configuration Configure the region name VLAN to instance mappings and revision level of the MST region DeviceA mst region region name example DeviceA mst region instance 1 vlan 10 DeviceA mst region instance 3 vlan 30 DeviceA mst region instance 4 vlan 40 DeviceA mst region revision level 0 Activate MST region configuration manually De...

Page 261: ...DeviceB mst region instance 1 vlan 10 DeviceB mst region instance 3 vlan 30 DeviceB mst region instance 4 vlan 40 DeviceB mst region revision level 0 Activate MST region configuration manually DeviceB mst region active region configuration DeviceB mst region quit Define Device B as the root bridge of MST instance 3 DeviceB stp instance 3 root primary View the MST region configuration information t...

Page 262: ... MST instance 4 DeviceC stp instance 4 root primary View the MST region configuration information that has taken effect DeviceC display stp region configuration Oper configuration Format selector 0 Region name example Revision level 0 Instance Vlans Mapped 0 1 to 9 11 to 29 31 to 39 41 to 4094 1 10 3 30 4 40 4 Configuration on Device D Enter MST region view DeviceD system view DeviceD stp region c...

Page 263: ...Transparently I Network requirements z Switch A and Switch B are interconnected through a VPN network which permits only tagged packets to pass through z Ethernet 1 0 1 and Ethernet 1 0 2 of Switch A and Ethernet 1 0 3 and Ethernet 1 0 4 of Switch B are assigned to VLAN 10 z Perform spanning tree calculations only on Switch A so as to eliminate data loops in VLAN 10 II Network diagram VPN Eth 1 0 ...

Page 264: ...et 1 0 4 Switch B system view Switch B interface Ethernet1 0 3 Switch B Ethernet1 0 3 stp bpdu transparent forwarding Switch B Ethernet1 0 3 quit Switch B interface Ethernet1 0 4 Switch B Ethernet1 0 4 stp bpdu transparent forwarding Switch B Ethernet1 0 4 quit Switch B stp bpdu transparent forwarding vlan 10 1 13 3 Configuration Example for the Function of Tagging BPDUs I Network requirements z S...

Page 265: ...2 vlan 20 Switch A mst region active region configuration Switch A mst region quit Enable the function of tagging BPDUs on Ethernet 1 0 1 and Ethernet 1 0 2 of Switch A Switch A interface Ethernet 1 0 1 Switch A Ethernet1 0 1 stp bpdu tagged Switch A Ethernet1 0 1 quit Switch A interface Ethernet 1 0 2 Switch A Ethernet1 0 2 stp bpdu tagged Switch A Ethernet1 0 2 quit 2 Configuration on Switch B C...

Page 266: ...n 1 60 Enable the function of tagging BPDUs on Ethernet 1 0 3 and Ethernet 1 0 4 of Switch B Switch B interface Ethernet1 0 3 Switch B Ethernet1 0 3 stp bpdu tagged Switch B Ethernet1 0 3 quit Switch B interface Ethernet1 0 4 Switch B Ethernet1 0 4 stp bpdu tagged Switch B Ethernet1 0 4 quit ...

Page 267: ...RA Message 1 16 1 4 4 Configuring the Number of Attempts to Send an NS Message for DAD 1 19 1 5 Configuring PMTU Discovery 1 19 1 5 1 Configuring a Static PMTU for a Specified IPv6 Address 1 19 1 5 2 Configuring the Aging Time for PMTU 1 19 1 6 Configuring IPv6 TCP Properties 1 20 1 7 Configuring IPv6 FIB Based Forwarding 1 21 1 8 Configuring ICMPv6 Packet Sending 1 21 1 8 1 Configuring the Maximu...

Page 268: ...Example 3 7 3 4 Configuring Automatic IPv4 Compatible IPv6 Tunnel 3 10 3 4 1 Configuration Prerequisites 3 10 3 4 2 Configuration Procedure 3 11 3 4 3 Configuration Example 3 13 3 5 Configuring 6to4 Tunnel 3 15 3 5 1 Configuration Prerequisites 3 15 3 5 2 Configuration Procedure 3 16 3 5 3 Configuration Example 3 18 3 6 Configuring ISATAP Tunnel 3 21 3 6 1 Configuration Prerequisites 3 21 3 6 2 Co...

Page 269: ...ration z IPv6 Configuration Example z Troubleshooting IPv6 Basics Configuration Note The term router or the router icon in this document refers to a router in a generic sense or a Layer 3 Ethernet switch running a routing protocol 1 1 IPv6 Overview Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Inter...

Page 270: ...arison between IPv4 packet header format and basic IPv6 packet header format II Adequate address space The source and destination IPv6 addresses are both 128 bits 16 bytes long IPv6 can provide 3 4 x 1038 addresses to completely meet the requirements of hierarchical address division as well as allocation of public and private addresses III Hierarchical address structure IPv6 adopts the hierarchica...

Page 271: ...exchange between neighbor nodes on the same link The group of ICMPv6 messages takes the place of Address Resolution Protocol ARP message Internet Control Message Protocol version 4 ICMPv4 router discovery message and ICMPv4 redirection message to provide a series of other functions VIII Flexible extension headers IPv6 cancels the Options field in IPv4 packets but introduces multiple extension head...

Page 272: ...ess in any of the notations and prefix length is a decimal number indicating how many bits from the utmost left of an IPv6 address are the address prefix II IPv6 address classification IPv6 addresses fall into three types unicast address multicast address and anycast address z Unicast address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast address...

Page 273: ...service providers The type of address allows efficient route prefix aggregation to restrict the number of global routing entries z The link local address is used for communication between link local nodes in neighbor discovery and stateless autoconfiguration Routers must not forward any packets with link local source or destination addresses to other links z IPv6 unicast site local addresses are s...

Page 274: ...0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 unicast or anycast address V Interface identifier in IEEE EUI 64 format Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and they are required to be unique on that link Interface identifiers in IPv6 unicast addresses are currently requi...

Page 275: ...ssage 136 When the link layer changes the local node initiates an NA message to notify neighbor nodes of the node information change Router solicitation RS message 133 After started a node sends an RS message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration Used to respond to an RS message Router advertisement RA message 134 With ...

Page 276: ...e A and unicasts an NA message containing its link layer address 3 Node A acquires the link layer address of node B from the NA message II Neighbor reachability detection After node A acquires the link layer address of its neighbor node B node A can verify whether node B is reachable according to NS and NA messages 1 Node A sends an NS message whose destination address is the IPv6 address of node ...

Page 277: ... prefix discovery means that a node locates the neighboring routers and learns the prefix of the network where the host is located and other configuration parameters from the received RA message Stateless address autoconfiguration means that a node automatically configures an IPv6 address according to the information obtained through router prefix discovery The router prefix discovery is implement...

Page 278: ...elect a better next hop to forward packets similar to the ICMP redirection function in IPv4 The gateway will send an IPv6 ICMP redirect message when the following conditions are satisfied z The receiving interface is the forwarding interface z The selected route itself is not created or modified by an IPv6 ICMP redirect message z The selected route is not the default route z The forwarded IPv6 pac...

Page 279: ...o the destination host is determined 1 1 5 Introduction to IPv6 DNS In the IPv6 network a Domain Name System DNS supporting IPv6 converts domain names into IPv6 addresses instead of IPv4 addresses However just like an IPv4 DNS an IPv6 DNS also covers static domain name resolution and dynamic domain name resolution The function and implementation of these two types of domain name resolution are the...

Page 280: ...6 1 2 IPv6 Basics Configuration Task List Complete the following tasks to perform IPv6 basics configuration Task Remarks Configuring Basic IPv6 Functions Required Configuring IPv6 NDP Optional Configuring PMTU Discovery Optional Configuring IPv6 TCP Properties Optional Configuring IPv6 FIB Based Forwarding Optional Configuring ICMPv6 Packet Sending Optional Configuring IPv6 DNS Optional 1 3 Config...

Page 281: ...he interface z Manual assignment IPv6 link local addresses can be assigned manually Follow these steps to configure an IPv6 unicast address To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Manually assign an IPv6 address ipv6 address ipv6 address prefix length ipv6 address prefix lengt h Configure an IPv6 aggregatabl e globa...

Page 282: ...pv6 address auto link local command However if an IPv6 site local address or aggregatable global unicast address is already configured for an interface the interface still has a link local address because the system automatically generates one for the interface If no IPv6 site local address or aggregatable global unicast address is configured the interface has no link local address z The manually ...

Page 283: ...pe port number belongs to the VLAN specified by vlan id After a static neighbor entry is configured the device relates the VLAN interface to an IPv6 address to uniquely identify a static neighbor entry 1 4 2 Configuring the Maximum Number of Neighbors Dynamically Learned The device can dynamically acquire the link layer address of a neighbor node and add it into the neighbor table through NS and N...

Page 284: ...ame link can perform stateless autoconfiguration operations M flag This field determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses If the M flag is set to 1 hosts use the stateful autoconfiguration to acquire IPv6 addresses Otherwise hosts use the stateless autoconfiguration to acquire IPv6 addresses that is hosts configure IPv6 addresses according to their own lin...

Page 285: ...ighbor reachable within the time of Reachable Time Follow these steps to configure parameters related to an RA message To do Use the command Remarks Enter system view system view Configure the current hop limit ipv6 nd hop limit value Optional 64 by default Enter interface view interface interface type interface number Disable the RA message suppression undo ipv6 nd ra halt Optional By default RA ...

Page 286: ...configuration Set the O flag bit to 1 ipv6 nd autoconfig other flag Optional By default the O flag bit is set to 0 that is hosts acquire other information through stateless autoconfiguration Configure the router lifetime in RA messages ipv6 nd ra router lifetime value Optional 1 800 seconds by default Set the retrans timer ipv6 nd ns retrans timer value Optional By default the local interface send...

Page 287: ...Optional 1 by default When the value argument is set to 0 DAD is disabled 1 5 Configuring PMTU Discovery 1 5 1 Configuring a Static PMTU for a Specified IPv6 Address You can configure a static PMTU for a specified destination IPv6 address When a source host sends packets through an interface it compares the interface MTU with the static PMTU of the specified destination IPv6 address If the packet ...

Page 288: ... establishment fails z finwait timer When the IPv6 TCP connection status is FIN_WAIT_2 the finwait timer is triggered If no packet is received before the finwait timer expires the IPv6 TCP connection is terminated If a FIN packet is received the IPv6 TCP connection status becomes TIME_WAIT If other packets are received the finwait timer is reset from the last received packet and the connection is ...

Page 289: ... based on the HASH algorithm ipv6 fib loadbalance type hash based Configure the IPv6 FIB load sharing mode Configure the load sharing based on polling undo ipv6 fib loadbalance type hash based Optional By default the load sharing based on polling is adopted that is each equivalent route is used in turn to forward packets 1 8 Configuring ICMPv6 Packet Sending 1 8 1 Configuring the Maximum ICMPv6 Er...

Page 290: ...ted 1 8 2 Enable Sending of Multicast Echo Replies If hosts are capable of relying multicast echo requests Host A can attack Host B by sending an echo request with the source being Host B to a multicast address then all the hosts in the multicast group will send echo replies to Host B Therefore a device is disabled from replying multicast echo requests by default Follow these steps to enable sendi...

Page 291: ...o that you only need to enter some fields of a domain name and the system can automatically add the preset suffix for address resolution The system can support at most 10 DNS suffixes Follow these steps to configure dynamic IPv6 domain name resolution To do Use the command Remarks Enter system view system view Enable the dynamic domain name resolution function dns resolve Required Disabled by defa...

Page 292: ...erface type interface number Display neighbor information display ipv6 neighbors ipv6 address all dynamic interface interface type interface number static vlan vlan id begin exclude include text Available in any view Display the total number of neighbor entries satisfying the specified conditions display ipv6 neighbors all dynamic interface interface type interface number static vlan vlan id count...

Page 293: ...l IPv6 UDP packets reset udp ipv6 statistics Available in user view Note The display dns domain command is the same as the one of IPv4 DNS For details about the commands refer to DNS Commands 1 11 IPv6 Configuration Example I Network requirements Two switches are directly connected through two Ethernet ports The Ethernet ports belong to VLAN 2 Configure different types of IPv6 addresses for VLAN i...

Page 294: ...pv6 nd ra halt z Configuration on Switch B Enable the IPv6 packet forwarding function SwitchB system view SwitchB ipv6 Configure VLAN interface 2 to automatically generate a link local address SwitchB interface vlan interface 2 SwitchB Vlan interface2 ipv6 address auto link local Configure an EUI 64 address for VLAN interface 2 SwitchB Vlan interface2 ipv6 address 2001 64 eui 64 Configure an aggre...

Page 295: ...is 2001 64 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF00 2 FF02 1 FF00 1 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses From Switch A ping the link local address EUI 64 address and aggregatable global unicast address respectivel...

Page 296: ...ak Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 1 hop limit 255 time 40 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 2 hop limit 255 time 70 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 3 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 4 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 5 hop limit 255 time 60 ms 2001 20F E2F...

Page 297: ...guration I Symptom The peer IPv6 address cannot be pinged II Solution z Use the display current configuration command in any view or the display this command in system view to check that the IPv6 packet forwarding function is enabled z Use the display ipv6 interface command in any view to check that the IPv6 address of the interface is correct and that the interface is up z Use the debugging ipv6 ...

Page 298: ...or an IPv6 node to be compatible with an IPv4 node is to maintain a complete IPv4 stack A network node that supports both IPv4 and IPv6 is called a dual stack node A dual stack node configured with an IPv4 address and an IPv6 address can have both IPv4 and IPv6 packets transmitted For an upper layer application supporting both IPv4 and IPv6 either TCP or UDP can be selected at the transport layer ...

Page 299: ... to enable IPv4 IPv6 dual stack supporting by using the switch mode dual ipv4 ipv6 command Otherwise IPv6 packets cannot be forwarded even if dual stack is enabled 2 2 2 Configuring Dual Stack You must enable the IPv6 packet forwarding function before dual stack Otherwise the device cannot forward IPv6 packets even if IPv6 addresses are configured for interfaces Follow these steps to configure dua...

Page 300: ... format ipv6 address ipv6 address prefix le ngth eui 64 Use either command By default no local address or global unicast address is configured on an interface Automatically create an IPv6 link local address ipv6 address auto link local Configure an IPv6 address on the interface Configure IPv6 link local address Manually specify an IPv6 link local address ipv6 address ipv6 address link local Option...

Page 301: ...over the network A tunnel is a virtual point to point connection In practice the virtual interface that supports only point to point connections is called tunnel interface One tunnel provides one channel to transfer encapsulated packets Packets can be encapsulated and decapsulated at both ends of a tunnel Tunneling refers to the whole process from data encapsulation to data transfer to data decaps...

Page 302: ...he device at the destination end decapsulates the packet if the destination address of the encapsulated packet is the device itself 4 The destination device forwards the packet according to the destination address in the decapsulated IPv6 packet If the destination address is the device itself the device forwards the IPv6 packet to the upper layer protocol for processing II Configured tunnel and au...

Page 303: ...s are adopted at both ends of such a tunnel The address format is 0 0 0 0 0 0 a b c d 96 where a b c d represents an embedded IPv4 address The tunnel destination is automatically determined by the embedded IPv4 address which makes it easy to create a tunnel for IPv6 over IPv4 However because an automatic IPv4 compatible IPv6 tunnel must use IPv4 compatible IPv6 addresses and it is still dependent ...

Page 304: ... IPv6 routers or between a host and an IPv6 router over an IPv4 network Figure 3 2 Principle of ISATAP tunnel IV Expedite termination For a tunnel packet arriving at the device if the source IP address matches the address of the expedite termination subnet the hardware driver sends the packet to an IPv6 tunnel protocol engine to forward or sends it to the CPU for processing If the tunnel packet ne...

Page 305: ...unnel 3 3 1 Configuration Prerequisites IP addresses are configured for interfaces such as the VLAN interface and loopback interface on the device These interfaces serve as the source interfaces of tunnel interfaces to ensure that the tunnel destination addresses are reachable 3 3 2 Configuration Procedure Follow these steps to configure an IPv6 manual tunnel To do Use the command Remarks Enter sy...

Page 306: ...IPv6 global unicast address or site local address is configured Specify the IPv6 manual tunnel mode tunnel protocol ipv6 ipv4 Required By default the tunnel mode is manual The same tunnel type should be configured at both ends of the tunnel Otherwise packet delivery will fail Configure a source address or interface for the tunnel source ip address interface type interface number Required By defaul...

Page 307: ...next hop to the tunnel interface number or network address at the local end of the tunnel Such configurations must be performed at both ends of the tunnel z Before configuring dynamic routes you must enable the dynamic routing protocol on the tunnel interfaces at both ends For related configurations refer to IPv6 Routing Configuration z The destination address of the route configured on the tunnel...

Page 308: ...t 1 0 2 SwitchA vlan100 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 168 100 1 255 255 255 0 SwitchA Vlan interface100 quit Configure a manual IPv6 tunnel SwitchA interface tunnel 0 SwitchA Tunnel0 ipv6 address 3001 1 64 SwitchA Tunnel0 source vlan interface 100 SwitchA Tunnel0 destination 192 168 50 1 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 Configure the tu...

Page 309: ...rotocol ipv6 ipv4 Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchB Tunnel0 aggregation group 1 IV Configuration verification After the above configurations display the status of the tunnel interfaces on Switch A and Switch B respectively SwitchA display ipv6 interface tunnel0 Tunnel0 current state UP Line protocol current state UP IPv6 is enabled link loc...

Page 310: ... hop limit 64 time 31 ms Reply from 3001 2 bytes 56 Sequence 2 hop limit 64 time 16 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 64 time 1 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 15 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 15 ms 3001 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 15 31 ms 3 4 Configu...

Page 311: ...ddress ipv6 address ipv6 address link local Optional By default after an interface is configured with a local IPv6 address or global unicast address the link local address is generated automatically ipv6 address ipv6 address prefix length ipv6 address prefix length Configure an IPv6 address for the tunnel interface Configure a local IPv6 address or global unicast address ipv6 address ipv6 address ...

Page 312: ...nel interface Configure the service loop group ID to be referenced by the tunnel interface aggregation group aggregation group id Required By default no link aggregation group ID is referenced Enable the expedite termination function expediting enable Optional By default the expedite termination function is disabled Configure an address and mask for the expedite termination subnet expediting subne...

Page 313: ...ss the destination IP address of the packet instead of the IPv4 address of the tunnel destination and set the next hop to the tunnel interface number or network address at the local end of the tunnel Such a route must be configured at both ends of the tunnel z Before referencing a link aggregation group on the tunnel interface to receive and send packets make sure that the aggregation group has be...

Page 314: ... an automatic IPv4 comptabile IPv6 tunnel SwitchA interface Tunnel 0 SwitchA Tunnel0 ipv6 address 2 1 1 1 96 SwitchA Tunnel0 source Vlan interface 100 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 auto tunnel Configure service loop group 1 to be referenced by the tunnel in tunnel interface view SwitchA Tunnel0 aggregation group 1 2 Configuration on SwitchB Enable the IPv6 forwarding function SwitchB s...

Page 315: ...dress of the tunnel peer from Router A SwitchA ping ipv6 2 1 1 2 PING 2 1 1 2 56 data bytes press CTRL_C to break Reply from 2 1 1 2 bytes 56 Sequence 1 hop limit 255 time 219 ms Reply from 2 1 1 2 bytes 56 Sequence 2 hop limit 255 time 15 ms Reply from 2 1 1 2 bytes 56 Sequence 3 hop limit 255 time 31 ms Reply from 2 1 1 2 bytes 56 Sequence 4 hop limit 255 time 31 ms Reply from 2 1 1 2 bytes 56 S...

Page 316: ...x length eui 64 Required Use either command By default no IPv6 global unicast address or site local address is configured for the tunnel interface ipv6 address auto link local Configure an IPv6 address for the tunnel interface Configure an IPv6 link local address ipv6 address ipv6 address link local Optional By default a link local address will automatically be generated when an IPv6 global unicas...

Page 317: ...face on a device the slot of the tunnel interface should be that of the source interface namely the interface sending packets In this way the forwarding efficiency can be improved z If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment a forwarding route through the tunnel to the peer must be configured so that the encapsulated packet can be forw...

Page 318: ...m for a 6to4 tunnel III Configuration procedure z Configuration on Switch A Enable IPv6 SwitchA system view SwitchA ipv6 Configure a link aggregation group Disable STP on the port before adding it into the link aggregation group SwitchA link aggregation group 1 mode manual SwitchA link aggregation group 1 service type tunnel SwitchA interface Ethernet 1 0 1 SwitchA Ethernet1 0 1 stp disable Switch...

Page 319: ...ource vlan interface 100 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchA Tunnel0 quit Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchA Tunnel0 aggregation group 1 SwitchA Tunnel0 quit Configure a static route whose destination address is 2002 16 and next hop is the tunnel interface SwitchA ipv6 route static 2002 16 tunnel0 z Configuration on Switch...

Page 320: ...the 6to4 tunnel SwitchB interface tunnel 0 SwitchB Tunnel0 ipv6 address 2002 0501 0101 1 64 SwitchB Tunnel0 source vlan interface 100 SwitchB Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchB Tunnel0 quit Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchB Tunnel0 aggregation group 1 SwitchB Tunnel0 quit Configure a static route whose destination address is 200...

Page 321: ...quired By default the IPv6 forwarding function is disabled Create a tunnel interface and enter tunnel interface view interface tunnel number Required By default there is no tunnel interface on the device ipv6 address ipv6 address prefix length ipv6 address prefix leng th Configure an IPv6 global unicast address or site local address ipv6 address ipv6 address prefix leng th eui 64 Required Use eith...

Page 322: ... the tunnel source ip address interface type interface number Required By default no source address or interface is configured for the tunnel Reference a link aggregation group aggregation group aggregation group id Required By default no link aggregation group ID is referenced Enable the expedite termination function expediting enable Optional By default the expedite termination function is disab...

Page 323: ...tunnel interface number or network address at the local end of the tunnel Such a route must be configured at both ends of the tunnel z Before referencing a link aggregation group on the tunnel interface to receive and send packets make sure that the aggregation group has been configured Otherwise the tunnel interface will not be up to communicate 3 6 3 Configuration Example I Network requirements ...

Page 324: ...l0 ipv6 address 2001 1 64 eui 64 Switch Tunnel0 source vlan interface 101 Switch Tunnel0 tunnel protocol ipv6 ipv4 isatap Configure the tunnel to reference link aggregation group 1 in tunnel interface view Switch Tunnel0 aggregation group 1 Disable the RA suppression so that hosts can acquire information such as the address prefix from the RA message released by the ISATAP switch Switch Tunnel0 un...

Page 325: ...Interface 2 Automatic Tunneling Pseudo Interface Guid 48FCE3FC EC30 E50E F1A7 71172AEEE3AE does not use Neighbor Discovery uses Router Discovery routing preference 1 EUI 64 embedded IPv4 address 2 1 1 2 router link layer address 2 1 1 1 preferred global 2001 5efe 2 1 1 2 life 29d23h59m46s 6d23h59m46s public preferred link local fe80 5efe 2 1 1 2 life infinite link MTU 1500 true link MTU 65515 curr...

Page 326: ...configuration of related parameters such as tunnel source address tunnel destination address and tunnel type the tunnel interface is still not up Solution Follow the steps below 1 The common cause is that the physical interface of the tunnel source is not up Use the display interface tunnel or display ipv6 interface tunnel commands to view whether the physical interface of the tunnel source is up ...

Page 327: ... 1 1 1 1 1 Routing 1 1 1 1 2 Routing Through a Routing Table 1 1 1 2 Routing Protocol Overview 1 3 1 2 1 Static Routing and Dynamic Routing 1 3 1 2 2 Classification of Dynamic Routing Protocols 1 3 1 2 3 Routing Protocols and Routing Priority 1 4 1 2 4 Load Balancing and Route Backup 1 5 1 2 5 Sharing of Routing Information 1 6 1 3 Displaying and Maintaining a Routing Table 1 6 ...

Page 328: ... through routers Upon receiving a packet a router finds an optimal route based on the destination address and forwards the packet to the next router in the path until the packet reaches the last router which forwards the packet to the intended destination host 1 1 2 Routing Through a Routing Table I Routing table Routing tables play a key role in routing Each router maintains a routing table and e...

Page 329: ...erface is configured its address will be the IP address of the next hop z Priority for the route Routes to the same destination but having different nexthops may have different priorities and be found by various routing protocols or manually configured The optimal route is the one with the highest priority with the smallest metric Routes can be divided into two categories by destination z Subnet r...

Page 330: ...table networks with simple topologies Its major drawback is that you must perform routing configuration again whenever the network topology changes it cannot adjust to network changes by itself Dynamic routing is based on dynamic routing protocols which can detect network topology changes and recalculate the routes accordingly Therefore dynamic routing is suitable for large networks Its disadvanta...

Page 331: ...ed and calculated III Type of the destination address z Unicast routing protocols RIP OSPF BGP and IS IS z Multicast routing protocols PIM SM and PIM DM This chapter focuses on unicast routing protocols For information on multicast routing protocols refer to the Multicast Protocol Configuration IV Version of IP protocol IPv4 routing protocols RIP OSPFv2 BGP4 and IS IS IPv6 routing protocols RIPng ...

Page 332: ...an be configured with a different priority z IPv4 and IPv6 routes have their own respective routing tables 1 2 4 Load Balancing and Route Backup I Load balancing In multi route mode a routing protocol can be configured with multiple equal cost routes to the same destination These routes have the same priority and will all be used to accomplish load balancing if there is no route with a higher prio...

Page 333: ...ibution mechanism For detailed information refer to the description about route redistribution in each routing protocol 1 3 Displaying and Maintaining a Routing Table To do Use the command Remarks Display brief information about the active routes in the routing table display ip routing table vpn instance vpn instance name verbose begin exclude include regular expression Display information about r...

Page 334: ...pv6 address prefix length longer match verbose Display routing information permitted by an IPv6 ACL display ipv6 routing table acl acl6 number verbose Display routing information permitted by an IPv6 prefix list display ipv6 routing table ipv6 prefix ipv6 prefix name verbose Display IPv6 routing information of a routing protocol display ipv6 routing table protocol protocol inactive verbose Display...

Page 335: ...Configuring RIP Basic Functions 2 6 2 2 1 Configuration Prerequisites 2 6 2 2 2 Configuration Procedure 2 6 2 3 Configuring RIP Route Control 2 8 2 3 1 Configuring an Additional Routing Metric 2 8 2 3 2 Configuring RIPv2 Route Summarization 2 9 2 3 3 Disabling Host Route Reception 2 10 2 3 4 Advertising a Default Route 2 10 2 3 5 Configuring Inbound Outbound Route Filtering 2 11 2 3 6 Configuring ...

Page 336: ...3 1 Prerequisites 3 23 3 3 2 Configuration Procedure 3 23 3 4 Configuring OSPF Area Parameters 3 24 3 4 1 Prerequisites 3 24 3 4 2 Configuration Procedure 3 25 3 5 Configuring OSPF Network Types 3 25 3 5 1 Prerequisites 3 26 3 5 2 Configuring the OSPF Network Type for an Interface 3 26 3 5 3 Configuring an NBMA Neighbor 3 26 3 5 4 Configuring a Router Priority for an OSPF Interface 3 27 3 6 Config...

Page 337: ... Capability 3 42 3 8 2 Configuring the OSPF GR Helper 3 43 3 8 3 Triggering OSPF Graceful Restart 3 44 3 9 Displaying and Maintaining OSPF 3 45 3 10 OSPF Configuration Examples 3 46 3 10 1 Configuring OSPF Basic Functions 3 46 3 10 2 Configuring an OSPF Stub Area 3 50 3 10 3 Configuring an OSPF NSSA Area 3 53 3 10 4 Configuring OSPF DR Election 3 55 3 10 5 Configuring OSPF Virtual Links 3 60 3 10 ...

Page 338: ...c Host Name Mapping 4 31 4 5 8 Configuring IS IS Authentication 4 32 4 5 9 Configuring LSDB Overload Tag 4 33 4 5 10 Logging the Adjacency Changes 4 33 4 5 11 Enabling an Interface to Send Small Hello Packets 4 34 4 5 12 Enabling SNMP Trap 4 34 4 6 Configuring IS IS GR 4 34 4 7 Displaying and Maintaining IS IS 4 35 4 8 IS IS Configuration Example 4 37 4 8 1 IS IS Basic Configuration 4 37 4 8 2 DIS...

Page 339: ...Peer Groups 5 34 5 7 3 Configuring BGP Community 5 35 5 7 4 Configuring a BGP Route Reflector 5 35 5 7 5 Configuring a BGP Confederation 5 36 5 8 Configuring BGP GR 5 37 5 9 Displaying and Maintaining BGP 5 38 5 9 1 Displaying BGP 5 38 5 9 2 Resetting BGP Connections 5 39 5 9 3 Clearing BGP Information 5 39 5 10 BGP Configuration Examples 5 40 5 10 1 BGP Basic Configuration 5 40 5 10 2 BGP and IGP...

Page 340: ...figuring a Routing Policy 6 6 6 4 1 Prerequisites 6 6 6 4 2 Creating a Routing Policy 6 6 6 4 3 Defining if match Clauses for the Routing Policy 6 7 6 4 4 Defining apply Clauses for the Routing Policy 6 9 6 5 Displaying and Maintaining the Routing Policy 6 10 6 6 Routing Policy Configuration Example 6 10 6 6 1 Applying Routing Policy When Redistributing IPv4 Routes 6 10 6 7 Troubleshooting Routing...

Page 341: ...d usage of static routes can improve network performance and ensure bandwidth for important network applications The disadvantage of using static routes is that they cannot adapt to network topology changes If a fault or a topological change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the static routes manually 1 ...

Page 342: ...the destination address of the packet The system can find the corresponding link layer address and forward the packet only after the next hop address is specified When specifying the output interface note that z If the output interface is a NULL 0 or loopback interface there is no need to configure the next hop address z You are not recommended to specify a broadcast interface such as a VLAN inter...

Page 343: ...preference preference value tag tag value description description text Configure a static route ip route static vpn instance s vpn instance name 1 6 dest address mask mask length gateway address bfd control packet echo packet public interface type interface number gateway address bfd control packet echo packet vpn instance d vpn instance name gateway address bfd control packet echo packet preferen...

Page 344: ...FD session otherwise the BFD function cannot work To implement BFD with the echo packet mode the BFD function can work without the remote end needing to create any BFD session z If route oscillation occurs enabling BFD may make the oscillation more severe Be cautious for use of this kind 1 3 Displaying and Maintaining Static Routes To do Use the command Remarks Display the current configuration in...

Page 345: ...tch B SwitchB system view SwitchB ip route static 1 1 2 0 255 255 255 0 1 1 4 1 SwitchB ip route static 1 1 3 0 255 255 255 0 1 1 5 6 Configure a default route on Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the three hosts A B and C are 1 1 2 3 1 1 6 1 and 1 1 3 1 respectively The configuration procedure is omitted 4 D...

Page 346: ...y the IP routing table of Switch B SwitchB display ip routing table Routing Tables Public Destinations 10 Routes 10 Destination Mask Proto Pre Cost NextHop Interface 1 1 2 0 24 Static 60 0 1 1 4 1 Vlan500 1 1 3 0 24 Static 60 0 1 1 5 6 Vlan600 1 1 4 0 30 Direct 0 0 1 1 4 2 Vlan500 1 1 4 2 32 Direct 0 0 127 0 0 1 InLoop0 1 1 5 0 30 Direct 0 0 1 1 5 5 Vlan600 1 1 5 5 32 Direct 0 0 127 0 0 1 InLoop0 ...

Page 347: ... applicable to complex networks RIP is still widely used in practical networking due to easier implementation configuration and maintenance than OSPF and IS IS 2 1 1 RIP Working Mechanism I Basic concepts RIP is a distance vector routing protocol using UDP packets for exchanging information through port 520 RIP uses a hop count to measure the distance to a destination The hop count is known as the...

Page 348: ...uppressed state In the suppressed state only routes which come from the same neighbor and whose metric is less than 16 will be received by the router to replace unreachable routes z The garbage collect timer defines the interval from when the metric of a route becomes 16 to when it is deleted from the routing table During the garbage collect timer length RIP advertises the route with the routing m...

Page 349: ...st only RIPv1 protocol messages do not carry mask information which means it can only recognize routing information of natural networks such as Class A B C That is why RIPv1 does not support discontiguous subnets RIPv2 is a classless routing protocol Compared with RIPv1 RIPv2 has the following advantages z Supporting route tags Route tags are used in routing policies to flexibly control routes z S...

Page 350: ...or a host address z Metric Cost of the route II RIPv2 message format The format of RIPv2 message is similar with RIPv1 Figure 2 2 shows it Figure 2 2 RIPv2 Message Format The differences from RIPv1 are stated as following z Version Version of RIP For RIPv2 the value is 0x02 z Route Tag Route Tag z IP Address Destination IP address It could be a natural network address subnet address or host addres...

Page 351: ...hentication is adopted Note z RFC 1723 only defines plain text authentication For information about MD5 authentication refer to RFC2082 RIPv2 MD5 Authentication z With RIPv1 you can configure the authentication mode in interface view However the configuration will not take effect because RIPv1 does not support authentication 2 1 5 Supported RIP Features The current implementation supports the foll...

Page 352: ...twork network address Required Disabled by default Note z If you make some RIP configurations in interface view before enabling RIP those configurations will take effect after RIP is enabled z RIP runs only on the interfaces residing on the specified networks Therefore you need to specify the network after enabling RIP to validate RIP on a specific interface z You can enable RIP on all interfaces ...

Page 353: ...rsion otherwise it uses the RIP version configured on it z With RIPv1 configured an interface sends RIPv1 broadcasts and can receive RIPv1 broadcasts and RIPv1 unicasts z With RIPv2 configured a multicast interface sends RIPv2 multicasts and can receive RIPv2 unicasts broadcasts and multicasts z With RIPv2 configured a broadcast interface sends RIPv2 broadcasts and can receive RIPv1 unicasts and b...

Page 354: ...ity for RIP z Configuring RIP Route Redistribution Before configuring RIP routing feature complete the following tasks z Configure an IP address for each interface and make sure all neighboring routers are reachable to each other z Configure RIP basic functions 2 3 1 Configuring an Additional Routing Metric An additional routing metric can be added to the metric of an inbound or outbound RIP route...

Page 355: ...ble RIPv2 route automatic summarization if you want to advertise all subnet routes Follow these steps to enable RIPv2 route automatic summarization To do Use the command Remarks Enter system view System view Enter RIP view rip process id vpn instance vpn instance name Enable RIPv2 automatic route summarization summary Optional Enabled by default II Advertising a summary route You can configure RIP...

Page 356: ... case you can disable RIP from receiving host routes to save network resources Follow these steps to disable RIP from receiving host routes To do Use the command Remarks Enter system view System view Enter RIP view rip process id vpn instance vpn instance name Disable RIP from receiving host routes undo host route Required Enabled by default Note RIPv2 can be disabled from receiving host routes bu...

Page 357: ...eps to configure route filtering To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Configure the filtering of incoming routes filter policy acl number gateway ip prefix name ip prefix ip prefix name gateway ip prefix name import interface type interface number Required Not configured by default Configure the filtering of outgoi...

Page 358: ...ptional 100 by default 2 3 7 Configuring RIP Route Redistribution Follow these steps to configure RIP route redistribution To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Configure a default metric for redistributed routes default cost value Optional The default metric of a redistributed route is 0 by default Redistribute rou...

Page 359: ...garbage collect timer are 30s 180s 120s and 120s respectively Note Based on network performance you need to make RIP timers of RIP routers identical to each other to avoid unnecessary traffic or route oscillation 2 4 2 Configuring Split Horizon and Poison Reverse Note If both split horizon and poison reverse are configured only the poison reverse function takes effect I Enabling split horizon The ...

Page 360: ...erface number Enable poison reverse rip poison reverse Required Disabled by default 2 4 3 Configuring the Maximum Number of Load Balanced Routes Follow these steps to configure the maximum number of load balanced routes To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Configure the maximum number of load balanced routes maximu...

Page 361: ...he same network segment RIP discards the message For a message received on a serial interface RIP checks whether the source address of the message is the IP address of the peer interface If not RIP discards the message Follow these steps to enable source IP address check on incoming RIP updates To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance v...

Page 362: ...st or multicast links you need to manually specify RIP neighbors If a specified neighbor is not directly connected you must disable source address check on incoming updates Follow these steps to specify a RIP neighbor To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Specify a RIP neighbor peer ip address Required Not specified...

Page 363: ...s id vpn instance vpn instance name Display all active routes in RIP database display rip process id database Display RIP interface information display rip process id interface interface type interface number Display routing information about a specified RIP process display rip process id route statistics ip address mask mask length peer ip address Available in any view Clear the statistics of a R...

Page 364: ... 0 0 0 SwitchB rip 1 quit Display the RIP routing table of Switch A SwitchA display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 2 on Vlan interface100 Destination Mask Nexthop Cost Tag Flags Sec 10 0 0 0 8 192 168 1 2 1 0 RA 11 From the routing table you can find RIPv1 uses natural mask 3 Configure RIP version Configure RIPv2 on Switch A S...

Page 365: ... running on Switch B which communicates with Switch A through RIP100 and with Switch C through RIP 200 Configure route redistribution on Switch B letting the two RIP processes redistribute routes from each other Set the cost of redistributed routes from RIP 200 to 3 Configure a filtering policy on Switch B to filter out the route 4 1 1 1 24 from RIP200 making the route not advertised to Switch A I...

Page 366: ...n Switch C SwitchC system view SwitchC rip 200 SwitchC rip 200 network 3 0 0 0 SwitchC rip 200 network 4 0 0 0 SwitchC rip 200 network 5 0 0 0 SwitchC rip 200 version 2 SwitchC rip 200 undo summary Display the routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 6 Routes 6 Destination Mask Proto Pre Cost NextHop Interface 1 1 1 0 24 Direct 0 0 1 1 1 1 Vlan1...

Page 367: ...p0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 Configure an filtering policy to filter redistributed routes Define ACL 2000 and reference it to a filtering policy to filter routes redistributed from RIP 200 on Switch B SwitchB acl number 2000 SwitchB acl basic 2000 rule deny source 4 1 1 1 0 0 0 255 SwitchB acl basic 2000 rule permit SwitchB acl basic 2000 quit SwitchB rip 100 SwitchB rip 100 filt...

Page 368: ...rent configuration command to check RIP configuration z Use the display rip command to check whether some interface is disabled 2 7 2 Route Oscillation Occurred Symptom When all links work well route oscillation occurs on the RIP network After displaying the routing table you may find some routes appear and disappear in the routing table intermittently Analysis In the RIP network make sure all the...

Page 369: ...oute Control z Configuring OSPF Network Optimization z Configuring OSPF Graceful Restart z Displaying and Maintaining OSPF z OSPF Configuration Examples z Troubleshooting OSPF Configuration Note z The term router in this document refers to a router in a generic sense or an Ethernet switch running routing protocols z The value ranges of the parameters of the commands in this manual use the ranges a...

Page 370: ...ket multicasting on some types of links 3 1 1 Basic Concepts I Autonomous System A set of routers using the same routing protocol to exchange routing information constitute an Autonomous System AS II OSPF route computation OSPF route computation is described as follows z Based on the network topology around itself each router generates Link State Advertisements LSA and sends them to other routers ...

Page 371: ...eeded LSAs to the neighbor z LSAck link state acknowledgment packet Acknowledges received LSU packets It contains the headers of received LSAs a packet can acknowledge multiple LSAs V LSA types OSPF sends routing information in LSAs which as defined in RFC 2328 have the following types z Router LSA Type 1 LSA originated by all routers flooded throughout a single area only This LSA describes the co...

Page 372: ...lo packet via the OSPF interface and the router that receives the hello packet checks parameters carried in the packet If parameters of the two routers match they become neighbors Adjacency A relationship formed between selected neighboring routers for the purpose of exchanging routing information Not every pair of neighboring routers become adjacent which depends on network types Only by synchron...

Page 373: ...elong to one OSPF area 2 Area Border Router ABR An area border router belongs to more than two areas one of which must be the backbone area It connects the backbone area to a non backbone area The connection between an area border router and the backbone area can be physical or logical 3 Backbone Router At least one interface of a backbone router must be attached to the backbone area Therefore all...

Page 374: ...vity to the backbone area z The backbone area itself must maintain connectivity In practice due to physical limitations the requirements may not be satisfied In this case configuring OSPF virtual links is a solution A virtual link is established between two area border routers via a non backbone area and is configured on both ABRs to take effect The area that provides the non backbone area interna...

Page 375: ...a stub area does not distribute Type 5 LSAs into the area so the routing table size and amount of routing information in this area are reduced significantly You can configure the stub area as a totally stub area where the ABR advertises neither the destinations in other areas nor the external routes Stub area configuration is optional and not every area is eligible to be a stub area In general a s...

Page 376: ...to Area 1 Like stub areas virtual links cannot transit NSSA areas Figure 3 5 NSSA area VI Route summarization Route summarization An ABR or ASBR summarizes routes with the same prefix with a single route and distribute it to other areas Via route summarization routing information across areas and the size of routing tables on routers will be reduced improving calculation speed of routers For examp...

Page 377: ...ble with the cost of an OSPF internal route The cost from a router to the destination of the Type 1 external route the cost from the router to the corresponding ASBR the cost from the ASBR to the destination of the external route A Type 2 external route is an EGP route which has low credibility so OSPF considers the cost from the ASBR to the destination of the Type 2 external route is much bigger ...

Page 378: ...A networks are fully meshed non broadcast and multi access P2MP networks are not required to be fully meshed z It is required to elect the DR and BDR on NBMA networks while DR and BDR are not available on P2MP networks z NBMA is the default network type while P2MP is a conversion from other network types such as NBMA in general z On NBMA networks packets are unicast and neighbors are configured ma...

Page 379: ...f an interface determines its qualification for DR BDR election Interfaces attached to the network and having priorities higher than 0 are election candidates The election votes are hello packets Each router sends the DR elected by itself in a hello packet to all the other routers If two routers on the network declare themselves as the DR the router with the higher DR priority wins If DR prioritie...

Page 380: ... DD LSR LSU and LSAck respectively z Packet length Total length of the OSPF packet in bytes including the header z Router ID ID of the advertising router z Area ID ID of the area where the advertising router resides z Checksum Checksum of the message z Autype Authentication type from 0 to 2 corresponding with non authentication simple plaintext authentication and MD5 authentication respectively z ...

Page 381: ...ted with the router s sending interface If two routers have different network masks they cannot become neighbors z HelloInterval Interval for sending hello packets If two routers have different intervals they cannot become neighbors z Rtr Pri Router priority A value of 0 means the router cannot become the DR BDR z RouterDeadInterval Time before declaring a silent router down If two routers have di...

Page 382: ...et to 1 if more DD Packets are to follow z MS Master Slave The Master Slave bit When set to 1 it indicates that the router is the master during the database exchange process Otherwise the router is the slave z DD Sequence Number Used to sequence the collection of database description packets for ensuring reliability and intactness of DD packets between the master and slave The initial value is set...

Page 383: ...D Determined by LSA type z Advertising Router ID of the router that sent the LSA V LSU packet LSU Link State Update packets are used to send the requested LSAs to peers and each packet carries a collection of LSAs The LSU packet format is shown below Figure 3 13 LSU packet format VI LSAck packet LSAack Link State Acknowledgment packets are used to acknowledge received LSU packets contents includin...

Page 384: ...er as shown in the following figure Figure 3 15 LSA header format Major fields z LS age Time in seconds elapsed since the LSA was originated A LSA ages in the LSDB added by 1 per second but does not in transmission z LS type Type of the LSA z Link State ID The contents of this field depend on the LSA s type z LS sequence number Used by other routers to judge new and old LSAs z LS checksum Checksum...

Page 385: ...er of router links interfaces to the area described in the LSA z Link ID Determined by Link type z Link Data Determined by Link type z Type Link type A value of 1 indicates a point to point link to a remote router a value of 2 indicates a link to a transit network a value of 3 indicates a link to a stub network a value of 4 indicates a virtual link z TOS Number of different TOS metrics given for t...

Page 386: ...including the DR itself 3 Summary LSA Network summary LSAs Type 3 LSAs and ASBR summary LSAs Type 4 LSAs are originated by ABRs Other than the difference in the Link State ID field the format of type 3 and 4 summary LSAs is identical Figure 3 18 Summary LSA format Major fields z Link State ID For a Type 3 LSA it is an IP address outside the area for a type 4 LSA it is the router ID of an ASBR outs...

Page 387: ...route the Link State ID is always set to Default Destination 0 0 0 0 and the Network Mask is set to 0 0 0 0 z Network Mask The IP address mask for the advertised destination z E External Metric The type of the external metric value which is set to 1 for type 2 external routes and set to 0 for type 1 external routes Refer to Route types for description about external route types z metric The metric...

Page 388: ...teractions between different routing protocols Multiple OSPF processes can use the same RID An interface of a router can only belong to a single OSPF process II Authentication OSPF supports authentication on packets Only packets that pass the authentication are received If hello packets cannot pass authentication no neighbor relationship can be established The authentication type for interfaces at...

Page 389: ...le upon receiving the responses from neighbors After reestablishing a neighbor relationship the GR Restarter will synchronize the LSDB and exchange routing information with all adjacent GR capable neighbors After that the GR Restarter will update its own routing table and forwarding table based on the new routing information and remove the stale routes In this way the OSPF routing convergence is c...

Page 390: ...e LSA Minimum Repeat Arrival Interval Optional Specifying the LSA Generation Interval Optional Disabling Interfaces from Sending OSPF Packets Optional Configuring Stub Routers Optional Configuring OSPF Authentication Optional Adding the Interface MTU into DD Packets Optional Configuring the Maximum Number of External LSAs in LSDB Optional Making External Route Selection Rules Defined in RFC1583 Co...

Page 391: ...onfigure an OSPF process to run in a specified VPN instance to configure an association between the two The configurations for routers in an area are performed on the area basis Wrong configurations may cause communication failures even routing information block or routing loops between neighboring routers Follow these steps to configure OSPF basic functions To do Use the command Remarks Enter sys...

Page 392: ...s residing on the AS boundary you can configure them as stub areas to further reduce the size of routing tables on routers in these areas and the number of LSAs A stub area cannot redistribute routes and for this reason NSSA was introduced In NSSA areas Type 7 LSAs NSSA External LSAs can be advertised Type 7 LSAs originate from the ASBR in a NSSA area When arriving at the ABR in the NSSA area thes...

Page 393: ...ults to 1 Configure a virtual link vlink peer router id hello seconds retransmit seconds trans delay seconds dead seconds simple plain cipher password md5 hmac md5 key id plain cipher password Optional Configured on both ends of a virtual link Note that hello and dead parameters must be identical on both ends of the link Advertise a host route host advertise ip address cost Optional Not advertised...

Page 394: ...g neighboring nodes accessible with each other at network layer z OSPF basic functions 3 5 2 Configuring the OSPF Network Type for an Interface Follow these steps to configure the OSPF network type for an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure a network type ospf network type broadcast nbma p2mp...

Page 395: ...ce type interface number Configure a router priority for the interface ospf dr priority priority Optional The default router priority is 1 Note The DR priority configured with the ospf dr priority command and the one with the peer command have the following differences z The former is for actual DR election z The latter is to indicate whether a neighbor has the election right or not If you configu...

Page 396: ...OSPF areas on an ABR To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Enter OSPF area view area area id Required Configure ABR route summarization abr summary ip address mask mask length advertise not advertise cost cost Required Available on an ABR only Not configured by default Follow these steps to configu...

Page 397: ... by default Note Since OSPF is a link state based interior gateway protocol routing information is contained in LSAs However OSPF cannot filter LSAs Using the filter policy import command is to filter routes computed by OSPF and only routes not filtered out are installed into the routing table 3 6 4 Configuring ABR Type 3 LSA Filtering Follow these steps to configure Type 3 LSA filtering on an ABR...

Page 398: ...re a bandwidth reference value To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Configure a bandwidth reference value bandwidth reference value Optional The value defaults to 100 Mbps Note If no OSPF cost is configured for an interface OSPF computes the cost automatically Interface OSPF cost Bandwidth referen...

Page 399: ...f process id router id router id vpn instance instance name Configure the maximum number of equivalent load balanced routes maximum load balancing maximum Optional 4 by default 3 6 8 Configuring a Priority for OSPF A router may run multiple routing protocols and it sets a priority for each protocol When a route found by several routing protocols the route found by the protocol with the highest pri...

Page 400: ...equired Not configured by default Configure OSPF to filter redistributed routes before advertisement filter policy acl number ip prefix ip prefix name export protocol process id Optional Not configured by default Redistribute a default route default route advertise always cost cost type type route policy route policy name default route advertise summary cost cost Optional Not redistributed by defa...

Page 401: ...ork Optimization You can optimize your OSPF network in the following ways z Change OSPF packet timers to adjust the OSPF network convergence speed and network load On low speed links you need to consider the delay time for sending LSAs on interfaces z Change the interval for SPF calculation to reduce resource consumption caused by frequent network changes z Configure OSPF authentication to meet hi...

Page 402: ... and defaults to 30 seconds on P2MP and NBMA interfaces Specify the poll interval ospf timer poll seconds Optional The poll interval defaults to 120 seconds Specify the dead interval ospf timer dead seconds Optional The default dead interval is 40 seconds on P2P Broadcast interfaces and 120 seconds on P2MP and NBMA interfaces Specify the retransmission interval ospf timer retransmit interval Optio...

Page 403: ...anges frequently a large amount of network resources will be occupied reducing the working efficiency of routers You can adjust the SPF calculation interval for the network to reduce negative influence Follow these steps to configure SPF calculation interval To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Sp...

Page 404: ... 1000 milliseconds Note The interval set with the lsa arrival interval command should be smaller or equal to the interval set with the lsa generation interval command 3 7 6 Specifying the LSA Generation Interval With this feature configured you can protect network resources and routers from being over consumed due to frequent network changes Follow these steps to configure the LSA generation inter...

Page 405: ...cesses can disable the same interface from sending OSPF packets Use of the silent interface command disables only the interfaces associated with the current process rather than interfaces associated with other processes z After an OSPF interface is set to silent other interfaces on the router can still advertise direct routes of the interface in Router LSAs but no OSPF packet can be advertised for...

Page 406: ...ed Not configured by default Note A stub router has nothing to do with a stub area 3 7 9 Configuring OSPF Authentication By supporting packet authentication OSPF receives packets that pass the authentication only so failed packets cannot establish neighboring relationships Follow these steps to configure OSPF authentication To do Use the command Remarks Enter system view system view Enter OSPF vie...

Page 407: ... into DD Packets Generally when an interface sends a DD packet it adds 0 into the Interface MTU field of the DD packet rather than the interface MTU Follow these steps to add the interface MTU into DD packets To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable OSPF to add the interface MTU into DD packets ospf mtu enable...

Page 408: ...e them compatible To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Required Make RFC1583 compatible rfc1583 compatible Optional Compatible by default 3 7 13 Logging Neighbor State Changes Follow these steps to enable the logging of neighbor state changes To do Use the command Remarks Enter system view system ...

Page 409: ...atechange viriftxretransmit virnbrstatechange Optional Enabled by default Enter OSPF view ospf process id router id router id vpn instance instance name Enable messages logging enable log config error state Optional Not enabled by default 3 7 15 Enabling the Advertisement and Reception of Opaque LSAs With this feature enabled the OSPF router can receive and advertise Type 9 Type 10 and Type 11 opa...

Page 410: ...of opaque LSAs opaque capability enable Required Disabled by default Enable the IETF standard Graceful Restart capability for OSPF graceful restart ietf Optional Disabled by default Configure the Graceful Restart interval for OSPF graceful restart interval timer Optional 120 seconds by default Note z A device configured with the graceful restart ietf command can act as a GR Restarter and GR Helper...

Page 411: ...ul restart ietf command can act as a GR Restarter and GR Helper at the same time z A device not configured with the graceful restart ietf command can act as a GR Helper only 3 8 2 Configuring the OSPF GR Helper Follow these steps to configure the OSPF GR Helper To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name...

Page 412: ...trigger OSPF Graceful Restart Ensure that these routers are enabled with the following capabilities first z LLS link local signaling z OOB out of band re synchronization z Opaque LSA advertisement z IETF GR capability Follow these steps to trigger OSPF Graceful Restart To do Use the command Remarks Trigger OSPF Graceful Restart reset ospf process id process graceful restart Required Available in u...

Page 413: ...peer statistics Display next hop information display ospf process id nexthop Display routing table information display ospf process id routing interface interface type interface number nexthop nexthop address Display virtual link information display ospf process id vlink Display OSPF request queue information display ospf process id request queue interface type interface number neighbor id Display...

Page 414: ... process id redistribution Available in user view 3 10 OSPF Configuration Examples Note These examples only cover commands for OSPF configuration 3 10 1 Configuring OSPF Basic Functions I Network requirements As shown in the following figure all switches run OSPF The AS is split into three areas in which Switch A and Switch B act as ABRs to forward routing information between areas After configura...

Page 415: ...ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 192 168 0 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 area 2 SwitchB ospf 1 area 0 0 0 2 network 192 168 2 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 2 quit SwitchB ospf 1 quit Configure Switch C SwitchC system view SwitchC ospf SwitchC ospf 1 area 1 SwitchC ospf 1 area 0 0 0 1 network 192 168 1 0 0 0 0 255 SwitchC ospf 1 ar...

Page 416: ...e Normal State Full Mode Nbr is Slave Priority 1 DR 192 168 0 1 BDR 172 16 1 1 MTU 0 Dead timer due in 39 sec Neighbor is up for 00 07 32 Authentication Sequence 0 Display OSPF routing information on Switch A SwitchA display ospf routing OSPF Process 1 with Router ID 192 168 0 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 172 16 1 0 24 1563 Stub 192 168 1 2 172 ...

Page 417: ...28 28 80000001 3124 Sum Net 192 168 0 0 192 168 0 1 630 28 80000001 1562 Display OSPF routing information on Switch D SwitchD display ospf routing OSPF Process 1 with Router ID 192 168 2 2 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 172 16 1 0 24 4687 Inter area 192 168 2 1 192 168 2 1 0 0 0 2 172 17 1 0 24 1 Stub 172 17 1 1 192 168 2 2 0 0 0 2 192 168 1 0 24 46...

Page 418: ...on between areas Switch D acts as the ASBR to redistribute routes static routes It is required to configure Area 1 as a Stub area reducing LSAs to this area without affecting route reachability II Network diagram Figure 3 22 Network diagram for OSPF Stub area configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF basic functions refer to Configur...

Page 419: ...0 24 4687 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 1 0 24 1562 Stub 192 168 1 2 172 16 1 1 0 0 0 1 192 168 2 0 24 4686 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 0 0 24 3124 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 200 0 0 0 8 10 Type2 1 192 168 1 1 172 17 1 1 Routing for NSSAs Destination Cost Type Tag NextHop AdvRou...

Page 420: ...0 24 1 Stub 172 16 1 1 172 16 1 1 0 0 0 1 172 17 1 0 24 68660 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 1 0 24 1562 Stub 192 168 1 2 172 16 1 1 0 0 0 1 192 168 2 0 24 68659 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 0 0 24 67097 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 Total Nets 6 Intra Area 2 Inter Area 4 ASE 0 NSSA 0 Note When Switch C resides in the Stub area a default route...

Page 421: ...y one default external route 3 10 3 Configuring an OSPF NSSA Area I Network requirements The following figure shows an AS is split into three areas where all switches run OSPF Switch A and Switch B act as ABRs to forward routing information between areas Switch D acts as the ASBR to redistribute routes static routes It is required to configure Area 1 as an NSSA area and configure Router C as the A...

Page 422: ...o configure the nssa command with the keyword default route advertise no summary on Switch A an ABR to reduce the routing table size on NSSA routers On other NSSA routers using the nssa command is ok Display OSPF routing information on Switch C SwitchC display ospf routing OSPF Process 1 with Router ID 172 16 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 0 0 0...

Page 423: ...192 168 0 2 0 0 0 2 192 168 2 0 24 1562 Stub 192 168 2 2 172 17 1 1 0 0 0 2 192 168 0 0 24 3124 Inter area 192 168 2 1 192 168 0 2 0 0 0 2 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 100 0 0 0 8 10 Type2 1 192 168 2 1 192 168 0 1 Routing for NSSAs Destination Cost Type Tag NextHop AdvRouter Total Nets 6 Intra Area 2 Inter Area 3 ASE 1 NSSA 0 Note You can see on Switch D an externa...

Page 424: ... Configure Switch A SwitchA system view Switch A router id 1 1 1 1 Switch A ospf Switch A ospf 1 area 0 Switch A ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 quit SwitchA ospf 1 quit Configure Switch B SwitchB system view SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 qu...

Page 425: ...ne Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 38 sec Neighbor is up for 00 01 31 Authentication Sequence 0 Router ID 3 3 3 3 Address 192 168 1 3 GR State Normal State Full Mode Nbr is Master Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 01 28 Authentication Sequence 0 Router ID 4 4 4 4 Address 192 168 1 4 GR State Normal State...

Page 426: ... 168 1 4 Vlan interface1 s neighbors Router ID 1 1 1 1 Address 192 168 1 1 GR State Normal State Full Mode Nbr is Slave Priority 100 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 11 17 Authentication Sequence 0 Router ID 2 2 2 2 Address 192 168 1 2 GR State Normal State Full Mode Nbr is Slave Priority 0 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 35...

Page 427: ...imer due in 39 sec Neighbor is up for 00 01 40 Authentication Sequence 0 Router ID 2 2 2 2 Address 192 168 1 2 GR State Normal State 2 Way Mode None Priority 0 DR 192 168 1 1 BDR 192 168 1 3 MTU 0 Dead timer due in 35 sec Neighbor is up for 00 01 44 Authentication Sequence 0 Router ID 3 3 3 3 Address 192 168 1 3 GR State Normal State Full Mode Nbr is Slave Priority 2 DR 192 168 1 1 BDR 192 168 1 3...

Page 428: ...f interface OSPF Process 1 with Router ID 2 2 2 2 Interfaces Area 0 0 0 0 IP Address Type State Cost Pri DR BDR 192 168 1 2 Broadcast DROther 1 0 192 168 1 1 192 168 1 3 Note The interface state DROther means the interface is not the DR BDR 3 10 5 Configuring OSPF Virtual Links I Network requirements In the following figure Area 2 has no direct connection to Area 0 and Area 1 acts as the Transit A...

Page 429: ... ospf 1 area 1 SwitchA ospf 1 area 0 0 0 1 network 192 168 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 1 quit Configure Switch B SwitchB system view SwitchB ospf 1 router id 2 2 2 2 SwitchB ospf 1 area 1 SwitchB ospf 1 area 0 0 0 1 network 192 168 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 1 quit SwitchB ospf 1 area 2 SwitchB ospf 1 area 0 0 0 2 network 172 16 0 0 0 0 255 255 SwitchB ospf 1 area 0 0 0 2 ...

Page 430: ... 0 0 0 1 quit SwitchA ospf 1 quit Configure Switch B SwitchB ospf 1 SwitchB ospf 1 area 1 SwitchB ospf 1 area 0 0 0 1 vlink peer 1 1 1 1 SwitchB ospf 1 area 0 0 0 1 quit Display OSPF routing information on Switch A SwitchA display ospf routing OSPF Process 1 with Router ID 1 1 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 172 16 1 1 16 1563 Inter 192 168 1 2 2...

Page 431: ...ch C Switch B Router ID 1 1 1 1 Router ID 2 2 2 2 Router ID 3 3 3 3 Figure 3 26 Network diagram for OSPF based GR configuration III Configuration procedure 1 Configure Switch A SwitchA system view SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 1 1 1 255 255 255 0 SwitchA Vlan interface100 quit SwitchA router id 1 1 1 1 SwitchA ospf 100 SwitchA ospf 100 enable link lo...

Page 432: ... SwitchC ospf 100 SwitchC ospf 100 enable link local signaling SwitchC ospf 100 enable out of band resynchronization SwitchC ospf 100 area 0 SwitchC ospf 100 area 0 0 0 0 network 192 1 1 0 0 0 0 255 SwitchC ospf 100 area 0 0 0 0 quit 4 Verify the configuration After the configurations on Switch A Switch B and Switch C are completed and the switches are running steadily perform OSPF GR on Switch A ...

Page 433: ... other areas If a router connects to more than one area at least one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cannot receive external routes and all interfaces connected to the Stub area must belong to the Stub area III Solution 1 Use the display ospf peer command to display neighbors 2 Use the display ospf interface command...

Page 434: ...ual use the ranges assuming the switch operate in the default mode When the switch operates in the IPv4 IPv6 dual stack or the MCE mode the value ranges of some parameters may vary For the operating modes of the switch refer to the parts discussing IPv6 configuration or MCE 4 1 IS IS Overview Intermediate System to Intermediate System IS IS is a dynamic routing protocol designed by the Internation...

Page 435: ... Link State Packet LSP Each IS can generate a LSP which contains all the link state information of the IS z Network Protocol Data Unit NPDU An NPDU is a network layer protocol packet in ISO which is equivalent to an IP packet in TCP IP z Designated IS On a broadcast network the designated router is also known as the designated IS or a pseudonode z Network service access point NSAP The NSAP is the ...

Page 436: ...ter ID the system ID in IS IS can be obtained in the following way z Extend each decimal number of the IP address to 3 digits by adding 0s from the left like 168 010 001 001 z Divide the extended IP address into 3 sections with 4 digits in each section to get the System ID 1680 1000 1001 There are other methods to define a system ID Just make sure it can uniquely identify a host or router 4 SEL Th...

Page 437: ... The Level 1 router only establishes the neighbor relationship with Level 1 and Level 1 2 routers in the same area The LSDB maintained by the Level 1 router contains the local area routing information It directs the packets out of the area to the nearest Level 1 2 router 2 Level 2 router The Level 2 router establishes the neighbor relationships with the Level 2 and Level 1 2 routers in the same or...

Page 438: ...Area 1 is a set of Level 2 routers called backbone network The other four areas are non backbone networks connected to the backbone through Level 1 2 routers Figure 4 2 IS IS topology Figure 4 3 shows another network topology running the IS IS protocol The Level 1 2 routers connect the Level 1 and Level 2 routers and also form the IS IS backbone together with the Level 2 routers There is no area d...

Page 439: ...y type by configuring the routing hierarchy on the interface For example the level 1 interface can only establish Level 1 adjacency while the level 2 interface can only establish Level 2 adjacency By having this function you can prevent the Level 1 hello packets from propagating to the Level 2 backbone through the Lever 1 2 router This can result in bandwidth saving IV Route leaking An IS IS routi...

Page 440: ...k such as PPP HDLC Note For the Non Broadcast Multi Access NBMA network such as ATM you need to configure point to point or broadcast network on its configured subinterfaces IS IS does not run on Point to Multipoint P2MP links II DIS and pseudonodes On an IS IS broadcast network a router has to be selected as the Designated Intermediate System DIS The Level 1 and Level 2 DISs are selected respecti...

Page 441: ...odes can reduce LSPs the resources used by SPF and simplify the network topology Note On IS IS broadcast networks all routers are adjacent with each other The DIS is responsible for the synchronization of their LSDBs 4 1 4 IS IS PDU Format I PDU header format The IS IS packets are encapsulated into link layer frames The Protocol Data Unit PDU consists of two parts the headers and the variable leng...

Page 442: ...ecific headers present in bytes z Version Protocol ID Extension Set to 1 0x01 z ID Length The length of the NSAP address and NET ID z R Reserved Set to 0 z PDU Type For detail information refer to Table 4 1 z Version Set to 1 0x01 z Maximum Area Address Maximum number of area addresses supported Table 4 1 PDU type Type PDU Type Acronym 15 Level 1 LAN IS IS hello PDU L1 LAN IIH 16 Level 2 LAN IS IS...

Page 443: ...dcast networks where the blue fields are the common header Figure 4 7 L1 L2 LAN IIH format z Reserved Circuit Type The first 6 bits are reserved with value 0 The last 2 bits indicates router types 00 means reserved 01 indicates L1 10 indicates L2 and 11 indicates L1 2 z Source ID The system ID of the router advertising the hello packet z Holding Time If no hello packets are received from a neighbo...

Page 444: ...ime PDU length Local Circuit ID Variable length fields 1 ID length 2 2 1 Figure 4 8 P2P IIH format Instead of the priority and LAN ID fields in the LAN IIH the P2P IIH has a Local Circuit ID field IV LSP packet format The Link State PDUs LSP carries link state information There are two types Level 1 LSP and Level 2 LSP The Level 2 LSP is sent by the Level 2 router and the Level 1 LSP is sent by th...

Page 445: ...enerated by the L1 L1 router only related with L1 LSP indicates that the router generating the LSP is connected with multiple areas z OL LSDB Overload Indicates that the LSDB is not complete because the router is running out of system resources In this condition other routers will not send packets to the overloaded router except packets destined to the networks directly connected to the router For...

Page 446: ...d Level 2 PSNP CSNP covers the summary of all LSPs in the LSDB to synchronize the LSDB between neighboring routers On broadcast networks CSNP is sent by the DIS periodically 10s by default On point to point networks CSNP is only sent during the first adjacency establishment The CSNP packet format is shown in Figure 4 11 Intradomain routing protocol discriminator Reserved Version R ID length Versio...

Page 447: ...Protocol ID extension Length indicator Maximum area address R R PDU type No of Octets 1 1 1 1 1 1 1 1 PDU length Source ID Variable length fields 2 ID length 1 Figure 4 12 L1 L2 PSNP format VI CLV The variable fields of PDU are composed of multiple Code Length Value CLV triplets Figure 4 13 shows the CLV format Figure 4 13 CLV format Table 4 2 shows different PDUs contain different CLVs Table 4 2 ...

Page 448: ...IS process to work in concert with a group of interfaces This means that a router can run multiple IS IS processes and each process corresponds to a unique group of interfaces For routers supporting VPN each IS IS process is associated with a designated VPN instance Thus the VPN instance is also associated with interfaces corresponding to the process II IS IS Graceful Restart Note For detailed GR ...

Page 449: ...er field allowing a maximum of only 256 fragments to be generated by an IS IS router limits the amount of link information that the IS IS router can advertise The LSP fragment extension feature allows an IS IS router to generate more LSP fragments Up to 50 additional virtual systems can be configured on the router with each virtual system capable of generating 256 LSP fragments to enable the IS IS...

Page 450: ...ink state information in the extended LSP fragments advertised by the virtual systems z Mode 2 This mode is recommended in a network where all the routers support LSP fragment extension In this mode all the IS IS routers in the network know which originating system the LSPs generated by the virtual systems belong to therefore no limitation is imposed on the link state information of the extended L...

Page 451: ...S z RFC 3373 Three Way Handshake for IS IS Point to Point Adjacencies z RFC 3567 Intermediate System to Intermediate System IS IS Cryptographic Authentication z RFC 3719 Recommendations for Interoperable Networks using IS IS z RFC 3786 Extending the Number of IS IS LSP Fragments Beyond the 256 Limit z RFC 3787 Recommendations for Interoperable IP Networks using IS IS z RFC 3847 Restart signaling f...

Page 452: ...erface to Send Small Hello Packets Optional Tuning and Optimizing IS IS Network Enabling SNMP Trap Optional Configuring IS IS GR Optional 4 3 Configuring IS IS Basic Functions 4 3 1 Configuration Prerequisites Before the configuration configure an IP address for each interface and make sure all nodes are reachable 4 3 2 Configuration Procedure Follow these steps to configure IS IS basic functions ...

Page 453: ...isis circuit level level 1 level 1 2 level 2 Optional The default type is level 1 2 Note If a router s type is configured as Level 1 or Level 2 the type of interfaces must be the same which cannot be changed using the isis circuit level command However an interface s type can be changed with this command when the router s type is Level 1 2 for the establishment of a specific level adjacency 4 4 Co...

Page 454: ...ink cost in descending order of interface costs z Interface cost Assign a link cost for a single interface z Global cost Assign a link cost for all interfaces z Automatically calculated cost Calculate the link cost based on the bandwidth of an interface Interface cost defaults to 10 I Configure an IS IS cost for an interface Follow these steps to configure an interface s cost To do Use the command...

Page 455: ...bal IS IS cost circuit cost value level 1 level 2 Required Not specified by default III Enable automatic IS IS cost calculation Follow these steps to enable automatic IS IS cost calculation To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Specify an IS IS cost style cost style narrow wide wide compatible compatible narrow c...

Page 456: ...rface cost is 40 if the interface bandwidth is in the range of 156 M to 622 M the interface cost is 30 if the interface bandwidth is in the range of 623 M to 2500 M the interface cost is 20 and the default interface cost of 10 is used for any other bandwidths 4 4 4 Configuring the Maximum Number of Equal Cost Routes If there are more than one equal cost routes to the same destination the traffic c...

Page 457: ...default Note The cost of the summary route is the lowest cost among those summarized routes 4 4 6 Advertising a Default Route Follow these steps to advertise a default route To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Advertise a default route default route advertise route policy route policy name level 1 level 2 level...

Page 458: ... view Enter IS IS view isis process id vpn instance vpn instance name Redistribute routes from another routing protocol import route isis process id ospf process id rip process id bgp allow ibgp direct static cost cost cost type external internal level 1 level 1 2 level 2 route policy route policy name tag tag Required No route is redistributed by default If no level is specified routes are redist...

Page 459: ...es from Level 2 to Level 1 Other routing policies specified for route reception and redistribution does not affect the route leaking 4 5 Tuning and Optimizing IS IS Network 4 5 1 Configuration Prerequisites Before the configuration accomplish the following tasks first z Configure an IP address on each interface and make sure all nodes are reachable z Configure basic IS IS functions 4 5 2 Configuri...

Page 460: ...r interface view interface interface type interface number Specify the interval between hello packets isis timer hello seconds level 1 level 2 Optional 10 seconds by default Specify the number of hello packets within the time for receiving the specified hello packets if no hello packets are received on the interface the neighbor is considered dead isis timer holding multiplier value level 1 level ...

Page 461: ...it applies to the level z On a point to point link if there is no response to a LSP sent by the local router within the specified retransmission interval the LSP is considered lost and the same LSP will be retransmitted On broadcast links responses to the sent LSPs are not required z The interval between hello packets sent by the DIS is 1 3 the hello interval set by the isis timer hello command 4 ...

Page 462: ... LSP refresh interval timer lsp refresh seconds Optional 900 seconds by default Specify the maximum LSP aging time timer lsp max age seconds Optional 1200 seconds by default Specify LSP generation interval timer lsp generation maximum interval initial interval incremental interval level 1 level 2 Optional 2 seconds by default Enable the LSP flash flooding function flash flood flood count flooding ...

Page 463: ...cess enabled must not be less than 512 otherwise LSP fragment extension will not take effect z At least one virtual system needs to be configured for the router to generate extended LSP fragments 4 5 6 Configuring SPF Parameters When the LSDB changes in an IS IS network a routing calculation starts If the changes happen frequently it will take a lot of system resources You can set the interval for...

Page 464: ...m view system view Enter IS IS view isis process id vpn instance vpn instance name Assign a local host name is name sys name Required No name is assigned by default This command also enables the mapping between the local system ID and host name Assign a remote host name and create a mapping between the host name and a system ID is name map sys id map sys name Optional One system ID only maps to on...

Page 465: ...t in order to authenticate neighbors All interfaces within a network must share the same authentication password at the same level Follow these steps to configure the authentication function To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Specify the area authentication mode area authentication m ode simple md5 password ip...

Page 466: ...olate a router from the IS IS network by setting the overload tag Follow these steps to configure the LSDB overload tag To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Configure the overload tag set overload on startup start from nbr system id timeout nbr timeout allow interlevel external Required Not configured by default...

Page 467: ...nce name Enable SNMP Trap is snmp traps enable Required Enabled by default 4 6 Configuring IS IS GR An ISIS restart may cause the termination of the adjacencies between a restarting router and its neighbors resulting in a transient network disconnection IS IS Graceful Restart can help to solve this problem by notifying its neighbors its restarting state to allow them to reestablish the adjacency w...

Page 468: ... these steps to configure GR on the GR Restarter and GR Helper respectively To do Use the command Remarks Enter system view system view Enable IS IS and enter IS IS view isis process id vpn instance vpn instance name Required Disabled by default Enable the GR capability for IS IS graceful restart Required Disabled by default Set the Graceful Restart interval graceful restart interval timer Require...

Page 469: ...ailable in any view Display IS IS routing information display isis route ipv4 level 1 level 2 verbose process id vpn instance vpn instance name Available in any view Display SPF calculation log information display isis spf log process id vpn instance vpn instance name Available in any view Display the statistics about an IS IS process display isis statistics level 1 level 2 level 1 2 process id vp...

Page 470: ...h D is in area 20 II Network diagram Figure 4 14 Network diagram for IS IS basic configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure IS IS Configure Switch A SwitchA system view SwitchA isis 1 SwitchA isis 1 is level level 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA isis 1 quit SwitchA interface vlan interface 100 SwitchA Vlan inte...

Page 471: ...witchC interface vlan interface 300 SwitchC Vlan interface300 isis enable 1 SwitchC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 is level level 2 SwitchD isis 1 network entity 20 0000 0000 0004 00 SwitchD isis 1 quit SwitchD interface vlan interface 100 SwitchD Vlan interface100 isis enable 1 SwitchD Vlan interface100 quit SwitchD interface vlan inter...

Page 472: ...b60 988 68 0 0 0 0000 0000 0002 00 00 0x00000008 0xe651 1189 68 0 0 0 0000 0000 0002 01 00 0x00000005 0xd2b3 1188 55 0 0 0 0000 0000 0003 00 00 0x00000014 0x194a 1190 111 1 0 0 0000 0000 0003 01 00 0x00000002 0xabdb 995 55 0 0 0 Self LSP Self LSP Extended ATT Attached P Partition OL Overload SwitchC display isis lsdb Database information for ISIS 1 Level 1 Link State Database LSPID Seq Num Checksu...

Page 473: ... ATT P OL 0000 0000 0003 00 00 0x00000013 0xc73d 1003 100 0 0 0 0000 0000 0004 00 00 0x0000003c 0xd647 1194 84 0 0 0 0000 0000 0004 01 00 0x00000002 0xec96 1007 55 0 0 0 Self LSP Self LSP Extended ATT Attached P Partition OL Overload Display the IS IS routing information of each switch Level 1 switches should have a default route with the next hop being the Level 1 2 switch The Level 2 switch shou...

Page 474: ...4 10 NULL Vlan100 Direct D L 10 1 2 0 24 10 NULL Vlan200 Direct D L Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set ISIS 1 IPv4 Level 2 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 192 168 0 0 24 10 NULL Vlan300 Direct D L 10 1 1 0 24 10 NULL Vlan100 Direct D L 10 1 2 0 24 10 NULL Vlan200 Direct D L 172 16 0 0 16 20 NULL Vlan300 192 168 0 2 R Fl...

Page 475: ...e in IS IS area 10 on a broadcast network Ethernet Switch A and Switch B are Level 1 2 switches Switch C is a Level 1 switch and Switch D is a Level 2 switch Change the DIS priority of Switch A to make it selected as the Level 1 2 DIS router II Network diagram Figure 4 15 Network diagram for DIS selection III Configuration procedure 1 Configure an IP address for each interface omitted 2 Enable IS ...

Page 476: ...isis enable 1 SwitchC Vlan interface100 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 network entity 10 0000 0000 0004 00 SwitchD isis 1 is level level 2 SwitchD isis 1 quit SwitchD interface vlan interface 100 SwitchD Vlan interface100 isis enable 1 SwitchD Vlan interface100 quit Display information about IS IS neighbors of Switch A SwitchA display isis peer Peer infor...

Page 477: ...terfaces of Switch C SwitchC display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 Yes No Display information about IS IS interfaces of Switch D SwitchD display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No Yes Note...

Page 478: ... System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 28s Type L2 L1L2 PRI 64 System Id 0000 0000 0004 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 30s Type L2 PRI 64 Display information about IS IS interfaces of Switch A SwitchA display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 S...

Page 479: ... for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No No Display information about IS IS neighbors and interfaces of Switch D SwitchD display isis peer Peer information for ISIS 1 System Id 0000 0000 0001 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 9s Type L2 PRI 100 System Id 0000 0000 0002 Interface Vlan interface10...

Page 480: ...witches ensuring that Switch A Switch B and Switch C can communicate with each other at layer 3 and dynamic route update can be implemented among them with IS IS The configuration procedure is omitted here 2 Configure IS IS Graceful Restart Enable IS IS Graceful Restart on Switch A and configure the Graceful Restart Interval SwitchA system view SwitchA isis 1 SwitchA isis 1 graceful restart Switch...

Page 481: ...it Supported Total Number of Interfaces 1 Restart Status RESTARTING T3 Timer Status Remaining Time 65535 T2 Timer Status Remaining Time 59 Interface Vlan1 T1 Timer Status Remaining Time 1 RA Not Received Complete CSNP Not Received Number of T1 Pre Expiry 0 IS IS 1 Level 2 Restart Status Restart Interval 150 SA Bit Supported Total Number of Interfaces 1 Restart Status RESTARTING T3 Timer Status Rem...

Page 482: ...ment z The value ranges of the parameters of the commands in this manual use the ranges assuming the switch operate in the default mode When the switch operates in the IPv4 IPv6 dual stack or the MCE mode the value ranges of some parameters may vary For the operating modes of the switch refer to the parts discussing IPv6 configuration and MCE 5 1 BGP Overview Three early versions of BGP are BGP 1 ...

Page 483: ...mation with other BGP speakers When a BGP speaker receives a new route or a route better than the current one from another AS it will advertise the route to all the other BGP speakers in the local AS BGP speakers call each other peers and several associated peers form a peer group BGP runs on a router in one of the following two modes z IBGP Interior BGP z EBGP External BGP BGP is called IBGP when...

Page 484: ...5 2 BGP open message format z Version This 1 byte unsigned integer indicates the protocol version number of the message The current BGP version is 4 z My Autonomous System This 2 byte unsigned integer indicates the Autonomous System number of the sender z Hold Time When establishing peer relationship two parties negotiate an identical hold time If no Keepalive or Update is received from a peer aft...

Page 485: ...tal length of the Path Attributes field in bytes A value of 0 indicates that no Network Layer Reachability Information field is present in this Update message z Path Attributes List of path attributes related to NLRI Each path attribute is a triple attribute type attribute length attribute value of variable length BGP uses these attributes to avoid routing loops perform routing and protocol extens...

Page 486: ...Must be recognized by all BGP routers and must be included in every update message Routing information error occurs without this attribute z Well known discretionary Can be recognized by all BGP routers and optional to be included in every update message as needed z Optional transitive Transitive attribute between ASs A BGP router not supporting this attribute can still receive routes with this at...

Page 487: ...k command have the IGP attribute z EGP Has the second highest priority Routes obtained via EGP have the EGP attribute z incomplete Has the lowest priority The source of routes with this attribute is unknown which does not mean such routes are unreachable The routes redistributed from other routing protocols have the incomplete attribute 2 AS_PATH AS_PATH is a well known mandatory attribute This at...

Page 488: ... are the same As shown in the above figure the BGP router in AS50 gives priority to the route passing AS40 for sending information to the destination 8 0 0 0 In some applications you can apply a routing policy to control BGP route selection by modifying the AS_PATH length By configuring an AS path filtering list you can filter routes based on AS numbers contained in the AS_PATH attribute 3 NEXT_HO...

Page 489: ...ancing information refer to BGP Route Selection Figure 5 7 NEXT_HOP attribute 4 MED MULTI_EXIT_DISC The MED attribute is exchanged between two neighboring ASs each of which does not advertise the attribute to any other AS Similar with metrics used by IGP MED is used to determine the best route for traffic going into an AS When a BGP router obtains multiple routes to the same destination but with d...

Page 490: ... that is selected according to LOCAL_PREF EBGP Router B Router A Router C Router D D 8 0 0 0 NEXT_HOP 3 1 1 1 LOCAL_PREF 200 IBGP IBGP IBGP EBGP 2 1 1 1 8 0 0 0 LOCAL_PREF 100 NEXT_HOP 2 1 1 1 LOCAL_PREF 100 LOCAL_PREF 200 3 1 1 1 AS 20 AS 10 Figure 5 9 LOCAL_PREF attribute 6 COMMUNITY The COMMUNITY attribute is used to simplify routing policy usage and ease management and maintenance It is a coll...

Page 491: ... route with the smallest ORIGINATOR_ID z Select the route advertised by the router with the smallest Router ID Note z CLUSTER_IDs of route reflectors form a CLUSTER_LIST If a route reflector receives a route that contains its own CLUSTER ID in the CLUSTER_LIST the router discards the route to avoid routing loops z If load balancing is configured the system selects available routes to implement loa...

Page 492: ...e the same AS_PATH ORIGIN LOCAL_PREF and MED z BGP load balancing is applicable between EBGPs between IBGPs and between confederations z If multiple routes to the same destination are available BGP selects routes for load balancing according to the configured maximum number of load balanced routes Figure 5 10 Network diagram for BGP load balancing In the above figure Router D and Router E are IBGP...

Page 493: ...GP Synchronization The routing information synchronization between IBGP and IGP is for avoidance of giving wrong directions to routers outside of the local AS If a non BGP router works in an AS a packet forwarded via the router may be discarded due to an unreachable destination As shown in Figure 5 11 Router E learned a route of 8 0 0 0 8 from Router D via BGP Then Router E sends a packet to Route...

Page 494: ...curs the routing protocol sends an update to its neighbor and then the neighbor needs to recalculate routes and modify the routing table Therefore frequent route flaps consume large bandwidth and CPU resources even affect normal operation of the network In most cases BGP is used in complex networks where route changes are very frequent To solve the problem caused by route flaps BGP uses route damp...

Page 495: ...red with identical commands The peer group feature simplifies configuration of this kind When a peer is added into a peer group the peer enjoys the same route update policy as the peer group to improve route distribution efficiency Caution If an option is configured both for a peer and for the peer group the latest configuration takes effect IV Community A peer group makes peers in it enjoy the sa...

Page 496: ...rs act as clients connecting to the route reflector The route reflector forwards reflects routing information between clients BGP connections between clients need not be established The router neither a route reflector nor a client is a non client which has to establish connections to the route reflector and non clients as shown below Client Client Client Route Reflector Non Client Non Client Clus...

Page 497: ...more bandwidth resources You can use related commands to disable route reflection in this case Note After route reflection is disabled between clients routes between a client and a non client can still be reflected VI Confederation Confederation is another method to deal with growing IBGP connections in ASs It splits an AS into multiple sub ASs In each sub AS IBGP peers are fully meshed and EBGP c...

Page 498: ... 6 BGP GR Note For GR Graceful Restart information refer to BFD GR Configuration 1 To establish a BGP session with a peer a BGP GR Restarter sends an OPEN message with GR capability to the peer 2 Upon receipt of this message the peer is aware that the sending router is capable of Graceful Restart and sends an OPEN message with GR Capability to the GR Restarter to establish a GR session If neither ...

Page 499: ...xtended attributes In BGP 4 the three types of attributes for IPv4 namely NLRI NEXT_HOP and AGGREGATOR contains the IP address of the speaker generating the summary route are all carried in updates To support multiple network layer protocols BGP 4 puts information about network layer into NLRI and NEXT_HOP MP BGP introduced two path attributes z MP_REACH_NLRI Multiprotocol Reachable NLRI for adver...

Page 500: ... Capability for BGP 4 z RFC2439 BGP Route Flap Damping z RFC1997 BGP Communities Attribute z RFC2796 BGP Route Reflection z RFC3065 Autonomous System Confederations for BGP z draft ietf idr restart 08 Graceful Restart Mechanism for BGP 5 2 BGP Configuration Task List Complete the following tasks to configure BGP Task Remarks Configuring BGP Basic Functions Required Configuring BGP Route Redistribu...

Page 501: ...P z Since BGP employs TCP you need to specify IP addresses of peers which may not be neighboring routers z Using logical links can also establish BGP peer relationships z In general IP addresses of loopback interfaces are used to improve stability of BGP connections 5 3 1 Prerequisites The neighboring nodes are accessible to each other at the network layer 5 3 2 Configuration Procedure Follow thes...

Page 502: ...eer change Optional Enabled by default Enable the logging of peer state changes for a peer or peer group peer group name ip address log change Optional Enabled by default Specify a preferred value for routes from a peer or peer group peer group name ip address preferred value value Optional The preferred value defaults to 0 Specify the source interface for establishing TCP connections to a peer or...

Page 503: ...sh TCP connections to the peers when using the outbound interfaces of the best routes as the source interfaces z In general direct physical links should be available between EBGP peers If not you can use the peer ebgp max hop command to establish a TCP connection over multiple hops between two peers You need not use this command for directly connected EBGP peers which employ loopback interfaces fo...

Page 504: ... a network to the BGP routing table network ip address mask mask length short cut route policy route policy name Optional Not injected by default Note z The ORIGIN attribute of routes redistributed using the import route command is Incomplete z The ORIGIN attribute of networks advertised into the BGP routing table with the network command is IGP These networks must exist in the local IP routing ta...

Page 505: ...o route summarization is configured by default Choose either as needed if both are configured the manual route summarization takes effect 5 4 4 Advertising a Default Route to a Peer or Peer Group Follow these steps to advertise a default route to a peer or peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Advertise a default route to a peer or peer...

Page 506: ...ort Reference an AS path ACL to filter routing information to a peer peer group peer group name ip address as path acl as path acl number export Reference an IP prefix list to filer routing information to a peer peer group peer group name ip address ip prefix ip prefix name export Required to choose any Not configured by default You can configure a filtering policy as needed If several filtering p...

Page 507: ...icy as needed If several filtering policies are configured they are applied in the following sequence z filter policy import z peer filter policy import z peer as path acl import z peer ip prefix import z peer route policy import Only routes passing the first policy can they go to the next and only routes passing all the configured policies can they be received Specify the maximum number of routes...

Page 508: ...stem view Enter BGP view bgp as number Configure BGP route dampening dampening half life reachable half life unreachable reuse suppress ceiling route policy route policy name Optional Not configured by default 5 5 Configuring BGP Route Attributes 5 5 1 Prerequisites Before configuring this task you have configured BGP basic functions 5 5 2 Configuration Procedure You can configure BGP route attrib...

Page 509: ...nt as med Optional Not enabled by default Enable the comparison of MED of routes from each AS bestroute compare med Optional Not enabled by default Configure the MED attribute Enable the comparison of MED of routes from confederation peers bestroute med confederation Optional Not enabled by default Specify the router as the next hop of routes to a peer peer group peer group name ip address next ho...

Page 510: ... default the router takes AS_PATH as a factor for best route selection Specify a fake AS number for a peer peer group peer group name ip address fake as as number Optional Not specified by default This command is only applicable to an EBGP peer or peer group Substitute local AS number for the AS number of a peer peer group in the AS_PATH attribute peer group name ip address substitute as Optional ...

Page 511: ...Ss can only find the fake AS number z The peer substitute as command is used only in specific networking environments Inappropriate use of the command may cause routing loops 5 6 Tuning and Optimizing BGP Networks This task involves the following parts 1 Configure BGP timers After establishing a BGP connection two routers send keepalive messages periodically to each other to keep the connection If...

Page 512: ...nfiguring this task you have configured BGP basic functions 5 6 2 Configuration Procedure Follow these steps to tune and optimize BGP networks To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure keepalive interval and holdtime timer keepalive keepalive hold holdtime Configure BGP timers Configure keepalive interval and holdtime for a peer peer group p...

Page 513: ... policy peer group name ip address keep all routes Optional Not kept by default Return to user view return Perform manual soft reset on BGP connections refresh bgp all ip address group group name external internal export import Required Enter system view system view Configure BGP soft reset Enter BGP view bgp as number Enable the clearing of the direct EBGP session on any interface that becomes do...

Page 514: ... Configuring a Large Scale BGP Network In a large scale BGP network configuration and maintenance become difficult due to large numbers of BGP peers In this case configuring peer groups makes management easier and improves route distribution efficiency Peer group includes IBGP peer group where peers belong to the same AS and EBGP peer group where peers belong to different ASs If peers in an EBGP g...

Page 515: ...group name as number as number Configu re a pure EBGP peer group Add a peer into the group peer ip address group group name as number as number Optional You can add multiple peers into the group The system will create these peers automatically and specify the local AS number as their AS in BGP view Create an EBGP peer group group group name external Specify a peer and the AS number for the peer pe...

Page 516: ...tes advertised to a peer peer group peer group name ip address route policy route policy name export Required Not configured by default Note z When configuring BGP community you need to configure a routing policy to define the community attribute and apply the routing policy to route advertisement z For routing policy configuration refer to Routing Policy Configuration 5 7 4 Configuring a BGP Rout...

Page 517: ...ly one route reflector and the router ID is used to identify the cluster You can configure multiple route reflectors to improve network stability In this case you need to specify the same cluster ID for these route reflectors to avoid routing loops 5 7 5 Configuring a BGP Confederation Follow these steps to configure a BGP confederation To do Use the command Remarks Enter system view system view E...

Page 518: ...ly act as a GR Helper Follow these steps to configure BGP GR To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable GR Capability for BGP graceful restart Required Disabled by default Configure the maximum time allowed for the peer to reestablish a BGP session graceful restart timer restart timer Optional 150 seconds by default Configure the maximum time to...

Page 519: ...l number Display BGP CIDR routing information display bgp routing table cidr Display BGP routing information matching the specified BGP community display bgp routing table community aa nn 1 13 no advertise no export no export subconfed whole match Display routing information matching a BGP community list display bgp routing table community list basic community list number whole match adv community...

Page 520: ...d Remarks Reset all BGP connections reset bgp all Reset the BGP connections to an AS reset bgp as number Reset the BGP connection to a peer reset bgp ip address flap info Reset all EBGP connections reset bgp external Reset the BGP connections to a peer group reset bgp group group name Reset all IBGP connections reset bgp internal Reset all IPv4 unicast BGP connections reset bgp ipv4 all Available ...

Page 521: ... 200 1 1 2 24 Vlan int500 9 1 2 2 24 Switch B Vlan int400 9 1 1 1 24 Switch C Vlan int500 9 1 2 1 24 Vlan int200 200 1 1 1 24 Vlan int300 9 1 3 2 24 Vlan int300 9 1 3 1 24 Figure 5 16 Network diagram for BGP basic configuration on switches III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure IBGP connections Configure Switch B SwitchB system view SwitchB bgp 6500...

Page 522: ...GP routing table SwitchA bgp network 8 0 0 0 SwitchA bgp quit Configure Switch B SwitchB bgp 65009 SwitchB bgp peer 200 1 1 2 as number 65008 SwitchB bgp quit Display BGP peer information on Switch B SwitchB display bgp peer BGP local router ID 2 2 2 2 Local AS number 65009 Total number of peers 3 Peers in established state 3 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 9 1 1 2 4 65009 56 ...

Page 523: ...nal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 8 0 0 0 200 1 1 2 0 0 65008i Display the BGP routing table on Switch C SwitchC display bgp routing table Total Number of Routes 1 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal ...

Page 524: ... Routes 4 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 8 0 0 0 200 1 1 2 0 100 0 65008i i 9 1 1 0 24 9 1 3 1 0 100 0 i 9 1 3 0 24 9 1 3 1 0 100 0 i 200 1 1 0 9 1 3 1 0 100 0 You can find the route 8 0 0 0 becomes valid with the next hop being Switch A Ping 8 1 1 ...

Page 525: ...for BGP and IGP synchronization III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF omitted 3 Configure the EBGP connection Configure Switch A SwitchA system view SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 3 1 1 1 as number 65009 Inject network 8 1 1 0 24 to the BGP routing table SwitchA bgp network 8 1 1 0 24 SwitchA bgp quit Configur...

Page 526: ...om BGP on Switch B SwitchB ospf SwitchB ospf 1 import route bgp SwitchB ospf 1 quit Display routing table information on Switch C SwitchC display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 8 1 1 0 24 O_ASE 150 1 9 1 1 1 Vlan300 9 1 1 0 24 Direct 0 0 9 1 1 2 Vlan300 9 1 1 2 32 Direct 0 0 127 0 0 1 InLoop0 9 1 2 0 24 Direct 0 0 9 ...

Page 527: ...2 1 bytes 56 Sequence 1 ttl 254 time 15 ms Reply from 9 1 2 1 bytes 56 Sequence 2 ttl 254 time 31 ms Reply from 9 1 2 1 bytes 56 Sequence 3 ttl 254 time 47 ms Reply from 9 1 2 1 bytes 56 Sequence 4 ttl 254 time 46 ms Reply from 9 1 2 1 bytes 56 Sequence 5 ttl 254 time 47 ms 9 1 2 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 15 37 47 ms 5 10 3...

Page 528: ...1 1 as number 65009 SwitchA bgp peer 200 1 2 1 as number 65009 Inject route 8 0 0 0 8 to BGP routing table SwitchA bgp network 8 0 0 0 255 0 0 0 SwitchA bgp quit Configure Switch B SwitchB system view SwitchB bgp 65009 SwitchB bgp router id 2 2 2 2 SwitchB bgp peer 200 1 1 2 as number 65008 SwitchB bgp peer 9 1 1 2 as number 65009 SwitchB bgp network 9 1 1 0 255 255 255 0 SwitchB bgp quit Configur...

Page 529: ...ailable and the one with the next hop being 200 1 1 1 is the optimal because the ID of Switch B is smaller 3 Configure loading balancing Configure Switch A SwitchA bgp 65008 SwitchA bgp balance 2 SwitchA bgp quit Display the routing table on Switch A SwitchA display bgp routing table Total Number of Routes 3 BGP Local router ID is 1 1 1 1 Status codes valid best d damped h history i internal s sup...

Page 530: ...Prf PrefVal Path Ogn 8 0 0 0 0 0 0 0 0 0 i 9 1 1 0 24 200 1 2 1 0 0 65009i 200 1 1 1 100 0 65009i From the above information you can find the route with the next hop 200 1 2 1 is the best route because its MED 0 is smaller than the MED 100 of the other route with the next hop 200 1 1 1 Switch B 5 10 4 BGP Community Configuration I Network requirements Switch B establishes EBGP connections with Swi...

Page 531: ...SwitchB bgp peer 200 1 2 1 as number 10 SwitchB bgp peer 200 1 3 2 as number 30 SwitchB bgp quit Configure Switch C SwitchC system view SwitchC bgp 30 SwitchC bgp router id 3 3 3 3 SwitchC bgp peer 200 1 3 1 as number 20 SwitchC bgp quit Display the BGP routing table on Switch B SwitchB display bgp routing table 9 1 1 0 BGP local router ID 2 2 2 2 Local AS number 20 Paths 1 available 1 best BGP ro...

Page 532: ...route policy comm_policy permit node 0 SwitchA route policy apply community no export SwitchA route policy quit Apply the routing policy SwitchA bgp 10 SwitchA bgp peer 200 1 2 2 route policy comm_policy export SwitchA bgp peer 200 1 2 2 advertise community Display the routing table on Switch B SwitchB display bgp routing table 9 1 1 0 BGP local router ID 2 2 2 2 Local AS number 20 Paths 1 availab...

Page 533: ... from Switch C II Network diagram Figure 5 20 Network diagram for BGP route reflector configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure BGP connections Configure Switch A SwitchA system view SwitchA bgp 100 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 192 1 1 2 as number 200 Inject network 1 0 0 0 8 to the BGP routing table SwitchA bgp network ...

Page 534: ... Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 2 reflect client SwitchC bgp peer 194 1 1 2 reflect client SwitchC bgp quit 4 Verify the above configuration Display the BGP routing table on Switch B SwitchB display bgp routing table Total Number of Routes 1 BGP Local router ID is 2 2 2 2 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Net...

Page 535: ... Vlan int400 Vlan int500 Vlan int100 Vlan int100 Vlan int200 Vlan int100 Vlan int100 Vlan int200 Device Interface IP address Device Interface IP address Switch A Vlan int100 200 1 1 1 24 Switch D Vlan int100 10 1 3 2 24 Vlan int200 10 1 1 1 24 Vlan int200 10 1 5 1 24 Vlan int300 10 1 2 1 24 Switch E Vlan int100 10 1 4 2 24 Vlan int400 10 1 3 1 24 Vlan int200 10 1 5 2 24 Vlan int500 10 1 4 1 24 Swi...

Page 536: ...gp quit Configure Switch C SwitchC system view SwitchC bgp 65003 SwitchC bgp router id 3 3 3 3 SwitchC bgp confederation id 200 SwitchC bgp confederation peer as 65001 65002 SwitchC bgp peer 10 1 2 1 as number 65001 SwitchC bgp quit 3 Configure IBGP connections in AS65001 Configure Switch A SwitchA bgp 65001 SwitchA bgp peer 10 1 3 2 as number 65001 SwitchA bgp peer 10 1 3 2 next hop local SwitchA...

Page 537: ...p router id 6 6 6 6 SwitchF bgp peer 200 1 1 1 as number 200 SwitchF bgp network 9 1 1 0 255 255 255 0 SwitchF bgp quit 5 Verify above configuration Display the routing table on Switch B SwitchB display bgp routing table Total Number of Routes 1 BGP Local router ID is 2 2 2 2 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop ME...

Page 538: ...D display bgp routing table 9 1 1 0 BGP local router ID 4 4 4 4 Local AS number 65001 Paths 1 available 1 best BGP routing table entry information of 9 1 1 0 24 From 10 1 3 1 1 1 1 1 Relay Nexthop 0 0 0 0 Original nexthop 10 1 3 1 AS path 100 Origin igp Attribute value MED 0 localpref 100 pref val 0 pre 255 State valid internal best Not advertised to any peers yet 5 10 7 BGP Path Selection Configu...

Page 539: ...election configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF on Switch B C and D Configure Switch B SwitchB system view SwitchB ospf SwitchB ospf area 0 SwitchB ospf 1 area 0 0 0 0 network 192 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 network 194 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Configure Switch C SwitchC ...

Page 540: ... SwitchB bgp quit Configure Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 1 as number 100 SwitchC bgp peer 195 1 1 1 as number 200 SwitchC bgp quit Configure Switch D SwitchD bgp 200 SwitchD bgp peer 194 1 1 2 as number 200 SwitchD bgp peer 195 1 1 2 as number 200 SwitchD bgp quit 4 Configure attributes for route 1 0 0 0 8 making Switch D give priority to the route learned from Switch C z Conf...

Page 541: ...tes 2 BGP Local router ID is 194 1 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 1 0 0 0 193 1 1 1 50 100 0 100i i 192 1 1 1 100 100 0 100i You can find route 1 0 0 0 8 is the optimal z Configure different local preferences on Switch B and C for route 1 0 0 0 8 making Switch D give priority...

Page 542: ...Troubleshooting BGP 5 11 1 No BGP Peer Relationship Established I Symptom Display BGP peer information using the display bgp peer command The state of the connection to a peer cannot become established II Analysis To become BGP peers any two routers need to establish a TCP session using port 179 and exchange open messages successfully III Solution 1 Use the display current configuration command to...

Page 543: ...ual IPv4 Routing H3C S3610 S5510 Series Ethernet Switches Chapter 5 BGP Configuration 5 62 7 Use the display tcp status command to check the TCP connection 8 Check whether an ACL disabling TCP port 179 is configured ...

Page 544: ...ction to Routing Policy 6 1 1 Routing Policy and Policy Routing A routing policy is used on the router for route inspection filtering attributes modifying when routes are received advertised or redistributed Policy routing is a routing mechanism based on the user defined policies This chapter describes only routing policy configuration and usage refer to IP Unicast Policy Routing Configuration in ...

Page 545: ...ing information advertised by certain routers will be received An IP prefix list is identified by name Each IP prefix list can comprise multiple items and each item which is identified by an index number can specify a matching range in the network prefix format The index number indicates the matching sequence of items in the IP prefix list During matching the router compares the packet with the it...

Page 546: ...f match clauses on a node is in logical AND relationship Only when the matching conditions specified by all the if match clauses on the node are satisfied can routing information pass the node The apply clauses specify the actions to be performed after the node is passed concerning the attribute settings for routing information 6 1 3 Routing Policy Application A routing policy is applied in two wa...

Page 547: ...item Follow these steps to define an IPv4 prefix list To do Use the command Remarks Enter system view system view Define an IPv4 prefix list ip ip prefix ip prefix name index index number permit deny ip address mask length greater equal min mask length less equal max mask length Required Not defined by default Note If all items are set to the deny mode no routes can pass the IPv4 prefix list There...

Page 548: ...d by number During matching the relation between items is logic OR that is if routing information matches one of these items it passes the community list Follow these steps to define a community list To do Use the command Remarks Enter system view system view Define a basic community list ip community list basic comm list num deny permit community number list internet no advertise no export no exp...

Page 549: ...cy can comprise multiple nodes each node contains z if match clauses Define the match criteria that routing information must satisfy The matching objects are some attributes of routing information z apply clauses Specify the actions performed after specified match criteria are satisfied concerning attribute settings for passed routing information 6 4 1 Prerequisites Before configuring this task yo...

Page 550: ...lter routing information routing information that does not meet any node s conditions cannot pass the routing policy If all nodes of the routing policy are set using the deny keyword no routing information can pass it 6 4 3 Defining if match Clauses for the Routing Policy Follow these steps to define if match clauses for a route policy To do Use the command Remarks Enter system view system view En...

Page 551: ...interface number 1 1 6 Optional Not configured by default Match routes having the specified route type if match route type internal external type1 external type2 external type1or2 is is level 1 is is level 2 nssa external type1 nssa external type2 nssa external type1or2 Optional Not configured by default Match RIP OSPF or IS IS routes having the specified tag value if match tag value Optional Not ...

Page 552: ...ttribute for BGP routes apply community none additive community number 1 16 aa nn 1 16 internet no export subconfed no export no advertise additive Optional Not set by default Set a cost for routes apply cost value Optional Not set by default Set a cost type for routes apply cost type external internal type 1 type 2 Optional Not set by default Set the extended community attribute for BGP routes ap...

Page 553: ...o Use the command Remarks Display BGP AS path ACL information display ip as path as path number Display BGP community list information display ip community list basic community list number adv community list number Display BGP extended community list information display ip extcommunity list ext comm list number Display IPv4 prefix list statistics display ip ip prefix ip prefix name Display routing...

Page 554: ...1 Network diagram for routing policy application to route redistribution III Configuration procedure 1 Specify IP addresses for interfaces omitted 2 Configure IS IS Configure Switch C SwitchC system view SwitchC isis SwitchC isis 1 is level level 2 SwitchC isis 1 network entity 10 0000 0000 0001 00 SwitchC isis 1 quit SwitchC interface vlan interface 200 SwitchC Vlan interface200 isis enable Switc...

Page 555: ... OSPF and redistribute routes from IS IS SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 import route isis 1 SwitchB ospf 1 quit Display OSPF routing table on Switch A to view redistributed routes SwitchA display ospf routing OSPF Process 1 with Router ID 192 168 1 1 Routing Tables Routing for Network Dest...

Page 556: ... 2002 SwitchB route policy apply tag 20 SwitchB route policy quit SwitchB route policy isis2ospf permit node 30 SwitchB route policy quit 6 Apply the routing policy to route redistribution Configure Switch B apply the routing policy when redistributing routes SwitchB ospf SwitchB ospf 1 import route isis 1 route policy isis2ospf SwitchB ospf 1 quit Display the OSPF routing table on Switch A You ca...

Page 557: ... IPv4 Routing Information Filtering Failure I Symptom Filtering routing information failed while routing protocol runs normally II Analysis At least one item of the IP prefix list should be configured as permit mode and at least one node in the Route policy should be configured as permit mode III Processing procedure 1 Use the display ip ip prefix command to display IP prefix list information 2 Us...

Page 558: ...FD Basic Functions 1 6 1 3 1 Configuration Prerequisites 1 6 1 3 2 Configuration Procedure 1 6 1 4 Configuring BFD for Static Routing 1 7 1 5 Enabling BFD Trap 1 8 1 6 Displaying and Maintaining BFD 1 8 1 7 BFD Configuration Examples 1 9 1 7 1 Configuring BFD for Static Routing 1 9 Chapter 2 GR 2 1 2 1 Introduction to Graceful Restart 2 1 2 2 Basic Concepts in Graceful Restart 2 1 2 3 Graceful Res...

Page 559: ...DH synchronous digital hierarchy transmission system alarms z If no hardware detection signals are provided or failures cannot be detected through hardware detection signals the network uses the hello mechanism of a routing protocol for failure detection which has a slower failure detection rate of more than one second In Gigabit data transmission such a rate will cause a large quantity of data to...

Page 560: ...ism After a BFD session is established if no BFD control packet is received from the neighbor within the BFD interval BFD sets the session state to down and notifies it to the protocol concerned Upon receiving the link failure notification from BFD the application layer protocol considers the neighbor down Note No detection time resolution is defined in the BFD draft At present most devices suppor...

Page 561: ...s a BFD session is established unless a protocol needs to explicitly verify the connectivity Note z At present only the asynchronous mode is supported z At present BFD can be implemented in the Echo mode for static routes only and in a way different from that defined in the BFD draft z When a BFD session operates in the Echo mode the session is independent of the operation mode V Dynamic BFD param...

Page 562: ... future use z State Sta Current BFD session state Its value can be 0 for AdminDown 1 for Down 2 for Init and 3 for Up z Demand D If set to 1 it means the transmitting protocol wishes to operate in the query mode if set to 0 it means the transmitting protocol ignores the query mode or cannot operate in the query mode z Poll P If it is set to 1 the transmitting protocol requests the connection ackno...

Page 563: ...ultiple BFD sessions between two protocols z Your Discriminator It is the discriminator received from the corresponding remote protocol This field reflects the received value of My Discriminator or returns 0 if that value is unknown z Desired Min Tx Interval Minimum interval at which the local protocol wishes to send BFD control packets in milliseconds z Required Min Rx Interval Interval at which ...

Page 564: ... 2 Configuration Procedure Follow these steps to configure BFD session parameters To do Use the command Remarks Enter system view system view Specify a BFD session initiation mode bfd session init mode active passive Optional active by default Configure the source IP address of echo packets bfd echo source ip ip address Optional Enter interface view interface interface type interface number Config...

Page 565: ... with the local device as the nexthop and enable BFD on the peer device z Use echo packets to establish a session These echo messages use the local device interface address as the destination and are directly forwarded back to the local device after being sent to the nexthop without being processed by the BFD processes Follow these steps to configure BFD for static routes To do Use the command Rem...

Page 566: ...nly one end when the echo mode is used z For static route configuration refer to Static Routing Configuration in IPv4 Routing 1 5 Enabling BFD Trap Follow these steps to enable BFD trap To do Use the command Remarks Enter system view system view Enable BFD trap snmp agent trap enable bfd Optional Enabled by default 1 6 Displaying and Maintaining BFD To do Use the command Remarks Display informatio...

Page 567: ...Switch A and enable BFD on it Implement BFD through BFD echo packets SwitchA system view SwitchA bfd echo source ip 123 1 1 1 SwitchA interface vlan interface 10 SwitchA vlan interface10 bfd min echo receive interval 300 SwitchA vlan interface10 bfd detect multiplier 7 SwitchA vlan interface10 quit SwitchA ip route static 120 1 1 1 24 10 1 1 100 bfd echo packet SwitchA quit Enable BFD debugging on...

Page 568: ...g information The neighbors will help the restarting device to update its routing information and to restore it to the state prior to the restart in minimal time The routing and forwarding remain highly stable across the restart the packet forwarding path remains the same and the whole system can forward IP packets continuously Hence it is called Graceful Restart 2 2 Basic Concepts in Graceful Res...

Page 569: ...for a period as specified by the GR Time 2 3 Graceful Restart Communication Procedure Configure a device as GR Restarter in a network This device and its GR Helper must support GR or be GR capable Thus when GR Restarter restarts its GR Helper can know its restart process Note z In some cases GR Restarter and GR Helper can replace with each other z If a router is to act as a Graceful Restarter it m...

Page 570: ...r restarting Figure 2 2 Restarting process for the GR Restarter As illustrated in Figure 2 2 The GR Helper detects that the GR Restarter has restarted its routing protocol and assumes that it will recover within the GR Time Before the GR Time expires the GR Helper will neither terminate the session with the GR Restarter nor delete the topology or routing information of the latter 3 GR Restarter si...

Page 571: ...2 4 the GR Restarter obtains the necessary topology and routing information from all its neighbors through the GR sessions between them and calculates its own routing table based on this information 2 4 Graceful Restart Mechanism for Several Commonly Used Protocols The switch supports Graceful Restart for Boarder Gateway Protocol BGP Open Shortest Path First OSPF and Intermediate System to Interme...

Page 572: ... RIPng Basic Functions 2 4 2 2 1 Configuration Prerequisites 2 4 2 2 2 Configuration Procedure 2 4 2 3 Configuring RIPng Route Control 2 5 2 3 1 Configuring an Additional Routing Metric 2 5 2 3 2 Configuring RIPng Route Summarization 2 5 2 3 3 Advertising a Default Route 2 6 2 3 4 Configuring a RIPng Route Filtering Policy 2 6 2 3 5 Configuring a Priority for RIPng 2 6 2 3 6 Configuring RIPng Rout...

Page 573: ...5 7 Configuring OSPFv3 Route Redistribution 3 9 3 6 Tuning and Optimizing an OSPFv3 Network 3 10 3 6 1 Prerequisites 3 10 3 6 2 Configuring OSPFv3 Timers 3 10 3 6 3 Configuring the DR Priority for an Interface 3 11 3 6 4 Ignoring MTU Check for DD Packets 3 12 3 6 5 Disable Interfaces from Sending OSPFv3 Packets 3 12 3 6 6 Enable the Logging on Neighbor State Changes 3 13 3 7 Displaying and Maintai...

Page 574: ...ising a Default Route to a Peer Peer Group 5 9 5 4 4 Configuring Route Distribution Policy 5 9 5 4 5 Configuring Route Reception Policy 5 10 5 4 6 Configuring IPv6 BGP and IGP Route Synchronization 5 11 5 4 7 Configuring Route Dampening 5 12 5 5 Configuring IPv6 BGP Route Attributes 5 12 5 5 1 Prerequisites 5 12 5 5 2 Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP Attributes 5...

Page 575: ...3 6 2 1 Prerequisites 6 3 6 2 2 Defining an IPv6 Prefix List 6 3 6 2 3 Defining an AS Path List 6 4 6 2 4 Defining a Community List 6 4 6 2 5 Defining an Extended Community List 6 5 6 3 Configuring a Routing Policy 6 5 6 3 1 Prerequisites 6 5 6 3 2 Creating a Routing Policy 6 6 6 3 3 Defining if match Clauses for the Routing Policy 6 6 6 3 4 Defining apply Clauses for the Routing Policy 6 8 6 4 Di...

Page 576: ...he tunnel interfaces successfully 1 1 Introduction to IPv6 Static Routing Static routes are special routes that are manually configured by network administrators They work well in simple networks Configuring and using them properly can improve the performance of networks and guarantee enough bandwidth for important applications However static routes also have shortcomings any topology changes coul...

Page 577: ...onfigure an IPv6 static route To do Use the commands Remarks Enter system view System view Configure an IPv6 static route ipv6 route static ipv6 address prefix length interface type interface number nexthop address preference preference value Required The default preference of IPv6 static routes is 60 1 3 Displaying and Maintaining IPv6 Static Routes To do Use the command Remarks Display IPv6 stat...

Page 578: ...onfigure IPv6 static routes Configure the default IPv6 static route on Switch A SwitchA system view SwitchA ipv6 SwitchA ipv6 route static 0 4 2 Configure two IPv6 static routes on Switch B SwitchB system view SwitchB ipv6 SwitchB ipv6 route static 1 64 4 1 SwitchB ipv6 route static 3 64 5 1 Configure the default IPv6 static route on Switch C SwitchC system view SwitchC ipv6 SwitchC ipv6 route sta...

Page 579: ... 64 Protocol Direct NextHop 1 1 Preference 0 Interface Vlan100 Cost 0 Destination 1 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination 4 64 Protocol Direct NextHop 4 1 Preference 0 Interface Vlan200 Cost 0 Destination 4 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination FE80 10 Protocol Direct NextHop Preference 0 Interface NULL0 Cost 0...

Page 580: ...ng Configuration 1 5 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 5 hop limit 254 time 63 ms 3 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 62 62 63 ms ...

Page 581: ... Multicast address RIPng uses FF02 9 as the link local multicast address z Destination Prefix 128 bit destination address prefix z Next hop 128 bit IPv6 address z Source address RIPng uses FE80 10 as the link local source address 2 1 1 RIPng Working Mechanism RIPng is a routing protocol based on the distance vector D V algorithm RIPng uses UDP packets to exchange routing information through port 5...

Page 582: ...ed Each time a route entry is modified the routing time is set to 0 z Route tag Identifies the route used in routing policy to control routing information 2 1 2 RIPng Packet Format I Basic format A RIPng packet consists of a header and multiple route table entries RTEs The maximum number of RTEs in a packet depends on the MTU of the sending interface Figure 2 1 shows the packet format of RIPng Fig...

Page 583: ...from neighbors The receiving RIPng router processes RTEs in the request If there is only one RTE with the IPv6 prefix and prefix length both being 0 and with a metric value of 16 the RIPng router will respond with the entire routing table information in response messages If there are multiple RTEs in the request message the RIPng router will examine each RTE update its metric and send the requeste...

Page 584: ...ace configurations such as assigning an IPv6 address 2 2 1 Configuration Prerequisites Before the configuration accomplish the following tasks first z Enable IPv6 packet forwarding z Configure an IP address for each interface and make sure all nodes are reachable 2 2 2 Configuration Procedure Follow these steps to configure the basic RIPng functions To do Use the command Remarks Enter system view ...

Page 585: ...The outbound additional metric is added to the metric of a sent route the route s metric in the routing table is not changed The inbound additional metric is added to the metric of a received route before the route is added into the routing table so the route s metric is changed Follow these steps to configure an inbound outbound additional routing metric To do Use the command Remarks Enter system...

Page 586: ...tised routing information as needed For filtering outbound routes you can also specify a routing protocol from which to filter routing information redistributed Follow these steps to configure a RIPng route filtering policy To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure a filter policy to filter incoming routes filter policy acl6 number ipv6...

Page 587: ...t Optional By default the default metric of redistributed routes is 0 Redistribute routes from another routing protocol import route protocol process id allow ibgp cost cost route policy route policy name Required No route redistribution is configured by default 2 4 Tuning and Optimizing the RIPng Network This section describes how to tune and optimize the performance of the RIPng network as well ...

Page 588: ... the following defaults z 30 seconds for the update timer z 180 seconds for the timeout timer z 120 seconds for the suppress timer z 120 seconds for the garbage collect timer Note When adjusting RIPng timers you should consider the network performance and perform unified configurations on routers running RIPng to avoid unnecessary network traffic increase or route oscillation 2 4 2 Configuring Spl...

Page 589: ... is set to 16 That is to say the route is unreachable Follow these steps to configure poison reverse To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable the poison reverse function ripng poison reverse Required Disabled by default 2 4 3 Configuring Zero Field Check on RIPng Packets Some fields in the RIPng packet must be...

Page 590: ...by default 2 5 Displaying and Maintaining RIPng To do Use the command Remarks Display configuration information of a RIPng process display ripng process id Available in any view Display routes in the RIPng database display ripng process id database Available in any view Display the routing information of a specified RIPng process display ripng process id route Available in any view Display RIPng i...

Page 591: ...nterface100 ripng 1 enable SwitchA Vlan interface100 quit SwitchA interface vlan interface 400 SwitchA Vlan interface400 ripng 1 enable SwitchA Vlan interface400 quit Configure Switch B SwitchB system view SwitchB ipv6 SwitchB ripng 1 SwitchB ripng 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 ripng 1 enable SwitchB Vlan interface200 quit SwitchB interface vlan interface 10...

Page 592: ...6 Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 6 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 3 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 11 Sec Dest 4 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 11 Sec Dest 5 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 11 Sec Display the routing table of Switch A SwitchA display ripng 1 route Route Flags A Aging S Suppressed G Garbag...

Page 593: ... Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 4 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 5 Sec Dest 5 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 5 Sec SwitchA display ripng 1 route Route Flags A Aging ...

Page 594: ... and compliant with RFC2740 OSPF for IPv6 Identical parts between OSPFv3 and OSPFv2 z 32 bits router ID and area ID z Packets Hello DD Data Description LSR Link State Request LSU Link State Update LSAck Link State Acknowledgment z Mechanisms for finding neighbors and establishing adjacencies z Mechanisms for LSA flooding and aging Differences between OSPFv3 and OSPFv2 z OSPFv3 now runs on a per li...

Page 595: ...inated by ABRs Area Border Routers and flooded throughout the LSA s associated area Each Inter Area Prefix LSA describes a route with IPv6 address prefix to a destination outside the area yet still inside the AS an inter area route z Inter Area Router LSAs Similar to Type 4 LSA of OSPFv2 originated by ABRs and flooded throughout the LSA s associated area Each Inter Area Router LSA describes a rout...

Page 596: ...y If no response is received after retransmission interval elapses the router will send again the LSA The retransmission interval must be longer than the round trip time of the LSA in between II LSA delay time Each LSA has an age in the local LSDB incremented by 1 per second but an LSA is not aged on transmission You need to add an LSA delay time into the age time before transmission which is impo...

Page 597: ... Costs for OSPFv3 Interfaces Optional Configuring the Maximum Number of OSPFv3 Load balanced Routes Optional Configuring a Priority for OSPFv3 Optional Configuring OSPFv3 Routing Information Management Configuring OSPFv3 Route Redistribution Optional Configuring OSPFv3 Timers Optional Configuring the DR Priority for an Interface Optional Ignoring MTU Check for DD Packets Optional Disable Interface...

Page 598: ...ltiple OSPFv3 processes you need to specify a router ID for each process z You need to specify a router ID manually which is necessary to make OSPFv3 work 3 4 Configuring OSPFv3 Area Parameters The stub area and virtual link support of OSPFv3 has the same principle and application environments with OSPFv2 Splitting an OSPFv3 AS into multiple areas reduces the number of LSAs on networks and extends...

Page 599: ...annot delete an OSPFv3 area directly Only when you remove all configurations in area view and all interfaces attached to the area become down can the area be removed automatically z All routers attached to a stub area must be configured with the stub command The keyword no summary is only available on the ABR z If you use the stub command with the keyword no summary on an ABR the ABR distributes a...

Page 600: ...1 Prerequisites z Enable IPv6 packet forwarding z Configure OSPFv3 basic functions 3 5 2 Configuring OSPFv3 Route Summarization Follow these steps to configure route summarization between areas To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Enter OSPFv3 area view area area id Configure a summary route abr summary ipv6 address prefix length not adver...

Page 601: ...ltered can be added into the local routing table 3 5 4 Configuring Link Costs for OSPFv3 Interfaces You can configure OSPFv3 link costs for interfaces to adjust routing calculation Follow these steps to configure the link cost for an OSPFv3 interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the cost for the...

Page 602: ...view system view Enter OSPFv3 view ospfv3 process id Configure a priority for OSPFv3 preference ase route policy route policy name preference Optional By default the priority of OSPFv3 interval routes is 10 and priority of OSPFv3 external routes is 150 3 5 7 Configuring OSPFv3 Route Redistribution Follow these steps to configure OSPFv3 route redistribution To do Use the command Remarks Enter syste...

Page 603: ...r However if the import route command is not configured executing the filter policy export command does not take effect 3 6 Tuning and Optimizing an OSPFv3 Network This section describes configurations of OSPFv3 timers interface DR priority MTU check ignorance for DD packets disabling interfaces from sending OSPFv3 packets OSPFv3 timers z Packet timer Specified to adjust topology convergence speed...

Page 604: ...Configure the LSA transmission delay ospfv3 trans delay seconds instance instance id Optional Defaults to 1 second Return to system view quit Enter OSPFv3 view ospfv3 process id Configure the SPF timer spf timers delay interval hold interval Optional By default delay interval is 5 seconds and hold interval is 10 seconds Note z The dead interval set on neighboring interfaces cannot be so short Othe...

Page 605: ... check MTU in DD packets in order to improve efficiency Follow these steps to ignore MTU check for DD packets To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Ignore MTU check for DD packets ospfv3 mtu ignore instance instance id Required Not ignored by default 3 6 5 Disable Interfaces from Sending OSPFv3 Packets Follow thes...

Page 606: ...lent direct routes of the interface can still be advertised in Intra Area Prefix LSAs via other interfaces but other OSPFv3 packets cannot be advertised Therefore no neighboring relationship can be established on the interface This feature can enhance the adaptability of OSPFv3 networking 3 6 6 Enable the Logging on Neighbor State Changes Follow these steps to enable the logging on neighbor state ...

Page 607: ... OSPFv3 neighbor information display ospfv3 process id area area id peer interface type interface number verbose peer router id Display OSPFv3 neighbor statistics display ospfv3 peer statistic Display OSPFv3 routing table information display ospfv3 process id routing ipv6 address prefix length ipv6 address prefix length abr routes asbr routes all statistics Display OSPFv3 area topology information...

Page 608: ...ea 2 Switch A Vlan int100 2001 2 64 Vlan int100 2001 1 64 Vlan int300 2001 3 1 64 Vlan int200 2001 1 2 64 Switch C Vlan int400 2001 2 1 64 Vlan int400 2001 2 2 64 Switch B Vlan int200 2001 1 1 64 Switch D Stub Figure 3 2 Network diagram for OSPFv3 area configuration III Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure OSPFv3 basic functions Configure Switch A S...

Page 609: ...er id 3 3 3 3 SwitchC ospfv3 1 quit SwitchC interface vlan interface 100 SwitchC Vlan interface100 ospfv3 1 area 0 SwitchC Vlan interface100 quit SwitchC interface vlan interface 400 SwitchC Vlan interface400 ospfv3 1 area 2 SwitchC Vlan interface400 quit Configure Switch D SwitchD system view SwitchD ipv6 SwitchD ospfv3 SwitchD ospfv3 1 router id 4 4 4 4 SwitchD ospfv3 1 quit SwitchD interface Vl...

Page 610: ...stance ID 4 4 4 4 1 Full DR 00 00 38 Vlan400 0 Display OSPFv3 routing table information on Switch D SwitchD display ospfv3 routing E1 Type 1 external route IA Inter area route I Intra area route E2 Type 2 external route Seleted route OSPFv3 Router with ID 4 4 4 4 Process 1 Destination 2001 64 Type IA Cost 2 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 1 64 Type IA Cost 3 NextHop F...

Page 611: ...oute E2 Type 2 external route Seleted route OSPFv3 Router with ID 4 4 4 4 Process 1 Destination 0 Type IA Cost 11 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 64 Type IA Cost 2 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 1 64 Type IA Cost 3 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 2 64 Type I Cost 1 NextHop directly connected Interface Vlan40...

Page 612: ...nected Interface Vlan400 3 8 2 Configuring OSPFv3 DR Election I Network requirements In the following figure z The priority of Switch A is 100 the highest priority on the network so it will be the DR z The priority of Switch C is 2 the second highest priority on the network so it will be the BDR z The priority of Switch B is 0 so it cannot become the DR z RouterD has the default priority 1 II Netw...

Page 613: ...itchB Vlan interface200 quit Configure Switch C SwitchC system view SwitchC ipv6 SwitchC ospfv3 SwitchC ospfv3 1 router id 3 3 3 3 SwitchC ospfv3 1 quit SwitchC interface vlan interface 100 SwitchC Vlan interface100 ospfv3 1 area 0 SwitchC Vlan interface100 quit Configure Switch D SwitchD system view SwitchD ipv6 SwitchD ospfv3 SwitchD ospfv3 1 router id 4 4 4 4 SwitchD ospfv3 1 quit SwitchD inter...

Page 614: ... VLAN interface 100 as 100 on Switch A SwitchA interface Vlan interface 100 SwitchA Vlan interface100 ospfv3 dr priority 100 SwitchA Vlan interface100 quit Configure the DR priority of VLAN interface 200 as 0 on Switch B SwitchB interface vlan interface 200 SwitchB Vlan interface200 ospfv3 dr priority 0 SwitchB Vlan interface200 quit Configure the DR priority of Switch C as 2 SwitchC interface Vla...

Page 615: ...0 0 4 4 4 4 1 Full DROther 00 00 37 Vlan200 0 Display neighbor information on Switch D You can find Switch A becomes the DR SwitchD display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 1 1 1 1 100 Full DR 00 00 34 Vlan100 0 2 2 2 2 0 2 Way DROther 00 00 34 Vlan200 0 3 3 3 3 2 Full Backup 00 00 32 Vlan100 0 3 9 Troubleshooting OSPFv3 Configurati...

Page 616: ...ast one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cannot receive external routes and all interfaces connected to the Stub area must be associated with the Stub area III Solution 1 Use the display ospfv3 peer command to display OSPFv3 neighbors 2 Use the display ospfv3 interface command to display OSPFv3 interface information ...

Page 617: ... IS go to these sections for information you are interested in z Introduction to IPv6 IS IS z Configuring IPv6 IS IS Basic Functions z Configuring IPv6 IS IS Routing Information Control z Displaying and Maintaining IPv6 IS IS z IPv6 IS IS Configuration Example 4 1 Introduction to IPv6 IS IS The IS IS routing protocol Intermediate System to Intermediate System intra domain routing information excha...

Page 618: ...ally z Configure IP addresses for interfaces and make sure all neighboring nodes are reachable z Enable IS IS 4 2 2 Configuration Procedure Follow these steps to configure the basic functions of IPv6 IS IS To do Use command to Remarks Enter system view system view Enable an IS IS process and enter IS IS view isis process id vpn instance vpn instance name Required Not enabled by default Configure t...

Page 619: ...ptional 15 by default Configure an IPv6 IS IS summary route ipv6 summary ipv6 prefix prefix length avoid feedback generate_null0_route level 1 level 1 2 level 2 tag tag Optional Not configured by default Generate an IPv6 IS IS default route ipv6 default route advertise level 1 level 2 level 1 2 route policy route policy name Optional No IPv6 default route is defined by default Configure IPv6 IS IS...

Page 620: ...r Optional 4 by default Note The ipv6 filter policy export command usually used in combination with the ipv6 import route command filters redistributed routes when advertising them to other routers If no protocol is specified routes redistributed from all routing protocols are filtered before advertisement If a protocol is specified only routes redistributed from the routing protocol are filtered ...

Page 621: ...sis peer verbose process id vpn instance vpn instanc name Available in any view Display IPv6 IS IS routing information display isis route ipv6 level 1 level 2 verbose process id Available in any view Display SPF log information display isis spf log process id vpn instance vpn instance name Available in any view Display the statistics of the IS IS process display isis statistics level 1 level 2 lev...

Page 622: ...re 4 1 Network diagram for IPv6 IS IS basic configuration III Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure IPv6 IS IS Configure Switch A SwitchA system view SwitchA isis 1 SwitchA isis 1 is level level 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA isis 1 ipv6 enable SwitchA isis 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interfa...

Page 623: ...ace 200 SwitchC Vlan interface200 isis ipv6 enable 1 SwitchC Vlan interface200 quit SwitchC interface vlan interface 300 SwitchC Vlan interface300 isis ipv6 enable 1 SwitchC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 is level level 2 SwitchD isis 1 network entity 20 0000 0000 0004 00 SwitchD isis 1 ipv6 enable SwitchD isis 1 quit SwitchD interface v...

Page 624: ...asic Functions z Controlling Route Distribution and Reception z Configuring IPv6 BGP Route Attributes z Tuning and Optimizing IPv6 BGP Networks z Configuring a Large Scale IPv6 BGP Network z Displaying and Maintaining IPv6 BGP Configuration z IPv6 BGP Configuration Examples z Troubleshooting IPv6 BGP Configuration 5 1 IPv6 BGP Overview BGP 4 manages only IPv4 routing information thus other network...

Page 625: ...lishing TCP Connections Optional Allowing the establishment of a Non Direct EBGP connection Optional Configuring a Description for a Peer Peer Group Optional Disabling Session Establishment to a Peer Peer Group Optional Configuring IPv6 BGP Basic Functions Logging Peer State Changes Optional Configuring IPv6 BGP Route Redistribution Optional Advertising a Default Route to a Peer Peer Group Optiona...

Page 626: ...ional 5 3 Configuring IPv6 BGP Basic Functions 5 3 1 Prerequisites Before configuring this task you need to z Specify IP addresses for interfaces z Enable IPv6 Note You need create a peer group before configuring basic functions for it For related information refer to Configuring IPv6 BGP Peer Group 5 3 2 Configuring an IPv6 Peer Follow these steps to configure an IPv6 peer To do Use the command R...

Page 627: ...ter IPv6 address family view ipv6 family Add a local route into IPv6 BGP routing table network ipv6 address prefix length short cut route policy route policy name Required Not added by default 5 3 4 Configuring a Preferred Value for Routes from a Peer Peer Group Follow these steps to configure a preferred value for routes received from a peer peer group To do Use the command Remarks Enter system v...

Page 628: ...eferred value refer to the peer ipv6 group name ipv6 address route policy route policy name import export command and the apply preferred value preferred value command 5 3 5 Specifying the Source Interface for Establishing TCP Connections Follow these steps to specify the source interface for establishing TCP connections to a BGP peer or peer group To do Use the command Remarks Enter system view s...

Page 629: ...es as the source interfaces 5 3 6 Allowing the establishment of a Non Direct EBGP connection Follow these steps to allow the establishment of EBGP connection to a non directly connected peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Allow the establishment of EBGP connection to a non direc...

Page 630: ...o a Peer Peer Group Follow these steps to disable session establishment to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Disable session establishment to a peer peer group peer ipv6 group name ipv6 address ignore Optional Not disabled by default 5 3 9 Logging Peer State Changes Follow t...

Page 631: ...on and route dampening 5 4 1 Prerequisites Before configuring this task you have z Enabled the IPv6 function z Configured the IPv6 BGP basic functions 5 4 2 Configuring IPv6 BGP Route Redistribution Follow these steps to configure IPv6 BGP route redistribution and filtering To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 ...

Page 632: ...oup peer ipv6 group name ipv6 address default route advertise route policy route policy name Required Not advertised by default Note With the peer default route advertise command used the local router advertises a default route with itself as the next hop to the specified peer peer group regardless of whether the default route is available in the routing table 5 4 4 Configuring Route Distribution ...

Page 633: ...filer routes advertised to a peer peer group peer ipv6 group name ipv6 address ipv6 prefix ipv6 prefix name export Required Not specified by default Note z Members of a peer group must have the same outbound route policy with the peer group z IPv6 BGP advertises routes passing the specified policy to peers Using the protocol argument can filter only the specified protocol routes If no protocol spe...

Page 634: ... upper limit of address prefixes imported from a peer peer group peer ipv6 group name ipv6 address route limit limit percentage Optional By default no limit on prefixes Note z Only routes passing the specified policy can be added into the local IPv6 BGP routing table z Members of a peer group can have different inbound route policies 5 4 6 Configuring IPv6 BGP and IGP Route Synchronization With th...

Page 635: ...w bgp as number Required Enter IPv6 address family view ipv6 family Configure IPv6 BGP route dampening parameters dampening half life reachable half life unreachable reuse suppress ceiling route policy route policy name Optional Not configured by default 5 5 Configuring IPv6 BGP Route Attributes This section describes how to use IPv6 BGP route attributes to modify BGP routing policy These attribut...

Page 636: ...ault local preference value Optional The value defaults to 100 Advertise routes to a peer peer group with the local router as the next hop peer ipv6 group name ipv6 address next hop local Required By default the feature is available for routes advertised to the EBGP peer peer group but not available to the IBGP peer peer group Note z To make sure an IBGP peer can find the correct next hop you can ...

Page 637: ...nfigured by default Prioritize MED values of routes from confederation peers bestroute med confederation Optional Not configured by default 5 5 4 Configuring the AS_PATH Attribute Follow these steps to configure the AS_PATH attribute To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Allow the local AS number...

Page 638: ... their holdtime values taking the shorter one as the common holdtime If the holdtime is 0 neither keepalive massage is sent nor holdtime is checked z IPv6 BGP connection soft reset After modifying a route selection policy you have to reset IPv6 BGP connections to make the new one take effect causing a short time disconnection The current IPv6 BGP implementation supports the route refresh feature t...

Page 639: ...ional The keepalive interval defaults to 60 seconds holdtime defaults to 180 seconds Configure the interval for sending the same update to a peer peer group peer ipv6 group name ipv6 address route update interval seconds Optional The interval for sending the same update to an IBGP peer or an EBGP peer defaults to 15 seconds or 30 seconds Note z Timers configured using the timer command have lower ...

Page 640: ...icy peer ipv6 group name ipv6 address keep all routes Optional Not saved by default Return to user view return Soft reset BGP connections manually refresh bgp ipv6 all ipv6 address group ipv6 group name external internal export import Required Note If the peer keep all routes command is used all routes from the peer peer group will be saved regardless of whether the filtering policy is available T...

Page 641: ...P peer group In a peer group all members enjoy a common policy Using the community attribute can make a set of IPv6 BGP routers in multiple ASs enjoy the same policy because sending of community between IPv6 BGP peers is not limited by AS To guarantee connectivity between IBGP peers you need to make them fully meshed but it becomes unpractical when there are too many IBGP peers Using route reflect...

Page 642: ...up To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Not enabled by default Enter IPv6 address family view ipv6 family Create an EBGP peer group group ipv6 group name external Required Configure the AS number for the peer group peer ipv6 group name as number as number Required Not configured by default Add an IPv6 peer into the peer group peer ipv6 a...

Page 643: ...eer group you need to create a peer and specify its AS number that can be different from AS numbers of other peers but you cannot specify AS number for the EBGP peer group 5 7 3 Configuring IPv6 BGP Community I Advertise community attribute to a peer peer group Follow these steps to advertise community attribute to a peer peer group To do Use the command Remarks Enter system view system view Enter...

Page 644: ... BGP community you need to configure a routing policy to define the community attribute and apply the routing policy to route advertisement 5 7 4 Configuring an IPv6 BGP Route Reflector Follow these steps to configure an IPv6 BGP route reflector To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Configure the...

Page 645: ...ed routing information display bgp ipv6 network Display IPv6 BGP AS path information display bgp ipv6 paths as regular expression Display IPv6 BGP peer peer group information display bgp ipv6 peer ipv6 group name log info ipv6 address log info verbose Display IPv6 BGP routing table information display bgp ipv6 routing table ipv6 address prefix length Display IPv6 BGP routing information matching a...

Page 646: ...ngth statistic Display IPv6 BGP routing information matching a regular expression display bgp ipv6 routing table regular expression as regular expression Display IPv6 BGP routing statistics display bgp ipv6 routing table statistic 5 8 2 Resetting IPv6 BGP Connections To do Use the command Remarks Perform soft reset on IPv6 BGP connections refresh bgp ipv6 ipv6 address all external group ipv6 group...

Page 647: ...ng figure are all IPv6 BGP switches Between Switch A and Switch B is an EBGP connection Switch B Switch C and Switch D are IBGP fully meshed II Network diagram Figure 5 1 IPv6 BGP basic configuration network diagram III Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure IBGP connections Configure Switch B SwitchB system view SwitchB ipv6 SwitchB bgp 65009 SwitchB...

Page 648: ... bgp ipv6 family SwitchD bgp af ipv6 peer 9 1 1 as number 65009 SwitchD bgp af ipv6 peer 9 2 1 as number 65009 SwitchD bgp af ipv6 quit SwitchD bgp quit 3 Configure the EBGP connection Configure Switch A SwitchA system view SwitchA ipv6 SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp ipv6 family SwitchA bgp af ipv6 peer 10 1 as number 65009 SwitchA bgp af ipv6 quit SwitchA bgp quit Con...

Page 649: ... state 2 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 9 3 1 4 65009 4 4 0 0 00 02 18 Established 9 2 2 4 65009 4 5 0 0 00 01 52 Established Switch A and B established an EBGP connection Switch B C and D established IBGP connections with each other 5 9 2 IPv6 BGP Route Reflector Configuration I Network requirements Switch B receives an EBGP update and sends it to Switch C which is configure...

Page 650: ...tchB bgp ipv6 family SwitchB bgp af ipv6 peer 100 1 as number 100 SwitchB bgp af ipv6 peer 101 1 as number 200 SwitchB bgp af ipv6 peer 101 1 next hop local Configure Switch C SwitchC system view SwitchC ipv6 SwitchC bgp 200 SwitchC bgp router id 3 3 3 3 SwitchC bgp ipv6 family SwitchC bgp af ipv6 peer 101 2 as number 200 SwitchC bgp af ipv6 peer 102 2 as number 200 Configure Switch D SwitchD syst...

Page 651: ...s any two routers need to establish a TCP session using port 179 and exchange open messages successfully III Processing steps 1 Use the display current configuration command to verify the peer s AS number 2 Use the display bgp ipv6 peer command to verify the peer s IPv6 address 3 If the loopback interface is used check whether the peer connect interface command is configured 4 If the peer is not d...

Page 652: ...o filter routing information For example a router receives or advertises only routing information that matches the criteria of a routing policy a routing protocol redistributes routes from another protocol only routes matching the criteria of a routing policy and modifies some attributes of these routes to satisfy its needs using the routing policy To implement a routing policy you need to define ...

Page 653: ...bute field to identify a community A community list specifies matching conditions based on the community attribute V Extended community list Extended community list extcommunity list applies to IPv6 BGP only It is used for Route Target extcommunity for VPN VI Routing policy A routing policy is used to match against some attributes in given routing information and modify the attributes of the infor...

Page 654: ...ix list can comprise multiple items Each item specifies a matching address range in the form of network prefix which is identified by index number During matching the system compares the route to each item in the ascending order of index number If one item is matched the route passes the IP prefix list without needing to match the next item Follow these steps to define an IPv6 prefix list To do Us...

Page 655: ...ACL Follow these steps to define an AS path ACL To do Use the command Remarks Enter system view system view Define an AS path ACL ip as path as path number deny permit regular expression Required Not defined by default 6 2 4 Defining a Community List You can define multiple items for a community list that is identified by number During matching the relation between items is logic OR that is if rou...

Page 656: ...g a Routing Policy A routing policy is used to filter routing information according to some attributes and modify some attributes of the routing information that matches the routing policy Match criteria can be configured using filters above mentioned A routing policy can comprise multiple nodes each node contains z if match clauses Define the match criteria that routing information must satisfy T...

Page 657: ... can neither pass the node nor go to the next node If route information cannot match any if match clause of the node it will go to the next node for a match z When a routing policy is defined with more than one node at least one node should be configured with the permit keyword If the routing policy is used to filter routing information routing information that does not meet any node s conditions ...

Page 658: ...lt Match routes having specified outbound interface s if match interface interface type interface number 1 16 Optional Not configured by default Match routes having the specified route type if match route type internal external type1 external type2 external type1or2 is is level 1 is is level 2 nssa external type1 nssa external type2 nssa external type1or2 Optional Not configured by default Match t...

Page 659: ...attribute for IPv6 BGP routes apply community none additive community number 1 16 aa nn 1 16 internet no export subconfed no export no advertise additive Optional Not set by default Set a cost for routes apply cost value Optional Not set by default Set a cost type for routes apply cost type external internal type 1 type 2 Optional Not set by default Set the extended community attribute for IPv6 BG...

Page 660: ...g the Routing Policy To do Use the command Remarks Display IPv6 BGP AS path ACL information display ip as path as path number Display IPv6 BGP community list information display ip community list basic community list number adv community list number Display IPv6 BGP extended community list information display ip extcommunity list ext comm list number Display IPv6 prefix list statistics display ip ...

Page 661: ... view SwitchA ipv6 SwitchA interface vlan interface 100 SwitchA Vlan interface100 ipv6 address 10 1 32 SwitchA Vlan interface100 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 ipv6 address 11 1 32 SwitchA Vlan interface200 quit Enable RIPng on VLAN interface 100 SwitchA interface vlan interface 100 SwitchA Vlan interface100 ripng 1 enable SwitchA Vlan interface100 quit Configu...

Page 662: ...ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 7D58 0 CA03 1 on Vlan interface 100 Dest 10 32 via FE80 7D58 0 CA03 1 cost 1 tag 0 A 18 Sec Dest 20 32 via FE80 7D58 0 CA03 1 cost 1 tag 0 A 8 Sec Dest 40 32 via FE80 7D58 0 CA03 1 cost 1 tag 0 A 3 Sec 6 6 Troubleshooting Routing Policy Configuration 6 6 1 IPv4 Routing Information Filtering Failure I Symptom Filtering routi...

Page 663: ...mation failed while routing protocol runs normally II Analysis At least one item of the IPv6 prefix list should be configured as permit mode and at least one node of the Route policy should be configured as permit mode III Processing procedure 1 Use the display ip ipv6 prefix command to display IP prefix list information 2 Use the display route policy command to display routing policy information ...

Page 664: ...otocols and Standards 2 6 2 2 IGMP Snooping Configuration Task List 2 6 2 3 Configuring Basic Functions of IGMP Snooping 2 8 2 3 1 Configuration Prerequisites 2 8 2 3 2 Enabling IGMP Snooping 2 8 2 3 3 Configuring the Version of IGMP Snooping 2 8 2 4 Configuring IGMP Snooping Port Functions 2 9 2 4 1 Configuration Prerequisites 2 9 2 4 2 Configuring Aging Timers for Dynamic Ports 2 9 2 4 3 Configu...

Page 665: ... 3 3 Configuring Basic Functions of MLD Snooping 3 7 3 3 1 Configuration Prerequisites 3 7 3 3 2 Enabling MLD Snooping 3 7 3 3 3 Configuring the Version of MLD Snooping 3 8 3 4 Configuring MLD Snooping Port Functions 3 8 3 4 1 Configuration Prerequisites 3 8 3 4 2 Configuring Aging Timers for Dynamic Ports 3 9 3 4 3 Configuring Static Ports 3 10 3 4 4 Configuring Simulated Joining 3 10 3 4 5 Confi...

Page 666: ...ments in IGMPv3 5 4 5 1 5 Protocols and Standards 5 6 5 2 IGMP Configuration Task List 5 6 5 3 Configuring Basic Functions of IGMP 5 7 5 3 1 Configuration Prerequisites 5 7 5 3 2 Enabling IGMP 5 7 5 3 3 Configuring IGMP Versions 5 8 5 3 4 Configuring a Static Member of a Multicast Group 5 8 5 3 5 Configuring a Multicast Group Filter 5 9 5 4 Adjusting IGMP Performance 5 9 5 4 1 Configuration Prereq...

Page 667: ...SM 6 30 6 4 1 PIM SSM Configuration Task List 6 30 6 4 2 Configuration Prerequisites 6 30 6 4 3 Enabling PIM SM 6 31 6 4 4 Configuring the SSM Group Range 6 31 6 5 Configuring PIM Common Information 6 32 6 5 1 PIM Common Information Configuration Task List 6 32 6 5 2 Configuration Prerequisites 6 33 6 5 3 Configuring a PIM Filter 6 33 6 5 4 Configuring PIM Hello Options 6 34 6 5 5 Configuring PIM ...

Page 668: ...A Message Filtering Rule 7 15 7 5 5 Configuring SA Message Cache 7 16 7 6 Displaying and Maintaining MSDP 7 16 7 7 MSDP Configuration Examples 7 17 7 7 1 Example of Leveraging BGP Routes 7 17 7 7 2 Anycast RP Configuration Example 7 23 7 7 3 Static RPF Peer Configuration Example 7 27 7 8 Troubleshooting MSDP 7 31 7 8 1 MSDP Peers Stay in Down State 7 31 7 8 2 No SA Entries in the Router s SA Cache...

Page 669: ... Multicast Forwarding Table Size 8 9 8 3 8 Tracing a Multicast Path 8 10 8 4 Displaying and Maintaining Multicast Routing and Forwarding 8 11 8 5 Configuration Examples 8 12 8 5 1 Multicast Static Route Configuration 8 12 8 6 Troubleshooting Multicast Routing and Forwarding 8 14 8 6 1 Multicast Static Route Failure 8 14 8 6 2 Multicast Data Fails to Reach Receivers 8 15 ...

Page 670: ...sue of point to multipoint data transmission By allowing high efficiency point to multipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added services such as live Webcasting Web TV distance learning telemedicine Web radio real time videoconferencing and other band...

Page 671: ...o the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information to each of these users This means a tremendous pressure on the information source and the network bandwidth As we can see from the information transmission process unicast is not suitable for batch transmission of information II Broadca...

Page 672: ...o specific hosts moreover broadcast transmission is a significant usage of network resources III Multicast As discussed above the unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption The multicast technique has solved this problem When some hosts on the network need multicast information the multicast source Source in th...

Page 673: ...stributed an increase of the number of hosts will not remarkably add to the network load z Over broadcast As multicast data is sent only to the receivers that need it multicast uses the network bandwidth reasonably and brings no waste of network resources and enhances network security 1 1 2 Roles in Multicast The following roles are involved in multicast transmission z An information sender is ref...

Page 674: ... or joins another group Note z A multicast source does not necessarily belong to a multicast group Namely a multicast source is not necessarily a multicast data receiver z A multicast source can send data to multiple multicast groups at the same time and multiple multicast sources can send data to the same multicast group at the same time 1 1 3 Advantages and Applications of Multicast I Advantages...

Page 675: ...del uses a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources 1 3 Multicast Architecture IP multicast addresses the following questions z Where should the multicast source transmit information to multicast addressing z What receivers exist on the network host registratio...

Page 676: ...es can be used by routing protocols and for topology searching protocol maintenance and so on Commonly used permanent group addresses are listed in Table 1 3 A packet destined for an address in this block will not be forwarded beyond the local subnet regardless of the Time to Live TTL value in the IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types ...

Page 677: ...uration Protocol DHCP server relay agent 224 0 0 13 All Protocol Independent Multicast PIM routers 224 0 0 14 Resource Reservation Protocol RSVP encapsulation 224 0 0 15 All Core Based Tree CBT routers 224 0 0 16 Designated Subnetwork Bandwidth Management SBM 224 0 0 17 All SBMs 224 0 0 18 Virtual Router Redundancy Protocol VRRP II IPv6 Multicast Addresses As defined in RFC 4291 the format of an I...

Page 678: ...e local scope 2 Link local scope 4 Admin local scope 5 Site local scope 6 7 9 through D Unassigned 8 Organization local scope E Global scope III Ethernet multicast MAC addresses When a unicast IP packet is transmitted over Ethernet the destination MAC address is the MAC address of the receiver When a multicast packet is transmitted over Ethernet however the destination address is a multicast MAC a...

Page 679: ...t As a result 32 multicast IPv4 addresses map to the same MAC address Therefore in Layer 2 multicast forwarding a device may receive some multicast data addressed for other IPv4 multicast groups and such redundant data needs to be filtered by the upper layer 2 IPv6 multicast MAC addresses The high order 16 bits of an IPv6 multicast MAC address are 0x3333 and the low order 32 bits are the low order...

Page 680: ...z IGMP Snooping IGMP multicast VLAN PIM and MSDP are for IPv4 MLD Snooping MLD IPv6 multicast VLAN and IPv6 PIM are for IPv6 This section provides only general descriptions about applications and functions of the Layer 2 and Layer 3 multicast protocols in a network For details of these protocols refer to the respective chapters I Layer 3 multicast protocols Layer 3 multicast protocols include mult...

Page 681: ...bution trees within an AS so as to deliver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in two modes dense mode often referred to as PIM DM and sparse mode often referred to as PIM SM z An inter domain multicast routing protocol is used for delivery of m...

Page 682: ...d extra burden on the Layer 3 device 1 4 Multicast Packet Forwarding Mechanism In a multicast model a multicast source sends information to the host group identified by the multicast group address in the destination address field of IP multicast packets Therefore to deliver multicast packets to receivers located in different parts of the network multicast routers on the forwarding path usually nee...

Page 683: ...ing IGMP Snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups 2 1 1 Principle of IGMP Snooping By analyzing received IGMP messages a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 2 1 when IGMP Snooping is not runn...

Page 684: ...r port A router port is a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or IGMP querier In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B are router ports The switch registers all its local router ports including static and dynamic router ports in its router port list z Member port A member port is a port on the Ethernet switch that lea...

Page 685: ...essages and actions Timer Description Message before expiry Action after expiry Router port aging timer For each router port the switch sets a timer initialized to the aging time of the route port IGMP general query of which the source address is not 0 0 0 0 or PIM hello The switch removes this port from its router port list Member port aging timer When a port joins a multicast group the switch se...

Page 686: ...ces z Upon receiving an IGMP query a multicast group member host responds with an IGMP report z When intended to join a multicast group a host sends an IGMP report to the multicast router to announce that it is interested in the multicast information addressed to that group Upon receiving an IGMP report the switch forwards it through all the router ports in the VLAN resolves the address of the rep...

Page 687: ...s a group specific IGMP leave group message on a member port it first checks whether a forwarding table entry for that group exists and if one exists whether its outgoing port list contains that port z If the forwarding table entry does not exist or if its outgoing port list does not contain the port the switch discards the IGMP leave group message instead of forwarding it to any port z If the for...

Page 688: ...normal way 2 In only PIM is enabled on the switch z The switch broadcasts IGMP messages as unknown messages in the VLAN z Upon receiving a PIM hello message the switch will maintain the corresponding router port 3 When IGMP is disabled on the switch or when IGMP forwarding entries are cleared by using the reset igmp group command z If PIM is disabled the switch clears all its Layer 2 multicast ent...

Page 689: ...onfiguring Maximum Multicast Groups that Can Be Joined on a Port Optional Configuring an IGMP Snooping Policy Configuring Multicast Group Replacement Optional Note z Configurations made in IGMP Snooping view are effective for all VLANs while configurations made in VLAN view are effective only for ports belonging to the current VLAN For a given VLAN a configuration made in IGMP Snooping view is eff...

Page 690: ... Disabled by default Return to system view quit Enter VLAN view vlan vlan id Enable IGMP Snooping in the VLAN igmp snooping enable Required Disabled by default Note z IGMP Snooping must be enabled globally before it can be enabled in a VLAN z After enabling IGMP Snooping in a VLAN you cannot enable IGMP and or PIM on the corresponding VLAN interface and vice versa z When you enable IGMP Snooping i...

Page 691: ...tatic Ports 2 4 Configuring IGMP Snooping Port Functions 2 4 1 Configuration Prerequisites Before configuring IGMP Snooping port functions complete the following tasks z Enable IGMP Snooping in the VLAN or enable IGMP on the desired VLAN interface z Configure the corresponding port groups Before configuring IGMP Snooping port functions prepare the following data z Aging time of router ports z Agin...

Page 692: ...rts in a VLAN Follow these steps to configure aging timers for dynamic ports in a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure router port aging time igmp snooping router aging time interval Optional 105 seconds by default Configure member port aging time igmp snooping host aging time interval Optional 260 seconds by default 2 4 3 Configur...

Page 693: ...does not respond to queries from the IGMP querier when static G or S G joining is enabled or disabled on a port the port does not send an unsolicited IGMP report or an IGMP leave group message z Static member ports and static router ports never age out To remove such a port you need to use the corresponding command 2 4 4 Configuring Simulated Joining Generally a host running IGMP responds to IGMP ...

Page 694: ...ed by default Note z Each simulated host is equivalent to an independent host For example when receiving an IGMP query the simulated host corresponding to each configuration responds respectively z The IGMP version of a simulated host is the same as the IGMP Snooping version current running on the device z Unlike a static member port a port configured as a simulated member host will age out like a...

Page 695: ... Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Required Use either command Enable fast leave processing igmp snooping fast leave vlan vlan list Required Disabled by default Caution If fast leave processing is enabled on a port to which more than one host is attached when one host ...

Page 696: ... the Layer 2 switch will act as the IGMP Snooping querier to send IGMP queries thus allowing multicast forwarding entries to be established and maintained at the data link layer Follow these steps to enable IGMP Snooping querier To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Enable IGMP Snooping querier igmp snooping querier Required Disabled by default Ca...

Page 697: ...c queries the maximum response time equals to the IGMP last member query interval I Configuring IGMP queries and responses globally Follow these steps to configure IGMP queries and responses globally To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Configure the maximum response time to IGMP general queries max response time interval Optional 10 se...

Page 698: ...st forwarding entries from being correctly created at the data link layer and cause multicast traffic forwarding failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem you are commended to configure a non all zero IP address as the source IP address of IGMP queries Follow these steps to configure source IP address of IGMP queries To do Use the comm...

Page 699: ...an actual application when a user requests a multicast program the user s host initiates an IGMP report Upon receiving this report message the switch checks the report against the configured ACL rule If the port on which the report was heard can join this multicast group the switch adds an entry for this port in the IGMP Snooping forwarding table otherwise the switch drops this report message Any ...

Page 700: ...data refers to multicast data for which no entries exist in the IGMP Snooping forwarding table When the switch receives such multicast traffic z With the function of dropping unknown multicast data enabled the switch drops all the unknown multicast data received z With the function of dropping unknown multicast data disabled the switch floods unknown multicast data in the VLAN which the unknown mu...

Page 701: ...nooping view igmp snooping Enable IGMP report suppression report aggregation Optional Enabled by default 2 6 5 Configuring Maximum Multicast Groups that Can Be Joined on a Port By configuring the maximum number of multicast groups that can be joined on a port you can limit the number of multicast programs on demand available to users thus to regulate traffic on the port Follow these steps to confi...

Page 702: ...exceed the number configured for the switch or the port In addition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically A typical example is channel switching namely by joining a new multicast group a user automatically switches from the current multicast group to the new one To address such situations you can enable...

Page 703: ...to configure the maximum number of multicast groups allowed on a port refer to Configuring Maximum Multicast Groups that Can Be Joined on a Port before configuring multicast group replacement Otherwise the multicast group replacement functionality will not take effect 2 7 Displaying and Maintaining IGMP Snooping To do Use the command Remarks View the information of IGMP Snooping forwarding table e...

Page 704: ...joins 2 8 IGMP Snooping Configuration Examples 2 8 1 Configuring Simulated Joining I Network requirements As shown in Figure 2 3 Router A connects to the multicast source through Ethernet 1 0 2 and to Switch A through Ethernet 1 0 1 Router A is the IGMP querier on the subnet Perform the following configuration so that multicast data can be forwarded through Ethernet 1 0 3 and Ethernet 1 0 4 even i...

Page 705: ...net1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 100 assign Ethernet 1 0 1 through Ethernet 1 0 4 to this VLAN and enable IGMP Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 to ethernet 1 0 4 SwitchA vlan100 quit SwitchA vlan100 igmp snooping enable SwitchA vlan100 igmp snoop...

Page 706: ...Ethernet 1 0 3 and Ethernet 1 0 4 of Switch A is listening to multicast streams that the multicast source 1 1 1 1 sends to the multicast group 224 1 1 1 0 0 0 0 224 1 1 1 2 8 2 Static Router Port Configuration I Network requirements z As shown in Figure 2 4 Router A connects to a multicast source Source through Ethernet 1 0 2 and to Switch A through Ethernet 1 0 1 z IGMP is to run between Router A...

Page 707: ...interrupted during this process II Network diagram Source 1 1 1 1 24 Router A IGMP querier Eth1 0 1 10 1 1 1 24 Eth1 0 2 1 1 1 2 24 Switch A Switch C Switch B Eth1 0 1 Eth1 0 2 Eth1 0 2 Host C Host B Host A Receiver Receiver Eth1 0 5 Figure 2 4 Network diagram for static router port configuration III Configuration procedure 1 Configure the IP address of each interface Configure an IP address and s...

Page 708: ...ble SwitchA vlan100 quit Configure Ethernet 1 0 3 to be a static router port SwitchA interface ethernet 1 0 3 SwitchA Ethernet1 0 3 igmp snooping static router port vlan 100 SwitchA Ethernet1 0 3 quit 4 Configure Switch B Enable IGMP Snooping globally SwitchB system view SwitchB igmp snooping SwitchB igmp snooping quit Create VLAN 100 assign Ethernet 1 0 1 and Ethernet 1 0 2 to this VLAN and enabl...

Page 709: ... 01 30 Eth1 0 3 S IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Attribute Host Port Host port s total 1 port Eth1 0 2 D 00 03 23 MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port Eth1 0 2 As shown above Ethernet 1 0 3 of Switch A has become a static router port 2 8 3 IGMP Snooping Querier Configuration I Network requirem...

Page 710: ...tchA igmp snooping SwitchA igmp snooping quit Create VLAN 100 and add Ethernet 1 0 1 and Ethernet 1 0 2 to VLAN 100 SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 ethernet 1 0 2 Enable IGMP Snooping in VLAN 100 and configure the IGMP Snooping querier feature SwitchA vlan100 igmp snooping enable SwitchA vlan100 igmp snooping querier Set the source IP address of IGMP general queries and group ...

Page 711: ...n this VLAN SwitchC vlan 100 SwitchC vlan100 port ethernet 1 0 1 to ethernet 1 0 3 SwitchC vlan100 igmp snooping enable 4 Verify the configuration View the IGMP message statistics on Switch C SwitchC vlan100 display igmp snooping statistics Received IGMP general queries 3 Received IGMPv1 reports 0 Received IGMPv2 reports 4 Received IGMP leaves 0 Received IGMPv2 specific queries 0 Sent IGMPv2 speci...

Page 712: ... Symptom Although a multicast group policy has been configured to allow hosts to join specific multicast groups the hosts can still receive multicast data addressed to other multicast groups II Analysis z The ACL rule is incorrectly configured z The multicast group policy is not correctly applied z Certain ports have been configured as static member ports of multicasts groups and this configuratio...

Page 713: ... S3610 S5510 Series Ethernet Switches Chapter 2 IGMP Snooping Configuration 2 31 whether this configuration conflicts with the configured multicast group policy If any conflict exists remove the port as a static member of the multicast group ...

Page 714: ...Snooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups 3 1 1 Introduction to MLD Snooping By analyzing received MLD messages a Layer 2 device running MLD Snooping establishes mappings between ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As shown in Figure 3 1 when MLD S...

Page 715: ... a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or MLD querier In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B are router ports The switch registers all its local router ports including static and dynamic router ports in its router port list z Member port A member port also known as IPv6 multicast group member port is a port on the E...

Page 716: ...e before expiry Action after expiry Router port aging timer For each router port the switch sets a timer initialized to the aging time of the route port MLD general query of which the source address is not 0 0 or IPv6 PIM hello The switch removes this port from its router port list Member port aging timer When a port joins an IPv6 multicast group the switch sets a timer for the port which is initi...

Page 717: ...t responds with an MLD report z When intended to join an IPv6 multicast group a host sends an MLD report to the multicast router to announce that it is interested in the multicast information addressed to that IPv6 multicast group Upon receiving an MLD report the switch forwards it through all the router ports in the VLAN resolves the address of the reported IPv6 multicast group and performs the f...

Page 718: ...ch does not know whether any other hosts attached to the port are still listening to that IPv6 multicast group address the switch does not immediately removes the port from the outgoing port list of the forwarding table entry for that group instead it resets the member port aging timer for the port Upon receiving an MLD done message from a host the MLD querier resolves from the message the address...

Page 719: ... Optional Configuring Aging Timers for Dynamic Ports Optional Configuring Static Ports Optional Configuring Simulated Joining Optional Configuring MLD Snooping Port Functions Configuring Fast Leave Processing Optional Enabling MLD Snooping Querier Optional Configuring MLD Queries and Responses Optional Configuring MLD Snooping Querier Configuring Source IPv6 Addresses of MLD Queries Optional Confi...

Page 720: ...the current port group For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet port view or port group view 3 3 Configuring Basic Functions of MLD Snooping 3 3 1 Configuration Prerequisites Before configuring the basic functions of MLD Snooping complete the following tasks z Configure the corresponding VLANs Before configuring ...

Page 721: ...flooded in the VLAN z MLD Snooping version 2 can process MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of MLD Snooping mld snooping version version number Optional Version 1 by default Caution If you switch MLD Snooping from version 2 to version 1 th...

Page 722: ...ing timer of the port for that group expires If IPv6 multicast group memberships change frequently you can set a relatively small value for the member port aging timer and vice versa I Configuring aging timers for dynamic ports globally Follow these steps to configure aging timers for dynamic ports globally To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld sno...

Page 723: ... static group ipv6 group address source ip ipv6 source address vlan vlan id Required Disabled by default Configure the port s as static router port s mld snooping static router port vlan vlan id Required Disabled by default Note z The IPv6 static S G joining function is available only if a valid IPv6 multicast source address is specified and MLD Snooping version 2 is currently running on the switc...

Page 724: ...w system view Enter Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Required Use either command Configure simulated joining mld snooping host join ipv6 group address source ip ipv6 source address vlan vlan id Required Disabled by default Note z Each simulated host is equivalent to a...

Page 725: ...ist Required Disabled by default II Configuring fast leave processing on a port or a group of ports Follow these steps to configure fast leave processing on a port or a group of ports To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggr...

Page 726: ...sending periodic MLD general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called MLD querier However a Layer 2 multicast switch does not support MLD and therefore cannot send MLD general queries by default By enabling MLD Snooping querier on a L...

Page 727: ...eport to the corresponding IPv6 multicast group An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids burstiness of MLD traffic on the network caused by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For MLD general queries you can configure the maximum response time to...

Page 728: ...tional 1 second by default Caution Make sure that the MLD query interval is greater than the maximum response time for MLD general queries otherwise undesired deletion of IPv6 multicast members may occur 3 5 4 Configuring Source IPv6 Addresses of MLD Queries This configuration allows you to change the source IPv6 address of MLD queries Follow these steps to configure source IPv6 addresses of MLD q...

Page 729: ...s available to different users In an actual application when a user requests a multicast program the user s host initiates an MLD report Upon receiving this report message the switch checks the report against the configured ACL rule If the port on which the report was heard can join this IPv6 multicast group the switch adds an entry for this port in the MLD Snooping forwarding table otherwise the ...

Page 730: ...gured by default namely hosts can join any IPv6 multicast group 3 6 3 Configuring Dropping Unknown IPv6 Multicast Data Unknown IPv6 multicast data refers to IPv6 multicast data for which no forwarding entries exist in the MLD Snooping forwarding table When the switch receives such IPv6 multicast traffic z With the function of dropping unknown IPv6 multicast data enabled the switch drops all unknow...

Page 731: ...rk Follow these steps to configure MLD report suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default 3 6 5 Configuring Maximum Multicast Groups that that Can Be Joined on a Port By configuring the maximum number of IPv6 multicast groups that can be joined on a port or ...

Page 732: ...ed the number configured for the switch or the port In addition in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joining the new multicast a user automatically switches from the current IPv6 multicast group to the one To address this situation you can ena...

Page 733: ... sure to configure the maximum number of IPv6 multicast groups allowed on a port refer to Configuring Maximum Multicast Groups that that Can Be Joined on a Port before configuring IPv6 multicast group replacement Otherwise the IPv6 multicast group replacement functionality will not take effect 3 7 Displaying and Maintaining MLD Snooping To do Use the command Remarks View the information about MLD ...

Page 734: ...0 2 and to Switch A through Ethernet 1 0 1 Router A is the MLD querier on the subnet Perform the following configuration so that multicast data can be forwarded through Ethernet 1 0 3 and Ethernet 1 0 4 even if Host A and Host B temporarily stop receiving IPv6 multicast data for some unexpected reasons II Network diagram Source Router A Switch A Receiver Receiver Host B Host A Host C Eth1 0 1 Eth1...

Page 735: ...net 1 0 1 through Ethernet 1 0 4 to this VLAN and enable MLD Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 to ethernet 1 0 4 SwitchA vlan100 mld snooping enable SwitchA vlan100 quit Enable simulated S G joining on Ethernet 1 0 3 and Ethernet 1 0 4 SwitchA interface ethernet 1 0 3 SwitchA Ethernet1 0 3 mld snooping host join ff1e 101 vlan 100 SwitchA Ethernet1 0 3 quit S...

Page 736: ...Router Port Configuration I Network requirements z As shown in Figure 3 4 Router A connects to an IPv6 multicast source Source through Ethernet 1 0 2 and to Switch A through Ethernet 1 0 1 z MLD is to run between Router A and Switch A and MLD Snooping is to run on Switch A Switch B and Switch C with Router A acting as the MLD querier z Suppose STP runs on the network To avoid data loops the forwar...

Page 737: ...h C Switch B Eth1 01 E t h 1 0 2 E t h 1 0 3 E t h 1 0 1 Eth1 0 2 E t h 1 0 1 Eth1 0 2 Host C Host B Host A Receiver Receiver E t h 1 0 3 E t h 1 0 4 Eth1 0 5 Figure 3 4 Network diagram for static router port configuration III Configuration procedure 1 Configure the IPv6 address of each interface Configure an IP address and prefix length for each interface as per Figure 3 4 2 Configure Router A En...

Page 738: ...1 0 3 mld snooping static router port vlan 100 SwitchA Ethernet1 0 3 quit 4 Configure Switch B Enable MLD Snooping globally SwitchB system view SwitchB mld snooping SwitchB mld snooping quit Create VLAN 100 assign Ethernet 1 0 1 and Ethernet 1 0 2 to this VLAN and enable MLD Snooping in the VLAN SwitchB vlan 100 SwitchB vlan100 port ethernet 1 0 1 ethernet 1 0 2 SwitchB vlan100 mld snooping enable...

Page 739: ...0 1 D 00 01 30 Eth1 0 3 S IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Attribute Host Port Host port s total 1 port Eth1 0 2 D 00 03 23 MAC group s MAC group address 3333 0000 0101 Host port s total 1 port Eth1 0 2 As shown above Ethernet 1 0 3 of Switch A has become a static router port 3 8 3 MLD Snooping Querier Configuration I Network requirement...

Page 740: ... 1 and Ethernet 1 0 2 to VLAN 100 SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 ethernet 1 0 2 Enable MLD Snooping in VLAN 100 and configure the MLD Snooping querier feature SwitchA vlan100 mld snooping enable SwitchA vlan100 mld snooping querier 2 Configure Switch B Enable MLD Snooping globally SwitchB system view SwitchB mld snooping SwitchB mld snooping quit Create VLAN 100 add Ethernet ...

Page 741: ... Received MLD general queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 4 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right and wrong records 0 Received MLDv2 specific queries 0 Received MLDv2 specific sg queries 0 Sent MLDv2 specific queries 0 Sent MLDv2 specific sg queries 0 Received error MLD messages 0 Switch C receiv...

Page 742: ...ast group policy is not correctly applied z Certain ports have been configured as static member ports of IPv6 multicasts groups and this configuration conflicts with the configured IPv6 multicast group policy III Solution 1 Use the display acl ipv6 command to check the configured IPv6 ACL rule Make sure that the IPv6 ACL rule conforms to the IPv6 multicast group policy to be implemented 2 Use the ...

Page 743: ...AN This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 4 1 Before and after multicast VLAN is enabled on the Layer 2 device To solve this problem you can enable the multicast VLAN feature on Switch A namely configure the VLANs to which these hosts belong as sub VLANs of a multicast VLAN on the Layer 2 device and enable Layer 2 multicast in the mul...

Page 744: ... VLANs of the multicast VLAN must not be multicast VLANs z The VLANs to be configured as the sub VLANs of the multicast VLAN must not be sub VLANs of another multicast VLAN z The number of sub VLANs of the multicast VLAN must not exceed the system defined limit an S3610 or S5510 series Ethernet switch supports up to 16 multicast VLANs and supports up to 1000 sub VLANs for each multicast VLAN The t...

Page 745: ...s required on Switch A Router A is the IGMP querier z Switch A s Ethernet 1 0 1 belongs to VLAN 1024 Ethernet 1 0 2 through Ethernet 1 0 4 belong to VLAN 11 through VLAN 13 respectively and Host A through Host C are attached to Ethernet 1 0 2 through Ethernet 1 0 4 of Switch A z Configure the multicast VLAN feature so that Router A just sends multicast data to VLAN 1024 rather than to each VLAN wh...

Page 746: ...0 2 RouterA Ethernet1 0 2 pim dm RouterA Ethernet1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 11 and assign Ethernet 1 0 2 to this VLAN SwitchA vlan 11 SwitchA vlan11 port ethernet 1 0 2 SwitchA vlan11 quit The configuration for VLAN 12 and VLAN 13 is similar to the configuration for VLAN 11 Create VL...

Page 747: ...Operation Manual Multicast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 4 Multicast VLAN Configuration 4 5 SwitchA display multicast vlan multicast vlan 1024 s subvlan list Vlan 11 13 ...

Page 748: ...ew As a TCP IP protocol responsible for IP multicast group member management the Internet Group Management Protocol IGMP is used by IP hosts to establish and maintain their multicast group memberships to immediately neighboring multicast routers 5 1 1 IGMP Versions So far there are three IGMP versions z IGMPv1 documented in RFC 1112 z IGMPv2 documented in RFC 2236 z IGMPv3 documented in RFC 3376 A...

Page 749: ...uired to determine which router will act as the IGMP querier on the subnet In IGMPv1 the designated router DR elected by a multicast routing protocol such as PIM serves as the IGMP querier Note For more information about DR refer to DR election Figure 5 1 Joining multicast groups Assume that Host B and Host C are expected to receive multicast data addressed to multicast group G1 while Host A is ex...

Page 750: ... the G1 and G2 multicast forwarding entries exist on the IGMP router the router forwards the multicast data to the local subnet and then the receivers on the subnet receive the data As IGMPv1 does not specifically define a Leave Group message upon leaving a multicast group an IGMPv1 host stops sending reports with the destination address being the address of that multicast group If no member of a ...

Page 751: ...3 One of the remaining members if any on the subnet of the group being queried should send a membership report within the maximum response time set in the query messages 4 If the querier receives a membership report for the group within the maximum response time it will maintain the memberships of the group otherwise the querier will assume that no hosts on the subnet are still interested in multi...

Page 752: ...ted as S2 G Thus only multicast data from Source 1 will be delivered to Host B II Enhancements in query and report capabilities 1 Query message carrying the source addresses IGMPv3 supports not only general queries feature of IGMPv1 and group specific queries feature of IGMPv2 but also group and source specific queries z A general query does not carry a group address nor a source address z A group...

Page 753: ...e list z BLOCK indicates that the Source Address fields in this Group Record contain a list of the sources that the system no longer wishes to hear from for packets sent to the specified multicast address If the change was to an Include source list these are the addresses that were deleted from the list if the change was to an Exclude source list these are the addresses that were added to the list...

Page 754: ...ring the basic functions of IGMP complete the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configure PIM DM or PIM SM Before configuring the basic functions of IGMP prepare the following data z IGMP version z Multicast group and multicast source addresses for static group member configuration z ACL rule for mult...

Page 755: ...ollow these steps to configure an IGMP version on an interface To do Use the command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure an IGMP version on the interface igmp version version number Optional IGMPv2 by default 5 3 4 Configuring a Static Member of a Multicast Group After an interface is configured as a static member o...

Page 756: ...n IGMP view are effective on all interfaces while configurations performed in Ethernet port view are effective on the current interface only z If the same feature is configured in both IGMP view and Ethernet port view the configuration performed in Ethernet port view is given priority regardless of the configuration sequence 5 4 1 Configuration Prerequisites Before adjusting IGMP performance compl...

Page 757: ...messages are directly passed to the upper layer protocol no matter whether the IGMP messages carry the Router Alert option or not z To enhance the device performance and avoid unnecessary costs and also for the consideration of protocol security you can configure the device to discard IGMP messages that do not carry the Router Alert option I Configuring IGMP packet options globally Follow these st...

Page 758: ...ket losses on a network Therefore a greater value of the robustness variable makes the IGMP querier more robust but results in a longer multicast group timeout time Upon receiving an IGMP query general query or group specific query a host starts a delay timer for each multicast group it has joined This timer is initialized to a random value in the range of 0 to the maximum response time which is d...

Page 759: ...y default Configure the IGMP last member query interval Last member query inte rval interval Optional 1 second by default Configure the other querier present interval timer other querier present interval Optional For the system default see Note below II Configuring IGMP query and response parameters on an interface Follow these steps to configure IGMP query and response parameters on an interface ...

Page 760: ...e other querier present interval is greater than the IGMP query interval otherwise the IGMP querier may change frequently on the network z Make sure that the IGMP query interval is greater than the maximum response time for IGMP general queries otherwise multicast group members may be wrongly removed z The configurations of the maximum response time for IGMP general queries the IGMP last member qu...

Page 761: ...ng entries of static joins Caution The reset igmp group command may cause an interruption of receivers reception of multicast data 5 6 IGMP Configuration Example I Network requirements z Receivers receive VOD information through the multicast mode Receivers of different organizations form stub networks N1 and N2 and Host A and Host C are receivers in N1 and N2 respectively z Switch A in the PIM ne...

Page 762: ...he switches Ensure the network layer interoperation among Switch A Switch B and Switch C on the PIM network and dynamic update of routing information among the switches through a unicast routing protocol The detailed configuration steps are omitted here 2 Enable IP multicast routing and enable IGMP on the host side interfaces Enable IP multicast routing on Switch A and enable IGMP version 3 on VLA...

Page 763: ...figuration and running status on each switch interface For example View IGMP information on VLAN interface 200 of Switch B SwitchB display igmp interface vlan interface 200 Vlan interface200 10 110 2 1 IGMP is enabled Current IGMP version is 2 Value of query interval for IGMP in seconds 60 Value of other querier timeout for IGMP in seconds 125 Value of maximum query response time for IGMP in secon...

Page 764: ...ace is abnormal Typically this is because the shutdown command has been executed on the interface or the interface connection is incorrect or no correct IP address has been configured on the interface 5 Check that no ACL rule has been configured to restrict the host from joining the multicast group G Carry out the display current configuration interface command to check whether the igmp group poli...

Page 765: ...urrent configuration command to view the IGMP configuration information on the interfaces 2 Carry out the display igmp interface command on all routers on the same subnet to check the IGMP related timer settings Make sure that the settings are consistent on all the routers 3 Use the display igmp interface command to check whether the routers are running the same version of IGMP ...

Page 766: ...les generated by any unicast routing protocol such as routing information protocol RIP open shortest path first OSPF intermediate system to intermediate system IS IS or border gateway protocol BGP Independent of the unicast routing protocols running on the device multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes PIM uses ...

Page 767: ... periodically that is pruned branches resume multicast forwarding when the pruned state times out and then data is re flooded down these branches and then are pruned again z When a new receiver on a previously pruned branch joins a multicast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch Generally speaking the multicast forwarding path is a ...

Page 768: ...2 Then nodes without receivers downstream are pruned A router having no receivers downstream sends a prune message to the upstream node to tell the upstream node to delete the corresponding interface from the outgoing interface list in the S G entry and stop forwarding subsequent packets addressed to that multicast group down to this node Note z An S G entry contains the multicast source address S...

Page 769: ...ns a multicast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch The process is as follows 1 The node that needs to receive multicast data sends a graft message hop by hop toward the source as a request to join the SPT again 2 Upon receiving this graft message the upstream node puts the interface on which the graft was received into the forward...

Page 770: ...s 224 0 0 13 through the interface on which the packet was received The assert message contains the following information the multicast source address S the multicast group address G and the preference and metric of the unicast route to the source By comparing these parameters either Router A or Router B becomes the unique forwarder of the subsequent S G packets on the multi access subnet The comp...

Page 771: ...ed to a specific multicast group the router connected to this receiver sends a join message to the RP corresponding to that multicast group The path along which the message goes hop by hop to the RP forms a branch of the RPT z When a multicast source sends a multicast packet to a multicast group the router directly connected with the multicast source first registers the multicast source with the R...

Page 772: ... messages to the RP the DR at the multicast source side sends register messages to the RP Note z A DR is elected on a multi access subnet by means of comparison of the priorities and IP addresses carried in hello messages An elected DR is substantially meaningful to PIM SM PIM DM itself does not require a DR However if IGMPv1 runs on any multi access network in a PIM DM domain a DR must be elected...

Page 773: ... To lessen the RP burden and optimize the topological structure of the RPT each multicast group should have its own RP Therefore a bootstrap mechanism is needed for dynamic RP election For this purpose a bootstrap router BSR should be configured As the administrative core of a PIM SM domain the BSR collects advertisement messages C RP Adv messages from candidate RPs C RPs and chooses the appropria...

Page 774: ...hen a receiver joins a multicast group G it uses an IGMP message to inform the directly connected DR 2 Upon getting the receiver information the DR sends a join message which is hop by hop forwarded to the RP corresponding to the multicast group 3 The routers along the path from the DR to the RP form an RPT branch Each router on this branch generates a G entry in its forwarding table The means any...

Page 775: ...egistration The purpose of multicast source registration is to inform the RP about the existence of the multicast source Figure 6 6 Multicast registration As shown in Figure 6 6 the multicast source registers with the RP as follows 1 When the multicast source S sends the first multicast packet to a multicast group G the DR directly connected with the multicast source upon receiving the multicast p...

Page 776: ...ir forwarding table and thus an SPT branch is established 2 Subsequently the receiver side DR sends a prune message hop by hop to the RP Upon receiving this prune message the RP forwards it toward the multicast source thus to implement RPT to SPT switchover After the RPT to SPT switchover multicast data can be directly sent from the source to the receivers PIM SM builds SPTs through RPT to SPT swi...

Page 777: ...scope region must be geographically independent of every other one as shown in Figure 6 7 Figure 6 7 Relationship between BSR admin scope regions and the global scope zone in geographic space BSR admin scope regions are geographically separated from one another Namely a router must not serve different BSR admin scope regions In other words different BSR admin scope regions contain different router...

Page 778: ...bal scope zone are as follows z The global scope zone and each BSR admin scope region have their own C RPs and BSR These devices are effective only in their respective admin scope regions Namely the BSR election and RP election are implemented independently within each admin scope region z Each BSR admin scope region has its own boundary The multicast information such as C RP Adv messages and BSR ...

Page 779: ... multicast source discovery protocol MSDP for discovering sources in other PIM domains Compared with the ASM model the SSM model only needs the support of IGMPv3 and some subsets of PIM SM The operation mechanism of PIM SSM can be summarized as follows z Neighbor discovery z DR election z SPT building I Neighbor discovery PIM SSM uses the same neighbor discovery mechanism as in PIM DM and PIM SM R...

Page 780: ...ith the source S as its root and receivers as its leaves This SPT is the transmission channel in PIM SSM z If not the PIM SM process is followed the DR needs to send a G join message to the RP and a multicast source registration process is needed Note In PIM SSM the channel concept is used to refer to a multicast group and the channel subscription concept is used to refer to a join message 6 1 7 P...

Page 781: ...yer Before configuring PIM DM prepare the following data z The interval between state refresh messages z Minimum time to wait before receiving a new refresh message z TTL value of state refresh messages z Graft retry period 6 2 3 Enabling PIM DM With PIM DM enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors When deploying a PIM DM...

Page 782: ...y timeout of pruned interfaces the router directly connected with the multicast source periodically sends an S G state refresh message which is forwarded hop by hop along the initial multicast flooding path of the PIM DM domain to refresh the prune timer state of all the routers on the path A router may receive multiple state refresh messages within a short time of which some may be duplicated mes...

Page 783: ...te refresh messages state refresh ttl ttl value Optional 255 by default 6 2 6 Configuring PIM DM Graft Retry Period In PIM DM graft is the only type of message that uses the acknowledgment mechanism In a PIM DM domain if a router does not receive a graft ack message from the upstream router within the specified time after it sends a graft message the router keeps sending new graft messages at a co...

Page 784: ...g a BSR Configuring global C BSR parameters Optional Configuring a static RP Optional Configuring a C RP Optional Enabling auto RP Optional Configuring an RP Configuring C RP timers Optional Configuring PIM SM Register Messages Optional Disabling RPT to SPT Switchover Optional Configuring PIM Common Information Optional 6 3 2 Configuration Prerequisites Before configuring PIM SM complete the follo...

Page 785: ... SM enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors When deploying a PIM SM domain you are recommended to enable PIM SM on all interfaces of non border routers border routers are PIM enabled routers located on the boundary of BSR admin scope regions Follow these steps to enable PIM SM To do Use the command Remarks Enter system ...

Page 786: ... as a C BSR make sure that router is PIM SM enabled The BSR election process is as follows z Initially every C BSR assumes itself to be the BSR of this PIM SM domain and uses its interface IP address as the BSR address to send bootstrap messages z When a C BSR receives the bootstrap message of another C BSR it first compares its own priority with the other C BSR s priority carried in the message T...

Page 787: ...l address range and thus this kind of attacks can be prevented The above mentioned preventive measures can partially protect the security of BSRs in a network However if a legal BSR is controlled by an attacker the above mentioned problem will also occur Follow these steps to complete basic C BSR configuration To do Use the command Remarks Enter system view system view Enter PIM view pim Configure...

Page 788: ...Rs are elected from multitudinous C BSRs to serve different multicast groups The C RPs in a BSR admin scope region send C RP Adv messages to only the corresponding BSR The BSR summarizes the advertisement messages into an RP set and advertises it to all the routers in the BSR admin scope region All the routers use the same algorithm to get the RP addresses corresponding to specific multicast group...

Page 789: ...es throughout the network periodically Any C BSR that receives a bootstrap message maintains the BSR state for a configurable period of time BSR state timeout during which no BSR election takes place When the BSR state times out a new BSR election process will be triggered among the C BSRs Follow these steps to configure global C BSR parameters To do Use the command Remarks Enter system view syste...

Page 790: ...ter is manually configured the system will use the configured value Caution In configuration make sure that the bootstrap interval is smaller than the bootstrap timeout time 6 3 5 Configuring an RP An RP can be manually configured or dynamically elected through the BSR mechanism For a large PIM network static RP configuration is a tedious job Generally static RP configuration is just a backup mean...

Page 791: ...alculate the mappings between specific group ranges and the corresponding RPs based on the RP set We recommend that you configure C RPs on backbone routers To guard against C RP spoofing you need to configure a legal C RP address range and the range of multicast groups to be served on the BSR In addition because every C BSR has a chance to become the BSR you need to configure the same filtering po...

Page 792: ...RP auto rp enable Optional Disabled by default IV Configuring C RP timers To enable the BSR to distribute the RP set information within the PIM SM domain C RPs must periodically send C RP Adv messages to the BSR The BSR learns the RP set information from the received messages and encapsulates its own IP address together with the RP set information in its bootstrap messages The BSR then floods the ...

Page 793: ...on the entire register messages However to reduce the workload of encapsulating data in register messages and for the sake of interoperability this method of checksum calculation is not recommended When receivers stop receiving multicast data addressed to a certain multicast group through the RP that is the RP stops serving the receivers of a specific multicast group or when the RP formally starts...

Page 794: ...l Optional 60 seconds by default Configure the probe time probe interval interval Optional 5 seconds by default Note Typically you need to configure the above mentioned parameters on the receiver side DR and the RP only Since both the DR and RP are elected however you should carry out these configurations on the routers that may win the DR election and on the C RPs that may win RP elections 6 3 7 ...

Page 795: ... carry out these configurations on the routers that may win the DR election and on the C RPs that may win RP elections 6 4 Configuring PIM SSM Note The PIM SSM model needs the support of IGMPv3 Therefore be sure to enable IGMPv3 on PIM routers with multicast receivers 6 4 1 PIM SSM Configuration Task List Complete these tasks to configure PIM SSM Task Remarks Enabling PIM SM Required Configuring t...

Page 796: ...t routing multicast routing enable Required Disable by default Enter Ethernet port view interface interface type interface number Enable PIM SM pim sm Required Disabled by default Caution All the interfaces of the same router must work in the same PIM mode 6 4 4 Configuring the SSM Group Range As for whether the information from a multicast source is delivered to the receivers based on the PIM SSM...

Page 797: ...a member of a multicast group in the SSM group range sends an IGMPv1 or IGMPv2 report message the device does not trigger a G join 6 5 Configuring PIM Common Information Note For the configuration tasks described in this section z Configurations performed in PIM view are effective to all interfaces while configurations performed in Ethernet port view are effective to the current interface only z I...

Page 798: ... value z Prune delay global value interface level value z Prune override interval global value interface level value z Hello interval global value interface level value z Maximum delay between hello message interface level value z Assert timeout time global value interface value z Join prune interval global value interface level value z Join prune timeout global value interface value z Multicast s...

Page 799: ...mer times out if the router has received no hello message from a neighbor it assumes that this neighbor has expired or become unreachable You can configure this parameter on all routers in the PIM domain If you configure different values for this timer on different neighboring routers the largest value will take effect z LAN_Prune_Delay the delay of prune messages on a multi access network This op...

Page 800: ...that the status of the upstream neighbor is lost or the upstream neighbor has changed In this case it triggers a join message for state update If you disable join suppression namely enable neighbor tracking the upstream router will explicitly track which downstream routers are joined to it The join suppression feature should be enabled or disabled on all PIM routers on the same subnet I Configurin...

Page 801: ...Configuring PIM Common Timers PIM routers discover PIM neighbors and maintain PIM neighboring relationships with other routers by periodically sending out hello messages Upon receiving a hello message a PIM router waits a random period which is equal to or smaller than the maximum delay between hello messages before sending out a hello message This avoids collisions that occur when multiple PIM ro...

Page 802: ...time holdtime join prune interval Optional 210 seconds by default Configure the multicast source lifetime source lifetime interval Optional 210 seconds by default II Configuring PIM common timers on an interface Follow these steps to configure PIM common timers on an interface To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface nu...

Page 803: ...Use the command Remarks Enter system view system view Enter PIM view pim Configure the maximum size of a join prune message jp pkt size packet size Optional 8 100 bytes by default Configure the maximum number of S G entries in a join prune message jp queue size queue size Optional 1 020 by default 6 6 Displaying and Maintaining PIM To do Use the command Remarks View the BSR information in the PIM ...

Page 804: ...ting table group address mask mask length mask source address mask mask length mask incoming interface interface type interface number register outgoing interface include exclude match interface type interface number register mode mode type flags flag value fsm Available in any view View the RP information display pim rp info group address Available in any view Reset PIM control message counters r...

Page 805: ...n t 1 0 2 V l a n i n t 1 0 3 V l a n i n t 1 0 3 Device Interface IP address Device Interface IP address Switch A Vlan int100 10 110 1 1 24 Switch D Vlan int300 10 110 5 1 24 Vlan int103 192 168 1 1 24 Vlan int103 192 168 1 2 24 Switch B Vlan int200 10 110 2 1 24 Vlan int101 192 168 2 2 24 Vlan int101 192 168 2 1 24 Vlan int102 192 168 3 2 24 Switch C Vlan int200 10 110 2 2 24 Vlan int102 192 168...

Page 806: ...B and Switch C is similar to that on Switch A Enable IP multicast routing on Switch D and enable PIM DM on each interface SwitchD system view SwitchD multicast routing enable SwitchD interface vlan interface 300 SwitchD Vlan interface300 pim dm SwitchD Vlan interface300 quit SwitchD interface vlan interface 103 SwitchD Vlan interface103 pim dm SwitchD Vlan interface103 quit SwitchD interface vlan ...

Page 807: ...c flooding Switches on the SPT path Switch A and Switch D have their S G entries Host A registers with Switch A and a G entry is generated on Switch A You can use the display pim routing table command to view the PIM routing table information on each switch For example View the PIM routing table information on Switch A SwitchA display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 Protoco...

Page 808: ...multicast The receiver groups of different organizations form stub networks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the sparse mode not divided into different BSR admin scope regions z Host A and Host C are multicast receivers in two stub networks z Switch D connects to the network that comprises the multicast source Source through VLAN interface...

Page 809: ... 24 Figure 6 11 Network diagram for PIM SM domain configuration III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 6 11 Detailed configuration steps are omitted here Configure the OSPF protocol for interoperation among the switches in the PIM SM domain Ensure the n...

Page 810: ... BSR and a C RP Configure the service scope of RP advertisements and the positions of the C BSR and C RP on Switch E SwitchE system view SwitchE acl number 2005 SwitchE acl basic 2005 rule permit source 225 1 1 0 0 0 0 255 SwitchE acl basic 2005 quit SwitchE pim SwitchE pim c bsr vlan interface 102 SwitchE pim c rp vlan interface 102 group policy 2005 SwitchE pim quit 4 Verify the configuration Ca...

Page 811: ...ority 0 Hash mask length 30 State Elected Scope Not scoped Uptime 00 00 18 Next BSR message scheduled at 00 01 52 Candidate BSR Address 192 168 9 2 Priority 0 Hash mask length 30 State Pending Scope Not scoped Candidate RP 192 168 9 2 Vlan interface102 Priority 0 HoldTime 150 Advertisement Interval 60 Next advertisement scheduled at 00 00 48 To view the RP information discovered on a switch use th...

Page 812: ... PIM routing table information on Switch A SwitchA display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 RP 192 168 9 2 Protocol pim sm Flag WC UpTime 00 13 46 Upstream interface Vlan interface102 Upstream neighbor 192 168 9 2 RPF prime neighbor 192 168 9 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol pim sm UpTime 00 13 46 Expires 10 110 ...

Page 813: ...ol pim sm UpTime 00 13 16 Expires 00 03 22 6 7 3 PIM SSM Configuration Example I Network requirements z Receivers receive VOD information through multicast The receiver groups of different organizations form stub networks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the SSM mode z Host A and Host C are multicast receivers in two stub networks z Switch...

Page 814: ...8 2 2 24 Switch C Vlan int200 10 110 2 2 24 Vlan int102 192 168 9 2 24 Vlan int104 192 168 3 1 24 Vlan int105 192 168 4 1 24 Figure 6 12 Network diagram for PIM SSM configuration III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 6 12 Detailed configuration steps a...

Page 815: ...E is also similar to that on Switch A except that it is not necessary to enable IGMP on the corresponding interfaces on these two switches 3 Configure the SSM group range Configure the SSM group range to be 232 1 1 0 24 one Switch A SwitchA acl number 2000 SwitchA acl basic 2000 rule permit source 232 1 1 0 0 0 0 255 SwitchA acl basic 2000 quit SwitchA pim SwitchA pim ssm policy 2000 SwitchA pim q...

Page 816: ...5 100 232 1 1 1 Protocol pim ssm Flag UpTime 00 13 25 Upstream interface Vlan interface101 Upstream neighbor 192 168 1 2 RPF prime neighbor 192 168 1 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol pim ssm UpTime 00 13 25 Expires The information on Switch B and Switch C is similar to that on Switch A View the PIM routing table information on Switch D...

Page 817: ...enabled on the router s RPF interface to the multicast source the router cannot create S G entries z When a multicast router receives a multicast packet it searches the existing unicast routing table for the optimal route to the RPF check object The outgoing interface of this route will act as the RPF interface and the next hop will be taken as the RPF neighbor The RPF interface completely relies ...

Page 818: ...configurations are correct 6 8 2 Multicast Data Abnormally Terminated on an Intermediate Router I Symptom An intermediate router can receive multicast data successfully but the data cannot reach the last hop router An interface on the intermediate router receives data but no corresponding S G entry is created in the PIM routing table II Analysis z If a multicast forwarding boundary has been config...

Page 819: ...nformation Use the display pim rp info command to check whether the RP information is consistent on all routers 3 Check the configuration of static RPs Use the display pim rp info command to check whether the same static RP address has been configured on all the routers in the entire network 6 8 4 No Unicast Route Between BSR and C RPs in PIM SM I Symptom C RPs cannot unicast advertise messages to...

Page 820: ...e RP and the BSR and whether a route is available between the RP and the BSR Make sure that each C RP has a unicast route to the BSR the BSR has a unicast route to each C RP and all the routers in the entire network have a unicast route to the RP 2 Check the RP and BSR information PIM SM needs the support of the RP and BSR Use the display pim bsr info command to check whether the BSR information i...

Page 821: ...multicast source information in other PIM SM domains In the basic PIM SM mode a multicast source registers only with the RP in the local PIM SM domain and the multicast source information of a domain is isolated from that of another domain As a result the RP is aware of the source information only within the local domain and a multicast distribution tree is built only within the local domain to de...

Page 822: ...M SM router MSDP peers created on PIM SM routers that assume different roles function differently 1 MSDP peers on RPs z Source side MSDP peer the MSDP peer nearest to the multicast source Source typically the source side RP like RP 1 The source side RP creates SA messages and sends the messages to its remote MSDP peer to notify the MSDP peer of the locally registered multicast source information A...

Page 823: ...mically elected from C RPs To enhance network robustness a PIM SM network typically has more than one C RP As the RP election result is unpredictable MSDP peering relationships should be built among all C RPs so that the winner C RP is always on the MSDP interconnection map while loser C RPs will assume the role of common PIM SM routers on the MSDP interconnection map II Implementing inter domain ...

Page 824: ...ce address S the multicast group address G and the address of the RP which has created this SA message namely RP 1 3 On MSDP peers each SA message is subject to a reverse path forwarding RPF check and multicast policy based filtering so that only SA messages that have arrived along the correct path and passed the filtering are received and forwarded This avoids delivery loops of SA messages In add...

Page 825: ...elies on RPs in other PIM SM domains The receivers can override the RPs in other domains and directly join the multicast source based SPT III RPF check rules for SA messages As shown in Figure 7 3 there are five autonomous systems in the network AS 1 through AS 5 with IGP enabled on routers within each AS and EBGP as the interoperation protocol among different ASs Each AS contains at least one PIM...

Page 826: ... SA message is from an MSDP peer RP 2 in the same AS and the MSDP peer is the next hop on the optimal path to the source side RP RP 3 accepts the message and forwards it to other peers RP 4 and RP 5 3 When RP 4 and RP 5 receive the SA message from RP 3 Because the SA message is from an MSDP peer RP 3 in the same mesh group RP 4 and RP 5 both accept the SA message but they do not forward the messag...

Page 827: ... MSDP peers Anycast RP refers to such an application that enables load balancing and redundancy backup between two or more RPs within a PIM SM domain by configuring the same IP address for and establishing MSDP peering relationships between these RPs As shown in Figure 7 4 within a PIM SM domain a multicast source sends multicast data to multicast group G and Receiver is a member of the multicast ...

Page 828: ... the SPT rooted at Source The significance of Anycast RP is as follows z Optimal RP path A multicast source registers with the nearest RP so that an SPT with the optimal path is built a receiver joins the nearest RP so that an RPT with the optimal path is built z Load balancing between RPs Each RP just needs to maintain part of the source group information within the PIM SM domain and forward part...

Page 829: ...est Messages Optional Configuring an SA Message Filtering Rule Optional Configuring SA Messages Related Parameters Configuring SA Message Cache Optional 7 3 Configuring Basic Functions of MSDP Note All the configuration tasks should be carried out on RPs in PIM SM domains and each of these RPs acts as an MSDP peer 7 3 1 Configuration Prerequisites Before configuring the basic functions of MSDP com...

Page 830: ...he local MSDP peer and that of the remote MSDP peer An MSDP peer connection must be created on both devices that are a pair of MSDP peers Follow these steps to create an MSDP peer connection To do Use the command Remarks Enter system view system view Enter MSDP view msdp Create an MSDP peer connection peer peer address connect interface interface type interface number Required No MSDP peer connect...

Page 831: ...ete the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring an MSDP peer connection prepare the following data z Description information of MSDP peers z Name of an MSDP mesh group z MSDP peer connection retry interval 7 4 2 Configuring MSDP Peer Description With th...

Page 832: ...for multiple MSDP peers you can create a mesh group with these MSDP peers Follow these steps to create an MSDP mesh group To do Use the command Remarks Enter system view system view Enter MSDP view msdp Create an MSDP peer as a mesh group member peer peer address mesh group name Required An MSDP peer does not belong to any mesh group by default Note z Before grouping multiple routers into an MSDP ...

Page 833: ...s in the domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring SA message delivery prepare the following data z ACL as a filtering rule for SA request messages z ACL as an SA message creation rule z ACL as a filtering rule for receiving or forwarding SA messages z Minimum TTL value of multicast packets encapsulated in SA messages z Maximum SA messag...

Page 834: ...e RPF check Follow these steps to configure the SA message content To do Use the command Remarks Enter system view system view Enter MSDP view msdp Enable encapsulation of a register message encap data enable Optional Disabled by default Configure the interface address as the RP address in SA messages originating rp interface type interface number Optional PIM RP address by default 7 5 3 Configuri...

Page 835: ...ion in the SA messages z By configuring a filtering rule for receiving or forwarding SA messages you can enable the router to filter the S G forwarding entries to be advertised when receiving or forwarding an SA message so that the propagation of multicast source information is controlled at SA message reception or forwarding z An SA message with encapsulated multicast data can be forwarded to a d...

Page 836: ...ts MSDP peer in the next cycle z If there is an SA message in the cache the router will obtain the information of all active sources directly from the SA message and join the corresponding SPT To protect the router against denial of service DoS attacks you can configure the maximum number of SA messages the route can cache Follow these steps to configure the SA message cache To do Use the command ...

Page 837: ... peer reset msdp statistics peer address Available in user view 7 7 MSDP Configuration Examples 7 7 1 Example of Leveraging BGP Routes I Network requirements z Two ISPs maintain their ASs AS 100 and AS 200 respectively OSPF is running within each AS and BGP is running between the two ASs z PIM SM 1 belongs to AS 100 while PIM SM 2 and PIM SM 3 belong to AS 200 z Each PIM SM domain has zero or one ...

Page 838: ... Figure 7 5 Network diagram for configuration leveraging BGP routes III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 7 5 Detailed configuration steps are omitted here Configure OSPF for interconnection between switches in each PIM SM domain Ensure the network lay...

Page 839: ...Switch C 3 Configure the position of interface Loopback 0 C BSR and C RP Configure the position of Loopback 0 C BSR and C RP on Switch C SwitchC interface loopback 0 SwitchC LoopBack0 ip address 1 1 1 1 255 255 255 255 SwitchC LoopBack0 pim sm SwitchC LoopBack0 quit SwitchC pim SwitchC pim c bsr loopback 0 SwitchC pim c rp loopback 0 SwitchC pim quit The configuration on Switch D and Switch F is s...

Page 840: ...w the information about BGP peering relationships on Switch C SwitchC display bgp peer BGP local router ID 1 1 1 1 Local AS number 100 Total number of peers 1 Peers in established state 1 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 192 168 1 2 4 200 24 21 0 6 00 13 09 Established View the information about BGP peering relationships on Switch D SwitchD display bgp peer BGP local router ID ...

Page 841: ...n 1 1 1 1 32 192 168 1 1 0 0 100 i 2 2 2 2 32 192 168 3 2 0 100 0 3 3 3 3 32 0 0 0 0 0 0 192 168 1 0 0 0 0 0 0 0 192 168 1 1 0 0 100 192 168 1 1 32 0 0 0 0 0 0 192 168 1 2 32 0 0 0 0 0 0 192 168 1 1 0 0 100 192 168 3 0 0 0 0 0 0 0 i 192 168 3 2 0 100 0 192 168 3 1 32 0 0 0 0 0 0 192 168 3 2 32 0 0 0 0 0 0 i 192 168 3 2 0 100 0 5 Configure MSDP peers Configure an MSDP peer on Switch C SwitchC msdp ...

Page 842: ...tion about MSDP peering relationships on Switch D SwitchD display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 2 2 0 0 0 0 Peer s Address State Up Down time AS SA Count Reset Count 192 168 3 2 Up 00 15 32 200 8 0 192 168 1 1 UP 00 06 39 100 13 0 View the brief information about MSDP peering relationships on Switch F SwitchF display msdp brief MSDP Peer Brief In...

Page 843: ...g outgoing SA messages 0 0 Incoming outgoing SA requests 0 0 Incoming outgoing SA responses 0 0 Incoming outgoing data packets 0 0 7 7 2 Anycast RP Configuration Example I Network requirements z The PIM SM domain has multiple multicast sources and receivers OSPF runs within the domain to provide unicast routes z The anycast RP application is configured in the PIM SM domain When a new member joins ...

Page 844: ...1 1 1 32 Loop0 2 2 2 2 32 Loop1 3 3 3 3 32 Loop1 4 4 4 4 32 Loop10 10 1 1 1 32 Loop10 10 1 1 1 32 Figure 7 6 Network diagram for anycast RP configuration III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 7 6 Detailed configuration steps are omitted here Configure ...

Page 845: ...ace loopback 10 SwitchC LoopBack10 ip address 10 1 1 1 255 255 255 255 SwitchC LoopBack10 pim sm SwitchC LoopBack10 quit SwitchC pim SwitchC pim c bsr loopback 1 SwitchC pim c rp loopback 10 SwitchC pim quit The configuration on Switch F is similar to the configuration on Switch C To view the PIM routing information on the switches use the display pim routing table command When the multicast sourc...

Page 846: ... Vlan interface200 Protocol pim sm UpTime 00 03 32 Expires 4 Configure Loopback 0 and MSDP peers Configure an MSDP peer on Loopback 0 of Switch C SwitchC interface loopback 0 SwitchC LoopBack0 ip address 1 1 1 1 255 255 255 255 SwitchC LoopBack0 pim sm SwitchC LoopBack0 quit SwitchC msdp SwitchC msdp originating rp loopback 0 SwitchC msdp peer 2 2 2 2 connect interface loopback 0 SwitchC msdp quit...

Page 847: ...r ASs AS 100 and AS 200 respectively OSPF is running within each AS and BGP is running between the two ASs z PIM SM 1 belongs to AS 100 while PIM SM 2 and PIM SM 3 belong to AS 200 z Each PIM SM domain has zero or one multicast source and one or more receivers OSPF runs within each domain to provide unicast routes z PIM SM 2 and PIM SM 3 are both PIM stub domains and BGP is not required between th...

Page 848: ...onfiguration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 7 7 Detailed configuration steps are omitted here Configure OSPF for interconnection between the switches Ensure the network layer interoperation among Switch A Switch B and Switch C in PIM SM 1 the network layer intero...

Page 849: ...tch D and Switch F is similar to the configuration on Switch C 3 Configure the position of interface Loopback 0 C BSR and C RP Configure the position of Loopback 0 C BSR and C RP on Switch C SwitchC router id 1 1 1 1 SwitchC interface loopback 0 SwitchC LoopBack0 ip address 1 1 1 1 255 255 255 255 SwitchC LoopBack0 pim sm SwitchC LoopBack0 quit SwitchC pim SwitchC pim c bsr loopback 0 SwitchC pim ...

Page 850: ...g relationships between the switches If the command gives no output information a BGP peering relationship has not been established between the switches When the multicast source S1 sends multicast information receivers in PIM SM 2 and PIM SM 3 can receive the multicast data You can use the display msdp brief command to view the brief information of MSDP peering relationships between the switches ...

Page 851: ...eer address configured on the router z If no route is available between the MSDP peers the TCP connection setup will also fail III Solution 1 Check that a route is available between the routers Carry out the display ip routing table command to check whether the unicast route between the routers is correct 2 Check that a unicast route is available between the two routers that will become MSDP peers...

Page 852: ...ntries with one another in the Anycast RP application II Analysis z In the Anycast RP application RPs in the same PIM SM domain are configured to be MSDP peers to achieve load balancing among the RPs z An MSDP peer address must be different from the anycast RP address and the C BSR and C RP must be configured on different devices or interfaces z If the originating rp command is executed MSDP will ...

Page 853: ...Operation Manual Multicast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 7 MSDP Configuration 7 33 4 Verify that the C BSR address is different from the anycast RP address ...

Page 854: ...lticast Routing and Forwarding In multicast implementations multicast routing and forwarding are implemented by three types of tables z Each multicast routing protocol has its own multicast routing table such as PIM routing table z The information of different multicast routing protocols forms a general multicast routing table z The multicast forwarding table is directly used to control the forwar...

Page 855: ...e existing S G entry this means that the S G entry is correct but the packet arrived from a wrong path The packet is to be discarded z If the result of the RPF check shows that the RPF interface is not the incoming interface of the existing S G entry this means that the S G entry is no longer valid The router replaces the incoming interface of the S G entry with the interface on which the packet a...

Page 856: ...s the RPF interface and the RPF neighbor 2 Then the router selects one from these two optimal routes as the RPF route The selection is as follows z If configured to use the longest match principle the router selects the longest match route from the two if these two routes have the same mask the route selects the route with a higher priority if the two routes have the same priority the router selec...

Page 857: ...ket actually arrived The RPF check succeeds and the packet is forwarded 8 1 3 Multicast Static Routes If the topology structure of a multicast network is the same as that of a unicast network receivers can receive multicast data via unicast routes However the topology structure of a multicast network may differ from that of a unicast network and some routers may support only unicast but not multic...

Page 858: ...ch B and then to Switch C 8 1 4 Multicast Traceroute The multicast traceroute utility is used to trace the path that a multicast stream flows down from the multicast source to the last hop router I Concepts in multicast traceroute 1 Last hop router If a router has one of its interfaces connecting to the subnet the given destination address is on and if the router is able to forward multicast strea...

Page 859: ...ate a response packet and then sends the completed packet via unicast to the multicast traceroute querier 8 2 Configuration Task List Complete these tasks to configure multicast routing and forwarding Task Remarks Enabling IP Multicast Routing Required Configuring Multicast Static Routes Optional Configuring a Multicast Route Match Rule Optional Configuring Multicast Load Splitting Optional Config...

Page 860: ...ary addresses even if configured on interfaces For details about primary and secondary IP addresses refer to IP Addressing and Performance Configuration 8 3 3 Configuring Multicast Static Routes Based on the application environment a multicast static route has the following two functions z Changing an RPF route If the multicast topology structure is the same as the unicast topology in a network th...

Page 861: ...ying an interface by means of the interface type interface number command argument combination if the interface type of that router is Loopback or VLAN interface instead you can designate an RPF neighbor only by specifying an address rpf nbr address 8 3 4 Configuring a Multicast Route Match Rule If more than one route exists to the same subnet a router chooses a route based on the sequence of rout...

Page 862: ...forward multicast packets including packets sent from the local device or receive multicast packets Follow these steps to configure a multicast forwarding range To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure a multicast forwarding boundary multicast boundary group address mask mask length Required No forwarding b...

Page 863: ...arding table size To do Use the command Remarks Enter system view system view Configure the maximum number of downstream nodes for a single route in the multicast forwarding table multicast forwarding table downstream limit limit Optional The default is 128 Configure the maximum number of routing entries in the multicast forwarding table multicast forwarding table route limit limit Optional In the...

Page 864: ...ess mask mask mask length group address mask mask mask length incoming interface interface type interface number register outgoing interface exclude include match interface type interface number register Available in any view View the information of the multicast static routing table display multicast routing table static config source address mask length mask Available in any view View the RPF ro...

Page 865: ...ast forwarding table z When a forwarding entry is deleted from the multicast forwarding table the corresponding route entry will also be deleted from the multicast routing table 8 5 Configuration Examples 8 5 1 Multicast Static Route Configuration I Network requirements z All switches in the network support IP multicast z Switch A Switch B and Switch C run OSPF and have no unicast routes to Switch...

Page 866: ... and subnet mask for each interface as per Figure 8 3 The detailed configuration steps are omitted here Enable OSPF on Switch A Switch B and Switch C Ensure the network layer interoperation among the switches Ensure that the switches can dynamically update their routing information by leveraging the unicast routing protocol The specific configuration steps are omitted here 2 Enable IP multicast ro...

Page 867: ... RPF information about source 10 110 5 100 RPF interface Vlan interface100 RPF neighbor 10 110 1 1 Referenced route mask 10 110 5 0 24 Referenced route type igp Route selection rule preference preferred Load splitting rule disable SwitchC display multicast rpf info 10 220 5 100 As shown above Switch C does not have an RPF route to Source 2 After the multicast static route is configured use the dis...

Page 868: ... specify the next hop address to configure the outgoing interface when you configure the multicast static route 4 Check that the multicast static route matches the specified routing protocol If a protocol was specified in multicast static route configuration enter the display ip routing table command to check if an identical route was added by the protocol 5 Check that the multicast static route m...

Page 869: ...icast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 8 Multicast Routing and Forwarding Configuration 8 16 3 In the case of PIM SM use the display current configuration command to check the BSR and RP information ...

Page 870: ...ng a Guest VLAN 1 17 1 3 1 Configuration Prerequisites 1 17 1 3 2 Configuration Procedure 1 17 1 4 Displaying and Maintaining 802 1x 1 18 1 5 802 1x Configuration Example 1 18 1 6 Guest VLAN Configuration Example 1 21 1 7 ACL Assigning Configuration Example 1 24 Chapter 2 EAD Fast Deployment Configuration 2 1 2 1 EAD Fast Deployment Overview 2 1 2 2 Configuring EAD Fast Deployment 2 1 2 2 1 Config...

Page 871: ... 4 2 1 MAC Authentication Timers 4 2 4 2 2 Quiet MAC Address 4 2 4 2 3 VLAN Assigning 4 3 4 2 4 ACL Assigning 4 3 4 3 Configuring MAC Authentication 4 3 4 3 1 Configuration Prerequisites 4 3 4 3 2 Configuration Procedure 4 4 4 4 Displaying and Maintaining MAC Authentication 4 5 4 5 MAC Authentication Configuration Examples 4 5 4 5 1 Local MAC Authentication Configuration Example 4 5 4 5 2 RADIUS B...

Page 872: ...net as a common port access control mechanism As a port based network access control protocol 802 1x authenticates and controls accessing devices at the level of port A device connected to an 802 1x enabled port of an access control device can access the resources on the LAN only after passing authentication To get more information about 802 1x go to these topics z Architecture of 802 1x z Operati...

Page 873: ... a Remote Authentication Dial in User Service RADIUS server maintains user information like username password VLAN that the user belongs to committed access rate CAR parameters priority and ACLs The above systems involve three basic concepts PAE controlled port control direction I PAE Port access entity PAE refers to the entity that performs the 802 1x algorithm and protocol operations z The authe...

Page 874: ...ust the traffic from the supplicant Note Currently the devices support only denying the traffic from the supplicant 1 1 2 Operation of 802 1x The 802 1x authentication system employs the Extensible Authentication Protocol EAP to exchange authentication information between the supplicant PAE authenticator PAE and authentication server Figure 1 2 Operation of 802 1x z Between the supplicant PAE and ...

Page 875: ...takes the value 0x888E z Protocol version Version of the EAPOL protocol supported by the EAPOL frame sender z Type Type of the EAPOL frame Table 1 1 shows the defined types of EAPOL frames Table 1 1 Types of EAPOL frames Type Description EAP Packet a value of 0x00 Frame for carrying authentication information present between an authenticator system and the authentication server A frame of this typ...

Page 876: ...ield II EAP Packet Format An EAPOL frame of the type of EAP Packet carries an EAP packet in its Packet body field The format of the EAP packet is shown in Figure 1 4 Figure 1 4 EAP packet format z Code Type of the EAP packet which can be Request Response Success or Failure An EAP packet of the type of Success or Failure has no Data field and has a length of 4 An EAP packet of the type of Request o...

Page 877: ... bytes it can be fragmented and encapsulated into multiple EAP Message attributes Figure 1 6 Encapsulation format of the EAP Message attribute II Message Authenticator Figure 1 7 shows the encapsulation format of the Message Authenticator attribute The Message Authenticator attribute is used to prevent access requests from being snooped during EAP or CHAP authentication It must be included in any ...

Page 878: ...curity and PEAP Protected Extensible Authentication Protocol z EAP MD5 EAP MD5 authenticates the identity of a supplicant The RADIUS server sends an MD5 challenge through an EAP Request MD5 Challenge packet to the supplicant Then the supplicant encrypts the password with the offered challenge z EAP TLS With EAP TLS a supplicant and the RADIUS server verify each other s security certificates and id...

Page 879: ...ame and password the 802 1x client software generates an EAPOL Start frame and sends it to the authenticator to initiate an authentication process 2 Upon receiving the EAPOL Start frame the authenticator responds with an EAP Request Identity packet for the username of the supplicant 3 When the supplicant receives the EAP Request Identity packet it encapsulates the username in an EAP Response Ident...

Page 880: ...to grant the access request of the supplicant After the supplicant gets online the authenticator periodically sends handshake requests to the supplicant to check whether the supplicant is still online By default if two consecutive handshake attempts end up with failure the authenticator concludes that the supplicant has gone offline and performs the necessary operations guaranteeing that the authe...

Page 881: ... mode Different from the authentication process in EAP relay mode it is the authenticator that generates the random challenge for encrypting the user password information in EAP termination authentication process Consequently the authenticator sends the challenge together with the username and encrypted password information from the supplicant to the RADIUS server for authentication 1 1 6 802 1x T...

Page 882: ...se from the server it retransmits the request z Handshake timer handshake period After a supplicant passes authentication the authenticator sends to the supplicant handshake requests at this interval to check whether the supplicant is online If the authenticator receives no response after sending the allowed maximum number of handshake requests it considers that the supplicant is offline z Quiet t...

Page 883: ...n the message The device depending on the link type of the port used to log in adds the port to the assigned VLAN according to the following rules z If the port link type is Access the port leaves its current VLAN and joins the assigned VLAN z If the port link type is Trunk the assigned VLAN is allowed to pass the current trunk port The default VLAN ID of the port is that of the assigned VLAN z If...

Page 884: ...r way as described in VLAN assigning When a supplicant added into the guest VLAN initiates another authentication process if the authentication is not successful the supplicant stays in the guest VLAN otherwise two cases may occur z The authentication server assigns a VLAN The port leaves the guest VLAN and joins the assigned VLAN If the supplicant goes offline the port returns to its original VLA...

Page 885: ...et to lan access For detailed configuration of the RADIUS client refer to AAA RADIUS HWTACACS Configuration 1 2 2 Configuring 802 1x Globally Follow these steps to configure 802 1x globally To do Use the command Remarks Enter system view system view Enable 802 1x globally dot1x Required Disabled by default Set the authentication method dot1x authentication method chap eap pap Optional CHAP by defa...

Page 886: ...oxies globally dot1x supp proxy check logoff trap interface interface list Optional Disabled by default Note that z For 802 1x to take effect on a port you must enable it both globally in system view and for the port in system view or Ethernet interface view z You can also enable 802 1x and set port access control parameters that is the port access control mode port access method and the maximum n...

Page 887: ...se the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the port access control mode for the port dot1x port control authorized force auto unauthorized force Optional auto by default Set the port access control method for the port dot1x port method macbased portbased Optional macbased by default Set the maximum number of user...

Page 888: ... of RADIUS packets and sends the packets to the RADIUS server for authentication In this case you can configure the user name format command but it does not take effect For information about the user name format command refer to AAA RADIUS HWTACACS Commands z If the username of a supplicant contains the version number or one or more blank spaces you can neither retrieve information nor disconnect ...

Page 889: ...s from a user side device include VLAN tags and 802 1x and guest VLAN are enabled on the access port you are recommended to configure different VLAN IDs for the Voice VLAN the default port VLAN and the guest VLAN of 802 1x 1 4 Displaying and Maintaining 802 1x To do Use the command Remarks Display 802 1x session information statistics or configuration information of specified or all ports display ...

Page 890: ...erver and to send real time accounting packets to the accounting server every 15 minutes z Specify the switch to remove the domain name from the username before passing the username to the RADIUS server z Set the username of the 802 1x user as localuser and the password as localpass and specify to use plain text mode Enable the idle cut function to get the user offline whenever the user remains id...

Page 891: ...or the device to exchange packets with the authentication server Sysname radius radius1 key authentication name Specify the shared key for the device to exchange packets with the accounting server Sysname radius radius1 key accounting money Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts Sysname radius radius1 timer respons...

Page 892: ...name interface Ethernet 1 0 1 Sysname Ethernet1 0 1 dot1x Sysname Ethernet1 0 1 quit Set the port access control method Optional The default answers the requirement Sysname dot1x port method macbased interface Ethernet 1 0 1 1 6 Guest VLAN Configuration Example I Network requirements As shown in Figure 1 11 z A host is connected to port Ethernet 1 0 1 of the switch and must pass 802 1x authenticat...

Page 893: ...MAC Authentication H3C S3610 S5510 Series Ethernet Switches Chapter 1 802 1x Configuration 1 22 II Network diagrams Figure 1 11 Network diagram for guest VLAN configuration Figure 1 12 Network diagram with VLAN 10 as the guest VLAN ...

Page 894: ...key authentication abc Sysname radius 2000 key accounting abc Sysname radius 2000 user name format without domain Sysname radius 2000 quit Configure domain system and specify to use RADIUS scheme 2000 for users of the domain Sysname domain system Sysname isp system authentication default radius scheme 2000 Sysname isp system authorization default radius scheme 2000 Sysname isp system accounting de...

Page 895: ...y vlan 10 command in the following cases to verify whether the configured guest VLAN functions z When no users log in z When a user fails the authentication z When a user goes offline 1 7 ACL Assigning Configuration Example I Network requirements As shown in Figure 1 14 a host is connected to port Ethernet 1 0 1 of the switch and must pass 802 1x authentication to access the Internet z Configure t...

Page 896: ...isp 2000 authentication default radius scheme 2000 Sysname isp 2000 authorization default radius scheme 2000 Sysname isp 2000 accounting default radius scheme 2000 Sysname isp 2000 quit Configure ACL 3000 to deny packets destined for 10 0 0 1 Sysname acl number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Enable 802 1x globally Sysname dot1x Enable 802 1x for port Ethernet 1 0 1...

Page 897: ...Operation Manual 802 1x HABP MAC Authentication H3C S3610 S5510 Series Ethernet Switches Chapter 1 802 1x Configuration 1 26 ...

Page 898: ...unctions to implement fast deployment of EAD scheme To support the fast deployment of EAD schemes 802 1x provides the following two mechanisms 1 Limit on accessible network resources Before successful 802 1x authentication a user can access only specific IP segments each of which may have one or more servers Users can download EAD client software or obtain dynamic IP address from the servers 2 IE ...

Page 899: ...configured by default Note z Currently MAC authentication and port security cannot work together with EAD fast deployment Once MAC authentication or port security is enabled globally the EAD fast deployment is disabled automatically z If no freely accessible network segment is configured a user cannot obtain a dynamic IP address before passing 802 1x authentication To solve this problem you can co...

Page 900: ...it When there are a large number of users you can shorten the timeout time to improve the ACL usage efficiency Follow these steps to set the EAD rule timeout time To do Use the command Remarks Enter system view system view Set EAD rule timeout time dot1x timer ead timeout ead timeout value Optional 30 minutes by default 2 3 Displaying and Maintaining EAD Fast Deployment To do Use the command Remar...

Page 901: ...ort EAD fast deployment Configure the IP addresses of the interfaces omitted Configure the free IP Sysname system view Sysname dot1x free ip 192 168 1 0 24 Configure the redirect URL for client software download Sysname dot1x url http 192 168 1 3 Enable 802 1x globally Sysname dot1x Enable 802 1x on the port Sysname interface ethernet 1 0 1 Sysname Ethernet1 0 1 dot1x 3 Verify your configuration U...

Page 902: ...wser the user is not redirected to the specified URL Analysis z The address is in the string format In this case the operating system of the host regards the string a website name and tries to have it resolved If the resolution fails the operating system sends an ARP request with the address in the format other than X X X X The redirection function does redirect this kind of ARP request z The addr...

Page 903: ...n and MAC authentication allowing communication among switches HABP is built on the client server model Typically the HABP server sends HABP requests to the client periodically to collect the MAC address es of the attached switch es The client responds to the requests and forwards the HABP requests to the attached switch es The HABP server usually runs on the administrative device while the HABP c...

Page 904: ...ABP to work in client mode on a device connected to the administrative device Since HABP is enabled and works in client mode by default this configuration task is optional Follow these steps to configure an HABP client To do Use the command Remarks Enter system view system view Enable HABP habp enable Optional Enabled by default Configure HABP to work in client mode undo habp server Optional HABP ...

Page 905: ...tion Dial In User Service RADIUS based MAC authentication z Local MAC authentication For detailed information about RADIUS authentication and local authentication refer to AAA RADIUS HWTACACS Configuration After determining the authentication mode to be used you can choose the type of MAC authentication username including z MAC address where the MAC address of a user serves as both the username an...

Page 906: ...sers 4 2 Related Concepts 4 2 1 MAC Authentication Timers The following timers function in the process of MAC authentication z Offline detect timer At this interval the device checks to see whether an online user has gone offline Once detecting that a user becomes offline the device sends to the RADIUS server a stop accounting notice z Quiet timer Whenever a user fails MAC authentication the devic...

Page 907: ...t the user can access those restricted network resources 4 2 4 ACL Assigning ACLs assigned by an authorization server are referred to as authorization ACLs which are designed to control access to network resources with a very fine granularity When a user logs in if the RADIUS server is configured with authorization ACLs the device will permit or deny data flows traversing through the port through ...

Page 908: ... Enter system view system view Enable MAC authentication globally mac authentication Required Disabled by default mac authentication interface interface list Enable MAC authentication for specified ports interface interface type interface number mac authentication quit Required Disabled by default Specify the ISP domain for MAC authentication mac authentication domain isp name Optional The default...

Page 909: ... MAC authentication enabled port into an aggregation group nor enable MAC authentication on a port added into an aggregation group 4 4 Displaying and Maintaining MAC Authentication To do Use the command Remarks Display the global MAC authentication information or the MAC authentication information about specified ports display mac authentication interface interface list Available in any view Clear...

Page 910: ...er aaa quit Configure ISP domain aabbcc net and specify to perform local authentication Device domain aabbcc net Device isp aabbcc net authentication lan access local Device isp aabbcc net quit Enable MAC authentication globally Device mac authentication Enable MAC authentication for port Ethernet 1 0 1 Device mac authentication interface ethernet 1 0 1 Specify the ISP domain for MAC authenticatio...

Page 911: ...ccess 1 failed 0 Current online user number is 1 MAC ADDR Authenticate state AuthIndex 00e0 fc12 3456 MAC_AUTHENTICATOR_SUCCESS 29 4 5 2 RADIUS Based MAC Authentication Configuration Example I Network requirements As illustrated in Figure 4 2 a host is connected to the device through port Ethernet 1 0 1 The device authenticates the host through the RADIUS server z MAC authentication is required on...

Page 912: ...heme 2000 Device isp 2000 quit Enable MAC authentication globally Device mac authentication Enable MAC authentication for port Ethernet 1 0 1 Device mac authentication interface ethernet 1 0 1 Specify the ISP domain for MAC authentication Device mac authentication domain 2000 Set the MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet ...

Page 913: ...MAC authentication to access the Internet z Configure the RADIUS server to assign ACL 3000 z Enable MAC authentication on port Ethernet 1 0 1 of the switch and configure ACL 3000 After the host passes MAC authentication the RADIUS server assigns ACL 3000 to port Ethernet 1 0 1 As a result the host can access the Internet but cannot access the FTP server whose IP address is 10 0 0 1 II Network diag...

Page 914: ...ACL 3000 to deny packets destined for 10 0 0 1 Sysname acl number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Sysname acl adv 3000 quit Enable MAC authentication globally Sysname mac authentication Enable MAC authentication for port Ethernet 1 0 1 Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 mac authentication After completing the above configurations you can use the ...

Page 915: ... Authentication Authorization Servers 1 23 1 4 3 Configuring the RADIUS Accounting Servers and Relevant Parameters 1 24 1 4 4 Setting the Shared Key for RADIUS Packets 1 26 1 4 5 Setting the Maximum Number of RADIUS Request Retransmission Attempts 1 27 1 4 6 Setting the Supported RADIUS Server Type 1 27 1 4 7 Setting the Status of RADIUS Servers 1 28 1 4 8 Configuring Attributes Related to the Dat...

Page 916: ...laying and Maintaining RADIUS 1 39 1 6 3 Displaying and Maintaining HWTACACS 1 40 1 7 AAA RADIUS HWTACACS Configuration Examples 1 40 1 7 1 AAA for Telnet Users by a HWTACACS Server 1 40 1 7 2 AAA for Telnet Users by Separate Servers 1 42 1 8 Troubleshooting AAA RADIUS HWTACACS 1 44 1 8 1 Troubleshooting RADIUS 1 44 1 8 2 Troubleshooting HWTACACS 1 45 ...

Page 917: ... section covers these topics z Introduction to AAA z Introduction to ISP Domain z Introduction to RADIUS z Introduction to HWTACACS 1 1 1 Introduction to AAA Authentication Authorization and Accounting AAA provides a uniform framework for configuring these three security functions to implement the network security management The network security mentioned here refers to access control and includes...

Page 918: ...y after RADIUS authentication is successful The authorization information is carried in the RADIUS authentication response z HWTACACS authorization Users are authorized using a HWTACACS server III Accounting AAA supports the following accounting methods z None accounting The system does not keep accounts on the users z Local accounting Local accounting is for controlling the number of local user c...

Page 919: ...nd remote user access are required For example it is often used for managing a large number of geographically dispersed dial in users that use Modems The RADIUS service involves three components z Protocol Based on the UDP RFC 2865 and RFC 2866 define the RADIUS frame format and the message transfer mechanism and use 1812 as the authentication port and 1813 as the accounting port z Server The RADI...

Page 920: ... as PPP based PAP and CHAP II Basic message exchange process of RADIUS Information exchanged between the RADIUS client and the RADIUS server is authenticated through a shared key for security The RADIUS protocol combines the authentication and authorization processes by sending authorization information in the authentication response message For the interaction among the host the RADIUS client and...

Page 921: ...lue of Status Type being start 5 The RADIUS server returns a start accounting response Accounting Response 6 The subscriber accesses the network resources 7 The RADIUS client sends a stop accounting request Accounting Request to the RADIUS server with the value of Status Type being stop 8 The RADIUS server returns a stop accounting response Accounting Response 9 The subscriber stops network resour...

Page 922: ...he accounting 5 Accounting Response From the server to the client The server sends to the client a packet of this type to notify that it has received the Accounting Request and has correctly recorded the accounting information 2 The Identifier field 1 byte long is for matching request packets and response packets It varies with the Attribute field and the received valid response packets but keeps ...

Page 923: ...ed IP Address 30 Called Station Id 9 Framed IP Netmask 31 Calling Station Id 10 Framed Routing 32 NAS Identifier 11 Filter ID 33 Proxy State 12 Framed MTU 34 Login LAT Service 13 Framed Compression 35 Login LAT Node 14 Login IP Host 36 Login LAT Group 15 Login Service 37 Framed AppleTalk Link 16 Login TCP Port 38 Framed AppleTalk Network 17 unassigned 39 Framed AppleTalk Zone 18 Reply_Message 40 5...

Page 924: ...fferences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP Encrypts the entire packet except for the HWTACACS header Encrypts only the password field in an authentication packet Separates authentication from authorization Authentication and authorization can be deployed on different HWTACACS servers Performs authentication and authorization...

Page 925: ...ration 1 9 Figure 1 5 Network diagram for a typical HWTACACS application II Basic message exchange process of HWTACACS The following takes Telnet user as an example to describe how HWTACACS performs user authentication authorization and accounting Figure 1 6 illustrates the basic message exchange process of HWTACACS ...

Page 926: ...t to the HWTACACS server 2 The HWTACACS server sends back an authentication response requesting for the username Upon receiving the request the HWTACACS client asks the user for the username 3 After receiving the username from the user the HWTACACS client sends to the server an authentication continuance packet carrying the username 4 The HWTACACS server sends back an authentication response reque...

Page 927: ...erver 11 The HWTACACS server sends back an accounting response indicating that it has received the start accounting request 12 When the user logs off the HWTACACS client sends a stop accounting request to the HWTACACS server 13 The HWTACACS server sends back a stop accounting packet indicating that the stop accounting request has been received 1 2 AAA RADIUS HWTACACS Configuration Task List I AAA ...

Page 928: ...egarding RADIUS Servers Optional Configuring RADIUS Accounting on Optional Configuring an IP Address for the Security Policy Server Optional Enabling the Listening Port of the RADIUS Client Optional III HWTACACS configuration task list Task Remarks Creating a HWTACACS scheme Required Specifying the HWTACACS Authentication Servers Required Specifying the HWTACACS Authorization Servers Optional Spec...

Page 929: ...implement authentication authorization and accounting For HWTACACS scheme configuration refer to Configuring HWTACACS 1 3 2 Creating an ISP Domain For the NAS each accessing user belongs to an ISP domain Up to 16 ISP domains can be configured on a NAS If a user does not provide the ISP domain name the system considers that the user belongs to the default ISP domain Follow these steps to create an ...

Page 930: ...tion function and specify the URL of the self service server for changing user password self service url disable enable url string Optional Disabled by default Note A self service RADIUS server for example CAMS is required for the self service server localization function With the self service function a user can manage and control his or her accounting information or card number A server with sel...

Page 931: ...ccess modes or service types Follow these steps to configure an AAA authentication scheme for an ISP domain To do Use the command Remarks Enter system view system view Create an ISP domain and enter ISP domain view domain isp name Required Specify the default authentication scheme for all types of users authentication default hwtacacs scheme hwtacacs scheme name local local none radius scheme radi...

Page 932: ...the same level as authentication and accounting Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to users authorized Authorization scheme configuration is optional in AAA configuration If you do not perform any authorization configuration the system default domain uses the local authorization scheme With the authorizat...

Page 933: ...l local none radius scheme radius scheme name local Optional local by default Specify the authorization scheme for command line users authorization command hwtacacs scheme hwtacacs scheme name Optional The default authorization scheme is used by default Specify the authorization scheme for LAN access users authorization lan access local none radius scheme radius scheme name local Optional The defa...

Page 934: ... with the authorization response message therefore you cannot specify a separate RADIUS server If you use RADIUS for authorization and authentication you must use the same scheme setting for authorization and authentication otherwise the system will prompt you with an error message 1 3 6 Configuring an AAA Accounting Scheme for an ISP Domain In AAA accounting is a separate process at the same leve...

Page 935: ...g login hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local Optional The default accounting scheme is used by default Note z With the accounting optional command configured a user that will be disconnected otherwise can use the network resources even when there is no available accounting server or the communication with the current accounting server fails z...

Page 936: ... user is configured by default Configure a password for the local user password cipher simple password Required Place the local user to the state of active or blocked state active block Optional When created a local user is in the state of active by default and the user can request network services Specify the service types for the user service type lan access ssh telnet terminal level level Requi...

Page 937: ...Set attributes for a LAN access user attribute access limit max user number idle cut minute ip ip address location port slot number subslot number port number mac mac address vlan vlan id Optional If the user is bound to a remote port the nas ip parameter must be specified If the user is bound to a local port the nas ip parameter does not need to be specified The default value of nas ip is 127 0 0...

Page 938: ...n the level of the commands that a user can use after logging in depends on the priority of the user or the priority of user interface level as with other authentication methods For an SSH user using RSA public key authentication the commands that can be used depend on the level configured on the user interface For details regarding authentication method and command level refer to Login Configurat...

Page 939: ...rs In another words the attributes of a RADIUS scheme mainly include IP addresses of primary and secondary servers shared key and RADIUS server type Actually the RADIUS protocol configurations only set the parameters necessary for the information interaction between a NAS and a RADIUS server For these settings to take effect you must reference the RADIUS scheme containing those settings in ISP dom...

Page 940: ...er Optional The defaults are as follows 0 0 0 0 for the IP address and 1812 for the port Note z In practice you may specify two RADIUS servers as the primary and secondary authentication authorization servers respectively At a moment a server can be the primary authentication authorization server for a scheme and the secondary authentication authorization servers for another scheme z The IP addres...

Page 941: ...address and UDP port of the secondary RADIUS accounting server secondary accounting ip address port number Optional The defaults are as follows 0 0 0 0 for the IP address and 1813 for the port Enable the device to buffer stop accounting requests getting no responses stop accounting buffer enable Optional Enabled by default Set the maximum number of stop accounting request transmission attempts ret...

Page 942: ...user when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request z The IP addresses of the primary and secondary accounting servers cannot be the same Otherwise the configuration fails z Currently RADIUS does not support keeping accounts on FTP users 1 4 4 Setting the Shared Key for RADIUS Packets The RADIUS...

Page 943: ...view Create a RADIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Set the number of retransmission attempts of RADIUS packets retry retry times Optional 3 by default Note z The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 z Refer to the timer resp...

Page 944: ...e primary server fails the primary server turns into the state of block and the device turns to the secondary server In this case z If the secondary server is available the device triggers the primary server quiet timer After the quiet timer times out the status of the primary server is active again and the status of the secondary server remains the same z If the secondary server fails the device ...

Page 945: ...erver to the active state so that the secondary server can perform authentication If the secondary server is still in the blocked state the primary secondary switchover cannot take place z If one server is in the active state while the other is blocked the primary secondary switchover will not take place even if the active server is not reachable 1 4 8 Configuring Attributes Related to the Data Se...

Page 946: ... to a RADIUS server z If a RADIUS scheme defines that the username is sent without the ISP domain name do not apply the RADIUS scheme to more than one ISP domain thus avoiding the confused situation where the RADIUS server regards two users in different ISP domains but with the same userid as one z The nas ip command in RADIUS scheme view is only for the current RADIUS scheme while the radius nas ...

Page 947: ...by default Set the quiet timer for the primary server timer quiet minutes Optional 5 minutes by default Set the real time accounting interval timer realtime accounting minutes Optional 12 minutes by default Note z The product of the maximum number of retransmission attempts of RADIUS packets and the RADIUS server response timeout period cannot be greater than 75 This product is also the upper limi...

Page 948: ...uired Disabled by default Set the number of accounting on packet retransmission attempts accounting on enable send send times Optional 5 times by default Set the retransmission interval of accounting on packets accounting on enable interval seconds Optional 3 seconds by default Note If the system has no authentication scheme enabled with the accounting on function when you execute the accounting o...

Page 949: ...ow these steps to enable the listening port of the RADIUS client To do Use the command Remarks Enter system view system view Enable the listening port of the RADIUS client radius client enable Optional Enabled by default 1 5 Configuring HWTACACS 1 5 1 Creating a HWTACACS scheme The HWTACACS protocol is configured on a per scheme basis Before performing other HWTACACS configurations follow these st...

Page 950: ...e IP address and 49 for the TCP port Configure the IP address and port of the secondary HWTACACS authentication server secondary authentication ip address port number Required The defaults are as follows 0 0 0 0 for the IP address and 49 for the TCP port Note z The IP addresses of the primary and secondary authentication servers cannot be the same Otherwise the configuration fails z You can remove...

Page 951: ...Note z The IP addresses of the primary and secondary authorization servers cannot be the same Otherwise the configuration fails z You can remove an authorization server only when no active TCP connection for sending authorization packets is using it 1 5 4 Specifying the HWTACACS Accounting Servers Follow these steps to specify the HWTACACS accounting servers and perform related configurations To d...

Page 952: ... cannot be the same Otherwise the configuration fails z You can remove an accounting server only when no active TCP connection for sending accounting packets is using it z Currently HWTACACS does not support keeping accounts on FTP users 1 5 5 Setting the Shared Key for HWTACACS Packets When using a HWTACACS server as an AAA server you can set a key to secure the communications between the device ...

Page 953: ...TACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the format of the username to be sent to a HWTACACS server user name format with domain without domain Optional By default the ISP domain name is included in the username Specify the unit for data flows or packets to be sent to a HWTACACS server data flow format data byte giga byte kilo byte mega byte p...

Page 954: ...ystem view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Set the TACACS server response timeout timer timer response timeout seconds Optional 5 seconds by default Set the quiet timer for the primary server timer quiet minutes Optional 5 minutes by default Set the real time accounting interval timer realtime accounting m...

Page 955: ...w Display information about specified or all local users display local user domain isp name idle cut disable enable service type ftp lan access ssh telnet terminal state active block user name user name vlan vlan id Available in any view 1 6 2 Displaying and Maintaining RADIUS To do Use the command Remarks Display the configuration information of a specified RADIUS scheme or all RADIUS schemes dis...

Page 956: ... server name statistics Available in any view Display information about buffered stop accounting requests that get no responses display stop accounting buffer hwtacacs scheme hwtacacs scheme name Available in any view Clear HWTACACS statistics reset hwtacacs statistics accounting all authentication authorization Available in user view Clear buffered stop accounting requests that get no responses r...

Page 957: ...dresses of various interfaces omitted Enable the Telnet server on the switch Switch system view Switch telnet server enable Configure the switch to use AAA for Telnet users Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Switch ui vty0 4 quit Configure the HWTACACS scheme Switch hwtacacs scheme hwtac Switch hwtacacs hwtac primary authentication 10 1 1 1 49 Switch hwtacacs...

Page 958: ...As shown in Figure 1 8 configure the switch to provide local authentication HWTACACS authorization and RADIUS accounting services to Telnet users The user name and the password for Telnet users are both telnet The HWTACACS server is used for authorization Its IP address is 10 1 1 2 On the switch set the shared keys for packets exchanged with the TACACS server to expert Configure the switch to remo...

Page 959: ...thentication mode scheme Switch ui vty0 4 quit Configure the HWTACACS scheme Switch hwtacacs scheme hwtac Switch hwtacacs hwtac primary authorization 10 1 1 2 49 Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the RADIUS scheme Switch radius scheme rd Switch radius rd primary accounting 10 1 1 1 1813 Switch r...

Page 960: ...S and the RADIUS server 2 The username is not in the format of userid isp name or no default ISP domain is specified for the NAS 3 The user is not configured on the RADIUS server 4 The password of the user is incorrect 5 The RADIUS server and the NAS are configured with different shared key Solution Check that 1 The NAS and the RADIUS server can ping each other 2 The username is in the userid isp ...

Page 961: ...thenticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization server and the accounting server are not correct on the NAS For example one server is configured on the NAS to provide all the services of authentication authorization and accounting but in fact the services are provided by di...

Page 962: ...es 1 5 1 2 4 Enabling the ARP Entry Check 1 5 1 2 5 ARP Configuration Example 1 6 1 3 Configuring Gratuitous ARP 1 6 1 3 1 Introduction to Gratuitous ARP 1 6 1 3 2 Configuring Gratuitous ARP 1 7 1 4 Configuring ARP Source Suppression 1 7 1 4 1 Introduction to ARP Source Suppression 1 7 1 4 2 Configuring ARP Source Suppression 1 7 1 5 Displaying and Maintaining ARP 1 8 Chapter 2 Proxy ARP Configura...

Page 963: ... address of a host at the network layer To send a network layer packet to a destination host the device must know the data link layer address such as the MAC address of the destination host To this end the IP address must be resolved into the corresponding data link layer address Note Unless otherwise stated the data link layer addresses that appear in this chapter refer to the 48 bit Ethernet MAC...

Page 964: ... is being sent to 1 1 3 ARP Address Resolution Process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B as show in Figure 1 2 The resolution process is as follows 1 Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B If Host A finds it Host A uses the MAC address in the entry to encapsulate the IP packet into a data l...

Page 965: ...table contains ARP entries which fall into two categories dynamic and static 1 A dynamic entry is automatically created and maintained by ARP It can get aged be updated by a new ARP packet or be overwritten by a static ARP entry When the aging timer expires or the port goes down the corresponding dynamic ARP entry will be removed 2 A static ARP entry is manually configured and maintained It cannot...

Page 966: ... deleted and if non permanent and resolved will become unresolved Follow these steps to configure a static ARP entry To do Use the command Remarks Enter system view system view Configure a permanent static ARP entry arp static ip address mac address vlan id interface type interface number vpn instance name Required No permanent static ARP entry is configured by default Configure a non permanent st...

Page 967: ... them from the ARP mapping table You can adjust the aging time for dynamic ARP entries according to the actual network condition Follow these steps to set aging time for dynamic ARP entries To do Use the command Remarks Enter system view system view Set aging time for dynamic ARP entries arp timer aging aging time Optional 20 minutes by default 1 2 4 Enabling the ARP Entry Check The ARP entry chec...

Page 968: ...et 1 0 10 of VLAN 10 II Configuration procedure Sysname system view Sysname arp check enable Sysname arp timer aging 10 Sysname vlan 10 Sysname vlan10 port Ethernet 1 0 10 Sysname vlan10 quit Sysname interface vlan interface 10 Sysname vlan interface10 arp max learning num 1000 Sysname vlan interface10 quit Sysname arp static 192 168 1 1 00e0 fc01 0000 10 ethernet1 0 10 1 3 Configuring Gratuitous ...

Page 969: ... gratuitous arp learning enable Required Disabled by default 1 4 Configuring ARP Source Suppression 1 4 1 Introduction to ARP Source Suppression If a host attacks the device on a network by sending large amounts of IP packets whose IP addresses cannot be resolved z The device sends large amounts of ARP request messages to the destination subnet which increases the load of the destination subnet z ...

Page 970: ...splay arp all dynamic static vlan vlan id interface interface type interface number verbose begin exclude include text count Available in any view Display the ARP entries for a specified IP address display arp ip address verbose begin exclude include text Available in any view Display the ARP entries for a specified VPN instance display arp vpn instance vpn instance name begin exclude include text...

Page 971: ...plements Layer 3 communication between VLAN interfaces isolated at Layer 2 or located on different networks In one of the following cases you need to enable the local proxy ARP z Devices connected to different isolated layer 2 ports in the same VLAN need to implement layer 3 communication z With the isolate user vlan function enabled on a device attached to an switch devices in different second VL...

Page 972: ...rface vlan id Available in any view 2 4 Proxy ARP Configuration Examples 2 4 1 Proxy ARP Configuration Example I Network requirements Host A and Host D have IP addresses of the same network segment Host A belongs to VLAN 1 and Host D belongs to VLAN 2 Configure proxy ARP on the device to enable the communication between the two hosts II Network diagram Vlan int1 192 168 10 99 24 192 168 10 100 16 ...

Page 973: ... 168 20 99 255 255 255 0 Switch Vlan interface2 proxy arp enable Switch Vlan interface2 quit 2 4 2 Local Proxy ARP Configuration Example in Case of Port Isolation I Network requirements z Host A and Host B belong to the same VLAN and are connected to Ethernet 1 0 2 and Ethernet 1 0 3 of the switch respectively z Ethernet 1 0 2 and Ethernet 1 0 3 isolated at layer 2 can implement layer 3 communicat...

Page 974: ...0 3 quit Configure an IP address of VLAN interface 2 Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 10 100 255 255 0 0 Ping Host B on Host A to verify that the two hosts cannot be pinged through which indicates they are isolated at Layer 2 Configure local proxy ARP to let Host A and Host B communicate at Layer 3 Switch Vlan interface2 local proxy arp enable Switch Vlan...

Page 975: ...P Server on an Interface 2 4 2 5 Configuring an Address Pool for the DHCP Server 2 5 2 5 1 Configuration Task List 2 5 2 5 2 Creating a DHCP Address Pool 2 5 2 5 3 Configuring an Address Allocation Mode 2 6 2 5 4 Configuring a Domain Name Suffix for the Client 2 8 2 5 5 Configuring DNS Servers for the Client 2 8 2 5 6 Configuring WINS Servers and NetBIOS Node Type for the Client 2 9 2 5 7 Configur...

Page 976: ...figuration 3 9 3 5 DHCP Relay Agent Configuration Example 3 10 3 6 Troubleshooting DHCP Relay Agent Configuration 3 11 Chapter 4 DHCP Client Configuration 4 1 4 1 Introduction to DHCP Client 4 1 4 2 Enabling the DHCP Client on an Interface 4 2 4 3 Displaying and Maintaining the DHCP Client 4 2 4 4 DHCP Client Configuration Example 4 3 Chapter 5 DHCP Snooping Configuration 5 1 5 1 DHCP Snooping Ove...

Page 977: ...Operation Manual DHCP H3C S3610 S5510 Series Ethernet Switches Table of Contents iii 6 4 BOOTP Client Configuration Example 6 3 ...

Page 978: ...nwhile with the wide application of wireless networks the frequent movement of laptops across networks requires that the IP addresses be changed accordingly Therefore related configurations on hosts become more complex Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which the client sends a configuration request and then the...

Page 979: ... assigned address to the client z Automatic allocation DHCP assigns a permanent IP address to a client z Dynamic allocation DHCP assigns an IP address to a client for a limited period of time which is called a lease Most clients obtain their addresses in this way 1 2 2 Dynamic IP Address Allocation Process Figure 1 2 Dynamic IP address allocation process As shown in the figure above a DHCP client ...

Page 980: ... IP addresses offered by other DHCP servers are assignable to other clients 1 2 3 IP Address Lease Extension The IP address dynamically allocated by a DHCP server to a client has a lease After the lease duration elapses the IP address will be reclaimed by the DHCP server If the client wants to use the IP address again it has to extend the lease duration After the half lease duration elapses the DH...

Page 981: ...the BROADCAST B flag If this flag is set to 0 the DHCP server sent a reply back by unicast if this flag is set to 1 the DHCP server sent a reply back by broadcast The remaining bits of the flags field are reserved for future use z ciaddr Client IP address z yiaddr your client IP address assigned by the server z siaddr Server IP address from which the clients obtained configuration parameters z gia...

Page 982: ...on It specifies the DNS server IP address to be assigned to the client z Option 51 IP address lease option z Option 53 DHCP message type option It identifies the type of the DHCP message z Option 55 Parameter request list option It is used by a DHCP client to request specified configuration parameters The option contains values that correspond to the parameters requested by the client z Option 66 ...

Page 983: ... padding formats vary with vendors Currently the device supports two padding formats normal and verbose 1 Normal padding format The padding contents for sub options in the normal padding format are z sub option 1 Padded with the VLAN ID and number of the port that received the client s request The following figure gives its format The value of the sub option type is 1 and that of the circuit ID ty...

Page 984: ...et an IP address along with specified voice parameters from the DHCP server Option 184 involves the following sub options z Sub option 1 IP address of the primary network calling processor which is a server serving as the network calling control source and providing program downloads z Sub option 2 IP address of the backup network calling processor that DHCP clients will contact when the primary o...

Page 985: ...hapter 1 DHCP Overview 1 8 1 5 Protocols and Standards z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the Bootstrap Protocol z RFC 3046 DHCP Relay Agent Information Option ...

Page 986: ...ation Examples z Troubleshooting DHCP Server Configuration Note z The DHCP server configuration is supported only on VLAN interfaces and loopback interfaces The secondary IP address pool configuration is not supported on loopback interfaces z DHCP Snooping must be disabled on the DHCP server 2 1 Introduction to DHCP Server 2 1 1 Application Environment The DHCP server is well suited to the network...

Page 987: ...hild has no such configuration or z Overridden if the lower level child has such configuration Note The IP address lease does not enjoy the inheritance attribute II Principles for selecting an address pool The DHCP server observes the following principles to select an address pool to assign IP addresses to clients 1 If there is an address pool where an IP address is statically bound to the MAC add...

Page 988: ... of the DHCP server resides to avoid wrong IP address allocation 2 1 3 IP Address Allocation Sequence A DHCP server assigns an IP address to a client according to the following sequence 1 The IP address manually bound to the client s MAC address or ID 2 The IP address that was ever assigned to the client 3 The IP address designated by the Option 50 field in a DHCP DISCOVER message 4 The first assi...

Page 989: ...The subaddress keyword is valid only when the server and client are on the same subnet If a DHCP relay agent exists in between regardless of subaddress the DHCP server will select an IP address from the address pool of the subnet which contains the primary IP address of the DHCP relay agent s interface connected to the client When the DHCP server and client are on the same subnet the server will z...

Page 990: ...in Name Suffix for the Client Configuring DNS Servers for the Client Configuring WINS Servers and NetBIOS Node Type for the Client Configuring the BIMS Server Information for the Client Configuring Gateways for the Client Configuring Option 184 Parameters for the Client with Voice Service Configuring the TFTP Server and Bootfile Name for the Client Configuring Self Defined DHCP Options Optional 2 ...

Page 991: ...hen the client with the MAC address or ID requests an IP address the DHCP server will find the IP address from the binding for the client A DHCP address pool now supports only one static binding which can be a MAC to IP or ID to IP binding Follow these steps to configure the static binding in a DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool vi...

Page 992: ...ust be identical to the ID displayed by using the display dhcp client verbose command on the client Otherwise the client cannot obtain an IP address II Configuring dynamic address allocation You need to specify one and only one address range using a mask for the dynamic address allocation To avoid address conflicts the DHCP server excludes IP addresses used by the GW FTP server and so forth from d...

Page 993: ...ress pool on the DHCP server to provide the clients with the domain name suffix With this suffix assigned the client needs only input part of a domain name and the system will add the domain name suffix for name resolution For details about DNS refer to DNS Configuration of this manual Follow these steps to configure a domain name suffix in the DHCP address pool To do Use the command Remarks Enter...

Page 994: ... node The b node client sends the destination name in a broadcast message The destination returns its IP address to the client after receiving the message z p peer to peer node The p node client sends the destination name in a unicast message to the WINS server and the WINS server returns the destination IP address z m mixed node A combination of broadcast first and peer to peer second The m node ...

Page 995: ...gure the BIMS server IP address port number and shared key in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Specify the BIMS server IP address port number and shared key bims server ip ip address port port number sharekey key Required Not specified by default 2 5 8 Configuring Gateways for the Client DHC...

Page 996: ... then can initiate a call using parameters in Option 184 Follow these steps to configure option 184 parameters in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Specify the IP address of the primary network calling processor voice config ncp ip ip address Required Not specified by default Specify the IP a...

Page 997: ...uration file To implement auto configuration you need to specify the IP address and name of a TFTP server and the bootfile name in the DHCP address pool on the DHCP server but you do not need to perform any configuration on the DHCP client When option 55 in the requesting client message contains parameters of option 66 option 67 or option 150 the DHCP server will return the IP address and name of ...

Page 998: ...ress pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure a self defined DHCP option option code ascii ascii string hex hex string 1 16 ip address ip address 1 8 Required No DHCP option is configured by default Table 2 1 Description of common options Option Option name Corresponding command Command parameter 3 Router ...

Page 999: ... the DHCP address pool 2 6 2 Enabling Unauthorized DHCP Server Detection There are unauthorized DHCP servers on networks which reply DHCP clients with wrong IP addresses With this feature enabled when receiving a DHCP message with the siaddr field not being 0 from a client the DHCP server will record the value of the siaddr field in the message and the receiving interface The administrator can use...

Page 1000: ...ction To do Use the command Remarks Enter system view system view Specify the number of ping packets dhcp server ping packets number Optional One ping packet by default The value 0 indicates that no ping operation is performed Configure a timeout waiting for ping responses dhcp server ping timeout milliseconds Optional 500 ms by default The value 0 indicates that no ping operation is performed 2 7...

Page 1001: ... Support Option 82 for related configuration details 2 8 Displaying and Maintaining the DHCP Server To do Use the command Remarks Display information about IP address conflicts display dhcp server conflict all ip ip address Display information about lease expiration display dhcp server expired all ip ip address pool pool name Display information about assignable IP addresses display dhcp server fr...

Page 1002: ...2 9 DHCP Server Configuration Examples DHCP networking involves two types z The DHCP server and client are on the same subnet and exchange messages directly z The DHCP server and client are not on the same subnet and they communicate with each other via a DHCP relay agent The DHCP server configuration for the two types is the same I Network requirements z The DHCP server Switch A assigns IP addres...

Page 1003: ...face 1 should be less than 122 and that of clients connected to VLAN interface 2 less than 124 II Network diagram Figure 2 1 DHCP network diagram III Configuration procedure Specify IP addresses for VLAN interfaces omitted Configure the DHCP server Enable DHCP SwitchA system view SwitchA dhcp enable Exclude IP addresses addresses of the DNS server WINS server and gateways SwitchA dhcp server forbi...

Page 1004: ...255 128 SwitchA dhcp pool 2 expired day 5 SwitchA dhcp pool 2 gateway list 10 1 1 254 2 10 Troubleshooting DHCP Server Configuration I Symptom A client s IP address obtained from the DHCP server conflicts with another IP address II Analysis A host on the subnet may have the same IP address III Solution 1 Disconnect the client s network cable and ping the client s IP address on another host with a ...

Page 1005: ...nfiguration is supported only VLAN interfaces z DHCP Snooping must be disabled on the DHCP relay agent 3 1 Introduction to DHCP Relay Agent 3 1 1 Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same subnet Therefore a DHCP server must be available on each subnet It is not practical DHCP relay agent solves the problem...

Page 1006: ...location Process The following describes the forwarding process on the DHCP relay agent Figure 3 2 DHCP relay agent work process As shown in the figure above the DHCP relay agent works as follows 1 After receiving a DHCP DISCOVER or DHCP REQUEST broadcast message from a DHCP client the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the design...

Page 1007: ...mat The DHCP relay agent will Drop Random Drop the message Keep Random Forward the message without changing Option 82 normal Forward the message after replacing the original Option 82 with the Option 82 padded in normal format Option 82 Replace verbose Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format normal Forward the message after adding the ...

Page 1008: ...Use the command Remarks Enter system view system view Enter interface view Interface interface type interface number Enable the DHCP relay agent on the current interface dhcp select relay Required With DHCP enabled interfaces work in the DHCP server mode Note If the DHCP client obtains an IP address via the DHCP relay agent the address pool of the subnet which the IP address of the DHCP relay agen...

Page 1009: ... servers and those of relay agent s interfaces cannot be on the same subnet Otherwise the client cannot obtain an IP address z A DHCP server group can correlate with one or multiple DHCP relay agent interfaces while a relay agent interface can only correlate with one DHCP server group Using the dhcp relay server select command repeatedly overwrites the previous configuration However if the specifi...

Page 1010: ...u can manually configure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses For avoidance of invalid IP address configuration you can configure the DHCP relay agent to check whether a requesting client s IP and MAC addresses match a binding on it both dynamic and static bindings If not the client cannot access outside networks via the DHCP...

Page 1011: ...gent uses the IP address of a client and the MAC address of the DHCP relay interface to regularly send a DHCP REQUEST message to the DHCP server z If the server returns a DHCP ACK message or does not return any message within a specified interval which means the IP address is assignable now the DHCP relay agent will update its bindings by aging out the binding entry of the IP address z If the serv...

Page 1012: ...After the recorded information of a DHCP server is cleared a new record will be put for the DHCP server 3 3 6 Configuring the DHCP Relay Agent to Support Option 82 I Prerequisites You need to complete the following tasks before configuring the DHCP relay agent to support Option 82 z Enabling DHCP z Enabling the DHCP relay agent on the specified interface z Correlating a DHCP server group with rela...

Page 1013: ...on 82 is padded with the device name sysname of a node the device name must contain no spaces Otherwise the DHCP relay agent will drop the message 3 4 Displaying and Maintaining DHCP Relay Agent Configuration To do Use the command Remarks Display information about DHCP server groups correlated to a specified or all interfaces display dhcp relay all interface interface type interface number Availab...

Page 1014: ...clients reside The IP address of VLAN interface 1 is 10 10 1 1 24 and IP address of VLAN interface 2 is 10 1 1 2 24 that communicates with the DHCP server 10 1 1 1 24 As shown in the figure below Switch A forwards messages between DHCP clients and the DHCP server II Network diagram Switch B DHCP server Switch A DHCP relay agent DHCP client DHCP client DHCP client DHCP client Vlan int2 10 1 1 2 24 ...

Page 1015: ...nt subnets routes in between must be reachable 3 6 Troubleshooting DHCP Relay Agent Configuration I Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent II Analysis Some problems may occur with the DHCP relay agent or server configuration Enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface stat...

Page 1016: ... to obtain an IP address 4 1 Introduction to DHCP Client With the DHCP client enabled on an interface the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server For S3610 S5510 series Ethernet switches operating as DHCP clients the vendor and device information contained in Option 60 of DHCP requests is not configurable instead it is determined by the...

Page 1017: ...on will overwrite the previous configuration z After the DHCP client is enabled on an interface no secondary IP address is configurable for the interface z If the IP address assigned by the DHCP server shares a network segment with the IP addresses of other interfaces on the device the DHCP client enabled interface will not request any IP address of the DHCP server unless the conflicted IP address...

Page 1018: ... address II Network diagram See Figure 2 1 III Configuration procedure The following is the configuration on Switch B shown in Figure 2 1 Enable the DHCP client on VLAN interface 1 SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address dhcp alloc Note To implement the DHCP client server model you need to perform related configuration on the DHCP server For detail...

Page 1019: ...ween the DHCP client and relay agent or between the DHCP client and server z The DHCP Snooping enabled device cannot be a DHCP server or DHCP relay agent z You are not recommended to enable the DHCP client BOOTP client and DHCP Snooping on the same device Otherwise DHCP Snooping entries may fail to be generated or the BOOTP client DHCP client may fail to obtain an IP address 5 1 DHCP Snooping Over...

Page 1020: ...trator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent option Option 82 If DHCP snooping supports Option 82 it will handle a client s request according to the contents defined in Option 82 if any The handling strategies are described in the table below If a reply returned by the DHCP server contains Option 82 the DHCP snoopi...

Page 1021: ...view interface interface type interface number Specify the port as trusted dhcp snooping trust Required Untrusted by default Note z You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses The trusted port and the port connected to the DHCP client must be in the same VLAN z You are not recommended to configure both the D...

Page 1022: ...ame user defined node identifier Optional normal by default Note z To support Option 82 it is required to perform related configuration on both the DHCP server and the device enabled with DHCP Snooping Refer to Configuring the Handling Mode for Option 82 for DHCP server configuration of this kind z If the handling strategy of the DHCP Snooping enabled device is configured as replace you need to co...

Page 1023: ...ddress bindings in DHCP REQUEST messages and DHCP ACK messages received from trusted ports z Switch B supports Option 82 After receiving a DHCP request from the client Switch B adds Option 82 padded in verbose format to the request message and forwards the message to the DHCP server II Network diagram Eth1 0 1 Switch A DHCP server Switch B DHCP snooping Eth1 0 2 Eth1 0 3 DHCP client DHCP client Fi...

Page 1024: ... 82 on Ethernet 1 0 2 SwitchB Ethernet1 0 2 dhcp snooping information format verbose node identifier sysname SwitchB Ethernet1 0 2 quit Configure DHCP Snooping to support Option 82 on Ethernet 1 0 3 SwitchB interface ethernet 1 0 3 SwitchB Ethernet1 0 3 dhcp snooping information enable Configure the padding format to verbose for Option 82 on Ethernet 1 0 3 SwitchB Ethernet1 0 3 dhcp snooping infor...

Page 1025: ...This section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards 6 1 1 BOOTP Application After you specify an interface of a device as a BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to configure a BOOTP parameter f...

Page 1026: ...r receives the request and searches the configuration file for the corresponding IP address according to the MAC address of the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP client 3 The BOOTP client obtains the IP address from the received the response 6 1 3 Protocols and Standards Some protocols and standards related to BOOTP include z RFC 951 Bootstrap Protocol BOOTP ...

Page 1027: ...ew 6 4 BOOTP Client Configuration Example I Network requirement Switch B s port belonging to VLAN 1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP II Network diagram See Figure 2 1 III Configuration procedure The following describes only the configuration on Switch B serving as a client Configure VLAN interface 1 to dynamically obtain an IP addre...

Page 1028: ...edure 2 1 2 1 2 Configuration Examples 2 2 2 2 Configuring a Basic IPv4 ACL 2 3 2 2 1 Configuration Prerequisites 2 3 2 2 2 Configuration Procedure 2 3 2 2 3 Configuration Examples 2 4 2 3 Configuring an Advanced IPv4 ACL 2 4 2 3 1 Configuration Prerequisites 2 5 2 3 2 Configuration Procedure 2 5 2 3 3 Configuration Examples 2 6 2 4 Configuring an Ethernet Frame Header ACL 2 7 2 4 1 Configuration ...

Page 1029: ...mples 3 3 3 3 Configuring an Advanced IPv6 ACL 3 3 3 3 1 Configuration Prerequisites 3 3 3 3 2 Configuration Procedure 3 3 3 3 3 Configuration Examples 3 5 3 4 Copying an IPv6 ACL 3 5 3 4 1 Configuration Prerequisites 3 5 3 4 2 Configuration Procedure 3 6 3 5 Displaying and Maintaining IPv6 ACLs 3 6 3 6 IPv6 ACL Configuration Example 3 6 3 6 1 Network Requirements 3 6 3 6 2 Network Diagram 3 7 3 6...

Page 1030: ...illegal users from accessing networks and to control network traffic and save network resources Access control lists ACL are often used to filter packets with configured matching rules ACLs are sets of rules or sets of permit or deny statements that decide what packets can pass and what should be rejected based on matching criteria such as source MAC address destination MAC address source IP addre...

Page 1031: ...sers the device denies all packets that do not match the ACL 1 2 IPv4 ACL This section covers these topics z IPv4 ACL Classification z IPv4 ACL Naming z IPv4 ACL Match Order z IP Fragments Filtering with IPv4 ACL 1 2 1 IPv4 ACL Classification IPv4 ACLs identified by ACL numbers fall into the following four categories z Basic IPv4 ACL based on source IP address Basic ACLs are numbered 2000 through ...

Page 1032: ...e order in which they are configured z auto where depth first match is performed The term depth first match has different meanings for different types of ACLs I Depth first match for a basic IPv4 ACL The following shows how your device performs depth first match in a basic IPv4 ACL 1 Sort rules by source IP address wildcard first and compare packets against the rule configured with more zeros in t...

Page 1033: ...hows how your device performs depth first match in an Ethernet frame header ACL 1 Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask prior to other rules 2 If two rules are present with the same number of ones in their source MAC address masks look at the destination MAC address masks Then compare packets agains...

Page 1034: ... other Layer 3 or Layer 4 protocol header fields Advanced ACLs are numbered 3000 through 3999 1 3 2 IPv6 ACL Naming When creating an IPv6 ACL you can specify a unique name for it Afterwards you can identify the IPv6 ACL by its name An IPv6 ACL can have only one name Whether to specify a name for an ACL is up to you After creating an ACL you cannot specify a name for it nor can you change or remove...

Page 1035: ... with the protocol carried on IPv6 specified prior to other rules 2 If two rules are present with the same protocol range look at source IPv6 address wildcard in addition Then compare packets against the rule configured with a larger prefix length in the source IPv6 address wildcard prior to the other 3 If the prefix lengths in the source IPv6 address wildcards are the same look at the destination...

Page 1036: ...L takes effect only in specified time ranges Only after a time range is configured and the system time is within the time range can an ACL rule take effect Two types of time ranges are available z Periodic time range which recurs periodically on the day or days of the week z Absolute time range which takes effect only in a period of time and does not recur 2 1 1 Configuration Procedure Follow thes...

Page 1037: ...ember 31 2004 23 59 you may use the time range test 12 00 to 14 00 wednesday from 00 00 01 01 2004 to 23 59 12 31 2004 command z You may create individual time ranges identified with the same name They are regarded as one time range whose active period is the result of ORing periodic ones ORing absolute ones and ANDing periodic and absolute ones z With no start time specified the time range is fro...

Page 1038: ...m view system view Create and enter basic IPv4 ACL view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name command to enter the view of the ACL later Create or modify a rule rule rule id deny permit fragment logging source sour addr sour wildcard any tim...

Page 1039: ...red in an ACL If the match order for this ACL is auto rules are displayed in the depth first match order rather than by rule number Caution z You can modify the match order of an IPv4 ACL with the acl number acl number name acl name match order auto config command but only when it does not contain any rules z The rule specified in the rule comment command must have existed 2 2 3 Configuration Exam...

Page 1040: ...Pv4 ACL To do Use the command Remarks Enter system view system view Create and enter advanced IPv4 ACL view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name command to enter the view of the ACL later Create or modify a rule rule rule id deny permit pro...

Page 1041: ...urrent highest rule ID For example if the rule numbering step is 5 and the current highest rule ID is 28 the next rule will be numbered 30 For detailed information about step refer to the step command z You may use the display acl command to verify rules configured in an ACL If the match order for this ACL is auto rules are displayed in the depth first match order rather than by rule number Cautio...

Page 1042: ...range command first 2 4 2 Configuration Procedure Follow these steps to configure an Ethernet frame header ACL To do Use the command Remarks Enter system view system view Create and enter Ethernet frame header ACL view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the ac...

Page 1043: ...ep is 5 and the current highest rule ID is 28 the next rule will be numbered 30 For detailed information about step refer to the step command z You may use the display acl command to verify rules configured in an ACL If the match order for this ACL is auto rules are displayed in the depth first match order rather than by rule number Caution z You can modify the match order of an IPv4 ACL with the ...

Page 1044: ...n Prerequisites If you want to reference a time range to a rule define it with the time range command first 2 5 2 Configuration Procedure Follow these steps to configure a user defined ACL To do Use the command Remarks Enter system view system view Create and enter user defined ACL view acl number acl number name acl name Required If you specify a name for an ACL when creating the ACL you can use ...

Page 1045: ...matically assign rule IDs starting with 0 and increasing in rule numbering steps of five A rule ID thus assigned is greater than the current highest rule ID For example if the current highest rule ID is 28 the next rule will be numbered 30 For detailed information about step refer to the step command z For a user defined ACL the match order can only be config Caution The rule specified in the rule...

Page 1046: ...y an existing IPv4 ACL to generate a new one of the same type acl copy source acl number name source acl name to dest acl number name dest acl name Required Caution z The source IPv4 ACL and the destination IPv4 ACL must be of the same type z The generated ACL does not take the name of the source IPv4 ACL 2 7 Displaying and Maintaining IPv4 ACLs To do Use the command Remarks Display information ab...

Page 1047: ...esident s office 192 168 2 0 24 192 168 3 0 24 192 168 1 0 24 Figure 2 1 Network diagram for IPv4 ACL configuration 2 8 3 Configuration Procedure 1 Create a time range for office hours Create a periodic time range spanning 8 00 to 18 00 in working days Switch system view Switch time range trname 8 00 to 18 00 working day 2 Define an ACL to control access to the salary query server Configure a rule...

Page 1048: ... match acl 3001 Switch classifier c_market quit Configure traffic behavior b_ market to deny matching packets Switch traffic behavior b_market Switch behavior b_market filter deny Switch behavior b_market quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Configure QoS poli...

Page 1049: ...guring a Basic IPv6 ACL Basic IPv6 ACLs filter packets based on source IPv6 address They are numbered in the range 2000 to 2999 3 2 1 Configuration Prerequisites If you want to reference a time range to a rule define it with the time range command first 3 2 2 Configuration Procedure Follow these steps to configure an IPv6 ACL To do Use the command Remarks Enter system view system view Create and e...

Page 1050: ... if the ACL match order is set to auto rather than config you cannot modify ACL rules z When defining ACL rules you need not assign them IDs The system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps A rule ID thus assigned is greater than the current highest rule ID For example if the rule numbering step is five and the current highest rule ID is 2...

Page 1051: ...000 named none 2 rules ACL s step is 5 rule 0 permit source 2030 5060 9050 64 rule 5 deny source FE80 5060 8050 96 3 3 Configuring an Advanced IPv6 ACL Advanced ACLs filter packets based on the source IPv6 address destination IPv6 address protocol carried on IPv6 and other protocol header fields such as the TCP UDP source port TCP UDP destination port ICMP message type and ICMP message code Advanc...

Page 1052: ... range time name Required To create multiple rules repeat this step Set a rule numbering step step step value Optional The default step is 5 Create an ACL description description text Optional By default no IPv6 ACL description is present Create a rule description rule rule id comment text Optional By default no rule description is present Note that z You will fail to create or modify a rule if it...

Page 1053: ...3 3 Configuration Examples Create IPv6 ACL 3000 to permit the TCP packets with the source address 2030 5060 9050 64 to pass Sysname system view Sysname acl ipv6 number 3000 Sysname acl6 adv 3000 rule permit tcp source 2030 5060 9050 64 Verify the configuration Sysname acl6 adv 3000 display acl ipv6 3000 Advanced IPv6 ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 2030 5060 905...

Page 1054: ...name of the source IPv6 ACL 3 5 Displaying and Maintaining IPv6 ACLs To do Use the command Remarks Display information about a specified or all IPv6 ACLs display acl ipv6 acl6 number all name acl6 name Available in any view Display the configuration and status on time range display time range time name all Available in any view Clear statistics about a specified or all IPv6 ACLs that are reference...

Page 1055: ...packets matching IPv6 ACL 2000 Switch traffic classifier c_rd Switch classifier c_rd if match acl ipv6 2000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd clas...

Page 1056: ...P address source TCP port and destination TCP port Then only the ACL rules that contain no other information items than the above ones can be applied correctly on the port for packet filtering QoS and other purposes The switch supports both default flow template and user defined flow templates And the user defined flow templates can be classified into two types basic and extended Initially if you ...

Page 1057: ...6 smac sport tcp flag tos Create a flow template Create an extended flow template flow template flow template name extend start offset max value length max value ipv4 offset max value length max value ipv6 offset max value length max value l2 offset max value length max value l4 offset max value length max value Optional Use either command Enter interface view interface interface type interface nu...

Page 1058: ...lation MAC IP port binding selective QinQ and voice VLAN And also you are not recommended to use these functions after you apply a flow template on the port The S3610 and S5510 Series Ethernet Switches support up to two user defined flow templates each Note that the total length of all the elements in a basic flow template must be less than 16 bytes otherwise you will see an error message when app...

Page 1059: ... cos Service 802 1p COS field 0 service vlan id Service VLAN ID field 0 sip Source IP address field in IP head 0 sipv6 Source IPv6 address field in IPv6 head 0 smac Source MAC address field in ethernet packet head 6 sport Source port field 2 tcp flag The flag field in tcp head 1 Note z Elements dscp ip precedence and tos always use the same byte in a flow template even if you configure all of them...

Page 1060: ...reate basic flow template aaa Sysname system view Sysname flow template aaa basic customer cos smac customer vlan id Reference flow template aaa on interface Ethernet 1 0 1 Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 flow template aaa Sysname Ethernet1 0 1 quit Create user defined ACL 5000 and configure the extended flow template bbb to match ARP packets Sysname acl number 5000 Sysname ...

Page 1061: ... template interface Interface Ethernet1 0 1 user defined flow template basic name aaa index 1 total reference counts 1 fields smac customer vlan id customer cos Interface Ethernet1 0 2 user defined flow template extend name bbb index 2 total reference counts 1 fields l2 12 2 Delete flow template aaa As it is being referenced by interface Ethernet 1 0 1 remove it from the interface first Sysname in...

Page 1062: ...1 Traffic Classification 2 1 2 1 2 Priority 2 2 2 2 TP and TS Overview 2 5 2 3 Traffic Evaluation and the Token Bucket 2 5 2 3 1 Token bucket 2 5 2 3 2 Evaluating the traffic with the token bucket 2 6 2 3 3 Complicated evaluation 2 6 2 3 4 TP 2 6 2 3 5 TS 2 7 2 4 TP and TS Configuration 2 8 2 4 1 Configuring TP 2 8 2 4 2 Configuring TS 2 9 2 5 Displaying TP TS 2 11 Chapter 3 QoS Policy Configurati...

Page 1063: ...Prerequisites 5 5 5 3 2 Configuration Procedure 5 5 5 3 3 Configuration Examples 5 5 5 4 Configuring Port Priority Trust Mode 5 6 5 4 1 Configuration Prerequisites 5 6 5 4 2 Configuration Procedure 5 6 5 4 3 Configuration Examples 5 6 5 5 Displaying Priority Mapping 5 7 Chapter 6 Congestion Avoidance 6 1 6 1 Overview 6 1 6 2 Configuring WRED 6 2 6 2 1 Configuration Prerequisites 6 2 6 2 2 Configur...

Page 1064: ...Configuration Prerequisites 8 1 8 2 2 Configuration Procedure 8 2 8 3 Displaying and Maintaining VLAN Policy 8 2 8 4 VLAN Policy Configuration Examples 8 2 8 4 1 Network Requirements 8 2 8 4 2 Configuration Procedure 8 2 Chapter 9 Traffic Mirroring Configuration 9 1 9 1 Overview 9 1 9 2 Configuring Traffic Mirroring 9 1 9 2 1 Mirroring Traffic to a port 9 1 9 2 2 Mirroring Traffic to the CPU 9 2 9...

Page 1065: ...termined by the order in which packets arrive All the packets share the resources of the network Network resources available to the packets completely depend on the time they arrive This service policy is known as Best effort which delivers the packets to their destination with the best effort with no assurance and guarantee for delivery delay jitter packet loss ratio reliability and so on The tra...

Page 1066: ...ty need to be further improved 1 4 Occurrence and Influence of Congestion and the Countermeasures QoS issues that traditional networks face are mainly caused by congestion Congestion means reduced service rate and extra delay introduced because of relatively insufficient resource provisioned 1 4 1 Occurrence of Congestion Congestion is very common in a complicated environment of packet switching o...

Page 1067: ...t it cannot solve all the problems that cause network congestion A more effective way to solve network congestion problems is to enhance the function of the network layer in traffic control and resource assignment to provide differentiated services for different requirements and to assign and utilize resources correctly In the process of resource assignment and traffic control the direct or indire...

Page 1068: ... congestion avoidance mechanism will drop packets and regulate traffic to solve the overload of the network z TS TS is a traffic control measure to regulate the output rate of the traffic actively TS regulates the traffic to match the network resources that can be provided by the downstream devices so as to avoid unnecessary packet loss and congestion Among the traffic management techniques traffi...

Page 1069: ...sification is generally based on the information in the packet header and rarely based on the content of the packet The classification result is unlimited in range They can be a small range specified by a quintuplet source address source port number protocol number destination address and destination port number or all the packets to a certain network segment Generally the precedence of bits in th...

Page 1070: ...the range of 0 to 15 z RFC2474 re defines the ToS field in the IP packet header which is called the DS field The first six bit 0 to bit 5 bits of the DS field indicate DSCP precedence in the range of 0 to 63 The last two bits bit 6 and bit 7 are reserved bits Table 2 1 Description on IP Precedence IP Precedence decimal IP Precedence binary Description 0 000 Routine 1 001 priority 2 010 immediate 3...

Page 1071: ... CS class This class comes from the IP ToS field and includes eight subclasses z Best Effort BE class This class is a special class without any assurance in the CS class The AF class can be degraded to the BE class if it exceeds the limit Current IP network traffic belongs to this class by default Table 2 2 Description on DSCP precedence values DSCP value decimal DSCP value binary Description 46 1...

Page 1072: ...value is 8100 and a 2 byte Tag Control Information TCI TPID is a new class defined by IEEE to indicate a packet with an 802 1Q tag Figure 2 3 describes the detailed contents of an 802 1Q tag header Figure 2 3 802 1Q tag headers In the figure above the 3 bit priority field in TCI is 802 1p priority in the range of 0 to 7 In the figure above the priority field three bits in length in TCI is 802 1p p...

Page 1073: ...low obtains only the resources committed to it within a certain period of time network congestion due to excessive burst traffic can be avoided TP and TS are traffic control policies for limiting traffic and resource usage by supervising the traffic The prerequisite for TP or TS is to determine whether or not the traffic exceeds the set threshold Traffic control policies are adopted only when the ...

Page 1074: ...and a number of tokens equivalent to the packet forwarding authority must be taken out otherwise this means too many tokens have been used the traffic is in excess of the specification 2 3 3 Complicated evaluation You can set two token buckets in order to evaluate more complicated conditions and implement more flexible regulation policies For example TP uses four parameters z CIR z CBS z Peak info...

Page 1075: ...t or a non conforming packet with a new DSCP precedence value and forwarding the packet 2 3 5 TS TS is a policy used to adjust the rate of outbound traffic actively A typical TS implementation is to control outbound traffic according to the traffic control settings of the downstream network nodes The difference between TP and TS lies in that when traffic exceeds the set threshold TP drops packets ...

Page 1076: ...ure queue based TS Configure TS on ports Configure TS for all traffic Configure TS on ports 2 4 1 Configuring TP TP configuration includes the following two tasks the first task is to define the characteristics of the packets to be policed the second task is to define policing policies for the matched packets I Configure ACL based TP Follow these steps to configure ACL based TP To do Use the comma...

Page 1077: ...nter system view Sysname system view Enter port view Sysname interface Ethernet 1 0 1 Configure TP parameters Sysname Ethernet1 0 1 qos car inbound acl 2000 cir 1000 red discard 2 4 2 Configuring TS TS can be implemented in the following ways z Queue based TS where TS is applied to the packets of a specific queue z TS applied to all traffic I Configure queue based TS Follow these steps to configur...

Page 1078: ...ew or port group view Enter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuration performed in Ethernet port view applies to the current port only The configuration performed in port group view applies to all the ports in the port group Configure TS qos gts any cir committed information rate Required CIR must be a multiple of 65...

Page 1079: ...ion 2 11 2 5 Displaying TP TS To do Use the command Remarks Display the configuration and statistics about TP on a port display qos car interface interface type interface number Display the configuration and statistics about TS on a port display qos gts interface interface type interface number Available in any view ...

Page 1080: ...ules You can use commands to define a series of rules to classify packets Additionally you can use commands to define the relationship among classification rules and and or z and The devices considers a packet to be of a specific class when the packet matches all the specified classification rules z or The device considers a packet be of a specific class when the packet matches one of the specifie...

Page 1081: ... define the class as required for the policy to be associated with car Traffic filtering Use the if match match criteria command to define the class as required for the policy to be associated with filter Traffic mirroring Use the if match match criteria command to define the class as required for the policy to be associated with mirror to Nested VLAN tag Use the if match match criteria command to...

Page 1082: ...able forms of this argument Table 3 2 The form of the match criteria argument Form Description acl access list number Specifies an ACL to match packets The access list number argument is in the range 2000 to 4999 Note that for a class with the logical relationship between the classification rules in it set to logical and a packet matches the class if it matches a rule in the ACL acl ipv6 access li...

Page 1083: ...ent IP precedence is in the range 0 to 7 protocol protocol name Specifies to match the packets of a specified protocol The protocol name argument can be IP IPv6 or Bittorrent The S3610 and S5510 series Ethernet switches do not support the Bittorrent protocol currently service vlan id vlan id list Specifies to match the packets of the VLANs of the operator s network The vlan id list argument is a l...

Page 1084: ... you want to define a primap behavior you need to define a priority mapping table as required Refer to Priority Mapping for more information I Configuration procedure Follow these steps to define a traffic behavior To do Use the command Remarks Enter system view system view Create a traffic behavior and enter the corresponding traffic behavior view traffic behavior behavior name Required behavior ...

Page 1085: ...terface interface type interface number next hop ipv4 add ipv4 add ipv6 add interface type interface number ipv6 add interface type interface number Remark DSCP value for packets remark dscp dscp value Remark 802 1p priority for packets remark dot1p 8021p Remark drop precedence for packets remark drop precedence drop precedence value Remark IP precedence for packets remark ip precedence ip precede...

Page 1086: ...clusive with the nest command II Configuration example 1 Network requirements Create a traffic behavior named test configuring TP action for it with the CAR being 100 kbps 2 Configuration procedure Enter system view Sysname system view Create the traffic behavior This operation leads you to traffic behavior view Sysname traffic behavior test Configure TP action for the traffic behavior Sysname beh...

Page 1087: ...et port view applies to the current port only The configuration performed in port group view applies to all the ports in the port group Apply an associated policy qos apply policy policy name inbound Required II Configuration example 1 Network requirements Configure a policy named test to associate the traffic behavior named test_behavior with the class named test_class Apply the policy to the inb...

Page 1088: ... about a class and the corresponding actions associated by a policy display qos policy user defined policy name classifier classifier name Display the information about the policies applied on a port display qos policy interface interface type interface number inbound Display the information about a traffic behavior display traffic behavior user defined behavior name Display the information about ...

Page 1089: ...ay cause the transmitting device to retransmit the packets because the lost packets time out which causes a malicious cycle The core of congestion management is how to schedule the resources and determine the sequence of forwarding packets when congestion occurs 4 2 Congestion Management Policy Queuing technology is generally adopted to solve the congestion problem The queuing technology is to cla...

Page 1090: ...ch are queue7 queue6 queue5 queue4 queue3 queue2 queue1 and queue0 Their priorities decrease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the priority order from high to low When the queue with higher priority is empty packets in the queue with lower priority are sent You can put critical service packets into the queues with higher priority and...

Page 1091: ... 50 30 10 10 50 30 10 and 10 corresponding to w7 w6 w5 w4 w3 w2 w1 and w0 respectively In this way the queue with the lowest priority can be assured of 5 Mbps of bandwidth at least thus avoiding the disadvantage of SP queue scheduling algorithm that packets in low priority queues are possibly not to be served for a long time Another advantage of WRR queue scheduling algorithm is that though the qu...

Page 1092: ...up 2 The SP scheduling algorithm is adopted for WRR groups For example queue 0 queue 1 queue 2 and queue 3 are in WRR group 1 and queue 4 queue 5 queue 6 and queue 7 are in group 2 Round robin is performed in WRR group 2 firstly If no packet is to be sent in WRR group 2 round robin is performed in WRR group 1 4 4 1 Configuration Procedure Follow these steps to configure WRR queues To do Use the co...

Page 1093: ... 1 qos wrr 1 group 1 weight 2 Sysname Ethernet1 0 1 qos wrr 2 group 1 weight 4 Sysname Ethernet1 0 1 qos wrr 3 group 1 weight 6 Sysname Ethernet1 0 1 qos wrr 4 group 1 weight 8 Sysname Ethernet1 0 1 qos wrr 5 group 1 weight 10 Sysname Ethernet1 0 1 qos wrr 6 group 1 weight 12 Sysname Ethernet1 0 1 qos wrr 7 group 1 weight 14 4 5 Configuring SP WRR Queues As required you can adopt SP queue scheduli...

Page 1094: ... configuration performed in port group view applies to all the ports in the port group Configure SP queue scheduling qos wrr queue id group sp Required Configure WRR queue scheduling qos wrr queue id group group id weight queue weight Required Caution With SP WRR queue scheduling algorithm adopted the queues assigned to the same queue scheduling group must be with consecutive queue numbers 4 5 2 C...

Page 1095: ...1 0 1 qos wrr 1 group sp Sysname Ethernet1 0 1 qos wrr 2 group 1 weight 20 Sysname Ethernet1 0 1 qos wrr 3 group 1 weight 70 Sysname Ethernet1 0 1 qos wrr 4 group 1 weight 100 Sysname Ethernet1 0 1 qos wrr 5 group 2 weight 10 Sysname Ethernet1 0 1 qos wrr 6 group 2 weight 50 Sysname Ethernet1 0 1 qos wrr 7 group 2 weight 80 4 6 Displaying Congestion Management To do Use the command Remarks Display...

Page 1096: ...e higher the drop precedence the more likely a packet is dropped For packets without 802 1q tags the switch uses the priority of the receiving port as the 802 1p precedence of the received packets and then obtains the local precedence of the received packets by mapping the 802 1p precedence For packets with 802 1q tags the switch provides the following two priority trust modes z Trusting packet pr...

Page 1097: ...scp lp mapping column lists the default target local precedence values available only for IP packets z The dscp dp mapping lists the default target drop precedence values available only for IP packets z The dscp dot1p mapping column lists the default target 802 1p precedence values available only for IP packets z The dscp dscp mapping column lists the default target DSCP precedence values availabl...

Page 1098: ...t only when the priority mapping action is configured in the associated traffic behavior specified by a policy For the detailed information about configuring traffic behavior refer to section 3 4 3 Defining a Traffic Behavior 5 2 Configuring a Priority Mapping Table You can modify the priority mapping tables in a switch as required Follow the two steps to configure priority mapping tables z Enter ...

Page 1099: ...equirements Modify the dot1p lp mapping table as those listed in Table 5 3 Table 5 3 The specified dot1p lp mapping 802 1p priority Local precedence 0 0 1 0 2 1 3 1 4 2 5 2 6 3 7 3 II Configuration procedure Enter system view Sysname system view Enter dot1p lp priority mapping table view Sysname qos map table dot1p lp Modify dot1p lp priority mapping parameters Sysname maptbl dot1p lp import 0 1 e...

Page 1100: ...3 2 Configuration Procedure Follow these steps to configure port priority To do Use the command Remarks Enter system view system view Enter port view interface interface type interface number Enter port view or port group view Enter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuration performed in Ethernet port view applies to ...

Page 1101: ...rface interface type interface number Enter port view or port group view Enter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuration performed in Ethernet port view applies to the current port only The configuration performed in port group view applies to all the ports in the port group Configure to trust 802 1p priorities carri...

Page 1102: ...y Mapping To do Use the command Remarks Display the information about a specified priority mapping table display qos map table dot1p lp dot1p dp dscp lp dscp dp dscp dot1p dscp dscp Display the priority trust mode configured for a port display qos trust interface interface type interface number Available in any view ...

Page 1103: ...anism on the source end can maximize throughput and utilization rate of the network and minimize packet loss and delay I Traditional packet drop policy Tail drop is adopted in the traditional packet drop policy When a queue length reaches the maximum value all the new packets are dropped This packet drop policy will result in global TCP synchronization If the queue drops packets from multiple TCP ...

Page 1104: ... is avoided When packets in a TCP connection are dropped and sent at a low rate packets in other TCP connections are still sent at a high rate In this way packets in a part of connections are sent at a high rate in any case Thus the utilization rate of bandwidth is improved III Queue length In the following cases you can increase the queue length to buffer more packets and improve packet forwardin...

Page 1105: ...port only Configuration performed in port group view applies to all the ports in the port group Enable WRED qos wred enable Required 6 2 3 Configuration Example I Network requirements Enable WRED on Ethernet1 0 1 II Configuration procedure Enter system view Sysname system view Enter port view Sysname interface Ethernet 1 0 1 Enable WRED Sysname Ethernet1 0 1 qos wred enable 6 3 Configuring Queue L...

Page 1106: ...ueue id length queue length 1 8 Required 6 3 3 Configuration Example I Network requirements Set the queue length of queue 1 and queue 3 to 8 and 32 on Ethernet 1 0 1 II Configuration procedure Enter system view Sysname system view Enter port view Sysname interface Ethernet 1 0 1 Configure queue length Sysname Ethernet1 0 1 burst traffic queue 1 length 8 queue 3 length 32 6 4 Displaying and Maintai...

Page 1107: ...t defined in the aggregation CAR 7 2 Applying Aggregation CAR on Ports 7 2 1 Configuration Prerequisites z Parameter values of the aggregation CAR are determined z Ports where aggregation CAR is applied are determined z Matching rules for traffic are determined on the ports ACLs must be defined if ACL based matching rules are used z Refer to the ACL module for details on ACL defining 7 2 2 Configu...

Page 1108: ...nter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuration performed in port view applies to the current port only Configuration performed in port group view applies to all the ports in the port group Apply aggregation CAR qos car inbound acl ipv6 acl number name global car name Required III Configuration Example Apply aggregati...

Page 1109: ... Use the command Remarks Enter system view system view Enter traffic behavior view traffic behavior behavior name Required Reference aggregation CAR in the traffic behavior car name global car name Required III Configuration Example Reference aggregation CAR aggcar 1 in the traffic behavior be1 The aggregation CAR aggcar 1 is configured with the following parameters CIR is 200 kbps CBS is 2000 byt...

Page 1110: ...ning Aggregation CAR To do Use the command Remarks Clear the statistics information of the specified aggregation CAR reset qos car name global car name Available in user view Display the configuration information and statistics information about the specified aggregation CAR display qos car name global car name Available in any view ...

Page 1111: ... VLAN policies can facilitate the application and management of QoS policies on the switch VLAN policies are not effective on dynamic VLANs VLAN policies will not be applied to dynamic VLANs For example the device may create VLANs dynamically when GVRP protocol is running In this case the corresponding VLAN policies are not effective on dynamic VLANs Note For S5510 series Ethernet switches if you ...

Page 1112: ... the QoS policy applied to the VLAN the port belongs to 8 3 Displaying and Maintaining VLAN Policy To do Use the command Remarks Display the VLAN policy display qos vlan policy name policy name vlan vlan id Available in any view Clear the statistics information about the VLAN policy reset qos vlan policy vlan vlan id Available in user view 8 4 VLAN Policy Configuration Examples 8 4 1 Network Requi...

Page 1113: ...ate a traffic behavior and enter traffic behavior view Sysname traffic behavior be1 Configure the traffic behavior Sysname behavior be1 car cir 64 Sysname behavior be1 quit Create a QoS policy and enter QoS policy view Sysname qos policy test Associate a class with a traffic behavior Sysname qospolicy test classifier cl1 behavior be1 Sysname qospolicy test quit Apply the policy to specific VLANs S...

Page 1114: ...ent to a destination port that is a mirroring port z Mirroring to CPU The desired traffic on a mirrored port is replicated and sent to the CPU on the board of the port for further analysis z Mirroring to VLAN The desired traffic on a mirrored port is replicated and sent to a VLAN where the traffic is broadcast and all the ports if available in the VLAN will receive the traffic If the destination V...

Page 1115: ...oring group you cannot configure the two ports at the same time For the detailed information about local port mirroring group refer to the Port Mirroring module in this manual 9 2 2 Mirroring Traffic to the CPU Follow these steps to mirror traffic to the CPU To do Use the command Remarks Enter system view system view Enter traffic behavior view traffic behavior behavior name Mirror traffic to the ...

Page 1116: ...nfiguring traffic mirroring to a port 9 4 2 Configuration Procedure Configure Switch Enter system view Sysname system view Configure basic IPv4 ACL 2000 to match packets with the source IP address 192 168 0 1 Sysname acl number 2000 Sysname acl basic 2000 rule permit source 192 168 0 1 0 Sysname acl basic 2000 quit Configure a traffic classification rule to use ACL 2000 for traffic classification ...

Page 1117: ... qos policy 1 Sysname policy 1 classifier 1 behavior 1 Sysname policy 1 quit Apply the policy in the inbound direction of Ethernet1 0 1 Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 qos apply policy 1 inbound After the configurations you can monitor all packets sent from Host A on the data monitoring device ...

Page 1118: ...rt Mirroring 1 2 1 1 3 Other Functions Supported by Port Mirroring 1 3 1 2 Configuring Local Port Mirroring 1 3 1 3 Configuring Remote Port Mirroring 1 5 1 3 1 Configuring a Remote Source Mirroring Group 1 5 1 3 2 Configuring a Remote Destination Port Mirroring Group 1 6 1 4 Displaying Port Mirroring 1 7 1 5 Port Mirroring Configuration Examples 1 8 1 5 1 Local Port Mirroring Configuration Example...

Page 1119: ...ng specified ports to the destination mirroring port As destination mirroring ports usually have data monitoring devices connected to them you can analyze the packets duplicated to the destination mirroring port on these devices so as to monitor and troubleshoot the network Figure 1 1 A port mirroring implementation 1 1 1 Classification of Port Mirroring There are two kinds of port mirroring local...

Page 1120: ...t are in the same local port mirroring group Packets passing through the source ports are duplicated and then are forwarded to the destination port II Remote port mirroring Remote port mirroring is achieved through the cooperation of remote source port mirroring group and remote destination port mirroring group Figure 1 2 illustrates a remote port mirroring implementation Figure 1 2 A remote mirro...

Page 1121: ... group If yes the destination device forwards the packet to the monitoring device through the destination mirroring port Note z With the S3610 and S5510 series you can configure either one local mirroring group or one remote source mirroring group but not both at a time z If the destination port of traffic mirroring and that of the local port mirroring group are different you cannot configure traf...

Page 1122: ...em view mirroring group group id monitor port monitor port id interface interface type interface number Add a port to the mirroring group as the destination port In interface view mirroring group group id monitor port You can add a destination port to a port mirroring group in either system view or interface view They achieve the same purpose Note z A local mirroring group is effective only when i...

Page 1123: ...ber mirroring group group id mirroring port both inbound outbound Add ports to the mirroring group as source ports In interface view quit You can add ports to a source port mirroring group in either system view or interface view They achieve the same purpose In system view mirroring group group id reflector port reflector port id interface interface type interface number mirroring group group id r...

Page 1124: ...tor port only when it operates with the following settings being the defaults operation mode half duplex full duplex port speed MDI setting Conversely these settings cannot be modified once a port is configured as a reflector port z Only existing static VLANs can be configured as remote port mirroring VLANs To remove a VLAN operating as a remote port mirroring VLAN you need to restore it to a norm...

Page 1125: ... is a hybrid port port hybrid vlan rprobe vlan id tagged untagged Perform one of these three operations according to the port type Note z A destination port cannot be a member port of the current mirroring group z A port can be configured in only one mirroring group and a VLAN can be used by only one mirroring group z It is not recommended to enable STP RSTP or MSTP on the destination port otherwi...

Page 1126: ... and sent from the R D department and the marketing department through the data monitoring device Use the local port mirroring function to meet the requirement Perform the following configurations on Switch C z Configure Ethernet 1 0 1 and Ethernet 1 0 2 as mirroring source ports z Configure Ethernet 1 0 3 as the mirroring destination port II Network diagram Figure 1 3 Network diagram for local po...

Page 1127: ...Switch B connects to Ethernet 1 0 1 of Switch C z The data monitoring device is connected to Ethernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from Department 1 and 2 through the data monitoring device Use the remote port mirroring function to meet the requirement Perform the following configurations z Use Switch A as the source device Switch B as the intermediate devi...

Page 1128: ...ing VLAN of the remote port mirroring group Add port Ethernet 1 0 1 and Ethernet1 0 2 to the remote port mirroring group as source ports Configure port Ethernet 1 0 4 as the reflector port SwitchA mirroring group 1 remote probe vlan 2 SwitchA mirroring group 1 mirroring port Ethernet 1 0 1 Ethernet 1 0 2 inbound SwitchA mirroring group 1 reflector port Ethernet 1 0 4 Configure port Ethernet 1 0 3 ...

Page 1129: ...SwitchC system view SwitchC interface Ethernet 1 0 1 SwitchC Ethernet1 0 1 port link type trunk SwitchC Ethernet1 0 1 port trunk permit vlan 2 SwitchC Ethernet1 0 1 quit Create a remote destination port mirroring group SwitchC mirroring group 1 remote destination Create VLAN 2 SwitchC vlan 2 SwitchC vlan2 quit Configure VLAN 2 as the remote port mirroring VLAN of the remote destination port mirror...

Page 1130: ... 1 12 1 3 8 Configuring Communication Between the Management Device and the Member Devices Within a Cluster 1 14 1 3 9 Configuring Cluster Member Management 1 14 1 4 Configuring the Member Devices 1 15 1 4 1 Enabling NDP Globally and for Specific Ports 1 15 1 4 2 Enabling NTDP Globally and for Specific Ports 1 15 1 4 3 Manually Collecting NTDP Information 1 15 1 4 4 Enabling the Cluster Function 1...

Page 1131: ...taining Cluster Management z Cluster Management Configuration Examples 1 1 Cluster Management Overview 1 1 1 Cluster Management Definition A cluster is an aggregation of a group of communication devices Cluster management is to implement management of large numbers of distributed network devices Cluster management is implemented through Huawei Group Management Protocol version 2 HGMPv2 By employin...

Page 1132: ... z Allowing simultaneous software upgrading and parameter configuring on multiple devices free of topology and distance limitations 1 1 2 Roles in a Cluster The devices in a cluster play different roles according to their different functions and status You can specify the role a device plays The following three roles exist in a cluster management device member device and candidate device z Managem...

Page 1133: ...ce after being added to a cluster z A member device becomes a candidate device after it is removed from the cluster z A management device becomes a candidate device only after the cluster is removed 1 1 3 How a Cluster Works HGMPv2 consists of the following three protocols z Neighbor Discovery Protocol NDP z Neighbor Topology Discovery Protocol NTDP z Cluster A cluster configures and manages the d...

Page 1134: ...sponding entry in the NDP table is updated otherwise only the holdtime of the entry is updated If no NDP information from the neighbor is received within the holdtime the corresponding entry is removed from the NDP table NDP runs on the data link layer and therefore supports different network layer protocols II Introduction to NTDP NTDP is a protocol used to collect network topology information NT...

Page 1135: ... to control the speed of the NTDP topology collection request advertisement z Upon receiving an NTDP topology collection request the device does not forward it instead it waits for a period of time and then forwards the NTDP topology collection request on the first NTDP enabled port z On the same device except the first port each NTDP enabled port waits for a period of time and then forwards the N...

Page 1136: ...interval three times of the interval to send handshake packets it changes the status of the member device from Active to Connect Likewise if a member device fails to receive the handshake packets from the management device in an interval three times of the interval to send handshake packets the status of the member device will also be changed from Active to Connect z If this management device in i...

Page 1137: ... and the member candidate devices Therefore z If the packets from the management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the subtending ports connecting the management device and the member candidate devices prohibit the packets from the management VLAN you can set the packets from the management VLAN to pass the po...

Page 1138: ...nagement Device Configuring Cluster Member Management Optional Enabling NDP Globally and for Specific Ports Optional Enabling NTDP Globally and for Specific Ports Optional Manually Collecting NTDP Information Optional Enabling the Cluster Function Optional Configuring the Member Devices Deleting a Member Device from a Cluster Optional Configuring Access Between the Management Device and Its Member...

Page 1139: ...ormally you must enable NDP both globally and on the specified port z If the subtending port or the port connecting the management device to a member candidate device is a port of a member in an aggregation group you must enable NDP on all member ports of the aggregation group at the same time Otherwise NDP will work abnormally z You are recommended to disable NDP on the port which connects with t...

Page 1140: ...he port ntdp enable Optional NTDP is enabled on all ports by default Caution z For NTDP to work normally you must enable NTDP both globally and on the specified port z The NTDP function is mutually exclusive with the BPDU TUNNEL function under a port and you cannot enable them at the same time For the detailed description of the BPDU TUNNEL function refer to BPDU TUNNEL part of the manual z If the...

Page 1141: ...er hop delay time Optional 200 ms by default Configure the port delay to forward topology collection request ntdp timer port delay time Optional 20 ms by default 1 3 5 Manually Collecting NTDP Information The management device collects topology information periodically after a cluster is created In addition you can configure to manually collect NTDP information to initiate NTDP information collect...

Page 1142: ...o the routing table the candidate device will be added to and removed from the cluster repeatedly Caution z You can only specify a management VLAN before establishing a cluster After a device has been added to the cluster you cannot modify the management VLAN To change the management VLAN after the cluster is established you should remove the cluster on the management device re specify the managem...

Page 1143: ...ign a name to it build name Required By default the device is not the management device II Automatically establishing a cluster In addition to establishing a cluster manually you are also provided with the means to establish a cluster automatically With only a few commands as shown in the table below on the management device you can let the system automatically build a cluster During the process y...

Page 1144: ...gement device and member devices communicate by sending handshake packets to maintain connection between them You can configure interval of sending handshake packets and the holdtime of a device on the management device This configuration applies to all member devices within the cluster Follow these steps to configure communication between the management device and the member devices within a clus...

Page 1145: ...you can control them remotely on the management device For example you can reboot a member device that operates improperly and specify to delete the booting configuration file when the member device reboots and thus achieve normal communication between the management and member devices Follow these steps to reboot a member device To do Use the command Remarks Enter system view system view Enter cl...

Page 1146: ...onfigure manage and monitor the member devices through the management device You can manage member devices in a cluster through switching from the operation interface of the management device to that of a member device or configure the management device by switching from the operation interface of a member device to that of the management device Follow these steps to configure access between membe...

Page 1147: ...ding management device and member devices of the cluster otherwise the switch may fail because of authentication failure z When you switch the management device to a member device if member n does not exist the system prompts error if the switch succeeds your user level on the management device is retained z If the Telnet users on the device to be logged in reach the maximum number the switch fail...

Page 1148: ...ains the MAC addresses of devices If a blacklist device is connected to network through another device not included in the blacklist the MAC address and access port of the latter are also included in the blacklist A whitelist member cannot be a blacklist member and vice versa However a topology node can belong to neither the whitelist nor the blacklist Nodes of this type are usually newly added no...

Page 1149: ... you can configure FTP TFTP server NM host and log host for the cluster on the management device z After you configure an FTP TFTP server for a cluster the members in the cluster access the FTP TFTP server configured through the management device z After you configure a log host for a cluster all the log information of the members in the cluster will be output to the configured log host in the fol...

Page 1150: ...ter logging host ip address Required By default no log host is configured for a cluster Configure the SNMP NM host shared by the member devices in the cluster snmp host ip address community string read string1 write string2 Required By default no SNMP host is configured Configure the NM interface of the management device nm interface vlan interface vlan interface id Optional Caution z For the conf...

Page 1151: ...rmation display cluster base topology mac address mac address member id member number View the current blacklist of the cluster display cluster black list View the information of candidate devices display cluster candidates mac address mac address verbose Display the current topology information or the topology path between two devices display cluster current topology mac address mac address to ma...

Page 1152: ...e management device belongs to VLAN 2 whose interface IP address is 163 172 55 1 24 The network management interface of the management device is VLAN interface 2 VLAN 2 is the network management NM interface of the management device z All the devices in the cluster use the same FTP server and TFTP server which share one IP address 63 172 55 1 24 z The SNMP NMS and log host share one IP address 69 ...

Page 1153: ...er function Switch cluster enable 2 Configuring the management device Enable NDP globally and for the Ethernet 1 0 2 and Ethernet 1 0 3 ports Switch system view Switch ndp enable Switch interface Ethernet 1 0 2 Switch Ethernet1 0 2 ndp enable Switch Ethernet1 0 2 quit Switch interface Ethernet 1 0 3 Switch Ethernet1 0 3 ndp enable Switch Ethernet1 0 3 quit Configure the period for the receiving de...

Page 1154: ...e port connecting the management device to candidate devices as a Trunk port and allow packets from the management VLAN to pass Switch interface Ethernet 1 0 2 Switch Ethernet1 0 2 port link type trunk Switch Ethernet1 0 2 port trunk permit vlan 10 Switch Ethernet1 0 2 quit Switch interface Ethernet 1 0 3 Switch Ethernet1 0 3 port link type trunk Switch Ethernet1 0 3 port trunk permit vlan 10 Swit...

Page 1155: ...nfigure the network management interface aabbcc_0 Switch vlan 2 aabbcc_0 Switch vlan2 port Ethernet 1 0 1 aabbcc_0 Switch quit aabbcc_0 Switch interface vlan interface 2 aabbcc_0 Switch Vlan interface2 ip address 163 172 55 1 24 aabbcc_0 Switch Vlan interface2 quit aabbcc_0 Switch cluster aabbcc_0 Switch cluster nm interface vlan interface 2 Note z Upon completion of the above configurations you c...

Page 1156: ...es Ethernet Switches Table of Contents i Table of Contents Chapter 1 UDP Helper Configuration 1 1 1 1 Introduction to UDP Helper 1 1 1 2 Configuring UDP Helper 1 2 1 3 Displaying and Maintaining UDP Helper 1 3 1 4 UDP Helper Configuration Example 1 3 ...

Page 1157: ...per functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the packet matches the one pre configured on the device the device modi...

Page 1158: ...able the forwarding of packets with the specified UDP destination port number s udp helper port port number dns netbios ds netbios ns tacacs tftp time Optional By default the UDP helper enabled device forwards broadcast packets with any of the destination port numbers 69 53 37 137 138 and 49 Enter VLAN interface view interface Vlan interface vlan id Specify the destination server to which UDP pack...

Page 1159: ...bers or the corresponding parameters For example udp helper port 53 and udp helper port dns specify the same UDP port number z When you view the configuration information by using the display current configuration command the UDP Helper configuration of the default ports will not be displayed UDP Helper configuration of these ports will be displayed only after UDP Helper is disabled z The configur...

Page 1160: ...witch A to the network segment 10 2 0 0 16 is available Enable Switch A to receive directed broadcasts SwitchA system view SwitchA ip forward broadcast Enable UDP Helper SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port number 55 SwitchA udp helper port 55 Specify the server with the IP address of 10 2 1 1 as the destination server to which UDP packets...

Page 1161: ...2 Enabling SNMP Logging 1 5 1 4 Trap Configuration 1 6 1 4 1 Configuration Prerequisites 1 6 1 4 2 Configuration Procedure 1 6 1 5 Displaying and Maintaining SNMP 1 8 1 6 SNMP Configuration Example 1 9 1 7 SNMP Logging Configuration Example 1 10 Chapter 2 RMON Configuration 2 1 2 1 RMON Overview 2 1 2 1 1 Introduction 2 1 2 1 2 Working Mechanism 2 1 2 1 3 RMON Groups 2 2 2 2 Configuring RMON 2 3 2...

Page 1162: ...ealizes automatic management of products from different manufacturers Offering only the basic set of functions SNMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially so in small fast and low cost network environments 1 1 1 SNM...

Page 1163: ...e will simply be discarded A community name performs a similar role as a key word and can be used to regulate access from NMS to Agent SNMPv3 offers an authentication that is implemented with a User Based Security Model USM which could be authentication with privacy authentication without privacy or no authentication no privacy USM regulates the access from NMS to Agent in a more efficient way 1 1...

Page 1164: ...ation version all v1 v2c v3 Optional The defaults are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure an SNMP agent group snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Required Add a new user to an SNMP agent group snmp agent usm user v3...

Page 1165: ...ollows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Config ure directl y Config ure a comm unity name snmp agent community read write community name acl acl number mib view view name Config ure an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number Config ure SNMP NMS ...

Page 1166: ...guring SNMP Logging 1 3 1 Introduction to SNMP Logging SNMP logs the GET and SET operations that NMS performs to SNMP Agent When the GET operation is performed Agent logs the IP address of NMS node name of the GET operation and OID of the node When the SET operation is performed Agent logs the IP address of NMS node name of the SET operation OID of the node the value set and the error code and ind...

Page 1167: ...information and the information center refer to the Information Center Configuration part of the manual 1 4 Trap Configuration SNMP Agent sends Traps to NMS to alert the latter of critical and important events such as restart of the managed device 1 4 1 Configuration Prerequisites Basic SNMP configurations have been completed These configurations include version configuration community name is nee...

Page 1168: ...ission parameters Follow these steps to configure Trap To do Use the command Remarks Enter system view system view Configure target host attribute for Traps snmp agent target host trap address udp domain ip address ipv6 ipv6 address udp port port number vpn instance vpn instance name params securityname security string v1 v2c v3 authentication privacy Required The vpn instance keyword is applicabl...

Page 1169: ...gent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent statistics Display the SNMP agent engine ID display snmp agent local engineid Display SNMP agent group information display snmp agent group group name Display the modules that can send Traps and whether their Trap sendi...

Page 1170: ... the SNMP agent group and SNMP agent user Sysname system view Sysname snmp agent community read public Sysname snmp agent community write private Sysname snmp agent mib view included internet 1 3 6 1 Sysname snmp agent group v3 managev3group write view internet Sysname snmp agent usm user v3 managev3user managev3group Configure VLAN interface 2 with the IP address of 1 1 1 1 24 Add the port Ethern...

Page 1171: ...gure the authentication mode authentication password privacy mode privacy password In addition the time out time and number of retries should also be configured The user can inquire and configure the switch through NMS For detailed information refer to the NMS manuals Note The configurations on the agent and the NMS must match in order to perform the related operations 1 7 SNMP Logging Configurati...

Page 1172: ...e following log information is displayed on the terminal when NMS performs the GET operation to Agent Jan 1 02 49 40 566 2006 Sysname SNMP 6 GET seqNO 10 srcIP 1 1 1 2 op get node sysName 1 3 6 1 2 1 1 5 0 value z The following log information is displayed on the terminal when NMS performs the SET operation to Agent Jan 1 02 59 42 576 2006 Sysname SNMP 6 SET seqNO 11 srcIP 1 1 1 2 op set errorInde...

Page 1173: ...ue is a string of characters and the string contains characters not in the range of ASCII 0 to 127 or invisible characters the string is displayed in hexadecimal For example value 81 43 hex Note The system information of the information center can be output to the terminal or to the log buffer In this example SNMP log is output to the terminal To set the SNMP log to be output to other directions r...

Page 1174: ...tor remote network devices in a more proactive and effective way It reduces traffic between network management station NMS and agent facilitating large network management RMON comprises two parts NMSs and agents running on network devices z Each RMON NMS administers the agents within its administrative domain z An RMON agent resides on a network monitor or probe for an interface It monitors and ga...

Page 1175: ...the private alarm group The events can be handled in one of the following ways z Logging events in the event log table z Sending traps to NMSs z Both logging and sending traps z No action II Alarm group The RMON alarm group monitors specified alarm variables such as statistics on a port If the sampled value of the monitored variable is bigger than or equal to the upper threshold an upper event is ...

Page 1176: ...e can cause an alarm event That is the rising alarm and falling alarm are alternate IV History group The history group controls the periodic statistical sampling of data such as bandwidth utilization number of errors and total number of packets Note that each value provided by the group is a cumulative sum during a sampling period V Ethernet statistics group The statistics group monitors port util...

Page 1177: ...try number buckets number interval sampling interval owner text Optional Create an entry in the statistics table rmon statistics entry number owner text Optional Exit Ethernet port view quit Create an entry in the alarm table rmon alarm entry number alarm variable sampling interval absolute delta rising threshold threshold value1 event entry1 falling threshold threshold value2 event entry2 owner t...

Page 1178: ...pported by the device the entry will be created However the validated value of the buckets number argument corresponding with the entry is the history table size supported by the device Table 2 1 Restrictions on the configuration of RMON Entry Parameters to be compared Maximum number of entries that can be created Event Event description description string event type log trap logtrap or none and c...

Page 1179: ...ion display rmon prialarm entry number Available in any view Display RMON events configuration information display rmon event entry number Available in any view Display RMON event log information display rmon eventlog event number Available in any view 2 4 RMON Configuration Example I Network requirements Agent is connected to a configuration terminal through its console port and to a remote NMS a...

Page 1180: ...k of resources 0 Packets received according to length in octets 64 644 65 127 518 128 255 688 256 511 101 512 1023 3 1024 1518 0 Create an event to start logging after the event is triggered Sysname system view Sysname rmon event 1 log owner 1 rmon Configure an alarm group to sample received bytes on Ethernet 1 0 1 When the received bytes exceed the upper or below the lower limit logging is enable...

Page 1181: ...uring the Interface to Send NTP Messages 1 12 1 4 2 Disabling an Interface from Receiving NTP Messages 1 13 1 4 3 Configuring the Maximum Number of Dynamic Sessions Allowed 1 13 1 5 Configuring Access Control Rights 1 13 1 5 1 Configuration Prerequisites 1 14 1 5 2 Configuration Procedure 1 14 1 6 Configuring NTP Authentication 1 15 1 6 1 Configuration Prerequisites 1 15 1 6 2 Configuration Proced...

Page 1182: ...ynchronizes timekeeping among distributed time servers and clients NTP runs over the User Datagram Protocol UDP using UDP port 123 The purpose of using NTP is to keep consistent timekeeping among all clock dependent devices within the network so that the devices can provide diverse applications based on the consistent time For a local system running NTP its time can be synchronized by other refere...

Page 1183: ...ed between the backup server and all the clients Advantages of NTP z NTP uses a stratum to describe the clock precision and is able to synchronize time among all devices within the network z NTP supports access control and MD5 authentication z NTP can unicast multicast or broadcast protocol messages 1 1 2 How NTP Works Figure 1 1 shows the basic work flow of NTP Device A and Device B are interconn...

Page 1184: ...am T2 z When the NTP message leaves Device B Device B timestamps it The timestamp is 11 00 02 am T3 z When Device A receives the NTP message the local time of Device A is 10 00 03 am T4 Up to now Device A has sufficient information to calculate the following two important parameters z The roundtrip delay of NTP message Delay T4 T1 T3 T2 2 seconds z Time difference between Device A and Device B Off...

Page 1185: ...t refer to NTP clock synchronization messages A clock synchronization message is encapsulated in a UDP message in the format shown in Figure 1 2 Figure 1 2 Clock synchronization message format Main fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit versi...

Page 1186: ...o the primary reference source z Reference Identifier Identifier of the particular reference source z Reference Timestamp the local time at which the local clock was last set or corrected z Originate Timestamp the local time at which the request departed the client for the service host z Receive Timestamp the local time at which the request arrived at the service host z Transmit Timestamp the loca...

Page 1187: ...ymmetric active the device that receives this message automatically enters the symmetric passive mode and sends a reply with the Mode field in the message set to 2 symmetric passive By exchanging messages the symmetric peers mode is established between the two devices Then the two devices can synchronize or be synchronized by each other If the clocks of both devices have been already synchronized ...

Page 1188: ... configured to the default NTP multicast address 224 0 1 1 with the Mode field in the messages set to 5 multicast mode Clients listen to the multicast messages from servers After a client receives the first multicast message the client and the server start to exchange messages with the Mode field set to 3 client mode and 4 server mode to calculate the network delay between client and the server Th...

Page 1189: ...28 associations at the same time including static associations and dynamic associations A static association refers to an association that a user has manually created by using an NTP command while a dynamic association is a temporary association created by the system during operation A dynamic association will be removed if the system fails to receive messages from it over a specific long time In ...

Page 1190: ...address must be a host address rather than a broadcast address a multicast address or the IP address of the local clock z When the interface sending the NTP packet is specified by the source interface argument the source IP address of the NTP packet will be configured as the primary IP address of the specified interface z A device can act as a server to synchronize the clock of other devices only ...

Page 1191: ...z When the interface used to send NTP messages is specified by the source interface argument the source IP address of the NTP message will be configured as the primary IP address of the specified interface z Typically at least one of the symmetric active and symmetric passive peers has been synchronized otherwise the clock synchronization will not proceed z You can configure multiple symmetric pas...

Page 1192: ...nterface view interface interface type interface number Enter the interface used to send NTP broadcast messages Configure the device to work in the NTP broadcast server mode ntp service broadcast server authentication keyid keyid version number Required Note A broadcast server can synchronize broadcast clients only after its clock has been synchronized 1 3 4 Configuring NTP Multicast Mode The mult...

Page 1193: ...iew interface interface type interface number Enter the interface used to send NTP multicast message Configure the device to work in the NTP multicast server mode ntp service multicast server ip address authentication keyid keyid ttl ttl number version number Required Note z A multicast server can synchronize broadcast clients only after its clock has been synchronized z You can configure up to 10...

Page 1194: ...ceiving NTP Messages To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Disable the interface from receiving NTP messages ntp service in interface disable Required An interface is enabled to receive NTP messages by default 1 4 3 Configuring the Maximum Number of Dynamic Sessions Allowed To do Use the command Remarks Enter syst...

Page 1195: ...e peer device to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to the peer device From the highest NTP service access control right to the lowest one are peer server synchronization and query When a device receives an NTP request it will perform an access control right match and will use the first matched right 1 5 1 Config...

Page 1196: ...ication function cannot be normally enabled z For the server client mode or symmetric mode you need to associate the specified authentication key on the client symmetric active peer if in the symmetric peer mode with the corresponding NTP server symmetric passive peer if in the symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode o...

Page 1197: ...eer ip address peer name authentication keyid keyid Required You can associate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server Note After you enable the NTP authentication feature for the client make sure that you configure for the client an authentication key that is the sam...

Page 1198: ...ciate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server Note The procedure of configuring NTP authentication on a server is the same as that on a client and the same authentication key must be configured on both the server and client sides 1 7 Displaying and Maintaining NTP To ...

Page 1199: ...k as the reference source with the stratum level of 2 DeviceA system view DeviceA ntp service refclock master 2 2 Configuration on Device B View the NTP status of Device B before clock synchronization DeviceB display ntp service status Clock status unsynchronized Clock stratum 16 Reference clock ID none Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 0...

Page 1200: ... session information of Device B which shows that an association has been set up between Device B and Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 63 64 3 75 5 31 0 16 5 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 1 8 2 Configuring the NTP Symmetric Mode I Network ...

Page 1201: ...on Device C after Device B is synchronized to Device A Specify the local clock as the reference source with the stratum level of 1 DeviceC system view DeviceC ntp service refclock master 1 Configure Device B as a symmetric peer after local synchronization DeviceC ntp service unicast peer 3 0 1 32 In the step above Device B and Device C are configured as symmetric peers with Device C in the symmetr...

Page 1202: ...n association has been set up between Device B and Device C DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 245 3 0 1 31 127 127 1 0 2 15 64 24 10535 0 19 6 14 5 1234 3 0 1 33 LOCL 1 14 64 27 77 0 16 0 14 8 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 1 8 3 Configuring NTP Broadcast Mode I Network requirem...

Page 1203: ...ages through VLAN interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server 2 Configuration on Switch D Configure Switch D to work in the broadcast client mode and receive broadcast messages on VLAN interface 2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service broadcast client 3 Configuration on Switch A Configure S...

Page 1204: ...Switch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 2 254 64 62 16 0 32 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total association...

Page 1205: ...rver mode and send multicast messages through VLAN interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service multicast server 2 Configuration on Switch D Configure Switch D to work in the multicast client mode and receive multicast messages on VLAN interface 2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service multicast client Becaus...

Page 1206: ...source peer 3 selected 4 candidate 5 configured Total associations 1 3 Configuration on Switch B Because Switch A and Switch C are on different subnets you must enable IGMP on Switch B before Switch A can receive multicast messages from Switch C Enable IP multicast routing and IGMP SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 2 SwitchB Vlan interface2 pim d...

Page 1207: ...witch C is 2 View the NTP session information of Switch A which shows that an association has been set up between Switch A and Switch C SwitchA display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 2 255 64 26 16 0 40 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Note Refer to the Multica...

Page 1208: ...n keyid 42 authentication mode md5 aNiceKey Specify the key as key as a trusted key DeviceB ntp service reliable authentication keyid 42 Specify Device A as the NTP server DeviceB ntp service unicast server 1 0 1 11 authentication keyid 42 Before Device B can synchronize its clock to that of Device A you need to enable NTP authentication for Device A Perform the following configuration on Device A...

Page 1209: ... B which shows that an association has been set up Device B and Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 63 64 3 75 5 31 0 16 5 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 1 8 6 Configuring NTP Broadcast Mode with Authentication I Network requirements z Switch ...

Page 1210: ...cation SwitchC ntp service authentication enable SwitchC ntp service authentication keyid 88 authentication mode md5 123456 SwitchC ntp service reliable authentication keyid 88 Specify Switch C as an NTP broadcast server and specify an authentication key SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server authentication keyid 88 2 Configuration on Switch D Confi...

Page 1211: ...ncy 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 8 31 ms Peer dispersion 34 30 ms Reference time 16 01 51 713 UTC Apr 20 2007 C6D95F6F B6872B02 As shown above Switch D has been synchronized to Device B and the clock stratum level of Switch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which...

Page 1212: ...ain Name Resolution 1 1 1 2 Configuring Domain Name Resolution 1 3 1 2 1 Configuring Static Domain Name Resolution 1 3 1 2 2 Configuring Dynamic Domain Name Resolution 1 3 1 3 Displaying and Maintaining DNS 1 4 1 4 DNS Configuration Examples 1 4 1 4 1 Static Domain Name Resolution Configuration Example 1 4 1 4 2 Dynamic Domain Name Resolution Configuration Example 1 5 1 5 Troubleshooting DNS Confi...

Page 1213: ...NS server translate them into correct IP addresses There are two types of DNS services static and dynamic After a user specifies a name the device checks the local static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution Therefore some frequently queried name to IP address m...

Page 1214: ...ifferent devices while the DNS server and the DNS client usually must run on different devices Dynamic domain name resolution allows the DNS client to store latest mappings between domain names and IP addresses in the dynamic domain name cache There is no need to send a request to the DNS server for a repeated query next time The aged mappings are removed from the cache after some time and latest ...

Page 1215: ...symbol Currently the device supports static and dynamic DNS services Note If an alias is configured for a domain name on the DNS server the device can resolve the alias into the IP address of the host 1 2 Configuring Domain Name Resolution 1 2 1 Configuring Static Domain Name Resolution Follow these steps to configure static domain name resolution To do Use the command Remarks Enter system view sy...

Page 1216: ... do Use the command Remarks Display the static domain name resolution table display ip host Available in any view Display DNS server information display dns server dynamic Available in any view Display domain name suffixes display dns domain dynamic Available in any view Display the information of the dynamic domain name cache display dns dynamic host Available in any view Clear the information of...

Page 1217: ...CTRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 255 time 1 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 255 time 4 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 255 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 4 ttl 255 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 5 ttl 255 time 3 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round tri...

Page 1218: ...e device and the host and configurations are done on both the device and the host For the IP addresses of the interfaces see Figure 1 3 z This configuration may vary with different DNS servers The following configuration is performed on Windows 2000 server 1 Configure the DNS server Enter DNS server configuration page Select Start Programs Administrative Tools DNS Create zone com In Figure 1 4 rig...

Page 1219: ...DNS Configuration 1 7 Figure 1 4 Create a zone Create a mapping between the host name and IP address Figure 1 5 Add a host In Figure 1 5 right click zone com and then select New Host to bring up a dialog box as shown in Figure 1 6 Enter host name host and IP address 3 1 1 1 ...

Page 1220: ...the ping host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes 56 Sequence 1 ttl 255 time 3 ms Reply from 3 1 1 1 bytes 56 ...

Page 1221: ...namic domain name resolution the user cannot get the correct IP address II Solution z Use the display dns dynamic host command to verify that the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specified domain name is in the cache but the IP address is in...

Page 1222: ...Configuration File for Next Startup 1 9 1 3 Displaying and Maintaining Device Configuration 1 10 Chapter 2 FTP Configuration 2 1 2 1 FTP Overview 2 1 2 1 1 Introduction to FTP 2 1 2 1 2 Implementation of FTP 2 1 2 2 Configuring the FTP Client 2 2 2 2 1 Establishing an FTP Connection 2 2 2 2 2 Configuring the FTP Client 2 4 2 2 3 FTP Client Configuration Example 2 5 2 3 Configuring the FTP Server 2...

Page 1223: ...th the path excluded to indicate a file in the current path The filename can be 1 to 91 characters in length 1 1 File System Management This section covers these topics z File System Overview z Directory Operations z File Operations z Storage Device Operations z File System Prompt Mode Setting z File System Operations 1 1 1 File System Overview A major function of the file system is to manage stor...

Page 1224: ...e z The directory to be removed must be empty meaning before you remove a directory you must delete all the files and the subdirectory under this directory For file deletion refer to the delete command and for subdirectory deletion refer to the rmdir command z After the execution of the rmdir command the files in this directory will be automatically deleted for ever 1 1 3 File Operations File oper...

Page 1225: ...iew Enter system view system view Execute the batch file execute filename Optional Note You can create a file by copying or downloading or using the save command Caution z Empty the recycle bin timely with the reset recycle bin command to save memory space z As the delete unreserved file url command deletes a file permanently and the action cannot be undone use it with caution z The execute comman...

Page 1226: ...t of the second is cfb and so on z If storage device partitioning is supported on the device the name of the partition device is composed of the physical device name and partition number The serial numbers of partitions are displayed in numbers such as 0 1 or 2 For a device with only one CF card for example the second partition of the CF card is cf1 for a device with multiple CF cards the third pa...

Page 1227: ...ata loss z quiet where the system does not do that in any cases To prevent undesirable consequence resulted from misoperations the alert mode is preferred To do Use the command Remarks Enter system view system view Set the operation prompt mode of the file system file prompt alert quiet Optional The default is alert 1 1 6 File System Operations Example Display the files and the subdirectory under ...

Page 1228: ...nfiguration z Erasing the Startup Configuration File z Specifying a Configuration File for Next Startup z Backing up Restoring the Configuration File for Next Startup 1 2 1 Configuration File Overview A configuration file saves the device configurations in command lines in text format You can view configuration information conveniently through the configuration files I Types of configuration The c...

Page 1229: ...ation You can modify the configuration on your device at the command line interface CLI To use the modified configuration for your subsequent startups you must save it using the save command as a configuration file I Modes in saving the configuration z Fast saving mode This is the mode when you use the save command without the safely keyword The mode saves the file quicker but is likely to lose th...

Page 1230: ...e the default path or enter a filename to specify a new path but the suffix of the filename must be cfg and the path must be the path of the storage device on the AMB active main board 1 2 3 Erasing the Startup Configuration File With the configuration file erased your device will boot up with the default configuration next time it is powered on You may need to erase the configuration file for one...

Page 1231: ...ration file for next startup through operations at the CLI TFTP is used for intercommunication between the device and the server The backup function enables you to backup a configuration file to the TFTP server while the restore function enables you to download the configuration file from the TFTP server for next startup II Backing up the configuration file for next startup To do Use the command R...

Page 1232: ...tup command in user view to verify if the filename of the startup configuration file is the same with the filename argument and use the dir command to verify if the restored file exists 1 3 Displaying and Maintaining Device Configuration To do Use the command Remarks Display the configuration file saved in the storage device display saved configuration by linenum Available in any view Display the ...

Page 1233: ...5510 Series Ethernet Switches Chapter 1 File System Management Configuration 1 11 Note For detailed description of the display this and display current configuration commands refer to the System Maintaining and Debugging Configuration part of the manual ...

Page 1234: ... text file transmission 2 1 2 Implementation of FTP FTP adopts the server client model Your switch can function either as client or as server as shown in Figure 2 1 They work in the following way z When the switch serves as the FTP client a PC user first telnets or connects to the switch through an emulation program then executes the ftp command to establish the connection to the remote FTP server...

Page 1235: ...cessfully access the FTP server You can specify one by configuring the source address of the packets of the FTP client to meet the requirement of the security policy of the FTP client You can configure the source address by configuring the source interface or source IP address The primary IP address configured on the source interface is the source address of the transmitted packets The source addr...

Page 1236: ...view quit Log onto the remote FTP server directly in user view ftp server address service port source interface interface type interface number ip source ip address ftp Log onto the remote FTP server indirectly in FTP client view open server address service port Use either approach Available in user view Note z If no primary IP address is configured on the source interface the FTP connection fails...

Page 1237: ... command Optional Enable information display in a detailed manner verbose Optional Enabled by default Use other username to relog after logging onto the FTP server successfully user username password Optional Set the file transfer mode to ASCII ascii Optional ASCII by default Set the file transfer mode to binary binary Optional ASCII by default Change the working path on the remote FTP server cd p...

Page 1238: ...ual to the disconnect command Disconnect with the FTP server and exit to user view bye Optional Terminate the connection with the remote FTP server and exit to user view quit Optional Available in FTP client view equal to the bye command Note z FTP uses two modes for file transfer ASCII mode and binary mode z The Is command can only display the file directory name while the dir command can display...

Page 1239: ...le to be downloaded Sysname dir Directory of flash 0 drw Dec 07 2005 10 00 57 filename 1 drw Jan 02 2006 14 27 51 logfile 2 rw 1216 Jan 02 2006 14 28 59 config cfg 3 rw 1216 Jan 02 2006 16 27 26 backup cfg 14605 KB total 6890 KB free Sysname delete unreserved flash backup cfg Download the startup file from the server Sysname ftp 10 1 1 1 Trying 10 1 1 1 Press CTRL K to abort Connected to 10 1 1 1 ...

Page 1240: ...e manual 2 3 Configuring the FTP Server 2 3 1 Configuring FTP Server Operating Parameters The FTP server uses two modes to update files when you upload files use the put command to the FTP server z In fast mode the FTP server starts writing data to the Flash after file transfer completes This protects the files intended to be overwritten on the device from being corrupted in the event that anomali...

Page 1241: ...s to the directories and associating the username and password with the account Follow these steps to configure authentication and authorization for FTP server To do Use the command Remarks Enter system view system view Create a local user and enter its view local user user name Required No local user exists by default and the system does not support FTP anonymous user access Assign a password to ...

Page 1242: ...rk directory and level commands and the AAA related configuration refer to the AAA RADIUS HWTACACS Configuration part of the manual 2 3 3 FTP Server Configuration Example I Network requirements z Use your device as an FTP server Create a user account for an FTP user on it setting the username to abc and the password to pwd z The IP address of the VLAN interface is 1 1 1 1 16 z The PC serves as the...

Page 1243: ...4 drw Jan 02 2006 15 20 21 ftp 2540 KB total 2511 KB free Sysname delete unreserved flash back cfg 2 Configure the PC FTP Client Upload the startup file to the FTP server and save it under the root directory of the FTP server c ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none abc 331 Password required for abc Password 230 User logged in ftp put aaa bin bbb bin Note z When u...

Page 1244: ... root directory For description of the corresponding command refer to the System Maintaining and Debugging part of the manual 2 4 Displaying and Maintaining FTP To do Use the command Remarks Display the configuration of the FTP client display ftp client configuration Available in any view Display the configuration of the FTP server display ftp server Available in any view Display detailed informat...

Page 1245: ...tication Therefore it is more suitable where complex interaction is not needed between client and server TFTP uses the UDP port 69 for data transmission For TFTP basic operation refer to RFC 1350 In TFTP file transfer is initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement ...

Page 1246: ... start up because the original system file is not overwritten This mode is securer but consumes more memory You are recommended to use the latter mode or use a filename not existing in the current directory as the target filename when downloading startup file or configuration file Multiple routes may exist for a TFTP client to successfully access the TFTP server You can specify one by configuring ...

Page 1247: ...ber ip source ip address Optional A device uses the source address determined by the routing protocol to communicate with the TFTP server by default Return to user view quit Download or upload a file in IPv4 network tftp server address get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Download or upload a file in IPv6 n...

Page 1248: ...ned for the client z On your device VLAN interface 1 is assigned an IP address 1 1 1 1 16 Make sure that the port connected to PC belongs to the same VLAN z TFTP a startup file from PC for upgrading and a configuration file config cfg to PC for backup II Network diagram Figure 3 2 Smooth upgrading using the TFTP client function III Configuration procedure 1 Configure PC TFTP Server the configurati...

Page 1249: ...mory is available Sysname tftp 1 2 1 1 get aaa bin bbb bin Upload a configuration file config cfg to the TFTP server Sysname tftp 1 2 1 1 put config cfg configback cfg Specify the main startup file for next startup with the boot loader command Suppose the device in this example supports the main and backup attribute of the startup file Sysname boot loader file bbb bin Sysname reboot Caution Startu...

Page 1250: ...ing to Output System Information to a Monitor Terminal 1 9 1 2 4 Setting to Output System Information to a Log Host 1 10 1 2 5 Setting to Output System Information to the Trap Buffer 1 11 1 2 6 Setting to Output System Information to the Log Buffer 1 12 1 2 7 Setting to Output System Information to the SNMP NMS 1 12 1 2 8 Configuring Synchronous Information Output 1 13 1 3 Displaying and Maintaini...

Page 1251: ... information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems Note By default the information center is enabled An enabled information center affects the system performance in some degree due to information classification and output Such impact becomes more obvious in the event that there is enormous inform...

Page 1252: ...information of all severities will be output III Ten channels and six output directions of system information The system supports six information output directions including the console monitor logbuffer loghost trapbuffer and SNMP The system supports ten channels The channels 0 through 5 have their default channel names and are associated with six output directions by default Both the channel nam...

Page 1253: ...Note Configurations for the six output directions function independently and take effect only after the information center is enabled IV Outputting system information by source module The system is composed of a variety of protocol modules board drivers and configuration modules The system information can be classified filtered and output by source module Some source module names and descriptions ...

Page 1254: ...on exchange protocol module LAGG Link Aggregation module LINE Line module MSDP Multicast Source Discovery Protocol module MSTP Multiple Spanning Tree Protocol module NAT Network Address Translation module NTP Network Time Protocol module PKI Public Key Infrastructure module OSPF Open Shortest Path First module QoS Quality of Service module RDS Radius module RM Routing Management module RMON Remote...

Page 1255: ...e all required in the above format z Before the priority may have or followed with a space indicating log alarm or debug information respectively Below is an example of the format of log information to be output to a log host 188 Sep 28 15 33 46 235 2005 MyDevice SHELL 5 LOGIN Console login from con0 What follows is a detailed explanation of the fields involved I Priority The priority is calculate...

Page 1256: ...evels based on its severity from 0 to 7 Refer to Table 1 1 for definition and description of these severity levels Note that there is a forward slash between the levels severity and digest fields VI Digest The digest field is a string of up to 32 characters outlining the system information Note that there is a colon between the digest and content fields VII Content This field provides the content ...

Page 1257: ...to Table 1 2 for default channel names Configure the channel through which system information can be output to the console info center console channel channel number channel name Optional System information is output to the console by default with channel 0 as the default channel Configure the output rules of system information info center source module name default channel channel number channel ...

Page 1258: ...able d informat ional Enable d warning s Disable d debuggi ng Log buffer default all module s Enable d warning s Disable d debuggi ng Disable d debuggi ng SNMP NMS default all module s Disable d debuggi ng Enable d warning s Disable d debuggi ng II Enabling the display of system information on the console After setting to output system information to the console you need to enable the associated d...

Page 1259: ...enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be output to a monitor terminal info center monitor channel channel number channel name Optional System information is output to the monitor terminal ...

Page 1260: ... terminal logging Optional Enabled by default Enable the display of trap information on a monitor terminal terminal trapping Optional Enabled by default 1 2 4 Setting to Output System Information to a Log Host To do Use the command Remarks Enter system view system view Enable information center info center enable Optional Enabled by default Name the channel with a specified channel number info cen...

Page 1261: ...ault Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be output to the trap buffer and specify the buffer size info center trapbuffer channel channel number channel name size buffersize Optional System information is output to the tra...

Page 1262: ... by default with channel 4 known as logbuffer as the default channel and a default buffer size of 512 Configure the output rules of the system information info center source module name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Optional Refer to Table 1 4 for the output rules of the system information...

Page 1263: ...timestamp info center timestamp debugging log trap boot date none Optional The time stamp for log trap and debug information is date by default Note To ensure that system information can be output to the SNMP NMS you need to make the necessary configurations on the SNMP agent and the NMS For detailed information on SNMP refer to the SNMP RMON Configuration part of the manual 1 2 8 Configuring Sync...

Page 1264: ...nput will be displayed in a new line 1 3 Displaying and Maintaining Information Center To do Use the command Remarks Display channel information for a specified channel display channel channel number channel name Available in any view Display the configurations for all information channels except channel 6 to 9 display info center Available in any view Display the state of the log buffer and the l...

Page 1265: ... severity higher than informational will be output to the log host z The source modules are ARP and IP II Network diagram Figure 1 1 Network diagram for outputting log information to a Unix log host III Configuration procedure 1 Configuring the device Enable information center Sysname system view Sysname info center enable Specify the channel to output log information to the log host loghost by de...

Page 1266: ...h has similar configurations to the Unix operating systems implemented by other vendors Step 1 issue the following commands as a root user mkdir var log MyDevice touch var log MyDevice information Step 2 Edit the file etc syslog conf as a root user and add the following selector action pair MyDevice configuration messages local4 info var log MyDevice information Note Be aware of the following issu...

Page 1267: ...y higher than informational will be output to the log host z All modules can output log information II Network diagram Figure 1 2 Network diagram for outputting log information to a Linux log host III Configuration procedure 1 Configuring the device Enable information center Sysname system view Sysname info center enable Specify the channel to output log information to the log host optional loghos...

Page 1268: ...Device touch var log MyDevice information Step 2 Edit the file etc syslog conf as a root user and add the following selector action pair MyDevice configuration messages local7 info var log MyDevice information Note Be aware of the following issues while editing the etc syslog conf file z Comments must be on a separate line and must begin with the sign z The selector action pair must be separated w...

Page 1269: ...with a severity higher than informational will be output to the console z The source modules are ARP and IP II Network diagram Figure 1 3 Network diagram for sending log information to the console III Configuration procedure Enable information center Sysname system view Sysname info center enable Specify the channel to output log information to the console optional Console by default Sysname info ...

Page 1270: ...ate of a channel Enable system information output for the ARP and IP modules with information severity ranging from emergencies to informational Sysname info center source arp channel console log level informational Sysname info center source ip channel console log level informational Sysname quit Enable the display of log information on a monitor terminal Sysname terminal monitor Current terminal...

Page 1271: ...15 Chapter 2 System Maintaining and Debugging 2 1 2 1 System Maintaining and Debugging Overview 2 1 2 1 1 Introduction to System Maintaining and Debugging 2 1 2 1 2 Introduction to System Debugging 2 2 2 2 System Maintaining and Debugging 2 3 2 2 1 System Maintaining 2 3 2 2 2 System Debugging 2 4 2 3 System Maintaining Example 2 5 Chapter 3 Device Management 3 1 3 1 Device Management Overview 3 1...

Page 1272: ...tering Exiting System View z Configuring the Device Name z Configuring the System Clock z Configuring a Banner z Configuring CLI Hotkeys z Configuring User Levels and Command Levels z Displaying and Maintaining Basic Configurations 1 1 1 Entering Exiting System View Follow these steps to enter exit system view To do Use the command Remarks Enter system view from user view system view Return to use...

Page 1273: ...n user view II Displaying the system clock The system clock is displayed by system time stamp which is the same as that displayed by the display clock command The system clock is decided by the commands clock datetime clock timezone and clock summer time If these three commands are not configured the display clock command displays the original system clock If you combine these three commands in di...

Page 1274: ...etime 3 00 2007 3 3 Display 03 00 00 zone time Sat 03 03 2007 If the original system clock is not in the summer time range the original system clock is displayed Configure clock summer time ss one off 1 00 2006 1 1 1 00 2006 8 8 2 Display 01 00 00 UTC Sat 01 01 2005 3 If the original system clock is in the summer time range the original system clock summer offset is displayed Configure clock summe...

Page 1275: ...n the summer time range date time is displayed Configure clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 Display 02 00 00 zone time Sat 01 01 2005 If the value of the original system clock zone offset is not in the su...

Page 1276: ...t in the summer time range date time is displayed Configure clock timezone zone time add 1 clock summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 1 30 2008 1 1 Display 23 30 00 zone time Mon 12 31 2007 1 2 3 and 1 or 1 3 2 and 1 date time is in the summer time range If the value of date time summer offset is not in the summer time range date time summer offset is displayed I...

Page 1277: ...are not part of the banner information In this case the input text together with the command keywords cannot exceed 510 characters The other is to input all the banner information in multiple lines by pressing the Enter key In this case up to 2000 characters can be input The latter input mode can be achieved in the following three ways z Press the Enter key directly after the command keywords and ...

Page 1278: ... lines by default Display hotkeys display hotkey Available in any view Refer to Table 1 2 for hotkeys reserved by the system Note By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with command line and the Ctrl T and Ctrl U commands are NULL z Ctrl G corresponds to the display current configuration command z Ctrl L corresponds to the display ip routing table command z Ctrl O correspon...

Page 1279: ...sor to the leading character of the continuous string to the left Esc D Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor Esc F Moves the cursor to the front of the next continuous string to the right Esc N Moves the cursor down by one line available before you press the Enter key Esc P Moves the cursor up by one line available before...

Page 1280: ...anage level 3 Manage FTP TFTP XMODEM and file system operation commands Follow these steps to configure user level and command level To do Use the command Remarks Switch the user level super level Optional Available in user view Enter system view system view Configure the password for switching the user level super password level user level simple cipher password Optional By default no password is...

Page 1281: ...n 1 1 7 Displaying and Maintaining Basic Configurations To do Use the command Remarks Display information on system version display version Display information on the system clock display clock Display information on terminal users display users all Display the configurations saved in the storage device display saved configuration by linenum Display the current validated configurations display cur...

Page 1282: ...nd Lines z Display Features z History Command z Command Line Error Information z Edit Features 1 2 1 Introduction to CLI CLI is an interaction interface between devices and users Through CLI you can configure your devices by entering commands and view the output information and verify your configurations thus facilitating your configuration and management of your devices CLI provides the following...

Page 1283: ...ile dir List files on a file system display Display current system information omitted 2 Enter a command and a separated by a space If is at the position of a keyword all the keywords are given with a brief description Sysname terminal debugging Send debug information to terminal logging Send log information to terminal monitor Send information output to current terminal trapping Send trap informa...

Page 1284: ...Function Press Space when information display pauses Continues to display information of the next screen page Press Enter when information display pauses Continues to display information of the next line Enter Ctrl C when information display pauses Stops the display and the command execution Ctrl E Moves the cursor to the end of the current line 1 2 4 History Command The CLI can automatically save...

Page 1285: ...200X and XP Terminal or Telnet However the up arrow and down arrow keys are invalid in Windows 9X HyperTerminal because they are defined in a different way You can use Ctrl P and Ctrl N instead 1 2 5 Command Line Error Information The commands are executed only if they have no syntax error Otherwise error information is reported Table 1 5 lists some common errors Table 1 5 Common command line erro...

Page 1286: ...ight Backspace key Deletes the character to the left of the cursor and move the cursor back one character Left arrow key or Ctrl B The cursor moves one character space to the left Right arrow key or Ctrl F The cursor moves one character space to the right Up arrow key or Ctrl P Down arrow key or Ctrl N Displays history commands Tab key Pressing Tab after entering part of a keyword enables the fuzz...

Page 1287: ...2 If the network is functioning properly the destination device responds by sending an ICMP echo reply to the source device after receiving the ICMP echo request 3 If there is network failure the source device displays timeout or destination unreachable 4 Display related statistics Output of the ping command includes z Information on the destination s responses towards each ICMP echo request if th...

Page 1288: ...h a TTL expired ICMP message which gives the source device the address of the second router 5 The above process continues until the ultimate destination device is reached In this way the source device can trace the addresses of all the routers that have been used to get to the destination device 2 1 2 Introduction to System Debugging The device provides various debugging functions For the majority...

Page 1289: ...ns For details refer to Information Center Configuration 2 2 System Maintaining and Debugging 2 2 1 System Maintaining To do Use the command Remarks ping ip a source ip c count f h ttl i interface type interface number m interval n p pad q r s packet size t timeout tos tos v vpn instance vpn instance name remote system Optional Used in IPv4 network Available in any view Check whether a specified I...

Page 1290: ... t parameter in the command when configuring the ping command z Only the directly connected segment address can be pinged if the outgoing interface is specified with the i argument 2 2 2 System Debugging To do Use the command Remarks Enable the terminal monitoring of system information terminal monitor Optional The terminal monitoring on the console is enabled by default and that on the monitoring...

Page 1291: ...nal debugging and terminal monitor commands refer to the Information Center Commands part of the manual 2 3 System Maintaining Example I Network requirements z The IP address of the destination device is 10 1 1 4 z Display the routers used while packets are forwarded from the current device to the destination device II Network diagram omitted here III Configuration procedure Sysname tracert 10 1 1...

Page 1292: ...ing path The file name without a path consists of 1 to 91 characters 3 1 Device Management Overview Through the device management function you can view the current working state of a device configure running parameters and perform daily device maintenance and management Currently the following device management functions are available z Rebooting a Device z Specifying a Boot ROM File for the Next ...

Page 1293: ... delay commands can reboot a device As a result the ongoing services will be interrupted Be careful to use these commands z If a primary boot file fails or does not exist the device cannot be rebooted with this command In this case you can re specify a primary boot file to reboot the device or you can power off the device then power it on and the system automatically uses the secondary boot file t...

Page 1294: ...he path of it to the root directory 3 2 3 Upgrading Boot ROM During the operation of the device you can use Boot ROM in the storage device to upgrade Boot ROM programs that are running on the device Follow these steps to upgrade Boot ROM To do Use the command Remarks Upgrade the Boot ROM program of the device bootrom update file file url Required Available in user view Note Restart the device to v...

Page 1295: ... card or logical interface is removed If you repeatedly insert and remove different subcards or interface cards to create or delete a large amount of logical interface the interface indexes will be used up which will result in interface creation failures To avoid such a case you can clear all 16 bit interface indexes saved but not used in the current system in user view After the above operation z...

Page 1296: ...es Yes GBIC GigaBit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit small Form factor Pluggable Generally used for 10G Ethernet interfaces Yes No XENPAK 10 Gigabit EtherNet Transceiver Package Generally used for 10G Ethernet interfaces Yes Yes Note For pluggable transceivers supported by S3610 S5510 series Ethernet switches refer to H3C S3610 Series Ethernet...

Page 1297: ...ard during device debugging or test The information includes name of the card device serial number and vendor name or vendor name specified III Diagnosing pluggable transceivers The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers Optical transceivers customized by H3C also support the digital diagnosis function which enables a transceiver to m...

Page 1298: ...in any view Display the usage of the memory of a device display memory Available in any view Display the power state of a device display power power id Available in any view Display the reboot type of a device display reboot type Available in any view Display the reboot time of a device display schedule reboot Available in any view 3 4 Device Management Configuration Example 3 4 1 Remote Upgrade C...

Page 1299: ...view FTP Server ftp server enable Set the FTP username to aaa and password to hello FTP Server local user aaa FTP Server luser aaa password cipher hello Configure the user to have access to the aaa directory FTP Server luser aaa service type ftp ftp directory flash aaa z Configuration on Device Caution If the size of the Flash on the device is not large enough delete the original application progr...

Page 1300: ...p get aaa bin ftp get boot btm Clear the FTP connection and return to user view ftp bye Device Upgrade the Boot ROM file of the device Device bootrom update file boot btm Specify the application program for the next boot Device boot loader file aaa bin Reboot the device The application program is upgraded after the reboot Device reboot Start to check configuration with next startup configuration f...

Page 1301: ... DHCP Test 1 6 1 2 3 Configuring the FTP Test 1 8 1 2 4 Configuring the HTTP Test 1 11 1 2 5 Configuring the Jitter Test 1 13 1 2 6 Configuring the SNMP Query Test 1 16 1 2 7 Configuring the TCP Test 1 19 1 2 8 Configuring the UDP Test 1 22 1 2 9 Configuring the DLSw Test 1 25 1 3 Configuring Optional Parameters for NQA Tests 1 27 1 3 1 Configuring Optional Parameters Common to NQA 1 27 1 3 2 Conf...

Page 1302: ...etwork quality analyzer is an enhanced Ping tool used for testing the performance of protocols running on networks Besides the Ping functions NQA can provide the following functions z Detecting the availability and the response time of DHCP FTP HTTP and SNMP services z Testing the delay jitter of the network z Verifying the availability of TCP UDP and DLSw packets Different from Ping NQA does not ...

Page 1303: ...ultiple TCP or UDP listening services on the NQA server with each listening service corresponding to a specified destination address and port number 1 1 3 NQA Test Operation NQA can test multiple protocols A test group must be created for each type of NQA test Each test group can be related to only one type of NQA test Each test group has an administrator name and an operation tag The administrato...

Page 1304: ...esponding services of this known port will be unavailable This section covers these topics z Configuring the ICMP Test z Configuring the DHCP Test z Configuring the FTP Test z Configuring the HTTP Test z Configuring the Jitter Test z Configuring the SNMP Query Test z Configuring the TCP Test z Configuring the UDP Test z Configuring the DLSw Test 1 2 1 Configuring the ICMP Test The ICMP test is mai...

Page 1305: ...e multiple VPNs you need to use this command to specify a VPN instance for test Specify the IP address of an interface as the source IP address of an ICMP test request packet source interface interface type interface number Optional The interface specified by this command can only be VLAN interface In addition the interface must be up Otherwise the test will fail Configure common optional paramete...

Page 1306: ...p count 10 SwitchA nqa admin icmp timeout 5 Enable the ICMP test SwitchA nqa admin icmp test enable View the test results with the display nqa results command SwitchA nqa admin icmp display nqa results admin icmp NQA entry admin admin tag icmp test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 1 3 1 Square Sum of Round Trip...

Page 1307: ...uration part of the manual II Configuration procedure Follow these steps to configure the DHCP test To do Use the command Remarks Enter system view system view Enable the NQA client nqa agent enable Required Create an NQA test group and enter its view nqa admin name operation tag Set the test type to DHCP test type dhcp Required Specify an interface for a DHCP test source interface interface type ...

Page 1308: ...qa admin dhcp test type dhcp SwitchA nqa admin dhcp source interface ethernet 1 0 Enable the DHCP test SwitchA nqa admin dhcp test enable View the test results with the display nqa results command SwitchA nqa admin dhcp display nqa results admin dhcp NQA entry admin admin tag dhcp test result Send operation times 1 Receive response times 1 Min Max Average Round Trip Time 527 527 527 Square Sum of ...

Page 1309: ...est To do Use the command Remarks Enter system view system view Enable the NQA client nqa agent enable Required Create an NQA test group and enter its view nqa admin name operation tag Set the test type to FTP test type ftp Required Configure a destination address for a test destination ip ip address Required Here it is the IP address of the FTP server Configure the source IP address of a test req...

Page 1310: ... operation the file obtained from the FTP server will not be saved on the device either If there is no such file name file on the FTP server the FTP test will fail z When you perform a put operation a file name file with a fixed size and contents will be created on the FTP server but the uploaded file will not be saved III Configuration example 1 Network requirements Use the NQA FTP function to te...

Page 1311: ...ation put SwitchA nqa admin ftp username admin SwitchA nqa admin ftp password nqa SwitchA nqa admin ftp filename config txt Enable the FTP test SwitchA nqa admin ftp test enable View the test results with the display nqa results command SwitchA nqa admin ftp display nqa results admin ftp NQA entry admin admin tag ftp test result Destination ip address 10 2 2 2 Send operation times 1 Receive respon...

Page 1312: ...pe http Required Configure a destination address for a test destination ip ip address Required Here it is the IP address of the HTTP server Configure the HTTP operation type http operation get post Optional get by default meaning to get data from the HTTP server Configure an HTTP operation string http string string version Required Configure common optional parameters Refer to Configuring Optional...

Page 1313: ...itchA nqa admin http test type http SwitchA nqa admin http destination ip 10 2 2 2 SwitchA nqa admin http http operation get SwitchA nqa admin http http string index htm HTTP 1 0 Enable the HTTP test SwitchA nqa admin http test enable View the test results with the display nqa results command SwitchA nqa admin http display nqa results admin http NQA entry admin admin tag http test result Destinati...

Page 1314: ...hen sends it back to the source port After the source port receives the data packet the delay jitter can be calculated To improve the accuracy of the statistics results you must send multiple test packets when you perform a test The more test packets are sent the more accurate the statistics results are However it takes a longer time to complete the test You can quicken a jitter test by reducing t...

Page 1315: ...NQA test group and enter its view nqa admin name operation tag Set the test type to jitter test type jitter Required Configure a destination address for a test destination ip ip address Required The destination address is the listening IP address on the NQA server Configure a destination port destination port port number Required The destination port is the listening port on the NQA server Configu...

Page 1316: ...n to test the delay jitter of packet transmission between the local port Switch A and the specified destination port Switch B 2 Network diagram Figure 1 6 Network diagram for the jitter test 3 Configuration procedure z Configuration on Switch B Enable the NQA server and configure the listening IP address and port number SwitchB system view SwitchB nqa server enable SwitchB nqa server udpecho 10 2 ...

Page 1317: ...to Sequence Error 0 Failures due to Internal Error 0 Failures due to Other Errors 0 Jitter result RTT Number 10 SD Maximal delay 4 DS Maximal delay 4 Min Positive SD 1 Min Positive DS 0 Max Positive SD 1 Max Positive DS 0 Positive SD Number 1 Positive DS Number 0 Positive SD Sum 1 Positive DS Sum 0 Positive SD average 0 Positive DS average 0 Positive SD Square Sum 1 Positive DS Square Sum 0 Min Ne...

Page 1318: ...destination ip ip address Required Configure common optional parameters Refer to Configuring Optional Parameters for NQA Tests Optional Enable the NQA test test enable Required View the test results display nqa results admin name operation tag Required Available in any view III Configuration example 1 Network requirements Use the NQA SNMP query function to test the time it takes Switch A to send a...

Page 1319: ...iew SwitchA nqa agent enable SwitchA nqa admin snmp SwitchA nqa admin snmp test type snmpquery SwitchA nqa admin snmp destination ip 10 2 2 2 Enable the SNMP query test SwitchA nqa admin snmp test enable View the test results with the display nqa results command SwitchA nqa admin snmp display nqa results admin snmp NQA entry admin admin tag snmp test result Destination ip address 10 2 2 2 Send ope...

Page 1320: ...tination port needs to be configured on the client but TCP port 7 used for listening needs to be configured on the server Even if a port is configured on the client the port does not take effect z For the TCP Private test a connection setup request is initiated to the specified port of the destination address I Configuration procedure 1 Configure the NQA server Follow these steps to configure the ...

Page 1321: ...istening IP address on the NQA server Configure a destination port destination port port number If the test type is TCP Public no port needs to be configured If the test type is TCP Private a port must be configured and it must be the listening port configured on the NQA server Configure common optional parameters Configuring Optional Parameters for NQA Tests Optional Enable the NQA test test enab...

Page 1322: ...in tcpprivate test type tcpprivate SwitchA nqa admin tcpprivate destination ip 10 2 2 2 SwitchA nqa admin tcpprivate destination port 9000 Enable the TCP test SwitchA nqa admin tcpprivate test enable View the test results with the display nqa results command SwitchA nqa admin tcpprivate display nqa results admin tcpprivate NQA entry admin admin tag tcpprivate test result Destination ip address 10 ...

Page 1323: ...client but port 7 for listening needs to be configured on the server Even if a port is configured on the client the port does not take effect z For the UDP Private test a connection setup request is initiated to the specified port of the destination address I Configuration procedure 1 Configure the NQA server Follow these steps to configure the NQA server for the UDP test To do Use the command Rem...

Page 1324: ...DP Private a port must be configured and it must be the listening port configured on the NQA server Configure the size of test packets sent datasize size Optional 100 bytes by default Configure a string of fill characters of a test packet datafill text Optional The string of fill characters of a UDP packet is the string corresponding with the ASCII code 00 to FF by default Configure common optiona...

Page 1325: ...in udpprivate test type udpprivate SwitchA nqa admin udpprivate destination ip 10 2 2 2 SwitchA nqa admin udpprivate destination port 8000 Enable the TCP test SwitchA nqa admin udpprivate test enable View the test results with the display nqa results command SwitchA nqa admin udpprivate display nqa results admin udpprivate NQA entry admin admin tag udpprivate test result Destination ip address 10 ...

Page 1326: ...e set up between the NQA client and the specified device and the DLSw function must be enabled on the specified device II Configuration procedure Follow these steps to configure the DLSw test To do Use the command Remarks Enter system view system view Enable the NQA client nqa agent enable Required Create an NQA test group and enter its view nqa admin name operation tag Set the test type to DLSw t...

Page 1327: ...chA nqa admin dlsw test type dlsw SwitchA nqa admin dlsw destination ip 10 2 2 2 Enable the DLSw test SwitchA nqa admin dlsw test enable View the test results with the display nqa results command SwitchA nqa admin dlsw display nqa results admin dlsw NQA entry admin admin tag dlsw test result Destination ip address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average Round Trip ...

Page 1328: ...Trap Delivery 1 3 1 Configuring Optional Parameters Common to NQA Follow these steps to configure optional parameters common to NQA To do Use the command Remarks Enter system view system view Configure the maximum number of tests that the NQA client can simultaneously perform nqa agent max requests number Optional 5 by default 1 3 2 Configuring Optional Parameters Common to an NQA Test Group Follo...

Page 1329: ...re the NQA probe time out time timeout time Optional Three seconds by default If no response packet is received within the time out time of a request packet the probe fails Configure the maximum number of history records that can be saved in a test group history records number Optional 50 by default If the number of history records exceeds this value the earliest test results are discarded Configu...

Page 1330: ...s invalid for the DHCP test Configure the source port of a test request packet source port port number Optional You can specify a port as the source port of a test request packet Otherwise the system automatically assigns a port to serve as the source port of the test request packet This command is only valid for jitter UDP and SNMP tests Enable the routing table bypass function sendpacket passrou...

Page 1331: ...configure Trap To do Use the command Remarks Enter system view system view Create an NQA test group and enter its view nqa admin name operation tag Required Enable trap debugging to send a trap message to the network management server send trap all probefailure testcomplete testfailure Optional No trap message is sent to the network management server by default Configure the minimum number of prob...

Page 1332: ...the command Remarks Display history information of tests display nqa history admin name operation tag Available in any view Display the results of the last NQA jitter test display nqa jitter admin name operation tag Available in any view Display the results of the last test display nqa results admin name operation tag Available in any view ...

Page 1333: ...es 1 14 1 2 7 Displaying and Maintaining VRRP for IPv4 1 15 1 3 Configuring VRRP for IPv6 1 15 1 3 1 VRRP for IPv6 Configuration Task List 1 15 1 3 2 Enabling Users to Ping Virtual IPv6 Addresses 1 15 1 3 3 Configuring the Association Between Virtual IPv6 Address and MAC Address 1 16 1 3 4 Creating Standby Group and Configuring Virtual IPv6 Address 1 17 1 3 5 Configuring Standby Group Priority Pre...

Page 1334: ...es that VRRP involves can only be VLAN interfaces unless otherwise specified 1 1 Introduction to VRRP 1 1 1 VRRP Overview Normally as shown in Figure 1 1 you can configure a default route with the gateway as the next hop for every host on a network segment allowing all packets destined to the other network segments to be sent over the default route to the gateway and then be forwarded by the gatew...

Page 1335: ...e default links without changing configurations such as dynamic routing protocols route discovery protocols when a device fails and prevent network interruption due to a single link failure There are two VRRP versions VRRPv2 and VRRPv3 VRRPv2 is based on IPv4 while VRRPv3 is based on IPv6 The two versions implement the same functions but provide different commands 1 1 2 VRRP Standby Group Overview...

Page 1336: ...s the master switch to act as the gateway and the other two are backup switches Caution z The IP address of the virtual router can be either an unused IP address on the segment where the standby group resides or the IP address of an interface on a switch in the standby group In the latter case the switch is called the IP address owner z In a VRRP standby group there can only be one IP address owne...

Page 1337: ...uthentication mode in a network facing possible security problems A switch sending a packet fills the authentication key into the packet and the switch receiving the packet compares its local authentication key with that of the received packet If the two authentication keys are the same the received VRRP packet is considered real and valid otherwise the received packet is considered an invalid one...

Page 1338: ...s case it regards itself as the master and sends VRRP advertisements to start a new master switch election in a standby group 1 1 4 Format of VRRP Packets VRRP uses multicast packets The switch acting as the master sends VRRP packets periodically to declare its existence VRRP packets are also used for checking the parameters of the virtual router and electing the master I IPv4 based VRRP packet fo...

Page 1339: ...nd is 0 for any other authentication modes II IPv6 based VRRP packet format Version Type Virtual Rtr ID Priority Count IPv6 Addrs Auth Type Adver Int Checksum IPv6 address 1 Authentication data 1 Authentication data 2 IPv6 address n 0 7 15 23 31 3 Figure 1 4 IPv6 based VRRP packet format As shown in Figure 1 4 an IPv6 based VRRP packet consists of the following fields z Version Version number of t...

Page 1340: ... with that of its own If its priority is higher it becomes the master otherwise it remains a backup z In non preemption mode the switch in the standby group remains as a master or backup as long as the master does not fail The backup will no become the master even if the former is configured with a higher priority z If the timer of a backup expires but the backup still does not receive any VRRP ad...

Page 1341: ...the state of listening If Switch A fails Switch B and Switch C will elect for the new master The new master takes over the forwarding task to provide services to hosts on the LAN II Load balancing You can create more than one standby group on an interface of a switch allowing the switch to be the master of one standby group but a backup of another at the same time In load balancing mode multiple s...

Page 1342: ...tandby group 3 Switch C is the master Switch A and Switch B are the backups For load balancing among Switch A Switch B and Switch C hosts on the LAN need to be configured to use standby group 1 2 and 3 as the default gateways respectively When configuring VRRP priorities ensure that each switch holds such a priority in each standby group that it will take the expected role in the group 1 2 Configu...

Page 1343: ...etween Virtual IP Address and MAC Address After the virtual IP address of a standup group is associated with a MAC address the master switch takes the configured MAC address as the source MAC address of the packets to be sent so that the hosts in the internal network can learn the association between the IP address and the MAC address and thus forward the packets to be forwarded to the other netwo...

Page 1344: ...tual MAC address is associated with the virtual IP address by default Caution You should configure this function before creating a standby group Otherwise you cannot modify the mapping between the virtual IP address and the MAC address 1 2 4 Creating Standby Group and Configuring Virtual IP Address You need to configure a virtual IP address for a standby group when creating the standby group A VRR...

Page 1345: ...ke effect z The virtual IP address of the virtual router can be either an unused IP address on the segment where the standby group resides or the IP address of an interface on a switch in the standby group In the latter case the switch is called the IP address owner z The virtual IP address of the standby group cannot be 0 0 0 0 255 255 255 255 loopback address non A B C address and other illegal ...

Page 1346: ...nterface interface type interface number Configure switch priority in the standby group vrrp vrid virtual router id priority priority value Optional 100 by default Configure the switch in the standby group to work in preemption mode and configure preemption delay vrrp vrid virtual router id preempt mode timer delay delay value Optional The switch in the standby group works in preemption mode and t...

Page 1347: ...ode md5 simple key Optional Authentication is not performed by default Configure the time interval for the Master in the standby group to send VRRP advertisement vrrp vrid virtual router id timer advertise adver interval Optional 1 second by default Disable TTL check on VRRP packets vrrp un check ttl Optional Enabled by default Do not create a standby group before executing this command Note z You...

Page 1348: ...configure VRRP for IPv6 Task Remarks Enabling Users to Ping Virtual IPv6 Addresses Optional Configuring the Association Between Virtual IPv6 Address and MAC Address Optional Creating Standby Group and Configuring Virtual IPv6 Address Required Configuring Standby Group Priority Preemption Mode and Interface Tracking Optional Configuring VRRP Packet Attributes Optional 1 3 2 Enabling Users to Ping V...

Page 1349: ...or a standby group after the standby group is created and the virtual IPv6 address is associated with the virtual MAC address With such association adopted the hosts in the internal network need not update the association between IPv6 address and MAC address when the master switch changes z Virtual IPv6 address is associated with real MAC address of the interface When an IP address owner exists in...

Page 1350: ...RP standby group I Configuration prerequisites Before creating standby group and configuring virtual IPv6 address you should first configure the IPv6 address of the interface and ensure that the virtual IPv6 address to be configured is in the same network segment as the IPv6 address of the interface II Configuration procedure Follow these steps to create standby group and configure its virtual IPv...

Page 1351: ...can decide which switch in the standby group serves as the Master Follow these steps to configure standby group priority preemption mode and interface tracking To do Use the command Remarks Enter system view system view Enter the specified interface view interface interface type interface number Configure the priority of the switch in the standby group vrrp ipv6 vrid virtual router id priority pri...

Page 1352: ... interface interface type interface number Configure the authentication mode and authentication key when the standby groups send and transmit VRRP packets vrrp ipv6 vrid virtual router id authentication mode simple key Optional Authentication is not performed by default Configure the time interval for the Master in the standby group to send VRRP advertisement vrrp ipv6 vrid virtual router id timer...

Page 1353: ...umber vrid virtual router id Available in user view 1 4 IPv4 Based VRRP Configuration Examples This section provides these configuration examples z Single VRRP Standby Group Configuration Example z VRRP Interface Tracking Configuration Example z Multiple VRRP Standby Group Configuration Example 1 4 1 Single VRRP Standby Group Configuration Example I Network requirements z Host A needs to access Ho...

Page 1354: ... SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 202 38 160 1 255 255 255 0 Create standby group 1 and set its virtual IP address to be 202 38 160 111 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Set Switch A to work in preemption mode The preemption delay ...

Page 1355: ...in Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 5 Auth Type NONE Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 Display detailed information of standby group 1 on Switch B SwitchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 1 Adm...

Page 1356: ...d by Switch B 1 4 2 VRRP Interface Tracking Configuration Example I Network requirements z Host A needs to access Host B on the Internet using 202 38 160 111 24 as its default gateway z Switch A and Switch B belong to standby group 1 with the virtual IP address of 202 38 160 111 z If Switch A operates normally packets sent from Host A to Host B are forwarded by Switch A if Switch A is in work but ...

Page 1357: ...cation mode simple hello Set the interval for Master to send VRRP advertisement to five seconds SwitchA Vlan interface2 vrrp vrid 1 timer advertise 5 Set the interface to be tracked SwitchA Vlan interface2 vrrp vrid 1 track interface vlan interface 3 reduced 30 2 Configure Switch B Configure VLAN 2 SwitchB system view SwitchB vlan 2 SwitchB vlan2 port GigabitEthernet 2 0 5 SwitchB vlan2 quit Switc...

Page 1358: ...SwitchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type SIMPLE TEXT Key hello Virtual IP 202 38 160 111 Master IP 202 38 160 1 The above information indicates that in standby group 1 Switch A is th...

Page 1359: ...e Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type SIMPLE TEXT Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 2 The above information indicates that if VLAN interface 3 on Switch A is not available the priority of Switch A is reduced to 80 and it becomes the backup Switch B beco...

Page 1360: ... interface2 ip address 202 38 160 1 255 255 255 0 Create a standby group 1 and set its virtual IP address to 202 38 160 111 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Configure the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Create a standby group 2 and set its virtual IP address to 202 38 160 112 SwitchA Vlan interface2 vrrp v...

Page 1361: ...etailed information of the standby group on Switch A SwitchA Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 Interfa...

Page 1362: ...itch A in standby group 2 Switch A is the backup Switch B is the master and the host with the default gateway of 202 38 160 112 24 accesses the Internet through Switch B 1 5 IPv6 Based VRRP Configuration Examples This section provides these configuration examples z Single VRRP Standby Group Configuration Example z VRRP Interface Tracking Configuration Example z Multiple VRRP Standby Group Configur...

Page 1363: ...net 2 0 5 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ipv6 address fe80 1 link local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its virtual IP address to FE80 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp ipv6 vrid 1 pri...

Page 1364: ...ipv6 command to verify the configuration Display detailed information of standby group 1 on Switch A SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Virtual M...

Page 1365: ...e Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Virtual MAC 0000 5e00 0201 Master IP FE80 2 The above information indicates that if Switch A fails Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B 1 5 2 VRRP Interface Tracking Configuration Exa...

Page 1366: ...link local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its virtual IP address to FE80 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp ipv6 vrid 1 priority 110 Set the authentication mode for standby group 1 to simple and authentication key to hello SwitchA ...

Page 1367: ...p ipv6 vrid 1 authentication mode simple hello Set the VRRP advertisement interval to 500 centiseconds SwitchB Vlan interface2 vrrp ipv6 vrid 1 timer advertise 500 Set Switch B to work in preemption mode The preemption delay is five seconds SwitchB Vlan interface2 vrrp ipv6 vrid 1 preempt mode timer delay 5 3 Verify the configuration After the configuration Host B can be pinged through on Host A Y...

Page 1368: ... through Host B on Host A You can use the display vrrp ipv6 command to view the detailed information of the standby group If Switch A is in work but its interface VLAN interface 3 is not available the detailed information of standby group 1 on Switch A is displayed SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vla...

Page 1369: ...it becomes the backup Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B 1 5 3 Multiple VRRP Standby Group Configuration Example I Network requirements z In the network some hosts use FE80 10 as their default gateway and some hosts use FE80 20 as their default gateway z Load sharing and mutual backup between default gateways can be implemented by using VRR...

Page 1370: ...SwitchB vlan2 port GigabitEthernet 2 0 5 SwitchB vlan2 quit SwitchB interface vlan interface 2 SwitchB Vlan interface2 ipv6 address fe80 2 link local SwitchB Vlan interface2 ipv6 address 1 2 64 Create standby group 1 and set its virtual IP address to FE80 10 SwitchB Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Create standby group 2 and set its virtual IP address to FE80 20 Switc...

Page 1371: ...E80 2 Display detailed information of the standby group on Switch B SwitchB Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Master IP FE80 1 Interface Vlan interface2...

Page 1372: ...frequently Analysis This error is probably due to the inconsistent configuration of the other switch in the standby group or that a device is attempting to send illegitimate VRRP packets Solution z In the first case modify the configuration z In the latter case you have to resort to non technical measures II Symptom 2 Multiple masters are present in the same standby group Analysis z If presence of...

Page 1373: ... Ethernet Switches Chapter 1 VRRP Configuration 1 40 III Symptom 3 Frequent VRRP state transition Analysis The VRRP advertisement interval is set too short Solution Increase the interval to sent VRRP advertisement or introduce a preemption delay ...

Page 1374: ...r SSH Client 1 12 1 3 3 Configuring First time Authentication 1 12 1 3 4 Establishing a Connection Between SSH Client and Server 1 13 1 4 Displaying and Maintaining SSH 1 14 1 5 SSH Server Configuration Examples 1 15 1 5 1 When Using Password Authentication 1 15 1 5 2 When Using Publickey Authentication 1 18 1 6 SSH Client Configuration Examples 1 25 1 6 1 When Using Password Authentication 1 25 1...

Page 1375: ...Operation Manual SSH H3C S3610 S5510 Series Ethernet Switches Table of Contents ii 2 3 6 Terminating the Connection to the Remote SFTP Server 2 6 2 4 SFTP Configuration Example 2 7 ...

Page 1376: ...ce can not only work as an SSH server to support connections with SSH clients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Caution Currently when acting as an SSH server the device supports two SSH versions SSH2 and SSH1 When acting as an SSH client the device supports SSH2 only 1 1 1 Algorithm and Key Algorithm is a set o...

Page 1377: ... encryption and signature 1 1 3 SSH Operating Process The session establishment between an SSH client and the SSH server involves the following five stages Table 1 1 Stages in establishing a session between the SSH client and the server Stages Description Version negotiation SSH1 and SSH2 are supported The two parties negotiate a version to use Key and algorithm negotiation SSH supports multiple a...

Page 1378: ...on z The server and the client send key algorithm negotiation packets to each other which include the supported public key algorithm list encryption algorithm list MAC algorithm list and compression algorithm list z Based on the received algorithm negotiation packets the server and the client figure out the algorithms to be used z The server and the client use the DH key exchange algorithm and par...

Page 1379: ...server a public authentication request containing its user name public key and algorithm The server validates the public key If the public key is invalid the authentication fails otherwise the server generates a digital signature to authenticate the client and then sends back a message to inform the success or failure of the authentication Note Besides password authentication and publickey authent...

Page 1380: ...w otherwise the server may not be able to perform the commands z If the text exceeds 2000 bytes you can upload the configuration file to the server and use the configuration file to restart the server so that the server executes the commands 1 2 Configuring the Device as an SSH Server 1 2 1 SSH Server Configuration Task List Complete the following tasks to configure an SSH server Task Remarks Enab...

Page 1381: ...iew system view Enter single user interface view or multi user interface view user interface type keyword number ending number Required Set the login authentication method to scheme authentication mode scheme command authorization Required By default the authentication mode is password Specify the protocols for the user interfaces to support protocol inbound all ssh telnet Optional All protocols a...

Page 1382: ... server host key is in the range 512 to 2048 bits With SSH2 however some clients require that the keys generated by the server must not be less than 768 bits II Exporting the RSA key pair You can display or export the local RSA host key for setting the host key on the remote end Follow these steps to display or export an RSA host key To do Use the command Remarks Enter system view system view Disp...

Page 1383: ...c key to a string coded using the PKCS standard Before importing the public key you must upload the public key file in binary to the server through FTP or TFTP Caution z When the device functions as the SSH server you cannot use Secure CRT 4 07 to upload the client public key to the server z You can configure at most 20 client pubic keys on an SSH server I Configuring a client public key manually ...

Page 1384: ...m a public key file public key peer keyname import sshkey filename Required 1 2 6 Configuring an SSH User This configuration allows you to create an SSH user and specify the service type and authentication method Follow these steps to configure an SSH user To do Use the command Remarks Enter system view system view For stelnet users ssh user username service type stelnet authentication type passwo...

Page 1385: ...e service type to stelnet or all on the server Otherwise the client will fail to log in successfully z The working folder of an SFTP user is subject to the user authentication method For a user using only password authentication the working folder is the AAA authorized one For a user using only publickey authentication or using both the publickey and password authentication methods the working fol...

Page 1386: ...lt the SSH server can work with SSH1 x clients Set the RSA server key pair update interval ssh server rekey interval hours Optional 0 by default that is the RSA server key pair is not updated Set the SSH user authentication timeout period ssh server authentication timeout time out value Optional 60 seconds by default Set the maximum number of SSH authentication attempts ssh server authentication r...

Page 1387: ...ype interface number Required By default the address of the interface decided by the routing is used to access the SSH server 1 3 3 Configuring First time Authentication When the device connects to the SSH server as an SSH client you can configure whether the device supports first time authentication z With first time authentication when an SSH client not configured with the server host public key...

Page 1388: ...llow these steps to disable first time authentication To do Use the command Remarks Enter system view system view Disable first time authentication support undo ssh client first time Optional By default first time authentication is supported on a client Configure the server public key Refer to 1 2 5 Configuring a Client Public Key Required The method of configuring server public key on the client ...

Page 1389: ...ryption algorithms and HMAC algorithms for them ssh2 ipv6 server port number prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Use either command in user view 1 4 Displaying and Maintaining SSH To do Use the command Remarks Display informa...

Page 1390: ...are directly connected through the Ethernet interfaces z The host runs SSH client software to securely log on to the switch for configuration z Password authentication is used II Network diagram Figure 1 2 SSH server configuration using password authentication III Configuration procedure 1 Configure the SSH server Generate an RSA key pair and enable SSH server Switch system view Switch public key ...

Page 1391: ...imple aabbcc Switch luser client001 service type ssh level 3 Switch luser client001 quit Specify the service type for user client001 as Stelnet and the authentication method as password Switch ssh user client001 service type stelnet authentication type password 2 Configure the SSH client Note There are a variety of SSH client software such as PuTTY OpenSSH and so on The following is an example of ...

Page 1392: ...Configuration 1 17 Figure 1 3 SSH client configuration interface From the window shown in Figure 1 3 click Open The following SSH client interface appears If the connection is normal you will be prompted to enter the username client001 and password aabbcc as shown in Figure 1 4 ...

Page 1393: ... are directly connected through the Ethernet interfaces z The host runs SSH client software to securely log on to the switch for configuration z Publickey authentication is used the algorithm is RSA II Network diagram Figure 1 5 SSH server configuration using publickey authentication III Configuration procedure 1 Configure the SSH server Generate an RSA key pair and enable SSH server Switch system...

Page 1394: ...mand privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Note Before performing the following tasks you must generate an RSA key pair using the client software on the client save the public key in a file named key pub and then upload the file to the SSH server through FTP or TFTP For details refer to Configuring the SSH Client Import the client s public key from file...

Page 1395: ... Configuration 1 20 Figure 1 6 Generate a client key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 7 Otherwise the process bar stops moving and the key pair generating process is stopped ...

Page 1396: ...0 S5510 Series Ethernet Switches Chapter 1 SSH Configuration 1 21 Figure 1 7 Generate a client key pair 2 After the key pair is generated click Save public key to save the key in a file by entering a file name key pub in this case ...

Page 1397: ...pops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the key private in this case Figure 1 9 Generate a client key 4 Note After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of ...

Page 1398: ...h the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 1 10 SSH client configuration interface 1 Select Connection SSH Auth The following window appears Click Browse to bring up the file selection window navigate to the private key file and click OK ...

Page 1399: ...on 1 24 Figure 1 11 SSH client configuration interface 2 From the window shown in Figure 1 11 click Open The following SSH client interface appears If the connection is normal you will be prompted to enter the username client002 to enter the configuration interface as shown in Figure 1 12 ...

Page 1400: ...As shown in Figure 1 13 Switch A the SSH client needs to log on to Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the password is aabbcc Password authentication is required II Network diagram Figure 1 13 SSH client configuration using password authentication III Configuration procedure 1 Configure the SSH server Create an RSA key pair and enable ...

Page 1401: ...tchB luser client001 service type ssh level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication method as password SwitchB ssh user client001 service type stelnet authentication type password 2 Configure the SSH client Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ...

Page 1402: ...FFA256699B3BF871221CC9C5D F257523777D033BEE77FC378145F2AD SwitchA pkey key code D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71 01F7C62621216D5A572C379A32AC290 SwitchA pkey key code E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D SwitchA pkey key code 485348 SwitchA pkey key code public key code end SwitchA pkey public key peer public key end Specify the host pu...

Page 1403: ...e an RSA key pair and enable SSH server SwitchB system view SwitchB public key local create rsa SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client will use as the destination for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the us...

Page 1404: ... authentication type publickey assign publickey Switch001 2 Configure the SSH client Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 255 255 255 0 SwitchA Vlan interface1 quit Generate an RSA key pair SwitchA public key local create rsa Export the RSA public key to the file key pub SwitchA public k...

Page 1405: ...iguration 1 30 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n Copyright c 2004 2007 Hangzhou H3C Tech Co Ltd All rights reserved Without the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB ...

Page 1406: ...also server as an SFTP client enabling a user to login from the device to a remote device for secure file transfer 2 2 Configuring an SFTP Server 2 2 1 Configuration Prerequisites z You have configured the SSH server For the detailed configuration procedure refer to Configuring the Device as an SSH Server z You have used the ssh user service type command to set the service type of SSH users to sft...

Page 1407: ...P connection exceeds the specified threshold the system automatically tears the connection down so that a user cannot occupy a connection for nothing Follow these steps to configure the SFTP connection idle timeout period To do Use the command Remarks Enter system view system view Configure the SFTP connection idle timeout period sftp server idle timeout time out value Required 10 minutes by defau...

Page 1408: ... remote SFTP server and enter SFTP client view Follow these steps to enable the SFTP client To do Use the command Remarks Establish a connection to the remote IPv4 SFTP server and enter SFTP client view sftp server port number prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc ...

Page 1409: ...ha1 sha1 96 Required Execute the command in user view Change the working directory of the remote SFTP server cd remote path Optional Return to the upper level directory cdup Optional Display the current working directory of the remote SFTP server pwd Optional dir a l remote path Display files under a specified directory ls a l remote path Optional The dir command functions as the ls command Change...

Page 1410: ...d in user view Change the name of a specified file on the SFTP server rename old name new name Optional Download a file from the remote server and save it locally get remote file local file Optional Upload a local file to the remote SFTP server put local file remote file Optional dir a l remote path Display the files under a specified directory ls a l remote path Optional The dir command functions...

Page 1411: ...list of all commands or the help information of an SFTP client command help all command name Required 2 3 6 Terminating the Connection to the Remote SFTP Server Follow these steps to terminate the connection to the remote SFTP server To do Use the command Remarks Establish a connection to the remote SFTP server and enter SFTP client view sftp ipv6 server port number prefer ctos cipher 3des aes128 ...

Page 1412: ...tchB public key local create rsa SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client uses as the destination for SSH connection SwitchB interface Vlan interface 1 SwitchB Vlan interface1 ip address 192 168 0 1 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication method on the user interface to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4...

Page 1413: ...hA Vlan interface1 quit SwitchA quit Establish a connection to the remote SFTP server and enter SFTP client view SwitchA sftp 192 168 0 1 Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n Enter password sftp client Display files under the current directory of the ...

Page 1414: ...nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Rename directory new1 to new2 and check if the directory is renamed successfully sftp client rename new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone no...

Page 1415: ...fig cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk sftp client Terminate the connection to the remote SFTP server sftp client quit Bye SwitchA ...

Page 1416: ...te Exchange between a MCE and a Site 2 4 2 2 1 Configuring Route Exchange between a MCE and a Site 2 4 2 2 2 Configuring to Use Static Routes between a MCE and a Site 2 5 2 2 3 Configuring to Use RIP between a MCE and a Site 2 5 2 2 4 Configuring to Use OSPF between a MCE and a Site 2 5 2 2 5 Configuring to Use IS IS between a MCE and a Site 2 6 2 2 6 Configuring to Use EBGP between a MCE and a Si...

Page 1417: ...rovides flexible networking modes excellent scalability and convenient support for MPLS QoS and MPLS TE Hence it is widely used The BGP MPLS VPN model consists of three kinds of devices z Customer edge device CE A CE resides on a customer network and has one or more interfaces directly connected with service provider networks It can be a router a switch or a host It neither can sense the existence...

Page 1418: ...nected rather than all VPN routing information on the provider network A P router maintains only routes to PEs It does not need to know anything about VPN routing information When VPN traffic travels over the MPLS backbone the ingress PE functions as the ingress LSR the egress PE functions as the egress LSR while P routers function as the transit LSRs You can use H3C S3610 S5510 series switches as...

Page 1419: ...te Each VPN instance contains the VPN membership and routing rules of the corresponding site If a user at a site belongs to multiple VPNs at the same time the VPN instance of the site contains information about all the VPNs For independency and security of VPN data each VPN instance on a PE maintains a relatively independent routing table and a separate label forwarding information base LFIB VPN i...

Page 1420: ...ic IPv4 address prefix you make it a globally unique VPN IPv4 address prefix An RD can be related to an autonomous system AS number in which case it is the combination of an AS number and a discretionary number or be related to an IP address in which case it is the combination of an IP address and a discretionary number An RD can be in either of the following two formats distinguished by the Type ...

Page 1421: ...E through a CE as shown in Figure 1 1 With the users increasing demand for service segmentation and security a private network may be divided into multiple VPNs and the users of different VPN are usually isolated from each other In a private network containing multiple VPNs users may be in such a dilemma equipment investment and the maintenance cost increment caused by assigning a CE for each of t...

Page 1422: ... to also to bind the interfaces sub interfaces to the VPNs on PE 1 in the same way as those on the MCE device The MCE device is connected to PE 1 through a trunk which permits packets of VLAN 2 and VLAN 3 with VLAN tags carried In this way PE 1 can determine the VPN a received packet belongs to according to the VLAN tag of the packet and passes the packet to the corresponding tunnel 1 2 Routing In...

Page 1423: ...ocesses to VPN instances With the same binding configured on CE and site private network routes of different VPNs can be exchanged between CEs and sites through different RIP processes thus isolating and securing VPN routes III OSPF A S3610 S5510 switch can bind OSPF processes to VPN instances and isolate the routes of different VPNs Note that For an OSPF process bound to a VPN instance the router...

Page 1424: ...gs for different VPN instances on each MCE It is recommended that a VPN be assigned the same route tag on multiple MCEs IV IS IS Similar to those in OSPF IS IS processes can be bound to VPN instances for private network routes to be exchanged between CEs and sites An IS IS process can be bound to only one VPN instance V EBGP To use EBGP to exchange private routes between a CE and a site you need t...

Page 1425: ...lt VPN routing information can be transmitted by performing relatively simple configurations between CE and PE such as importing the VPN routing entries on MCE devices to the routing table of the routing protocol running between CEs and PEs The following routing protocols can be used between CE and PE for routing formation exchange z Static route z RIP z OSPF z IS IS z EBGP For information on how ...

Page 1426: ...ch to MCE Create a VPN instance Required See 2 1 3 Creating a VPN Instance Associate the VPN instance with an interface Required See 2 1 4 Associating an VPN Instance with an Interface Configure the route related attributes for the VPN instance Required See 2 1 5 Configuring the Route related Attributes for a VPN Instance 2 1 2 Setting the Operation Mode of the Switch to MCE The switch must work i...

Page 1427: ...ionship between the VPN instance and a VPN Table 2 3 Create a VPN instance Operation Command Description Enter system view system view Create a VPN instance and enter VPN instance view ip vpn instance vpn instance name Required By default no VPN instance is present Configure an RD for the VPN instance route distinguisher route distinguisher Required By default a VPN instance has no RD configured S...

Page 1428: ...dvertising VPN routes is as follows z When the switch learns a VPN route from a site and injects it into BGP BGP associates the route with a VPN target extended community attribute list which is normally the export route attribute list of the VPN instance z A VPN instance determines whether to accept a received route according to the VPN target import extended community attribute list associated w...

Page 1429: ...PN target specified for a VPN instance on the MCE device must be same as that specified for the VPN instance on the PE device 2 2 Configuring Route Exchange between a MCE and a Site 2 2 1 Configuring Route Exchange between a MCE and a Site Table 2 6 Configure route exchange between a MCE and a site Operation Description Related section Configure to use static routes between a MCE and a site See 2 ...

Page 1430: ...ormal static route 2 2 3 Configuring to Use RIP between a MCE and a Site A RIP process can be bound to only one VPN instance RIP processes not bound to any VPN instances belong to the public network Table 2 8 Configure to use RIP between a MCE and a site Operation Command Description Enter system view system view Enable RIP for a VPN instance This operation also leads you to RIP view rip process i...

Page 1431: ...tional By default the OSPF domain ID is 0 This operation is performed on the MCE device As for the corresponding configuration on the site you can just enable OSPF as usual Note z Router IDs of the public network configured in system view do not applies to OSPF processes bound to VPN instances So you need to configure the Router ID after enabling OSPF for a VPN instance z To make sure routes can b...

Page 1432: ...uring to Use EBGP between a MCE and a Site 1 Configuration on the MCE device Table 2 11 Configure an MCE device Operation Command Description Enter system view system view Enter BGP view bgp as number Enter BGP VPN instance view ipv4 family vpn instance vpn instance name Required Configure a CE as a VPN peer peer group name ip address as number as number Required Import routes of the local CE impo...

Page 1433: ...ATH attribute can be used for route loop detect With EBGP running between a MCE and a site the routes advertised by an MCE device to the site carry the local AS number So do the routes advertised by the site In this case you need to configure to permit the routes with their AS numbers contained in their AS_PATH attributes being the local AS number on MCE devices for the routes advertised by the si...

Page 1434: ...PE 2 3 1 Configuring Route Exchange between a MCE and a PE Table 2 13 Configure route exchange between a MCE and a PE Operation Description Related section Define a static route for a VPN instance See 2 3 2 Configuring to Use Static Routes between a MCE and a PE Configure to use RIP between a MCE and a PE See 2 3 3 Configuring to Use RIP between a MCE and a PE Configure to use OSPF between a MCE a...

Page 1435: ...tion text Required By default for a static route the preference value is 60 the tag value is 0 and no description information is configured Set the default preference value of static routes ip route static default preference default preference value Optional By default the preference value of a static route is 60 Note z A static route configured for a VPN instance does not take effect if you confi...

Page 1436: ...me tag tag Required By default RIP does not import routes from other protocols 2 3 4 Configuring to Use OSPF between a MCE and a PE When configuring to use OSPF between a MCE and a PE you need to configure the OSPF processes to be bound to VPN instances and router IDs you also need to manually import the VPN routes in the site maintained by the MCE device to the routing table of the PE Table 2 16 ...

Page 1437: ...e importing routes of other protocols you can specify the default cost value for the imported routes as well You can also apply filter policies for imported routes Table 2 17 Configure IS IS to import external routes Operation Command Description Enter system view system view Enable IS IS for a VPN instance and enter IS IS view isis process id vpn instance vpn instance name Import routes of other ...

Page 1438: ... id med med value route policy route policy name Required The MCE device must import routes of the local site to the VPN routing table in order to advertise these routes to the PE device Apply a filter policy for routes to be advertised filter policy acl number ip prefix ip prefix name export direct isis process id ospf process id rip process id static Optional By default no filter policy is appli...

Page 1439: ... the BGP VPNv4 routing information of a specified VPN instance display bgp vpnv4 vpn instance vpn instance name routing table network address mask mask length longer prefixes as path acl as path acl number cidr community aa nn 1 13 no export subconfed no advertise no export whole match community list basic community list number whole match adv community list number 1 16 dampened dampening paramete...

Page 1440: ...s displayed For information about the commands used to display routing protocol configuration see relevant chapters in the IPv4 Routing module of this manual 2 5 MCE Configuration Example 2 5 1 MCE Configuration Example A I Network requirements z An MCE device connects to VPN1 with the address range being 192 168 0 0 16 through VLAN interface 10 with the IP address being 10 214 10 3 and connects t...

Page 1441: ...n the MCE device with the RD values of the two VPN instances being 10 1 and 20 1 Configure the VPN target values of the two VPN instances as 10 1 and 20 1 for both the import and export extended community attribute list MCE system view MCE ip vpn instance vpn1 MCE vpn instance vpn1 route distinguisher 10 1 MCE vpn instance vpn1 vpn target 10 1 both MCE vpn instance vpn1 quit MCE ip vpn instance vp...

Page 1442: ...abled You can configure to use static routes between MCE and a site Configuration on VR1 Assume VR1 is an S3610 switch configure IP address 10 214 10 2 24 for the interface connecting to MCE and IP address 192 168 0 1 24 for the interface connecting to VPN1 The operation of adding a port to a VLAN and configuring IP address for a VLAN interface is omitted here Configure a default route on VR1 spec...

Page 1443: ...20 VR2 rip 20 network 192 168 10 0 VR2 rip 20 network 10 0 0 0 Display the information about the routes of VPN2 on MCE MCE rip 20 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 214 20 0 24 Direct 0 0 10 214 20 3 Vlan20 10 21...

Page 1444: ...ess to VPN1 and set the OSPF domain ID to 10 MCE Ethernet1 0 3 quit MCE ospf 10 router id 101 101 10 1 vpn instance vpn1 MCE ospf 10 domain 10 Advertise the network segment 10 214 10 0 within Area0 and import static routes of VPN1 MCE ospf 10 area 0 MCE ospf 10 area 0 0 0 0 network 10 214 10 0 0 0 0 255 MCE ospf 10 area 0 0 0 0 quit MCE ospf 10 import route static Create OSPF process 10 on PE bind...

Page 1445: ...ies the configuration PE display ip routing table vpn instance vpn2 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 6 Routes 6 Destination Mask Proto Pre Cost NextHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 214 20 0 24 Direct 0 0 10 214 20 4 Vlan20 10 214 20 4 32 Direct 0 0 127 0 0 1 InLoop0 200 200 20 1 32 Direct ...

Page 1446: ...he procedure of enabling OSPF in the two VPN instances and advertising the network segments is the same as that in normal OSPF and is omitted Create OSPF process 10 for MCE and bind OSPF process 10 to VPN instance 1 so that MCE can learn the routes of VPN1 MCE system view MCE ospf router id 10 10 10 1 10 vpn instance vpn1 MCE ospf 10 area 0 MCE ospf 10 area 0 0 0 0 network 10 100 10 0 0 0 0 255 Di...

Page 1447: ...xtHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 100 20 0 24 Direct 0 0 10 100 20 1 Vlan3 10 100 20 1 32 Direct 0 0 127 0 0 1 InLoop0 172 16 20 0 24 OSPF 10 1 10 100 20 2 Vlan3 z Configure the routing protocol running between MCE and PE The procedure of connecting MCE to PE through trunk ports is similar to that in 2 5 1 MCE Configuration Exampl...

Page 1448: ... 100 10 2 Vlan2 For VPN2 perform the configurations similar to the above on MCE and PE to import the OSPF routing information of VPN2 to the EBGP routing table Configuration procedures are omitted here Followed is the result of the above configurations PE display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 127 0 0...

Page 1449: ...AM Connection Establishment 1 2 1 1 3 Standards and Protocols 1 4 1 2 OAM Configuration 1 5 1 2 1 OAM Configuration Task List 1 5 1 2 2 Configuring Basic OAM Basic Functions 1 5 1 2 3 Configuring the Periods and Thresholds for OAM Link Error Event Detection 1 6 1 2 4 Enabling OAM Loopback Testing 1 7 1 3 Displaying and Maintaining OAM Configuration 1 8 1 4 OAM Configuration Example 1 9 ...

Page 1450: ...he last mile By enabling Ethernet OAM on two devices connected by a point to point connection you can monitor the link status of the link between the two devices Ethernet OAM provides the following functions z Link performance monitoring for detecting link errors z Fault detection and alarm for reporting link errors to the administrators z Loopback testing for detecting link errors through non OAM...

Page 1451: ...DUs are used for link monitoring They are sent as an alarm in case a failure occurs to the link connecting the local OAM entity and a remote OAM entity z Loopback control OAMPDUs are used for remote loopback control By inserting the information used to enable disable loopback to a Loopback control OAMPDU you can enable disable loopback on a remote OAM entity 1 1 2 OAM Connection Establishment Foll...

Page 1452: ...Responding to Loopback Control OAMPDUs Available if both sides operate in active OAM mode Available Transmitting organization specific OAMPDUs Available Available After an OAM connection is established the OAM entities on both sides exchange Information OAMPDUs periodically to keep the OAM connection valid If an OAM entity receives no Information OAMPDU for five seconds the OAM connection is consi...

Page 1453: ...gradually The flag field defined in OAMPDUs allows an OAM entity to send error information to its peer It can identify the following link faults z Link Fault Peer link signal is lost z Dying Gasp An unexpected fault such as power failure occurred z Critical Event An undetermined critical event happened As Information OAMPDUs are sent periodically across OAM connections an OAM entity can inform one...

Page 1454: ... view system view Enter Ethernet port view interface interface type interface number Set OAM operating mode oam mode active passive Optional The default is active OAM mode Enable OAM on the current port oam enable Required OAM is disabled by default After OAM is enabled the OAM entity tries to establish OAM connection with its peer Note z OAM connections can be initiated only by OAM entities opera...

Page 1455: ...econd Configure the threshold for error frame event detection oam errored frame threshold threshold value Optional The default is 1 Configure the period for frame percentage error event detection oam errored frame period period period value Optional The default is 1 000 milliseconds Configure the threshold for frame percentage error event detection oam errored frame period threshold threshold valu...

Page 1456: ...ystem first uses the following expression to convert the period for frame percentage error event detection to the maximum number of 64 byte frames that can be transmitted through an Ethernet port in the period bandwidth period 64 8 1000 where bandwidth is the port bandwidth in bps and period is the configured period in milliseconds z A second percentage error event occurs when a period for second ...

Page 1457: ...g is disabled all the ports involved will be shut down and then brought up z OAM loopback testing is disabled when you execute the undo oam enable command to disable OAM when you execute the undo oam loopback command to disable OAM loopback testing or when the OAM connection is timed out 1 3 Displaying and Maintaining OAM Configuration To do Use the command Remarks Display global OAM configuration...

Page 1458: ... 1 0 1 to operate in passive OAM mode and enable OAM for it DeviceA system view DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 oam mode passive DeviceA Ethernet1 0 1 oam enable DeviceA Ethernet1 0 1 quit Set the period for error frame event detection to 20 seconds DeviceA oam errored frame period 20 Set the threshold for error frame event detection to 10 DeviceA oam errored frame threshold...

Page 1459: ...ystem view DeviceB interface ethernet 1 0 1 DeviceB Ethernet1 0 1 oam enable DeviceB Ethernet1 0 1 quit Display OAM link error event statistics DeviceB display oam link event remote Port Ethernet1 0 1 Link Status Up OAMRemoteErrFrameEvent ms milliseconds Event Time Stamp 5789 Errored FrameWindow 10 100ms Errored Frame Threshold 1 Errored Frame 3 Error Running Total 35 Event Running Total 17 The ab...

Page 1460: ... DLDP Mode 1 11 1 2 3 Setting the Interval for Sending Advertisement Packets 1 11 1 2 4 Setting the DelayDown Timer 1 12 1 2 5 Setting the Port Shutdown Mode 1 13 1 2 6 Configuring DLDP Authentication 1 13 1 2 7 Resetting DLDP State 1 14 1 2 8 Resetting DLDP State in System view 1 14 1 2 9 Resetting DLDP State in Port view Port Group View 1 15 1 3 Displaying and Maintaining DLDP 1 15 1 4 DLDP Conf...

Page 1461: ...g DLDP z DLDP Configuration Example z Troubleshooting 1 1 Overview A special kind of links namely unidirectional links may occur in a network When a unidirectional link appears the local device can receive packets from the peer device through the link layer but the peer device cannot receive packets from the local device Unidirectional link can cause problems such as loops in a Spanning Tree Proto...

Page 1462: ...hut down the related port automatically or prompt users to take measures as configured to avoid network problems As a data link layer protocol DLDP cooperates with physical layer protocols to monitor the link status of a device The auto negotiation mechanism provided by physical layer protocols detects physical signals and faults DLDP however performs operations such as identifying peer devices de...

Page 1463: ... normally with all its neighbors in both directions or DLDP remains in active state for more than five seconds It is the normal state where no unidirectional link is detected Probe A device enters this state if it receives a packet from an unknown neighbor In this state DLDP sends packets to check whether the link is a unidirectional link After a device enters this state the probe sending timer is...

Page 1464: ...or an enhanced detect is launched When the Echo waiting timer expires and no Echo packet is received from a neighbor device the link is set as a unidirectional link and the device transits to the Disable state In this case the device sends Disable packets prompts the user to shut down the port or shuts down the port automatically depending on the DLDP down mode configured and removes the correspon...

Page 1465: ...e Inactive state when it detects a port down event When a device transits to this state the DelayDown timer is triggered The setting of the timer ranges from 1 to 5 in seconds A device in DelayDown state only responds to port up events A device in the DelayDown state resumes its original DLDP state if it detects a port up event before the DelayDown timer expires Otherwise it removes the correspond...

Page 1466: ...d DLDP mode however Port A tests Port B after the Entry timer concerning Port B expires Port A then transits to the Disable state if it receives no Echo packet from Port A when the Echo timer expires As Port B is physically down it is in the Inactive DLDP state Figure 1 3 A case for Enhanced DLDP mode Note z In normal DLDP mode only fiber cross connected unidirectional links as shown in Figure 1 1...

Page 1467: ...cation In this mode before sending a packet the sending side encrypts the user configured password using MD5 algorithm assigns the digest to the Authentication field and sets the Authentication type field to 2 The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the corresponding local configuration V DLDP implem...

Page 1468: ...s no process is performed Flush packet Determines whether or not the local port is in Disable state If not removes the corresponding neighbor entry if any If the corresponding neighbor entry does not exist creates the neighbor entry transits to Probe state and returns Echo packets Probe packet Retrieves the neighbor information If the corresponding neighbor entry already exists resets the Entry ti...

Page 1469: ...the neighbor Processing procedure In normal mode no echo packet is received when the Echo timer expires In enhanced mode no echo packet is received when the enhanced timer expires DLDP transits to the Disable state outputs log and tracking information and sends Disable packets In addition depending on the user defined DLDP down mode DLDP shuts down the local port or prompts users to shut down the ...

Page 1470: ...LDP State Optional Note that z DLDP works only when the link is up z To ensure unidirectional links can be detected make sure these settings are the same on the both sides DLDP state enabled disabled the interval for sending Advertisement packets authentication mode and password z Keep the interval for sending Advertisement packets adequate to enable unidirectional links to be detected in time If ...

Page 1471: ...ed in Ethernet port view applies to the current port only The configuration performed in port group view applies to all the ports in the port group Enable DLDP dldp enable Required Disabled on a port by default You can perform this operation on an optical port or an electrical port Caution DLDP takes effect only when it is enabled both globally and on a port 1 2 2 Setting DLDP Mode Follow these st...

Page 1472: ...nable DLDP to operate properly make sure the intervals for sending Advertisement packets on both sides of a link are the same 1 2 4 Setting the DelayDown Timer On some ports when the Tx line fails the port goes down and then comes up again causing optical signal jitters on the Rx line When a port goes down due to a Tx failure the device transits to the DelayDown state instead of the Inactive state...

Page 1473: ...rt shutdown mode To do Use the command Remarks Enter system view system view Set port shutdown mode dldp unidirectional shutdown auto manual Optional auto by default Caution z On a port with both remote OAM loopback and DLDP enabled if the port shutdown mode is auto mode the port will be shut down by DLDP when it receives a packet sent by itself causing remote OAM loopback to operate improperly To...

Page 1474: ...e after you reset DLDP state for it That is it can be in Inactive state if the port is physically down or in Active state if the port is physically up after you reset DLDP state for it Caution z The configuration of resetting DLDP state performed in system view applies to all the ports shut down by DLDP z The configuration of resetting DLDP state performed in port view or port group view applies t...

Page 1475: ...DP state dldp reset Required 1 3 Displaying and Maintaining DLDP To do Use the command Remarks Display the DLDP configuration of a port display dldp interface type interface number Available in any view Display the statistics on DLDP packets passing through a port display dldp statistics interface type interface number Available in any view Clear the statistics on DLDP packets passing through a po...

Page 1476: ...eviceA GigabitEthernet1 1 1 dldp enable DeviceA GigabitEthernet1 1 1 interface gigabitethernet 1 1 2 DeviceA GigabitEthernet1 1 2 dldp enable DeviceA GigabitEthernet1 1 2 quit Set the interval for sending Advertisement packets to 6 seconds DeviceA dldp interval 6 Set the DelayDown timer to 2 seconds DeviceA dldp delaydown timer 2 Set the DLDP mode as enhanced mode DeviceA dldp work mode enhance Se...

Page 1477: ...isable state and the links are down which means unidirectional links are detected and the two ports are thus shut down Reset DLDP state for the ports shut down by DLDP DeviceA dldp reset 2 Configuration on Device B The configuration on Device B is the same as that on Device A and is thus omitted Note If two fibers are cross connected all the four ports involved will be shut down by DLDP 1 5 Troubl...

Page 1478: ...es Chapter 1 DLDP Configuration 1 18 z DLDP authentication modes passwords on Device A and Device B are not the same Solution Make sure the interval for sending Advertisement packets the authentication mode and the password on Device A and Device B are the same ...

Page 1479: ...figuration Example 1 12 1 4 Configuring Transit Node 1 12 1 4 1 Configuration Procedure 1 12 1 4 2 Transit Node Configuration Example 1 13 1 5 Configuring Edge Node 1 14 1 5 1 Configuration Procedure 1 14 1 5 2 Edge Node Configuration Example 1 15 1 6 Configuring Assistant Edge Node 1 15 1 6 1 Configuration Procedure 1 15 1 6 2 Assistant Edge Node Configuration Example 1 17 1 7 Displaying and Main...

Page 1480: ...Maintaining RRPP z RRPP Typical Configuration Examples 1 1 RRPP Overview Rapid Ring Protection Protocol RRPP is an Ethernet ring specific link layer protocol It can not only prevent data loop from causing broadcast storm efficiently when the Ethernet ring is complete but also restore communication channels among nodes on the Ethernet ring rapidly when a link is torn down Compared with Spanning Tre...

Page 1481: ...ecially designed to transfer RRPP packets The ports accessing an RRPP ring on devices belong to the control VLAN of the ring and only these ports can join this VLAN IP address configuration is prohibited on the ports of the control VLAN You can configure a control VLAN for the primary ring namely the primary control VLAN However the control VLAN of a subring namely the secondary control VLAN is as...

Page 1482: ...ill logically deny data VLANs and permit only the packets of the control VLANs z When an RRPP ring is in disconnect state the secondary port of the master node will permit data VLANs that is forward packets of data VLANs 2 In terms of functionality there is no difference between the primary port and the secondary port of the transit node Both are designed for the transfer of protocol packets and d...

Page 1483: ...e ring transits into disconnect state until the secondary port receives the Health packet again Note z In an RRPP domain a transit node learns the Hello timer value and the Fail timer value on the master node through the received Health packets guaranteeing the consistency of two timer values across a ring z The Fail timer value must be greater than or equal to 3 times of the Hello timer value 1 1...

Page 1484: ...ckets to examine the links of the primary ring between the edge node and the assistant edge node Major Fault Assistant edge node initiates Major Fault packets to notify the edge node of a failure when a link of primary ring between edge node and assistant edge node is torn down 1 1 3 Typical RRPP Networking Here are several typical networking applications I Single ring Device A Device B Device C D...

Page 1485: ... node Ring 2 Figure 1 3 Multi domain tangent rings There are two or more rings in the network topology and only one common node between rings In this case you need define an RRPP domain for each ring III Single domain intersecting rings Figure 1 4 Single domain intersecting rings There are two or more rings in the network topology and two common nodes between rings In this case you only need to de...

Page 1486: ...is case you only need to define an RRPP domain and set one ring as the primary ring and other rings as subrings V Multi domain intersecting rings Device A Device B Device C Device D Device E Master node Transit node Domain 1 Ring1 Ring 2 Master node Device F Master node Ring 3 Domain 2 Domain 3 Transit node Transit node Figure 1 6 Multi domain intersecting rings There are two or more domains in a ...

Page 1487: ... domain is down Upon the receipt of a Link Down packet the master node releases the secondary port from blocking data VLAN while sending Common Flush FDB packet to notify all the transit nodes the edge nodes and the assistant nodes to update their own MAC entries and ARP entries III Ring recovery The master node may find the ring is restored after a period of time after the ports belonging to the ...

Page 1488: ...dge port is activated only when the edge node ensures that no loop will be brought forth when the edge port is activated 1 1 5 Protocols and Standards Related standard RFC 3619 1 2 RRPP Configuration Task List Complete the following tasks to configure RRPP Task Description Configuring Master Node Required Configuring Transit Node Optional Configuring Edge Node Optional Configuring Assistant Edge N...

Page 1489: ...in intersection common port and the two ports that access the same node to the same RRPP ring must not be configured as multi domain intersection common ports at the same time z When configuring multi domain intersecting rings do not enable or disable the RRPP ring on which the multi domain intersection common port resides with RRPP globally enabled z In the case of multi domain intersection the r...

Page 1490: ...nfiguration Procedure Follow these steps to configure master node To do Use the command Remarks Enter system view system view Create an RRPP domain and enter its view rrpp domain domain id Required Specify control VLAN for the RRPP domain control vlan vlan id Required Specify the current device as the master node of the ring and specify the primary port and the secondary port ring ring id node mod...

Page 1491: ...mary port and Ethernet 1 0 2 as the secondary port z Set the Hello timer value to 2 seconds and the Fail timer value to 7 seconds II Configuration procedure Sysname system view Sysname rrpp domain 1 Sysname rrpp domain1 control vlan 4092 Sysname rrpp domain1 ring 1 node mode master primary port ethernet 1 0 1 secondary port ethernet 1 0 2 level 0 Sysname rrpp domain1 timer hello timer 2 fail timer...

Page 1492: ...igured for an RRPP domain must be a new one z Control VLAN configuration is required for configuring an RRPP ring z To use the undo rrpp domain command to remove an RRPP domain you must ensure the RRPP domain has no RRPP ring 1 4 2 Transit Node Configuration Example I Network requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit ...

Page 1493: ...nd specify the primary port and the secondary port ring ring id node mode transit primary port interface type interface number secondary port interface type interface number level level value Required Specify the current device as the edge node of a subring and specify the common port and the edge port ring ring id node mode edge common port interface type interface number edge port interface type...

Page 1494: ...tworking requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit node of primary ring 1 in RRPP domain 1 Ethernet 1 0 1 as the primary port and Ethernet 1 0 2 as the secondary port z Specify the device as the edge node of subring 2 in RRPP domain 1 Ethernet 1 0 2 as a common port and Ethernet 1 0 4 as an edge port II Configuration ...

Page 1495: ... mode transit primary port interface type interface number secondary port interface type interface number level level value Required Specify the current device as the assistant edge node of the subring and specify a common port and an edge port ring ring id node mode assistant edge common port interface type interface number edge port interface type interface number Required Enable the primary rin...

Page 1496: ...1 6 2 Assistant Edge Node Configuration Example I Networking requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit node of primary ring 1 in RRPP domain 1 Ethernet 1 0 1 as the primary port and Ethernet 1 0 2 as the secondary port z Specify the device as the assistant edge node of subring 2 in RRPP domain 1 Ethernet 1 0 2 as the ...

Page 1497: ...ypical Configuration Examples This section covers these topics z Configuring Single Ring Topology z Configuring Intersecting Ring Topology 1 8 1 Configuring Single Ring Topology I Networking requirements z Device A Device B Device C and Device D constitute RRPP domain 1 z Specify the control VLAN of RRPP domain 1 as VLAN 4092 z Device A Device B Device C and Device D constitute primary ring 1 z Sp...

Page 1498: ...ing on the device z Enable the RRPP ring z Enable RRPP III Configuration procedure 1 Perform the following configuration on Device A Device A system view Device A rrpp domain 1 Device A rrpp domain1 control vlan 4092 Device A rrpp domain1 ring 1 node mode master primary port ethernet 1 0 1 secondary port ethernet 1 0 2 level 0 Device A rrpp domain1 ring 1 enable Device A rrpp domain1 quit Device A...

Page 1499: ... to view RRPP configuration 1 8 2 Configuring Single Domain Intersecting Ring Topology I Networking requirements z Device A Device B Device C and Device D constitute RRPP domain 1 z VLAN 4092 is the control VLAN of RRPP domain 1 z Device A Device B Device C and Device D constitute primary ring 1 z Device B Device C and Device E constitute subring 2 z Device A is the master node of primary ring 1 E...

Page 1500: ...domain z Specify the node mode of a device on an RRPP ring and the ports accessing the RRPP ring on the device z Enable these two RRPP rings z Enable RRPP III Configuration procedure 1 Perform the following configuration on Device A Device A system view Device A rrpp domain 1 Device A rrpp domain1 control vlan 4092 Device A rrpp domain1 ring 1 node mode master primary port ethernet 1 0 1 secondary...

Page 1501: ...ge common port ethernet 1 0 1 edge port ethernet 1 0 3 Device C rrpp domain1 ring 1 enable Device C rrpp domain1 ring 2 enable Device C rrpp domain1 quit Device C rrpp enable 4 Perform the following configuration on Device D Device D system view Device D rrpp domain 1 Device D rrpp domain1 control vlan 4092 Device D rrpp domain1 ring 1 node mode transit primary port ethernet 1 0 1 secondary port e...

Page 1502: ...net 1 0 2 is a multi domain intersection common port z Device C is a transit node on primary ring 1 in RRPP domain 1 and a transit node on primary ring 2 in RRPP domain 2 and Ethernet 1 0 2 is a multi domain intersection common port z Device D is a transit node on primary ring 1 in RRPP domain 1 Ethernet 1 0 1 is the primary port and Ethernet 1 0 2 is the secondary port z Device F is a transit nod...

Page 1503: ...ng configuration on Device B Device B system view Device B rrpp domain 1 Device B rrpp domain1 control vlan 4090 Device B rrpp domain1 ring 1 node mode transit primary port ethernet 1 0 1 secondary port ethernet 1 0 2 level 0 Device B rrpp domain1 ring 1 enable Device B rrpp domain1 quit Device B rrpp domain 2 Device B rrpp domain2 control vlan 4092 Device B rrpp domain2 ring 2 node mode transit p...

Page 1504: ...rpp domain1 quit Device D rrpp enable 5 Perform the following configuration on Device E Device E system view Device E rrpp domain 2 Device E rrpp domain2 control vlan 4092 Device E rrpp domain2 ring 2 node mode master primary port ethernet 1 0 1 secondary port ethernet 1 0 2 level 0 Device E rrpp domain2 ring 2 enable Device E rrpp domain2 quit Device E rrpp enable 6 Perform the following configur...

Page 1505: ...olicy 1 5 1 4 1 Configuration Prerequisites 1 5 1 4 2 Configuration Procedure 1 6 1 5 Displaying and Maintaining SSL 1 6 1 6 Troubleshooting SSL 1 6 1 6 1 SSL Handshake Failure 1 6 Chapter 2 HTTPS Configuration 2 1 2 1 HTTPS Overview 2 1 2 2 HTTPS Configuration Task List 2 1 2 3 Associating the HTTPS Service with an SSL Server Policy 2 2 2 4 Enabling the HTTPS Service 2 2 2 5 Associating the HTTPS...

Page 1506: ...ed during the handshake phase z Authentication SSL supports authenticating both the server and the client through certificates with the authentication of the client being optional z Reliability SSL uses key based message authentication code MAC to verify message integrity As shown in Figure 1 1 the SSL protocol consists of two layers of protocols the SSL record protocol at the lower layer and the ...

Page 1507: ... server and the SSL client Complete the following tasks to configure SSL Task Remarks Configuring an SSL Server Policy Required Configuring an SSL Client Policy Optional 1 3 Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up An SSL server policy takes effect only after it is associated with an application layer protocol HTTP protoco...

Page 1508: ...ot wait by default Set the maximum number of cached sessions and the caching timeout time session cachesize size timeout time Optional The defaults are as follows 500 for the maximum number of cached sessions 3600 seconds for the caching timeout time Enable certificate based SSL client authentication client verify enable Optional Not enabled by default Note If you enable client authentication here...

Page 1509: ...sname system view Sysname pki entity en Sysname pki entity en common name http server1 Sysname pki entity en fqdn ssl security com Sysname pki entity en quit Create a PKI domain and configure it Sysname pki domain 1 Sysname pki domain 1 ca identifier ca1 Sysname pki domain 1 certificate request url http 10 1 2 2 certsrv mscep mscep dll Sysname pki domain 1 certificate request from ra Sysname pki d...

Page 1510: ...ysname ip https ssl server policy myssl Enable HTTPS service Sysname ip https enable 4 Verify your configuration Launch IE on the host and enter https 10 1 1 1 in the address bar You should be able to log in to the switch and manage it Note z For details about PKI configuration commands refer to PKI Commands z For details about the public key local create rsa command refer to SSH Commands 1 4 Conf...

Page 1511: ...prefer cipher rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional rsa_rc4_128_md5 by default Specify the SSL protocol version for the SSL client policy version ssl3 0 tls1 0 Optional TLS 1 0 by default Note If you enable client authentication on the server you must request a local certificate for the client 1 5 Displaying and Maintaining SSL To do Use the command Remarks D...

Page 1512: ...em z If the SSL server has no certificate request one for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server or let the server requests a certificate from the CA that the SSL client trusts z If the SSL server is configured to authenticate the client but the certificate of the SSL client does ...

Page 1513: ...ayer SSL protocol The SSL protocol of HTTPS enhances the security of the device in the following ways z Uses the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security management of the device z Defines certific...

Page 1514: ...icy policy name Required Not associated by default Note z If the ip https ssl server policy command is executed repeatedly the HTTPS service is only associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again you need to re associate the HTTPS service with an SSL s...

Page 1515: ...lication process takes much time the SSL negotiation may fail and the HTTPS service cannot be started normally Therefore the ip https enable command must be executed for multiple times to ensure normal startup of the HTTPS service 2 5 Associating the HTTPS Service with a Certificate Attribute Access Control Policy Associating the HTTPS service with a configured certificate access control policy he...

Page 1516: ...ain at least one permit rule Otherwise no HTTPS client can log onto the device z For the configuration of an SSL server policy refer to PKI Configuration 2 6 Associating the HTTPS Service with an ACL Associating the HTTPS service with an ACL can filter out requests from some clients to let pass only clients that pass the ACL filtering Follow these steps to associate the HTTPS service with an ACL T...

Page 1517: ...In this configuration example Windows Server serves as CA and you need to install Simple Certificate Enrollment Protocol SCEP component II Network diagram Figure 2 1 Network diagram for HTTPS configuration III Configuration procedure Perform the following configurations on Switch 1 Apply for a certificate for Switch Configure a PKI entity Switch system view Switch pki entity en Switch pki entity e...

Page 1518: ...fy enable Switch ssl server policy myssl quit 3 Configure certificate access control policy Configure certificate attribute group Switch pki certificate attribute group mygroup1 Switch pki cert attribute group mygroup1 attribute 1 issuer name dn ctn new ca Switch pki cert attribute group mygroup1 quit Configure certificate access control policy myacp and create a control rule Switch pki certificat...

Page 1519: ...es Chapter 2 HTTPS Configuration 2 7 Launch the IE explorer on Host and enter https 10 1 1 1 You can log onto Switch and control it Note z For details of PKI commands refer to PKI Commands z For details of the public key local create rsa command refer to SSH Commands ...

Page 1520: ... in Auto Mode 1 8 1 5 2 Submitting a Certificate Request in Manual Mode 1 9 1 6 Retrieving a Certificate Manually 1 10 1 7 Configuring PKI Certificate Validation 1 11 1 8 Destroying a Local RSA Key Pair 1 13 1 9 Deleting a Certificate 1 13 1 10 Configuring an Access Control Policy 1 14 1 11 Displaying and Maintaining PKI 1 14 1 12 PKI Configuration Examples 1 15 1 12 1 Configuring a PKI Entity to ...

Page 1521: ...tion and public keys PKI allows users to request certificates use certificates and revoke certificates By leveraging digital certificates and relevant services like certificate distribution and blacklist publication PKI supports authentication the entities involved in communication and thus guaranteeing the confidentiality integrity and non repudiation of data 1 1 2 PKI Terms I Digital certificate...

Page 1522: ...and function an effective way for checking the validity of certificates A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degrade network performance III CA policy A CA policy is a set of criteria that a CA follows in managing certificate requests and in issuing revoking and publishing CRLs Usually a CA advertises its policy...

Page 1523: ...tes keys CRLs and logs while providing a simple query function LDAP is a protocol for accessing and managing PKI information An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service From an LDAP server an entity can retrieve local and CA certificates of its own as well as certificates of other entities 1 1 4 Applications of PKI Th...

Page 1524: ...on and issues a certificate 4 The RA receives the certificate from the CA sends it to the LDAP server to provide directory navigation service and notifies the entity that the certificate is successfully issued 5 The entity retrieves the certificate With the certificate the entity can communicate with other entities safely through encryption and digital signature 6 The entity makes a request to the...

Page 1525: ... where www is a host name and whatever com a domain name z IP address of the entity z Locality where the entity resides z Organization to which the entity belongs z Unit of the entity in the organization z State where the entity resides Note The configuration of an entity DN must comply with the CA certificate issue policy You need to determine for example which entity DN parameters are mandatory ...

Page 1526: ...the data length of a certificate request If the entity DN in a certificate request goes beyond a certain limit the server does not respond to the certificate request 1 4 Configuring a PKI Domain Before requesting a PKI certificate an entity needs to be configured with some enrollment information which is referred to as a PKI domain A PKI domain is intended only for convenience of reference by othe...

Page 1527: ...y deployed to store certificates and CRLs If this is the case you need to configure the IP address of the LDAP server z Fingerprint for root certificate validation Upon receiving the root certificate of the CA an entity needs to validate the fingerprint of the root certificate namely the hash value of the root certificate content This hash value is unique to every certificate The entity will rejec...

Page 1528: ...l No fingerprint is configured by default Note z Currently up to two PKI domains can be created on a device z The CA name is required only when you retrieve a CA certificate It is not used when in local certificate request 1 5 Submitting a PKI Certificate Request When requesting a certificate an entity introduces itself to the CA by providing its identity information and public key which will be t...

Page 1529: ...nerating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed information about RSA key pair configuration refer to SSH Configuration Follow these steps to submit a certificate request in manual mode To do Use t...

Page 1530: ...ficate stored locally z When it is impossible to request a certificate from the CA through SCEP you can save the request information by using the pki request certificate domain command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of an entity and the CA are synchronous Otherwise the validity period of the certificate may be a...

Page 1531: ...icate and local certificate first z The pki retrieval certificate configuration will not be saved in the configuration file 1 7 Configuring PKI Certificate Validation A certificate needs to be validated before being used Validating a certificate is to check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked Before validating a certificate you nee...

Page 1532: ...ieval crl domain domain name Required Verify the validity of a certificate pki validate certificate ca local domain domain name Required II Configuring CRL checking disabled PKI certificate validation Follow these steps to configure CRL checking disabled PKI certificate validation To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Disable CRL c...

Page 1533: ...pire you can destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Use the command Remarks Enter system view system view Destroy a local RSA key pair public key local destroy rsa Required Note For details about the public key local destroy rsa command refer to SSH Commands 1 9 Deleting a Certificate When a certific...

Page 1534: ...d alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject name by default Return to system view quit Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Required No access control poli...

Page 1535: ...uired when you use the Windows Server as the CA In this case when configuring the PKI domain you need to use the certificate request from ra command to specify that the entity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain you need to use the certificate request from ca command to specify that the entity request...

Page 1536: ...diction configuration page of the CA server This includes selecting the proper extension profiles enabling the SCEP autovetting function and adding the IP address list for SCEP autovetting 3 Configure the CRL publishing behavior After completing the above configuration you need to perform CRL related configurations In this example select the local CRL publishing mode of HTTP and set the HTTP URL t...

Page 1537: ...orsa certificate request entity aaa Configure the URL for the CRL distribution point Switch pki domain torsa crl url http 4 4 4 133 447 myca crl Switch pki domain torsa quit 3 Generate a local key pair using RSA Switch public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It may take a few minutes Press CTRL C to abort Input the bits in t...

Page 1538: ...n Use the following command to view information about the local certificate acquired Switch display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 9A96A48F 9A509FD7 05FFF4DF 104AD094 Signature Algorithm sha1WithRSAEncryption Issuer C cn O org OU test CN myca Validity Not Before Jan 8 09 26 53 2007 GMT Not After Jan 8 09 26 53 2008 GMT Subject CN Switch Subject Publ...

Page 1539: ...4B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands to view detailed information about the CA certificate and CRLs Refer to the parts related to display pki certificate ca domain and display pki crl domain commands in PKI Commands 1 12 2 Configuring a Certificate Attribute Based Access Control Policy I Network requirements z The client accesses the remote HTTPS serv...

Page 1540: ... rules The first rule defines that the DN of the subject name includes the string aabbcc and the second rule defines that the IP address of the certificate issuer is 10 0 0 1 Switch pki certificate attribute group mygroup1 Switch pki cert attribute group mygroup1 attribute 1 subject name dn ctn aabbcc Switch pki cert attribute group mygroup1 attribute 2 issuer name ip equ 10 0 0 1 Switch pki cert ...

Page 1541: ...ce Switch ip https certificate access control policy myacp Enable HTTPS service Switch ip https enable 1 13 Troubleshooting PKI 1 13 1 Failed to Retrieve a CA Certificate I Symptom Failed to retrieve a CA certificate II Analysis Possible reasons include these z The network connection is not proper For example the network cable may be damaged or loose z No trusted CA is specified z The URL of the e...

Page 1542: ...me required parameters of the entity DN are not configured III Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Configure the RA for certificate request z Configure the required entity DN parameters 1 13 3 Failed to Retrieve CRLs I Sympto...

Page 1543: ...itches Chapter 1 PKI Configuration 1 23 III Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LADP server z Specify the URL for CRL distribution z Re configure the LDAP version ...

Page 1544: ...Operation Manual Appendix H3C S3610 S5510 Series Ethernet Switches Table of Contents i Table of Contents Appendix A Acronyms A 1 ...

Page 1545: ...Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DHCP Dynamic Host Configuration Protocol DLDP Device Link Detection Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Proto...

Page 1546: ...r Edge MIB Management Information Base N NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM O OAM Operation Administration and Maintenance OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PKI Public Key Infrastructure Q ...

Page 1547: ...kets Layer STP Spanning Tree Protocol T TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand VRRP Virtual Router Redundancy Protocol W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking ...

Reviews:

No comments