manualshive.com logo in svg

H3C S5500-EI series, Operation Manual, Page: 1424 / 1529

Share
Download
H3C S5500-EI series Operation Manual Download Page 1424

Operation Manual – Port Security 
H3C S5500-EI Series Ethernet Switches  

Chapter 1  Port Security Configuration

 

1-1 

Chapter 1  Port Security Configuration 

When configuring port security, go to these sections for information you are interested 

in: 

z

 

Introduction to Port Security 

z

 

Port Security Configuration Task List 

z

 

Displaying and Maintaining Port Security 

z

 

Port Security Configuration Examples 

z

 

Troubleshooting Port Security 

1.1  Introduction to Port Security 

1.1.1  Port Security Overview 

Port security is a MAC address-based security mechanism for network access 

controlling. It is an extension to the existing 802.1x authentication and MAC 

authentication. It controls the access of unauthorized devices to the network by 

checking the source MAC address of an inbound frame and the access to unauthorized 

devices by checking the destination MAC address of an outbound frame.  

With port security, you can define various port security modes to make a device learn 

only legal source MAC addresses, so that you can implement different network security 

management as needed. When a port security-enabled device detects an illegal frame, 

it triggers the corresponding port security feature and takes a pre-defined action 

automatically. This reduces your maintenance workload and greatly enhances system 

security. 

The following types of frames are classified as illegal: 

z

 

Received frames with unknown source MAC addresses when MAC address 

learning is disabled. 

z

 

Received frames with unknown source MAC addresses when the number of MAC 

addresses learned by the port has already reached the upper limit. 

z

 

Frames from unauthenticated users. 

1.1.2  Port Security Features 

I. NTK 

The need to know (NTK) feature checks the destination MAC addresses in outbound 

frames and allows frames to be sent to only devices passing authentication, thus 

preventing illegal devices from intercepting network traffic.  

Summary of Contents for S5500-EI series

Page 1: ...H3C S5500 EI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20071120 C 1 01 Product Version Release 2102 ...

Page 2: ...InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of the contents but all statements information and recommendations ...

Page 3: ...uct overview and network application of the switches 1 Login Introduces the ways to log into an Ethernet switch 2 VLAN Introduces VLAN Voice VLAN GVRP fundamental and the related configuration 3 IP Addressing and IP Performance Introduces IP address and IP performance fundamental and the related configuration 4 QinQ BPDU Tunneling Introduces QinQ BPDU Tunneling and the related configuration 5 Port...

Page 4: ...ticast protocol related configurations 16 802 1x HABP MAC Authentication Introduces 802 1x HABP MAC and related configurations 17 AAA RADIUS HWTACACS Introduces AAA RADIUS HWTACACS and the related configurations 18 ARP Introduces ARP and the related configuration 19 DHCP Introduces DHCP and the related configuration 20 ACL Introduces IPv4 IPv6 based ACL and the related configuration 21 QoS Introdu...

Page 5: ...d the related configurations 35 Port Security Introduces Port Security and the related configurations 36 LLDP Introduces LLDP and the related configurations 37 PoE Introduces PoE and the related configuration 38 sFlow Introduces sFlow and the related configurations 39 SSL HTTPS Introduces SSL HTTPS and the related configurations 40 PKI Introduces PKI and the related configurations 41 Track Introdu...

Page 6: ...al bars Many or none can be selected 1 n The argument s before the ampersand sign can be entered 1 to n times A line starting with the sign is comments II GUI conventions Convention Description Button names are inside angle brackets For example click OK Window names menu items data table and field names are inside square brackets For example pop up the New User window Multi level menus are separat...

Page 7: ...1 3 Software Version Release 1 2 Chapter 2 Documentation and Product Version 2 1 2 1 Documentation and Software Version 2 1 2 2 H3C S5500 EI Series Ethernet Switch Documentation Set 2 1 Chapter 3 Product Overview 3 1 3 1 Preface 3 1 3 2 Product Models 3 1 Chapter 4 Networking Applications 4 1 4 1 Serving as a Convergence Layer Device 4 1 4 2 Serving as a Access Layer Device 4 1 ...

Page 8: ...an irregular basis due to product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version This manual serves the purpose of user guide only Unless otherwise noted all the information in the document set does not claim or imply any warranty For the latest software documentation go to the H3C website 1 2 H3C Website Perform the following steps to quer...

Page 9: ...Ethernet Switches Chapter 1 Obtaining the Documentation 1 2 1 3 Software Version Release With software upgrade new software features may be added You can acquire the information about the newly added software features through software release notes ...

Page 10: ...Ethernet Switches Command Manual Release 2102 apply to S5500 EI series Ethernet switches with their software version being Release 2102 2 2 H3C S5500 EI Series Ethernet Switch Documentation Set Table 2 1 H3C S5500 EI series Ethernet switch documentation set Manual Manual version H3C S5500 EI Series Ethernet Switches Installation Manual V1 01 H3C S5500 EI Series Ethernet Switches Operation Manual R...

Page 11: ...ets and metropolitan area networks MANs Supporting IPv4 IPv6 dual stack the S5500 EI series provide abundant service features and routing functions and can also be used for connecting server groups in data centers 3 2 Product Models Table 3 1 Models in the H3C S5500 EI series Model Number of service ports Ports Console port H3C S5500 28C EI 28 24 10 100 1 000 M electrical ports 4 Gigabit SFP Combo...

Page 12: ...duct Overview 3 2 Model Number of service ports Ports Console port H3C S5500 28F EI 28 24 100 1 000 M SFP ports 8 10 100 1 000 M Combo electrical ports 2 10GE module slots 1 H3C S5500 28C EI DC 28 24 10 100 1 000 M electrical ports 4 Gigabit SFP Combo ports 2 10GE module slots 1 ...

Page 13: ...op GTTD access of enterprise networks user access of campus networks and connection of data center server clusters Several typical networking applications are described as follows 4 1 Serving as a Convergence Layer Device In medium and large sized enterprises or campus networks the S5500 EI series Ethernet switches can serve as convergence layer switches that provide high performance and large cap...

Page 14: ...Chapter 4 Networking Applications 4 2 Ethernet cables the S5500 EI series can provide power to IP phone WLAN AP and other PD devices that support IEEE 802 3af to facilitate network maintenance and management Figure 4 2 Application of S5500 EI series at access layer ...

Page 15: ...onfiguration with Authentication Mode Being Password 2 10 2 5 1 Configuration Procedure 2 10 2 5 2 Configuration Example 2 12 2 6 Console Port Login Configuration with Authentication Mode Being Scheme 2 14 2 6 1 Configuration Procedure 2 14 2 6 2 Configuration Example 2 17 Chapter 3 Logging In Through Telnet 3 1 3 1 Introduction 3 1 3 1 1 Common Configuration 3 1 3 1 2 Telnet Configurations for Di...

Page 16: ...1 Overview 7 1 7 2 Configuring Source IP Address for Telnet Service Packets 7 1 7 3 Displaying the source IP address Interface Specified for Telnet Packets 7 2 Chapter 8 Controlling Login Users 8 1 8 1 Introduction 8 1 8 2 Controlling Telnet Users 8 1 8 2 1 Prerequisites 8 1 8 2 2 Controlling Telnet Users by Source IP Addresses 8 1 8 2 3 Controlling Telnet Users by Source and Destination IP Addres...

Page 17: ...eries Ethernet switch supports two types of user interfaces AUX and VTY Table 1 1 Description on user interface User interface Applicable user Port used Description AUX Users logging in through the console port Console port Each switch can accommodate one AUX user VTY Telnet users and SSH users Ethernet port Each switch can accommodate up to five VTY users Note As the AUX port and the console port...

Page 18: ...sages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Disconnect a specified user interface free user interface type number Optional Execute this command in user view Enter system view system view Set the banner header incoming legal login shell motd text Optional Set a system name for the switch sysname string Optional Enter...

Page 19: ...he screen length 0 command to disable the function to display information in pages Make terminal services available shell Optional By default terminal services are available in all user interfaces Set the display type of a terminal terminal type ansi vt100 Optional By default the terminal display type is ANSI The device must use the same type of display as the terminal If the terminal uses VT 100 ...

Page 20: ...to an S5500 EI series Ethernet switch through its console port only To log in to an Ethernet switch through its console port the related configuration of the user terminal must be in accordance with that of the console port Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Setting Default Baud rate 9 600 bps Flow control Off Check mode No check...

Page 21: ...e console port launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish t...

Page 22: ...sfully completes POST power on self test The prompt such as H3C appears after the user presses the Enter key z You can then configure the switch or check the information about the switch by executing commands You can also acquire help by type the character Refer to the following chapters for information about the commands 2 3 Console Port Login Configuration 2 3 1 Common Configuration Table 2 2 li...

Page 23: ...the AUX user interface Optional By default commands of level 3 are available to the users logging in to the AUX user interface Define a shortcut key for aborting tasks Optional The default shortcut key combination for aborting tasks is Ctrl C Define a shortcut key for starting terminal sessions Optional By default pressing Enter key starts the terminal session Make terminal services available Opti...

Page 24: ...urations for Different Authentication Modes Table 2 3 lists console port login configurations for different authentication modes Table 2 3 Console port login configurations for different authentication modes Authentication mode Console port login configuration Description None Perform common configuration Perform common configuration for console port login Optional Refer to section 2 3 1 Common Co...

Page 25: ...he user name and password of a local user are configured on the switch z The user name and password of a remote user are configured on the RADIUS server Refer to user manual of RADIUS server for more Manage AUX users Set service type for AUX users Required Scheme Perform common configuration Perform common configuration for console port login Optional Refer to section 2 3 1 Common Configuration fo...

Page 26: ...l The default data bits of a console port is 8 Configure the command level available to users logging in to the user interface user privilege level level Optional By default commands of level 3 are available to users logging in to the AUX user interface Define a shortcut key for starting terminal sessions activation key character Optional By default pressing Enter key starts the terminal session D...

Page 27: ... level available to users logging in to a switch depends on both the authentication mode none command and the user privilege level level command as listed in the following table Table 2 4 Determine the command level A Scenario Authentication mode User type Command Command level The user privilege level level command not executed Level 3 None authentication m ode none Users logging in through conso...

Page 28: ...ser logging in through the console port H3C ui aux0 authentication mode none Specify commands of level 2 are available to the user logging in to the AUX user interface H3C ui aux0 user privilege level 2 Set the baud rate of the console port to 19 200 bps H3C ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 H3C ui aux0 screen length 30 Set the maximum number of comma...

Page 29: ...word authentication Set the local password set authentication password cipher simple password Required Set the baud rate speed speed value Optional The default baud rate of an AUX port also the console port is 9 600 bps Set the check mode parity even mark none odd space Optional By default the check mode of a console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optio...

Page 30: ... information in pages Set history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the conn...

Page 31: ...w you to login through Telnet and your user level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z The user is authenticated against the local password when logging in through the console port z The local password is set to 123456 in plain text z The commands of level 2 are available to users logging in to the AU...

Page 32: ... AUX user interface H3C ui aux0 user privilege level 2 Set the baud rate of the console port to 19 200 bps H3C ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 H3C ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 H3C ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes H...

Page 33: ...pecify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA RADIUS HWTACACS module for more z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Create a local user Enter local user view local user user ...

Page 34: ...ult commands of level 3 are available to users logging in to the AUX user interface Define a shortcut key for starting terminal sessions activation key character Optional By default pressing Enter key starts the terminal session Define a shortcut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services ava...

Page 35: ...termine the command level Scenario Authentication mode User type Command Command level The user privilege level level command is not executed and the service type terminal level level command does not specify the available command level Level 0 The default command level available for local users is level 0 The user privilege level level command is not executed and the service type terminal level l...

Page 36: ... Terminal z Configure to authenticate the user logging in through the console port in the scheme mode z The commands of level 2 are available to the user logging in to the AUX user interface z The baud rate of the console port is 19 200 bps z The screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of the AUX user interface is 6 minutes II N...

Page 37: ...me Set the baud rate of the console port to 19 200 bps H3C ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 H3C ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 H3C ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes H3C ui aux0 idle timeout 6 After the above configurat...

Page 38: ...ther settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Note z After you log in to the switch through Telnet you can issue commands to the switch by way of pasting session text which cannot exceed 2000 bytes and the pasted commands must be in the same view otherwise the switch may not execute t...

Page 39: ...hortcut key combination for aborting tasks is Ctrl C Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain up to 10 commands VTY terminal conf...

Page 40: ...o perform local authentication or RADIUS authentication AAA configuration specifies whether to perform local authentication or RADIUS authentication Optional Local authentication is performed by default Refer to the AAA RADIUS HWTACACS module for more Configure user name and password Configure user names and passwords for local remote users Required z The user name and password of a local user are...

Page 41: ...ble to users logging in to VTY user interfaces Configure the protocols to be supported by the VTY user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automatically executed when a user ...

Page 42: ...Note that if you configure not to authenticate the users the command level available to users logging in to a switch depends on both the authentication mode none command and the user privilege level level command as listed in Table 3 4 Table 3 4 Determine the command level when users logging in to switches are not authenticated Scenario Authentication mode User type Command Command level The user ...

Page 43: ...m view H3C telnet server enable Enter VTY 0 user interface view H3C user interface vty 0 Configure not to authenticate Telnet users logging in to VTY 0 H3C ui vty0 authentication mode none Specify commands of level 2 are available to users logging in to VTY 0 H3C ui vty0 user privilege level 2 Configure Telnet protocol is supported H3C ui vty0 protocol inbound telnet Set the maximum number of line...

Page 44: ...e the command level available to users logging in to the user interface user privilege level level Optional By default commands of level 0 are available to users logging in to VTY user interface Configure the protocol to be supported by the user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the command that is automatically ex...

Page 45: ... interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure to authenticate the users in the password mode the command level available to users logging in to a switch depends on bo...

Page 46: ...gram Figure 3 2 Network diagram for Telnet configuration with the authentication mode being password III Configuration procedure Enter system view and enable the Telnet service H3C system view H3C telnet server enable Enter VTY 0 user interface view H3C user interface vty 0 Configure to authenticate users logging in to VTY 0 using the local password H3C ui vty0 authentication mode password Set the...

Page 47: ...uit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA RADIUS HWTACACS modul...

Page 48: ... Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automatically executed when a user logs into a user interface Define a shortcut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available shell Optio...

Page 49: ...tory directory lan access ssh telnet terminal level level command as listed in Table 3 6 Table 3 6 Determine the command level when users logging in to switches are authenticated in the scheme mode Scenario Authenticat ion mode User type Command Command level The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The...

Page 50: ...ervice type command specifies the available command level Determined by the user privilege level level command The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The user privilege level level command is not executed and the service type command specifies the available command level Determined by the service ty p...

Page 51: ... The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes II Network diagram Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme III Configuration procedure Enter system view and enable the Telnet service H3C system view H3C telnet server enable Create a local user named guest and enter local user view H3C local user ...

Page 52: ...ion to the Console Port z Execute the following commands in the terminal window to enable the Telnet server function and assign an IP address to the management VLAN interface of the switch Enable the Telnet server function and configure the IP address of the management VLAN interface as 202 38 160 92 and the subnet mask as 255 255 255 0 H3C system view H3C telnet server enable H3C interface vlan i...

Page 53: ...nd prompts for login password The CLI prompt such as H3C appears if the password is correct If all VTY user interfaces of the switch are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try later A H3C series Ethernet switch can accommodate up to five Telnet connections at same time Step 6 After successfully Telnetting to a swit...

Page 54: ...netting to a switch labeled as Telnet client you can Telnet to another switch labeled as Telnet server by executing the telnet command and then to configure the later Figure 3 6 Network diagram for Telnetting to another switch from the current switch Step 1 Configure the user name and password for Telnet on the switch operating as the Telnet server Refer to section 3 2 Telnet Configuration with Au...

Page 55: ...essage that says All user interfaces are used please try later Step 5 After successfully Telnetting to the switch you can configure the switch or display the information about the switch by executing corresponding commands You can also type at any time for help Refer to the following chapters for the information about the commands ...

Page 56: ...ing table Table 4 1 Requirements for logging in to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the console port of the switch properly The modem is properly configured The modem is properly connected to PSTN and ...

Page 57: ...ation Note After logging in to a switch through its console port by using a modem you will enter the AUX user interface The corresponding configuration on the switch is the same as those when logging in to the switch locally through its console port except that z When you log in through the console port using a modem the baud rate of the console port is usually set to a value lower than the transm...

Page 58: ...Configuration with Authentication Mode Being Scheme for more Step 2 Perform the following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Set DSR to high level by force ATEQ1 W Disable the modem from returning co...

Page 59: ...nd 82882285 Modem Modem Figure 4 1 Establish the connection by using modems Step 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 and Figure 4 3 Note that you need to set the telephone number to that of the modem directly connected to the switch Figure 4 2 Set the telephone number ...

Page 60: ...uch as H3C appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the following chapters for information about the configuration commands Note If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the System Maintenance and Debugging module for information about command...

Page 61: ...ddress of the management VLAN of the switch is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging in to the Web based network management system are configured IE is available PC operating as the network management terminal The IP address of t...

Page 62: ... PC and the switch as shown in the following figure Figure 5 1 Establish an HTTP connection between your PC and the switch Step 4 Log in to the switch through IE Launch IE on the Web based network management terminal your PC and enter the IP address of the management VLAN interface of the switch here it is http 10 153 17 82 Make sure the route between the Web based network management terminal and ...

Page 63: ...e this command in system view The Web server is started by default Start the Web server ip http enable Required Execute this command in system view 5 4 Displaying Web Users After the above configurations execute the display command in any view to display the information about Web users and thus to verify the configuration effect Table 5 2 Display information about Web users To do Use the command D...

Page 64: ... agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the management VLAN of the switch is configured The route between the NMS and the switch is available Refer to the module IP Addressing and Performance and IP Routing for more Switch ...

Page 65: ...face of the switch is used to transmit packets between the Telnet client and the Telnet server This conceals the IP address of the actual interface used As a result external attacks are guarded and the security is improved On the other hand you can configure the Telnet server to accept only Telnet service packets with specific source IP addresses to make sure specific users can log in to the switc...

Page 66: ...e interface number Optional Not specified by default Note To perform the configurations listed in Table 7 1 and Table 7 2 make sure that z The IP address specified is that of the local device z The interface specified exists z If a source IP address or source interface is specified you need to make sure that the route between the IP addresses or interface of both sides is reachable 7 3 Displaying ...

Page 67: ...resses Through Layer 2 ACLs Section 8 2 4 Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Section 8 3 2 Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACLs Section 8 4 2 Controlling Web Users by Source IP Addresses WEB Disconnect Web users by force By executing commands in CLI Section 8 4 3 Disconnect...

Page 68: ...d The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 8 2 3 Controlling Telnet Users by Source and Destination IP Addresses Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs which are numbered from 3000 to...

Page 69: ...g Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs which are numbered from 4000 to 4999 Refer to the ACL module for information about defining an ACL To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Def...

Page 70: ...acl number 2000 match order config H3C acl basic 2000 rule 1 permit source 10 110 100 52 0 H3C acl basic 2000 rule 2 permit source 10 110 100 46 0 H3C acl basic 2000 rule 3 deny source any H3C acl basic 2000 quit Apply the ACL H3C user interface vty 0 4 H3C ui vty0 4 acl 2000 inbound 8 3 Controlling Network Management Users by Source IP Addresses You can manage a S5500 EI series Ethernet switch th...

Page 71: ...mand the config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp agent community read write community name mib view view name acl acl number Required Apply the ACL while configuring the SNMP group na...

Page 72: ...t group command and the snmp agent group v3 command and SNMP user names the snmp agent usm user command and the snmp agent usm user v3 command take effect in the network management systems that adopt SNMPv2c or higher SNMP versions If you configure both the SNMP group name and the SNMP user name and specify ACLs in the two operations the switch will filter network management users by both SNMP gro...

Page 73: ...perform the following two operations to control Web users by source IP addresses z Defining an ACL z Applying the ACL to control Web users 8 4 1 Prerequisites The controlling policy against Web users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying 8 4 2 Controlling Web Users by Source IP Addresses Controlling Web users by source IP...

Page 74: ...Example I Network requirements Only the users sourced from the IP address of 10 110 100 52 are permitted to access the switch II Network diagram Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Figure 8 3 Network diagram for controlling Web users using ACLs III Configuration procedure Define a basic ACL H3C system view H3C acl number 2030 match order config H3C acl basic 2030 rule 1 per...

Page 75: ...ration 1 13 1 6 1 Introduction to Protocol Based VLAN 1 13 1 6 2 Configuring a Protocol Based VLAN 1 13 1 7 Configuring IP Subnet Based VLAN 1 15 1 7 1 Introduction 1 15 1 7 2 Configuring an IP Subnet Based VLAN 1 15 1 8 Displaying and Maintaining VLAN 1 16 1 9 VLAN Configuration Example 1 17 Chapter 2 Voice VLAN Configuration 2 1 2 1 Introduction to Voice VLAN 2 1 2 1 1 Voice VLAN Modes on a Port...

Page 76: ... Standards 3 5 3 2 GVRP Configuration Task List 3 5 3 3 Configuring GVRP 3 5 3 3 1 Enabling GVRP 3 5 3 3 2 Configuring GARP Timers 3 6 3 4 Displaying and Maintaining GVRP 3 7 3 5 GVRP Configuration Examples 3 8 3 5 1 GVRP Configuration Example I 3 8 3 5 2 GVRP Configuration Example II 3 9 3 5 3 GVRP Configuration Example III 3 10 ...

Page 77: ...tiple Access Collision Detect CSMA CD mechanism As the medium is shared in an Ethernet network performance may degrade as the number of hosts on the network is increasing If the number of the hosts in the network reaches a certain level problems caused by collisions broadcasts and so on emerge which may cause the network operating improperly In addition to the function that suppresses collisions w...

Page 78: ...nning physical network segments That is users from the same workgroup do not have to be within the same physical area making network construction and maintenance much easier and more flexible 1 1 2 VLAN Fundamental To enable packets being distinguished by the VLANs they belong to The VLAN tag fields used to identify VLANs are added to packets As common switches operate on the data link layer of th...

Page 79: ...es are encapsulated in standard format when packets are transmitted across different medium With the field set to 0 MAC addresses are encapsulated in standard format with the field set to 1 MAC addresses are encapsulated in non standard format The filed is 0 by default z The VLAN ID field 12 bits in length and with its value ranging from 0 to 4095 identifies the ID of the VLAN a packet belongs to ...

Page 80: ...AN protocol based VLAN and IP subnet based VLAN 1 2 Configuring Basic VLAN Attributes Follow these steps to configure basic VLAN attributes To do Use the command Remarks Enter system view system view Create VLANs vlan vlan id1 to vlan id2 all Optional Using this command can create multiple VLANs in a bulk Enter VLAN view vlan vlan id Required If the specified VLAN does not exist the command create...

Page 81: ...s are Layer 3 virtual interfaces which do not exist physically on devices used for Layer 3 interoperability between different VLANs Each VLAN can have one VLAN interface Packets of a VLAN can be forwarded on network layer through the corresponding VLAN interface As each VLAN forms a broadcast domain a VLAN can be an IP network segment and the VLAN interface can be the gateway to enable IP address ...

Page 82: ...erface will not be created 1 4 Port Based VLAN Configuration 1 4 1 Introduction to Port Based VLAN This is the simplest and yet the most effective way of classifying VLANs It groups VLAN members by port After added to a VLAN a port can forward the packets of the VLAN I Port link type Based on the tag handling mode a port s link type can be one of the following three z Access port the port only bel...

Page 83: ... an Access port will revert to VLAN 1 whereas that for the Trunk or Hybrid port remains meaning the port can use a nonexistent VLAN as the default VLAN Note For a port in automatic voice VLAN mode do not set the voice VLAN as the default VLAN of the port Otherwise the system prompts error information For information about voice VLAN refer to Voice VLAN Configuration Configured with the default VLA...

Page 84: ... the port z Discard the packet if the VLAN ID is not in the list of VLANs allowed to pass through the port Send the packet if the VLAN ID is allowed to pass through the port Use the port hybrid vlan command to configure whether the port keeps or strips the tags when sending packets of a VLAN including the default VLAN 1 4 2 Configuring an Access Port Based VLAN There are two ways to configure Acce...

Page 85: ...efault Add the current Access port to a specified VLAN port access vlan vlan id Optional By default all Access ports belong to VLAN 1 Note To add an Access port to a VLAN make sure the VLAN already exists 1 4 3 Configuring a Trunk Port Based VLAN A Trunk port may belong to multiple VLANs and you can only perform this configuration in Ethernet port view or port group view Follow these steps to conf...

Page 86: ...transmitted properly 1 4 4 Configuring a Hybrid Port Based VLAN A Hybrid port may belong to multiple VLANs and this configuration can only be performed in Ethernet port view or port group view Follow these steps to configure the Hybrid port based VLAN To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter Ethernet port v...

Page 87: ...er being tagged with the tag of the VLAN This function is usually coupled with the security technologies such as 802 1X to provide secure and flexible network accesses for terminal devices I MAC address based VLAN implementation With MAC address based VLANs created on a port the port operates as follows z If an untagged packet is received the port checks its MAC address VLAN entries for the one th...

Page 88: ...server 1 5 2 Configuring a MAC Address Based VLAN Note MAC address based VLANs are available only on Hybrid ports Follow these steps to configure a MAC address based VLAN To do Use the command Remarks Enter system view system view Associate MAC addresses with a VLAN mac vlan mac address mac addr mask mac mask vlan vlan id priority priority Required Enter Ethernet interface view interface interface...

Page 89: ...rmat and protocol type A port can be associated to multiple protocol templates An untagged packet that is packet carrying no VLAN tag reaching a port associated with a protocol based VLAN will be processed as follows z If the packet matches a protocol template the packet will be tagged with the VLAN ID of the protocol based VLAN defined by the protocol template z If the packet matches no protocol ...

Page 90: ... port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name aggregation agg id Use either command In Ethernet port view the subsequent configurations only apply to the current port in port group view the subsequent configurations apply to all ports in the port group Configure the port link type as Hybrid p...

Page 91: ... configure a VLAN as both a protocol based VLAN and a voice VLAN Because a protocol based VLAN requires that the inbound packets on the Hybrid port are untagged packets whereas the Hybrid port working in auto voice VLAN mode only supports to process tagged voice traffic For more information refer to Voice VLAN Configuration 1 7 Configuring IP Subnet Based VLAN 1 7 1 Introduction In this approach V...

Page 92: ... ports in the port group Configure port link type as Hybrid port link type hybrid Required Allow an IP subnet based VLAN to pass through the current Hybrid port port hybrid vlan vlan id list tagged untagged Required Configure the association between the Hybrid port and the IP subnet based VLAN port hybrid ip subnet vlan vlan vlan id Required 1 8 Displaying and Maintaining VLAN To do Use the comman...

Page 93: ...y view Display the IP subnet based VLAN information and IP subnet index of specified ports display ip subnet vlan interface interface type interface number to interface type interface number all Available in any view Clear the statistics on a VLAN interface reset counters interface Vlan interface vlan interface id Available in user view 1 9 VLAN Configuration Example I Network requirements z Devic...

Page 94: ... 0 1 DeviceA GigabitEthernet1 0 1 port trunk permit vlan 2 6 to 50 100 Please wait Done 2 Configure Device B following similar steps as that of Device A IV Verification Verifying the configuration of Device A is similar to that of Device B So only Device A is taken for example here Display the information about GigabitEthernet 1 0 1 of Device A to verify the above configurations DeviceA display in...

Page 95: ...dcasts 11111535 multicasts Input 0 input errors 0 runts 0 giants 0 throttles 0 CRC 0 frame overruns 0 aborts ignored parity errors Output total 175995 packets 31290143 bytes 47 broadcasts 68494 multicasts 0 pauses Output normal 175995 packets bytes 47 broadcasts 68494 multicasts 0 pauses Output 0 output errors underruns buffer failures 0 aborts 0 deferred 0 collisions 0 late collisions 0 lost carr...

Page 96: ...traffic improving transmission priority and ensuring voice quality A device determines whether a received packet is a voice packet by checking its source MAC address Packets containing source MAC addresses that comply with the voice device Organizationally Unique Identifier OUI for short addresses are regarded as voice traffic and are forwarded to the voice VLAN You can configure the OUI addresses...

Page 97: ...atically add the port into the Voice VLAN and apply ACL rules and configure the packet precedence An aging time can be configured for the voice VLAN The system will remove a port from the voice VLAN if no voice packet is received from it after the aging time The adding and removing of ports are automatically realized by the system z In manual mode administrators add the IP phone access port to the...

Page 98: ...ybrid not supported Access not supported Trunk supported provided that the default VLAN of the access port exists and is not the voice VLAN and that the access port belongs to the default VLAN Tagged voice traffic Hybrid supported provided that the default VLAN of the access port exists and is not the voice VLAN and is in the list of tagged VLANs whose packets can pass through the access port Acce...

Page 99: ...ation refer to section Port Based VLAN Configuration z Use the display interface command to display the default VLAN and the VLANs that are allowed to go through a certain port 2 1 2 Security Mode and Normal Mode for the Voice VLAN Voice VLAN modes fall into security mode and normal mode based on the filtering mechanisms of the voice VLAN enabled ports on the inbound packets In the two modes the v...

Page 100: ...ode Follow these steps to set the port voice VLAN mode to automatic To do Use the command Remarks Enter system view system view Configure the aging time of the voice VLAN voice vlan aging minutes Optional Only applicable to ports in automatic mode and defaults to 1 440 minutes Enable the security mode for the voice VLAN voice vlan security enable Optional Enabled by default Configure the OUI addre...

Page 101: ...ed as the voice VLAN Otherwise the system will prompt error information 2 2 3 Configuring Voice VLAN Mode on a Port to Manual Mode Follow these steps to set the port voice VLAN mode to manual To do Use the command Remarks Enter system view system view Enable the security mode of a voice VLAN voice vlan security enable Optional Enabled by default Configure the OUI address of a voice VLAN voice vlan...

Page 102: ...s operation is required if the inbound voice traffic is untagged If the inbound voice traffic is tagged do not configure the voice VLAN as the default VLAN of the port Enable the voice VLAN feature on the port voice vlan enable Required Note z Only one VLAN of a device can have the voice VLAN function enabled at a time and the VLAN must be an exsiting static VLAN z A port that is in a link aggrega...

Page 103: ...1 with an OUI address of 0011 2200 0000 and a mask of ffff ff00 0000 to be forwarded through the voice VLAN II Network diagram Internet Device A GE 1 0 1 VLAN2 VLAN2 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 Device B Figure 2 1 Network diagram for automatic voice VLAN mode configuration III Configuration procedure Create VLAN 2 and VLAN 6 DeviceA system view DeviceA vlan 2 DeviceA vlan2 quit...

Page 104: ...id vlan 6 tagged Enable the voice VLAN feature on the port DeviceA GigabitEthernet1 0 1 voice vlan enable DeviceA GigabitEthernet1 0 1 return IV Verification Display information about the OUI addresses OUI address masks and descriptive strings DeviceA display voice vlan oui Oui Address Mask Description 0001 e300 0000 ffff ff00 0000 Siemens phone 0003 6b00 0000 ffff ff00 0000 Cisco phone 0004 0d00 ...

Page 105: ... Eth1 0 1 VLAN2 VLAN2 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 Device B Figure 2 2 Network diagram for manual voice VLAN mode configuration III Configuration procedure Configure the voice VLAN to work in security mode and only allows legal voice packets to pass through the voice VLAN enabled port Optional enabled by default DeviceA system view DeviceA voice vlan security enable Configure th...

Page 106: ...eA GigabitEthernet1 0 1 voice vlan enable IV Verification Display information about the OUI addresses OUI address masks and descriptive strings DeviceA display voice vlan oui Oui Address Mask Description 0001 e300 0000 ffff ff00 0000 Siemens phone 0003 6b00 0000 ffff ff00 0000 Cisco phone 0004 0d00 0000 ffff ff00 0000 Avaya phone 0011 2200 0000 ffff ff00 0000 test 0060 b900 0000 ffff ff00 0000 Phi...

Page 107: ...does not exist on a device as an entity GARP compliant participants are known as GARP applications One example is GVRP When a GARP participant is present on a port on your device the port is regarded as a GARP participant I GARP messages and timers 1 GARP messages GARP participants exchange information through the following three types of messages Join message Leave message and LeaveAll message z ...

Page 108: ... a join timer to set the sending interval If the first Join message is not acknowledged after the interval defined by the Join timer the GARP participant sends the second Join message z Leave timer Starts upon receipt of a Leave message sent for deregistering some attribute information If no Join message is received before this timer expires the GARP participant removes the attribute information a...

Page 109: ...th a particular multicast MAC address as destination Based on this address a device can identify to which GVRP application GVRP for example should a GARP PDU be delivered III GARP message format The following figure illustrates the GARP message format Figure 3 1 GARP message format Table 3 1 describes the GARP message fields Table 3 1 Description on the GARP message fields Field Description Value ...

Page 110: ...local database about active VLAN members and through which port they can be reached It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries from other devices GVRP provides the following three registration types on a por...

Page 111: ...rs Optional 3 3 Configuring GVRP 3 3 1 Enabling GVRP Follow these steps to enable GVRP on a trunk port To do Use the command Remarks Enter system view system view Enable GVRP globally gvrp Required Globally disabled by default Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group aggregation agg id manual por...

Page 112: ...iew interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name aggregation agg id Use either command In Ethernet port view the subsequent configurations only apply to the current port in port group view the subsequent configurations apply to all ports in the port group Configure the hold timer join timer and leave t...

Page 113: ...le in any view Display GARP timers for specified or all ports display garp timer interface interface list Available in any view Display the local VLAN information maintained by GVRP display gvrp local vlan interface interface type interface number Available in any view Display the current GVRP state display gvrp state interface interface type interface number vlan vlan id Available in any view Dis...

Page 114: ...nk port allowing all VLANs to pass DeviceA interface GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 port link type trunk DeviceA GigabitEthernet1 0 1 port trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 the Trunk port DeviceA GigabitEthernet1 0 1 gvrp DeviceA GigabitEthernet1 0 1 quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system...

Page 115: ...Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP registration on Device A and normal GVRP registration on Device B II Network diagram Figure 3 3 Network diagram for GVRP configuration III Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view DeviceA gvrp Configure port GigabitEthernet 1 0 1 as a Trunk port allowing...

Page 116: ...1 port trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 DeviceB GigabitEthernet1 0 1 gvrp DeviceB GigabitEthernet1 0 1 quit Create VLAN 3 a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B DeviceB display vlan dynamic Now the following dynamic...

Page 117: ...forbidden DeviceA GigabitEthernet1 0 1 quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a Trunk port allowing all VLANs to pass DeviceB interface GigabitEthernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan all Enable GVRP ...

Page 118: ...type is autonegotiation link duplex type is autonegotiation Flow control is not enabled The Maximum Frame Length is 9212 Broadcast MAX ratio 100 Unicast MAX ratio 100 Multicast MAX ratio 100 Allow jumbo frame to pass PVID 1 Mdi type auto Link delay is 0 sec Port link type trunk VLAN passing 1 default vlan VLAN permitted 1 default vlan Omitted The above output indicates that port GigabitEthernet 1 ...

Page 119: ...n Example 1 5 1 3 Displaying and Maintaining IP Addressing 1 7 Chapter 2 IP Performance Configuration 2 1 2 1 IP Performance Overview 2 1 2 2 Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 2 1 2 2 1 Enabling Reception of Directed Broadcasts to a Directly Connected Network 2 1 2 2 2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network ...

Page 120: ...ressing uses a 32 bit address to identify each host on a network An example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net id First several bits of the IP address defining ...

Page 121: ...ss 255 255 255 255 1 1 2 Special Case IP Addresses The following IP addresses are for special use and they cannot be used as host IP addresses z IP address with an all zero net ID Identifies a host on the local network For example IP address 0 0 0 16 indicates the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one ...

Page 122: ...ll ones are not assignable to hosts The same is true of subnetting When designing your network you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts For example a Class B network can accommodate 65 534 216 2 Of the two deducted Class B addresses one with an all one host id is the broadcast address and the other with an all zero host id is the network address...

Page 123: ...an IP address to an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Assign an IP address to the interface ip address ip address mask mask length sub Required No IP address is assigned by default Caution z The primary IP address you assigned to the interface can overwrite the old one if there is any z An interface ...

Page 124: ...s and a secondary IP address to VLAN interface 1 on the switch z Set the switch as the gateway on all hosts II Network diagram Figure 1 3 Network diagram for IP addressing configuration III Configuration procedure Assign a primary IP address and a secondary IP address to VLAN interface 1 Switch system view Switch interface vlan interface 1 Switch Vlan interface1 ip address 172 16 1 1 255 255 255 0...

Page 125: ...24 Use the ping command to verify the connectivity between the switch and the hosts on the subnet 172 16 2 0 24 Switch ping 172 16 2 2 PING 172 16 2 2 56 data bytes press CTRL_C to break Reply from 172 16 2 2 bytes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56...

Page 126: ...isplaying and Maintaining IP Addressing To do Use the command Remarks Display information about a specified or all Layer 3 interfaces display ip interface interface type interface number Display brief information about a specified or all Layer 3 interfaces display ip interface brief interface type interface number Available in any view ...

Page 127: ...abling ICMP error packets sending 2 2 Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Directed broadcasts refer to broadcast packets sent to a specific network In the destination IP address of a directed broadcast the network ID is a network specific number and the host ID is all ones Enabling the device to receive and forward directed broadcasts to a direc...

Page 128: ...directed broadcasts ip forward broadcast acl acl number Required By default the device is disabled from forwarding directed broadcasts Note z You can reference an ACL to forward only directed broadcasts permitted by the ACL z If you execute the ip forward broadcast acl command on an interface repeatedly the last execution overwrites the previous one If the command executed last time does not inclu...

Page 129: ...tchA Vlan interface2 ip address 2 2 2 2 24 Enable VLAN interface 2 to forward directed broadcasts SwitchA Vlan interface2 ip forward broadcast z Configure Switch B Enable Switch B to receive directed broadcasts SwitchB system view SwitchB ip forward broadcast Configure a static route to the host SwitchB ip route static 1 1 1 1 24 2 2 2 2 Configure an IP address for VLAN interface 2 SwitchB interfa...

Page 130: ... after the timer expires z Size of TCP receive send buffer Follow these steps to configure TCP optional parameters To do Use the command Remarks Enter system view system view Configure TCP synwait timer s timeout value tcp timer syn timeout time value Optional By default the timeout value is 75 seconds Configure TCP finwait timer s timeout value tcp timer fin timeout time value Optional By default...

Page 131: ...e packet and sends an ICMP timeout packet to the source The device will send an ICMP timeout packet under the following conditions z If the device finds the destination of a packet is not itself and the TTL field of the packet is 1 it will send a TTL timeout ICMP error message z When the device receives the first fragment of an IP datagram whose destination is the device itself it will start a tim...

Page 132: ...e will be reduced z As the redirection function increases the routing table size of a host the host s performance will be reduced if its routing table becomes very large z If a host sends malicious ICMP destination unreachable packets end users may be affected To prevent such problems you can disable the device from sending ICMP error packets Follow these steps to disable sending ICMP error packet...

Page 133: ...display icmp statistics Display socket information display ip socket socktype sock type task id socket id Display FIB forward information display fib begin include exclude string acl acl number ip prefix ip prefix name Display FIB forward information matching the specified destination IP address display fib ip address1 mask1 mask length1 ip address2 mask2 mask length2 longer longer Display statist...

Page 134: ...ing Basic QinQ 1 4 1 3 Configuring Selective QinQ 1 4 1 4 Configuring the TPID Value to Be Carried in VLAN Tags 1 5 1 5 QinQ Configuration Example 1 6 Chapter 2 BPDU Tunneling Configuration 2 1 2 1 Introduction to BPDU Tunneling 2 1 2 1 1 Why BPDU Tunneling 2 1 2 1 2 How BPDU Tunneling Works 2 1 2 2 Configuring BPDU Isolation 2 3 2 3 Configuring BPDU Transparent Transmission 2 3 2 4 Configuring De...

Page 135: ...ents The port QinQ feature is a flexible easy to implement Layer 2 VPN technique which enables the access point to encapsulate an outer VLAN tag in Ethernet frames from customer networks private networks so that the Ethernet frames will travel across the service provider s backbone network public network with double VLAN tags The inner VLAN tag is the customer network VLAN tag while the outer one ...

Page 136: ...k 1 1 2 Implementations of QinQ There are two types of QinQ implementations basic QinQ and selective QinQ 1 Basic QinQ Basic QinQ is a port based feature which is implemented through VLAN VPN With the VLAN VPN feature enabled on a port when a frame arrives at the port the switch will tag it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame...

Page 137: ...9100 and 0x8100 respectively while the configured TPID value of the service provider VLAN tag is 0x9100 and that of the VLAN tag for a customer network is 0x8200 the device considers that the frame carries only the service provider VLAN tag but not the customer VLAN tag In addition the systems of different vendors may set the TPID of the outer VLAN tag of QinQ frames to different values For compat...

Page 138: ... command Configurations made in Ethernet port view will take effect on the current port only configuration made in port group view will take effect on all ports in the port group Enable QinQ on the port s qinq enable Required Disabled by default 1 3 Configuring Selective QinQ The outer VLAN tag added to a frame by the basic QinQ feature is the VLAN tag corresponding to the port s default VLAN ID w...

Page 139: ...sponding to the outer VLAN tags raw vlan id inbound all vlan id list Required Caution z An inner VLAN tag corresponds to only one outer VLAN tag If you want to change an outer VLAN tag you must delete the old outer VLAN tag configuration and configure a new outer VLAN tag z You can configure selective QinQ and basic QinQ on the same port The switch uses the basic QinQ function to attach the port s...

Page 140: ...ider network z Third party devices are deployed between Provider A and Provider B with a TPID value of 0x8200 After configuration the network should satisfy the following requirement z Frames of VLAN 10 of Customer A and frames of VLAN 10 of Customer B can be forwarded to each other through VLAN 1000 of the provider network frames of VLAN 20 of Customer A and frames of VLAN 20 of Customer C can be...

Page 141: ...re the port to tag frames from VLAN 10 with an outer tag with the VLAN ID of 1000 ProviderA GigabitEthernet1 0 1 qinq vid 1000 ProviderA GigabitEthernet1 0 1 vid 1000 raw vlan id inbound 10 ProviderA GigabitEthernet1 0 1 vid 1000 quit Configure the port to tag frames from VLAN 20 with an outer tag with the VLAN ID of 2000 ProviderA GigabitEthernet1 0 1 qinq vid 2000 ProviderA GigabitEthernet1 0 1 ...

Page 142: ...iderB GigabitEthernet1 0 1 port trunk permit vlan 1000 2000 To enable interoperability with the third party devices in the public network set the TPID value to be carried in VLAN Tags to 0x8200 ProviderB GigabitEthernet1 0 1 quit ProviderB qinq ethernet type service tag 8200 z Configuration on GigabitEthernet 1 0 2 Configure VLAN 2000 as the default VLAN of the port ProviderB interface GigabitEthe...

Page 143: ... network This prevents each network from correctly calculating its spanning tree As a result when redundant links exist in a network data loops will unavoidably occur By allowing each network to have its own spanning tree while running STP BPDU tunneling can resolve this problem z BPDU tunneling can isolate BPDUs of different customer networks so that one network is not affected by others while ca...

Page 144: ...s BPDU input output device BPDU input output device Service provider network Figure 2 1 Network hierarchy of BPDU tunneling z At the BPDU input side the device changes the destination MAC address of a BPDU from a customer network from 0x0180 C200 0000 to a special multicast MAC address 0x010F E200 0003 by default In the service provider s network the modified BPDUs are forwarded as data packets in...

Page 145: ...p Enable BPDU tunneling for the port s bpdu tunnel dot1q enable Required Disabled by default Note z BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect z The BPDU tunneling feature is incompatible with the GVRP feature so these two features cannot be enabled at the same time For introduction to GVRP refer to VLAN Configuration z The BPDU tunnelin...

Page 146: ...on the port s bpdu tunnel dot1q stp Required Disabled by default Note z BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect z The BPDU tunneling feature is incompatible with the GVRP feature so these two features cannot be enabled at the same time For introduction to GVRP refer to VLAN Configuration z The BPDU tunneling feature is incompatible wi...

Page 147: ... network access devices z Provider A Provider B and Provider C are service provider network access devices which are interconnected through configured trunk ports The configuration is required to satisfy the following requirements z Geographically dispersed customer network devices Customer A Customer C and Customer D can implement consistent spanning tree calculation across the service provider n...

Page 148: ...0 2 port access vlan 4 ProviderB GigabitEthernet1 0 2 undo ntdp enable ProviderB GigabitEthernet1 0 2 bpdu tunnel dot1q enable 3 Configuration on Provider C Configure BPDU transparent transmission on GigabitEthernet 1 0 3 ProviderC system view ProviderC interface GigabitEthernet 1 0 3 ProviderC GigabitEthernet1 0 3 port access vlan 2 ProviderC GigabitEthernet1 0 3 stp disable ProviderC GigabitEthe...

Page 149: ... Note When STP works stably on the customer network if Customer A acts as the root bridge the ports of Customer C and Customer D connected with Provider C can receive BPDUs from Customer A Since BPDU isolation is enabled on Customer B the port that connects Customer B to Provider B cannot receive BPDUs from Customer A ...

Page 150: ...the Broadcast Multicast Unknown Unicast Storm Suppression Ratio for an Ethernet Port 1 6 1 1 8 Setting the Interval for Collecting Ethernet Port Statistics 1 7 1 1 9 Enabling Forwarding of Jumbo Frames 1 8 1 1 10 Enabling Loopback Detection on an Ethernet Port 1 8 1 1 11 Configuring the Cable Type for an Ethernet Port 1 10 1 1 12 Testing the Cable on an Ethernet Port 1 10 1 1 13 Configuring the St...

Page 151: ...rt Group Optional Configuring the Broadcast Multicast Unknown Unicast Storm Suppression Ratio for an Ethernet Port Optional Setting the Interval for Collecting Ethernet Port Statistics Optional Enabling Forwarding of Jumbo Frames Optional Enabling Loopback Detection on an Ethernet Port Optional Configuring the Cable Type for an Ethernet Port Optional Testing the Cable on an Ethernet Port Optional ...

Page 152: ...nal auto by default Shut down the Ethernet port shutdown Optional By default an Ethernet port is in up state To bring up an Ethernet port use the undo shutdown command Note The speed 1000 command is only applicable to GigabitEthernet ports 1 1 2 Combo Port Configuration I Introduction to Combo port A Combo port can operate as either an optical port or an electrical port Inside the device there is ...

Page 153: ...pe interface number Enable a specified double Combo port undo shutdown Optional By default out of the two ports in a Combo port the one with a smaller port ID is enabled For detailed information about Combo ports and the corresponding physical ports refer to the installation manual 1 1 3 Enabling Flow Control on an Ethernet Port When flow control is enabled on both sides if traffic congestion occu...

Page 154: ...port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the up down suppression time of physical link state changes link delay delay time Required The default suppression time is 0 seconds indicating that the physical layer reports the change of the port state to the system right after the port state changes 1 1 ...

Page 155: ...rs to configure on a single port as well as on multiple ports in a port group In port group view the user only needs to input the configuration command once on one port and that configuration will apply to all ports in the port group This effectively reduces redundant configurations A Port group belongs to one of the following two categories z Manual port group manually created by users Multiple E...

Page 156: ...r information about aggregation port group refer to Link Aggregation Configuration 1 1 7 Configuring the Broadcast Multicast Unknown Unicast Storm Suppression Ratio for an Ethernet Port You can use the following commands to suppress the broadcast multicast and unknown unicast traffic In port configuration mode the suppression ratio indicates the maximum broadcast multicast or unknown unicast traff...

Page 157: ...tio broadcast suppression ratio pps max pps Optional By default all broadcast traffic is allowed to pass through a port that is broadcast traffic is not suppressed Configure multicast storm suppression ratio multicast suppression ratio pps max pps Optional By default all multicast traffic is allowed to pass through a port that is multicast traffic is not suppressed Configure unknown unicast storm ...

Page 158: ...ge You can set the jumbo frame length in Ethernet port view or port group view z If you set the jumbo frame length in Ethernet port view the configuration takes effect only on the current port z If you set the jumbo frame length in port group view the configuration takes effect on all ports in the port group Follow these steps to enable the forwarding of jumbo frames To do Use the command Remarks ...

Page 159: ...pback detection loopback detection enable Required Disabled by default Configure the interval for port loopback detection loopback detection interval time time Optional 30 seconds by default Enter Ethernet port view interface interface type interface number Enable loopback detection on the port loopback detection enable Required Disabled by default Enable loopback detection control on the port Tru...

Page 160: ... auto mode is recommended The other two modes are useful only when the device cannot determine the cable type Follow these steps to configure the cable type for an Ethernet Port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the cable type the Ethernet port can identify mdi across auto normal Optional Default...

Page 161: ...detected exceeds the threshold Caution Although the storm suppression function and the storm constrain function can all be used to control specific type of traffic they conflict with each other So do not configure the both for an Ethernet port at the same time For example with multicast storm suppression ratio set on an Ethernet port do not enable the storm constrain function for multicast traffic...

Page 162: ...unction is disabled Set the action to be taken when the traffic exceeds the upper threshold storm constrain control block shutdown Optional By default the storm constrain function is disabled Specify to send trap messages when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher than the upper threshold storm constrain enable trap Optional By...

Page 163: ...isplay the current state of a specified port and related information display interface interface type interface number Available in any view Display a summary of a specified port display brief interface interface type interface number begin include exclude text Available in any view Clear the statistics on a specified port reset counters interface interface type interface number Available in user ...

Page 164: ...e supports only one isolation group that is created automatically by the system as Isolation Group 1 The user can neither delete the isolation group nor create other isolation groups z There is no restriction on the number of ports to be added to an isolation group z A port inside an isolation group and a port outside the isolation group can communicate with each other at Layer 2 and Layer 3 Ports...

Page 165: ...ay port isolate group Available in any view 2 4 Port Isolation Configuration Example I Networking Requirement z Users Host A Host B and Host C are connected to GigabitEthernet1 0 1 GigabitEthernet1 0 2 and GigabitEthernet1 0 3 of Device z Device is connected to an external network through Ethernet 2 0 4 z GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3 and Ethernet 2 0 4 belong to t...

Page 166: ...net1 0 1 Device GigabitEthernet1 0 1 port isolate enable Device GigabitEthernet1 0 1 quit Device interface GigabitEthernet1 0 2 Device GigabitEthernet1 0 2 port isolate enable Device GigabitEthernet1 0 2 quit Device interface GigabitEthernet1 0 3 Device GigabitEthernet1 0 3 port isolate enable Display the information about the isolation group Device display port isolate group Port isolate group in...

Page 167: ...ggregation 1 4 1 3 Load Sharing in a Link Aggregation Group 1 5 1 4 Service Loop Group 1 6 1 5 Aggregation Port Group 1 7 Chapter 2 Link Aggregation Configuration 2 1 2 1 Configuring Link Aggregation 2 1 2 1 1 Configuring a Manual Link Aggregation Group 2 1 2 1 2 Configuring a Static LACP Link Aggregation Group 2 2 2 1 3 Configuring an Aggregation Group Name 2 3 2 1 4 Configuring a Service Loop Gr...

Page 168: ...CPDUs to notify the remote system of its system LACP priority system MAC address port LACP priority port number and operational key Upon receipt of an LACPDU the remote system compares the received information with the information received on other ports to determine the ports that can operate as selected ports This allows the two systems to reach agreement on the states of the related ports When ...

Page 169: ... priority Policy setting on the port Port trust mode GVRP GVRP state on ports enabled or disabled GVRP registration type GARP timers Q in Q State of Q in Q enabled or disabled Added outer VLAN tag Policy of appending outer VLAN tag according to inner VLAN IDs BPDU tunnel BPDU tunnel state on ports enabled or disabled BPDU tunnel state for STP on ports enabled or disabled VLAN VLANs carried on the ...

Page 170: ... port z Ports in the up state with the same speed duplex mode link state and basic configuration as the reference port become the candidates for selected ports while the other ports become unselected ports z There is a limit on the number of selected ports in a manual aggregation group If the number of selected port candidates does not reach the limit all the candidates become selected ports if th...

Page 171: ... automatically II Port states in static aggregation In a static aggregation group ports can be selected or unselected where both can receive and transmit LACPDUs but only selected ports can receive and transmit data frames When setting the state of the ports in the local and remote static aggregation groups the local and remote systems do the following 1 Compare their system IDs to identify the hi...

Page 172: ... need to do that port by port As a solution you may add the ports into an aggregation port group where you can make configuration for all member ports When the configuration of some port in a static aggregation group changes the system does not remove the aggregation instead it re sets the selected unselected state of the member ports and re selects a master port 1 3 Load Sharing in a Link Aggrega...

Page 173: ...oadcast packet the switch selects the forwarding port according to the source MAC address the destination MAC address and the receiving port of the packet Note When only one selected port remains in a load sharing aggregation group the group keeps working in the load sharing mode 1 4 Service Loop Group You can create a service loop group by creating a manual aggregation group of service loop ports...

Page 174: ...ms of duplex speed pair link state and other basic configurations Their configuration consistency requires administrative maintenance which is troublesome after you change some configuration To simplify configuration port groups are provided allowing you to configure for all ports in individual groups at one time One example of port groups is aggregation port group Upon creation or removal of a li...

Page 175: ...gregation group and add an Ethernet port to it To do Use the command Remarks Enter system view system view Create a manual aggregation group link aggregation group agg id mode manual Required Enter Ethernet port view interface interface type interface number Assign the Ethernet port to the aggregation group port link aggregation group agg id Required Note that z You can create a manual aggregation...

Page 176: ...gation group agg id mode static Required Enter Ethernet port view interface interface type interface number Configure the port LACP priority lacp port priority port priority Optional 32768 by default Changing port LACP priority can affect the selected unselected state of the ports in the group Assign the Ethernet port to the aggregation group port link aggregation group agg id Required Note that z...

Page 177: ... steps to configure a name for an aggregation group To do Use the command Remarks Enter system view system view Configure a name for a link aggregation group link aggregation group agg id description agg name Required None is configured by default 2 1 4 Configuring a Service Loop Group Follow these steps to configure a service loop group To do Use the command Remarks Enter system view system view ...

Page 178: ...ation port group view port group aggregation agg id Caution In aggregation port group view you can configure aggregation related settings such as STP VLAN QoS GVRP Q in Q BPDU tunnel MAC address learning but cannot add or remove member ports 2 2 Displaying and Maintaining Link Aggregation To do Use the command Remarks Display the local system ID display lacp system id Available in any view Display...

Page 179: ...2 3 Link Aggregation Configuration Example I Network requirements z Switch A aggregates ports GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to form one link connected to Switch B and performs load sharing among these ports z Create a tunnel service loop group and add port GigabitEthernet 1 0 1 to the group II Network diagram GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 GE1 0 3 Figure 2 1 Network ...

Page 180: ...chA link aggregation group 1 mode static Add ports GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to the group SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 port link aggregation group 1 SwitchA GigabitEthernet1 0 1 interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link aggregation group 1 SwitchA GigabitEthernet1 0 2 interface GigabitEthernet 1 0 3 Swit...

Page 181: ...ction to MAC Address Table 1 1 1 2 Configuring MAC Address Table Management 1 2 1 2 1 Configuring MAC Address Entries 1 2 1 2 2 Configuring MAC Address Aging Timer 1 3 1 2 3 Configuring the Maximum Number of MAC Addresses an Ethernet Port or a Port Group Can Learn 1 4 1 3 Displaying and Maintaining MAC Address Table Management 1 4 1 4 MAC Address Table Management Configuration Example 1 5 ...

Page 182: ...ing Each entry in this table contains the MAC address of a connected device to which port this device is connected and to which VLAN the port belongs A MAC address table consists of two types of entries static and dynamic Static entries are manually configured and never age out Dynamic entries can be manually configured or dynamically learned and may age out The following is how a switch learns a ...

Page 183: ...th its MAC address If no response is received the frame will be dropped 3 Upon receipt of the response the device adds an entry in the MAC address table indicating from which port the frames destined for the MAC address should be sent 4 Forward subsequent frames destined for the same MAC address directly from the hardware 5 Discard the frames which cannot reach the destination MAC address Figure 1...

Page 184: ...t 1 2 2 Configuring MAC Address Aging Timer The MAC address table on your device is available with an aging mechanism for dynamic entries to prevent its resources from being exhausted Set the aging timer appropriately a long aging interval may cause the MAC address table to retain outdated entries and fail to accommodate latest network changes a short interval may result in removal of valid entrie...

Page 185: ...nterface type interface number Enter Ethernet port or port group view Enter port group view port group aggregation agg id manual port group name Required Use either command to configure on a port or ports in a group Configure the maximum number of MAC addresses that can be learned on an Ethernet port or port group mac address max mac count count Required The maximum number of MAC addresses that ca...

Page 186: ...Add a static entry 000f e235 dc71 for port GigabitEthernet 1 0 1 in VLAN 1 II Configuration procedure Add a static MAC address entry Sysname system view Sysname mac address static 000f e235 dc71 interface GigabitEthernet 1 0 1 vlan 1 Set the aging timer for dynamic MAC address entries to 500 seconds Sysname mac address timer aging 500 Display the MAC address entry for port GigabitEthernet 1 0 1 Sy...

Page 187: ... 1 2 Configuring a Static Binding Entry 1 1 1 3 Configuring Dynamic Binding Function 1 2 1 4 Displaying IP Source Guard 1 3 1 5 IP Source Guard Configuration Examples 1 3 1 5 1 Static Binding Entry Configuration Example 1 3 1 5 2 Dynamic Binding Function Configuration Example 1 5 1 6 Troubleshooting 1 7 1 6 1 Failed to Configure Static Binding Entries and Dynamic Binding Function 1 7 ...

Page 188: ... After receiving a packet the port looks up the key attributes including IP address MAC address and VLAN tag of the packet in the binding entries of the IP source guard If there is a matching entry the port will forward the packet Otherwise the port will abandon the packet IP source guard filters packets based on the following types of binding entries z IP port binding entry z MAC port binding ent...

Page 189: ... or a multicast address and the IP address can only be a Class A Class B or Class C address and can be neither 127 x x x nor 0 0 0 0 1 3 Configuring Dynamic Binding Function After the dynamic binding function is enabled on a port IP source guard will receive and process corresponding DHCP Snooping entries which contain such information as MAC address IP address VLAN tag port information or entry t...

Page 190: ...n Ethernet Host A and Host B are connected to ports GigabitEthernet1 0 1 and GigabitEthernet1 0 2 of Switch B respectively Host C is connected to port GigabitEthernet1 0 2 of Switch A while Switch B is connected to port GigabitEthernet1 0 1 of Switch A Detailed requirements are as follows z On port GigabitEthernet1 0 2 of Switch A only IP packets with the source MAC address of 00 01 02 03 04 05 an...

Page 191: ... 0 2 SwitchA GigabitEthernet1 0 2 user bind ip address 192 168 0 3 mac address 0001 0203 0405 SwitchA GigabitEthernet1 0 2 quit Configure port GigabitEthernet1 0 1 of Switch A to allow only IP packets with the source MAC address of 00 01 02 03 04 06 and the source IP address of 192 168 0 1 to pass SwitchA interface GigabitEthernet1 0 1 SwitchA GigabitEthernet1 0 1 user bind ip address 192 168 0 1 ...

Page 192: ...atic 0001 0203 0406 192 168 0 1 N A GigabitEthernet1 0 1 Static 2 binding entries queried 2 listed On Switch B static binding entries are configured successfully SwitchB display user bind The following user address bindings have been configured MAC IP Vlan Port Status 0001 0203 0406 192 168 0 1 N A GigabitEthernet1 0 1 Static 0001 0203 0407 192 168 0 2 N A GigabitEthernet1 0 2 Static 2 binding ent...

Page 193: ...Configure port GigabitEthernet1 0 2 connected to the DHCP server as a trusted port SwitchA interface GigabitEthernet1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping trust SwitchA GigabitEthernet1 0 2 quit 2 Verify the configuration Display the dynamic binding entries that port GigabitEthernet1 0 1 has obtained from DHCP Snooping SwitchA display ip check source The following user address bindings h...

Page 194: ... after it is configured with dynamic binding function 1 6 Troubleshooting 1 6 1 Failed to Configure Static Binding Entries and Dynamic Binding Function I Symptom Configuring static binding entries and dynamic binding function fails on a port II Analysis IP Source Guard is not supported on the port which has joined an aggregation group Neither static binding entries nor dynamic binding function can...

Page 195: ...ask List 1 10 1 2 1 Enabling DLDP 1 10 1 2 2 Setting DLDP Mode 1 11 1 2 3 Setting the Interval for Sending Advertisement Packets 1 11 1 2 4 Setting the DelayDown Timer 1 12 1 2 5 Setting the Port Shutdown Mode 1 13 1 2 6 Configuring DLDP Authentication 1 13 1 2 7 Resetting DLDP State 1 14 1 3 Displaying and Maintaining DLDP 1 15 1 4 DLDP Configuration Example 1 15 1 4 1 DLDP Configuration Example ...

Page 196: ...DLDP z DLDP Configuration Example z Troubleshooting 1 1 Overview A special kind of links namely unidirectional links may occur in a network When a unidirectional link appears the local device can receive packets from the peer device through the link layer but the peer device cannot receive packets from the local device Unidirectional link can cause problems such as loops in a Spanning Tree Protoco...

Page 197: ...n shut down the related port automatically or prompt users to take measures as configured to avoid network problems As a data link layer protocol DLDP cooperates with physical layer protocols to monitor the link status of a device The auto negotiation mechanism provided by physical layer protocols detects physical signals and faults DLDP however performs operations such as identifying peer devices...

Page 198: ... normally with all its neighbors in both directions or DLDP remains in active state for more than five seconds It is the normal state where no unidirectional link is detected Probe A device enters this state if it receives a packet from an unknown neighbor In this state DLDP sends packets to check whether the link is a unidirectional link After a device enters this state the probe sending timer is...

Page 199: ... an enhanced detect is launched When the Echo waiting timer expires and no Echo packet is received from a neighbor device the link is set as a unidirectional link and the device transits to the Disable state In this case the device sends Disable packets prompts the user to shut down the port or shuts down the port automatically depending on the DLDP down mode configured and removes the correspondi...

Page 200: ... Inactive state when it detects a port down event When a device transits to this state the DelayDown timer is triggered The setting of the timer ranges from 1 to 5 in seconds A device in DelayDown state only responds to port up events A device in the DelayDown state resumes its original DLDP state if it detects a port up event before the DelayDown timer expires Otherwise it removes the correspondi...

Page 201: ...DLDP mode however Port A tests Port B after the Entry timer concerning Port B expires Port A then transits to the Disable state if it receives no Echo packet from Port A when the Echo timer expires As Port B is physically down it is in the Inactive DLDP state Figure 1 3 A case for Enhanced DLDP mode Note z In normal DLDP mode only fiber cross connected unidirectional links as shown in Figure 1 1 c...

Page 202: ...ation In this mode before sending a packet the sending side encrypts the user configured password using MD5 algorithm assigns the digest to the Authentication field and sets the Authentication type field to 2 The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the corresponding local configuration V DLDP impleme...

Page 203: ...no process is performed Flush packet Determines whether or not the local port is in Disable state If not removes the corresponding neighbor entry if any If the corresponding neighbor entry does not exist creates the neighbor entry transits to Probe state and returns Echo packets Probe packet Retrieves the neighbor information If the corresponding neighbor entry already exists resets the Entry time...

Page 204: ...e neighbor Processing procedure In normal mode no echo packet is received when the Echo timer expires In enhanced mode no echo packet is received when the enhanced timer expires DLDP transits to the Disable state outputs log and tracking information and sends Disable packets In addition depending on the user defined DLDP down mode DLDP shuts down the local port or prompts users to shut down the po...

Page 205: ... z DLDP works only when the link is up z To ensure unidirectional links can be detected make sure these settings are the same on the both sides DLDP state enabled disabled the interval for sending Advertisement packets authentication mode and password z Keep the interval for sending Advertisement packets adequate to enable unidirectional links to be detected in time If the interval is too long uni...

Page 206: ...plies to the current port only The configuration performed in port group view applies to all the ports in the port group Enable DLDP dldp enable Required Disabled on a port by default You can perform this operation on an optical port or an electrical port Note DLDP takes effect only when it is enabled both globally and on a port 1 2 2 Setting DLDP Mode Follow these steps to set DLDP mode To do Use...

Page 207: ...ble DLDP to operate properly make sure the intervals for sending Advertisement packets on both sides of a link are the same 1 2 4 Setting the DelayDown Timer On some ports when the Tx line fails the port goes down and then comes up again causing optical signal jitters on the Rx line When a port goes down due to a Tx failure the device transits to the DelayDown state instead of the Inactive state t...

Page 208: ...t shutdown mode To do Use the command Remarks Enter system view system view Set port shutdown mode dldp unidirectional shutdown auto manual Optional auto by default Caution z On a port with both remote OAM loopback and DLDP enabled if the port shutdown mode is auto mode the port will be shut down by DLDP when it receives a packet sent by itself causing remote OAM loopback to operate improperly To ...

Page 209: ...ctive state if the port is physically down or in Active state if the port is physically up after you reset DLDP state for it Caution z The configuration of resetting DLDP state performed in system view applies to all the ports shut down by DLDP z The configuration of resetting DLDP state performed in port view or port group view applies to the current port or all the ports in the port group shut d...

Page 210: ...P To do Use the command Remarks Display the DLDP configuration of a port display dldp interface type interface number Available in any view Display the statistics on DLDP packets passing through a port display dldp statistics interface type interface number Available in any view Clear the statistics on DLDP packets passing through a port reset dldp statistics interface type interface number Availa...

Page 211: ...viceA GigabitEthernet1 0 50 dldp enable DeviceA GigabitEthernet1 0 50 interface gigabitethernet 1 0 51 DeviceA GigabitEthernet1 0 51 dldp enable DeviceA GigabitEthernet1 0 51 quit Set the interval for sending Advertisement packets to 6 seconds DeviceA dldp interval 6 Set the DelayDown timer to 2 seconds DeviceA dldp delaydown timer 2 Set the DLDP mode as enhanced mode DeviceA dldp work mode enhanc...

Page 212: ...sable state and the links are down which means unidirectional links are detected and the two ports are thus shut down Reset DLDP state for the ports shut down by DLDP DeviceA dldp reset 2 Configuration on Device B The configuration on Device B is the same as that on Device A and is thus omitted Note If two fibers are cross connected all the four ports involved will be shut down by DLDP 1 5 Trouble...

Page 213: ...s Chapter 1 DLDP Configuration 1 18 z DLDP authentication modes passwords on Device A and Device B are not the same Solution Make sure the interval for sending Advertisement packets the authentication mode and the password on Device A and Device B are the same ...

Page 214: ...Edge Ports 1 30 1 3 11 Configuring Whether Ports Connect to Point to Point Links 1 31 1 3 12 Configuring the Mode a Port Uses to Recognize Send MSTP Packets 1 33 1 3 13 Enabling the Output of Port State Transition Information 1 34 1 3 14 Enabling the MSTP Feature 1 34 1 4 Configuring Leaf Nodes 1 35 1 4 1 Configuring an MST Region 1 35 1 4 2 Configuring the Work Mode of MSTP 1 35 1 4 3 Configuring...

Page 215: ... Agreement Check 1 44 1 7 1 Prerequisites 1 45 1 7 2 Configuration Procedure 1 45 1 7 3 Configuration Example 1 46 1 8 Configuring Protection Functions 1 46 1 8 1 Configuration prerequisites 1 47 1 8 2 Enabling BPDU Guard 1 47 1 8 3 Enabling Root Guard 1 48 1 8 4 Enabling Loop Guard 1 49 1 8 5 Enabling TC BPDU Attack Guard 1 50 1 9 Displaying and Maintaining MSTP 1 51 1 10 MSTP Configuration Examp...

Page 216: ... This avoids proliferation and infinite recycling of packets that would occur in a loop network and prevents deterioration of the packet processing capability of network devices caused by duplicate packets received In the narrow sense STP refers to the STP protocol defined in IEEE 802 1d in the broad sense it refers to the STP protocol defined in IEEE 802 1d and various enhanced spanning tree prot...

Page 217: ... bridge and designated port The following table describes a designated bridge and a designated port Table 1 1 Description of designated bridge and designated port Classification Designated bridge Designated port For a device The device directly connected with this device and responsible for forwarding BPDUs The port through which the designated bridge forwards BPDUs to this device For a LAN The de...

Page 218: ...ies the network topology by transmitting configuration BPDUs between network devices Configuration BPDUs contain sufficient information for network devices to complete the spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of root bridge priority and MAC address z Root path cost the cost of the shortest path to the root bridge z Designated bridge...

Page 219: ...ds out its configuration BPDUs and receives configuration BPDUs from other devices The process of selecting the optimum configuration BPDU is as follows Table 1 2 Selection of the optimum configuration BPDU Step Description 1 Upon receiving a configuration BPDU on a port the device performs the following processing z If the received configuration BPDU has a lower priority than that of the configur...

Page 220: ...ssumes itself to be the root bridge with the root bridge ID being its own device ID By exchanging configuration BPDUs the devices compare one another s root bridge ID The device with the smallest root bridge ID is elected as the root bridge z Selection of the root port and designated ports The process of selecting the root port and designated ports is as follows Table 1 3 Selection of the root por...

Page 221: ... so that the port will only receive BPDUs but not send any and will not forward data Note When the network topology is stable only the root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfully electe...

Page 222: ...ation BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the configuration received message and discards the received configuration BPDU z Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is superior to the received configuration BPDU and discards the received config...

Page 223: ...uration BPDU BP1 0 0 0 AP1 BP2 1 0 1 BP2 Device B z Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BPDU Then it uses BP1 as the root port the configuration BPDUs of which will not be changed z Based on the configuration BPDU of BP1 and the path cost of the root port 5 Device B calculates a designated port co...

Page 224: ...P2 Designated port CP2 0 10 2 CP2 z Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device C ...

Page 225: ... sends out this configuration BPDU through the designated port z If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port the port will immediately send out its better configuration BPDU in response z If a path becomes faulty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs ...

Page 226: ...ropagated throughout the network z Hello time is the time interval at which a device sends hello packets to the surrounding devices to make sure that the paths are fault free z Max age is a parameter used to determine whether a configuration BPDU held in the device has expired A configuration BPDU beyond the max age will be discarded 1 1 2 Introduction to MSTP I Why MSTP 1 Disadvantages of STP and...

Page 227: ...same spanning tree 2 Features of MSTP The multiple spanning tree protocol MSTP overcomes the shortcomings of STP and RSTP In addition to support for rapid network convergence it also allows data flows of different VLANs to be forwarded along their own paths thus providing a better load sharing mechanism for redundant links For description about VLANs refer to VLAN Configuration MSTP features the f...

Page 228: ...pping configuration z They have the same MSTP revision level configuration and z They are physically linked with one another For example all the devices in region A0 in Figure 1 4 have the same MST region configuration z The same region name z The same VLAN to instance mapping VLAN 1 is mapped to MST instance 1 VLAN 2 to MST instance 2 and the rest to the command and internal spanning tree CIST CI...

Page 229: ... in a switched network If you regard each MST region as a device the CST is a spanning tree calculated by these devices through STP or RSTP For example the red lines in Figure 1 4 describe the CST 5 CIST Jointly constituted by ISTs and the CST the CIST is a single spanning tree that connects all devices in a switched network In Figure 1 4 for example the ISTs in all MST regions plus the inter regi...

Page 230: ...a boundary port 10 Roles of ports In the MSTP calculation process port roles include root port designated port master port alternate port backup port and so on z Root port a port responsible for forwarding data to the root bridge z Designated port a port responsible for forwarding data to the downstream network segment or device z A master port connects an MST region to the common root The path fr...

Page 231: ...ts Where z Devices A B C and D constitute an MST region z Port 1 and port 2 of device A connect to the common root bridge z Port 5 and port 6 of device C form a loop z Port 3 and port 4 of device D connect downstream to other MST regions 11 Port states In MSTP port states fall into the following tree z Forwarding the port learns MAC addresses and forwards user traffic z Learning the port learns MA...

Page 232: ...I How MSTP works MSTP divides an entire Layer 2 network into multiple MST regions which are interconnected by a calculated CST Inside an MST region multiple spanning trees are generated through calculation each spanning tree called an MST instance Among these MST instances instance 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees ...

Page 233: ...be recognized by devices running MSTP and used for spanning tree calculation In addition to basic MSTP functions many management facilitating special functions are provided as follows z Root bridge hold z Root bridge backup z Root guard z BPDU guard z Loop guard z TC BPDU guard 1 1 3 Protocols and Standards MSTP is documented in z IEEE 802 1d Spanning Tree Protocol z IEEE 802 1w Rapid Spanning Tre...

Page 234: ...hether Ports Connect to Point to Point Links Optional Configuring the Mode a Port Uses to Recognize Send MSTP Packets Optional Enabling the Output of Port State Transition Information Optional Configuring the Root Bridge Enabling the MSTP Feature Required Configuring an MST Region Required Configuring the Work Mode of MSTP Device Optional Configuring the Timeout Factor Optional Configuring the Max...

Page 235: ...P Configuration 1 3 Configuring the Root Bridge 1 3 1 Configuring an MST Region I Configuration procedure Follow these steps to configure an MST region To do Use the command Remarks Enter system view system view Enter MST region view stp region configuration Configure the MST region name region name name Optional The MST region name is the MAC address by default instance instance id vlan vlan list...

Page 236: ... region related parameters especially the VLAN to instance mapping table will cause MSTP to launch a new spanning tree calculation process which may result in network topology instability To reduce the possibility of topology instability caused by configuration MSTP will not immediately launch a new spanning tree calculation process when processing MST region related configurations instead such co...

Page 237: ... current device as a secondary root bridge of a specific spanning tree To do Use the command Remarks Enter system view system view Specify the current device as a secondary root bridge of a specific spanning tree stp instance instance id root secondary Required By default a device does not function as a secondary root bridge Note that z Upon specifying the current device as the root bridge or a se...

Page 238: ...ST If you include these two options in your command for any other instance the configuration can succeed but they will not actually work For the description of network diameter and hello time refer to Configuring the Network Diameter of a Switched Network and Configuring Timers of MSTP z Alternatively you can also specify the current device as the root bridge by setting the priority of the device ...

Page 239: ... example Configure MSTP to work in STP compatible mode Sysname system view Sysname stp mode stp 1 3 4 Configuring the Priority of the Current Device The priority of a device determines whether it can be elected as the root bridge of a spanning tree A lower value indicates a higher priority By setting the priority of a device to a low value you can specify the device as the root bridge of the spann...

Page 240: ...with a hop count set to the maximum value When a switch receives this configuration BPDU it decrements the hop count by 1 and uses the new hop count as the remaining hop count in the BPDUs it propagates When the hop count of a BPDU reaches 0 it is discarded by the device that received it Thus devices beyond the reach of the maximum hop are unable to take part in spanning tree calculation and there...

Page 241: ...diameter is the path that comprises more devices than any other among these paths I Configuration procedure Follow these steps to configure the network diameter of the switched network To do Use the command Remarks Enter system view system view Configure the network diameter of the switched network stp bridge diameter bridge number Optional 7 by default Note z Network diameter is a parameter that ...

Page 242: ...the timers of MSTP To do Use the command Remarks Enter system view system view Configure the forward delay timer stp timer forward delay centi seconds Optional 1 500 centiseconds 15 seconds by default Configure the hello time timer stp timer hello centi seconds Optional 200 centiseconds 2 seconds by default Configure the max age timer stp timer max age centi seconds Optional 2 000 centiseconds 20 ...

Page 243: ...s to the device burden and causes waste of network resources We recommend that you use the default setting z If the max age time setting is too small the network devices will frequently launch spanning tree calculation and may take network congestion to a link failure if the max age setting is too large the network may fail to timely detect link failures and fail to timely launch spanning tree cal...

Page 244: ...an avoid such unwanted spanning tree calculation by lengthening the timeout time I Configuration procedure Follow these steps to configure the timeout factor To do Use the command Remarks Enter system view system view Configure the timeout factor of the device stp timer factor number Optional 3 by default Note z Timeout time timeout factor 3 hello time z Typically we recommend that you set the tim...

Page 245: ...on rate of the port s stp transmit limit packet number Optional 10 by default Note If the maximum transmission rate setting of a port is too big the port will send a large number of MSTP packets within each hello time thus using excessive network resources We recommend that you use the default setting II Configuration example Set the maximum transmission rate of port GigabitEthernet 1 0 1 to 5 Sys...

Page 246: ...ge ports by default Note z With BPDU guard disabled when a port set as an edge port receives a BPDU from another port it will become a non edge port again In this case you must reset the port before you can configure it to be an edge port again z If a port directly connects to a user terminal configure it to be an edge port and enable BPDU guard for it This enables the port to transition to the fo...

Page 247: ...force false force true Optional The default setting is auto namely the device automatically detects whether an Ethernet port connects to a point to point link Note z In the case of link aggregation every port in the aggregation group can be configured to connect to a point to point link If a port works in auto negotiation mode and the negotiation result is full duplex this port can be configured a...

Page 248: ... view system view Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port group name aggregation agg id Required Use either command Configurations made in Ethernet interface view will take effect on the current port only configurations made in port group view will take effect on all ports ...

Page 249: ...teps to enable output of port state transition information To do Use the command Remarks Enter system view system view Enable output of port state transition information of all instances or a particular instance stp port log all instance instance id Optional Enabled by default 1 3 14 Enabling the MSTP Feature I Configuration procedure Follow these steps to enable the MSTP feature To do Use the com...

Page 250: ...he device s CPU resources II Configuration example Enable MSTP for the device and disable MSTP on port GigabitEthernet1 0 1 Sysname system view Sysname stp enable Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp disable 1 4 Configuring Leaf Nodes 1 4 1 Configuring an MST Region Refer to Configuring an MST Region in the section about root bridge configuration 1 4 2 Configuri...

Page 251: ... to use in automatic calculation for the default path cost The device supports the following standards z dot1d 1998 The device calculates the default path cost for ports based on IEEE 802 1d 1998 z dot1t The device calculates the default path cost for ports based on IEEE 802 1t z legacy The device calculates the default path cost for ports based on a private standard Follow these steps to specify ...

Page 252: ...t take into account the number of ports in the aggregated link Whereas 802 1t takes the number of ports in the aggregated link into account The calculation formula is Path Cost 200 000 000 link speed in 100 kbps where link speed is the sum of the link speed values of the non blocked ports in the aggregated link II Configuring Path Costs of Ports Follow these steps to configure the path cost of por...

Page 253: ...ons are the same the port with the highest priority will be elected as the root port On an MSTP compliant device a port can have different priorities in different MST instances and the same port can play different roles in different MST instances so that data of different VLANs can be propagated along different physical paths thus implementing per VLAN load balancing You can set port priority valu...

Page 254: ...ation process II Configuration example Set the priority of port GigabitEthernet 1 0 1 to 16 in MST instance 1 Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp instance 1 port priority 16 1 4 8 Configuring Whether Ports Connect to Point to Point Links Refer to Configuring Whether Ports Connect to Point to Point Links in the section about root bridge confi...

Page 255: ...de In this case you can perform an mCheck operation to force the port to migrate to the MSTP or RSTP mode You can perform mCheck on a port through two approaches which lead to the same result 1 5 1 Configuration Prerequisites MSTP has been correctly configured on the device 1 5 2 Configuration Procedure I Performing mCheckglobally Follow these steps to perform global mCheck To do Use the command R...

Page 256: ...d configuration domain name revision level VLAN to instance mappings on them is identical An MSTP enabled device identifies devices in the same MST region by checking the configuration ID in BPDU packets The configuration ID includes the region name revision level configuration digest that is in 16 byte length and is the result calculated via the HMAC MD5 algorithm based on VLAN to instance mappin...

Page 257: ...e or port group view Enter port group view port group manual port group name aggregation agg id Required Use either command Configurations made in Ethernet interface view will take effect on the current port only configurations made in port group view will take effect on all ports in the port group Enable digest snooping on the interface or port group stp config digest snooping Required Not enable...

Page 258: ...lobally and on associated ports to make it take effect It is recommended to enable the feature on all associated ports first and then globally making all configured ports take effect and disable the feature globally to disable it on all associated ports z It is not recommended to enable Digest Snooping on the MST region edge port to avoid loops z It is recommended to enable Digest Snooping first a...

Page 259: ...tion requests Both RSTP and MSTP switches can perform rapid transition operation on a designated port only when the port receives an agreement packet from the downstream switch The differences between RSTP and MSTP switches are z For MSTP the downstream device s root port sends an agreement packet only after it receives an agreement packet from the upstream device z For RSTP the down stream device...

Page 260: ... fails to transit rapidly and can only change to the forwarding state after a period twice the Forward Delay In this case you can enable the No Agreement Check feature on the downstream device s port to perform rapid state transition 1 7 1 Prerequisites z A device is the upstream one that is connected to another vendor s MSTP supported device via a point to point link z Configure the same region n...

Page 261: ...ts to a third party s device that has different MSTP implementation Both switches are in the same region z Another vendor s device is the regional root bridge and Device A is the downstream device II Network diagram Figure 1 9 No Agreement Check configuration III Configuration procedure Enable No Agreement Check on GigabitEthernet1 0 1 of Device A DeviceA system view DeviceA interface GigabitEther...

Page 262: ... ports to allow rapid transition of these ports When these ports receive configuration BPDUs the system will automatically set these ports as non edge ports and start a new spanning tree calculation process This will cause a change of network topology Under normal conditions these ports should not receive configuration BPDUs However if someone forges configuration BPDUs maliciously to attack the d...

Page 263: ...uperseded by another device causing undesired change of the network topology As a result of this kind of illegal topology change the traffic that should go over high speed links is drawn to low speed links resulting in network congestion To prevent this situation from happening MSTP provides the root guard function to protect the root bridge If the root guard function is enabled on a port this por...

Page 264: ...ard By keeping receiving BPDUs from the upstream device a device can maintain the state of the root port and other blocked ports However due to link congestion or unidirectional link failures these ports may fail to receive BPDUs from the upstream device In this case the downstream device will reselect the port roles those ports failed to receive upstream BPDUs will become designated ports and the...

Page 265: ...evice will receive a larger number of TC BPDUs within a short time and frequent deletion operations bring a big burden to the device and hazard network stability With the TC BPDU guard function enabled the device limits the maximum number of times of immediately deleting forwarding address entries within 10 seconds after it receives TC BPDUs to the value set with the stp tc protection threshold co...

Page 266: ... Available in any view View the status information and statistics information of MSTP display stp instance instance id interface interface list brief Available in any view View the information about MST region configuration in effect display stp region configuration Available in any view View root bridge information of all MSTP instances display stp root Available in any view Clear the statistics ...

Page 267: ...rmit VLAN 10 20 Permit VLAN 10 20 Permit VLAN 20 30 Permit VLAN 20 30 Figure 1 10 Network diagram for MSTP configuration Note Permit beside each link in the figure is followed by the VLANs the packets of which are permitted to pass this link III Configuration procedure 1 Configuration on Device A Enter MST region view DeviceA system view DeviceA stp region configuration Configure the region name V...

Page 268: ...figuration Configure the region name VLAN to instance mappings and revision level of the MST region DeviceB mst region region name example DeviceB mst region instance 1 vlan 10 DeviceB mst region instance 3 vlan 30 DeviceB mst region instance 4 vlan 40 DeviceB mst region revision level 0 Activate MST region configuration manually DeviceB mst region active region configuration DeviceB mst region qu...

Page 269: ... configuration manually DeviceC mst region active region configuration DeviceC mst region quit Define Device C as the root bridge of MST instance 4 DeviceC stp instance 4 root primary View the MST region configuration information that has taken effect DeviceC display stp region configuration Oper configuration Format selector 0 Region name example Revision level 0 Instance Vlans Mapped 0 1 to 9 11...

Page 270: ... revision level 0 Activate MST region configuration manually DeviceD mst region active region configuration DeviceD mst region quit View the MST region configuration information that has taken effect DeviceD display stp region configuration Oper configuration Format selector 0 Region name example Revision level 0 Instance Vlans Mapped 0 1 to 9 11 to 29 31 to 39 41 to 4094 1 10 3 30 4 40 ...

Page 271: ...namic Routing 1 3 1 2 2 Classification of Dynamic Routing Protocols 1 3 1 2 3 Routing Protocols and Routing Priority 1 4 1 2 4 Load Balancing and Route Backup 1 5 1 2 5 Route Recursion 1 6 1 2 6 Sharing of Routing Information 1 6 1 3 Displaying and Maintaining a Routing Table 1 6 Chapter 2 GR Overview 2 1 2 1 Introduction to Graceful Restart 2 1 2 2 Basic Concepts in Graceful Restart 2 1 2 3 Grace...

Page 272: ...et reaches the last router which forwards the packet to the intended destination host 1 1 2 Routing Through a Routing Table I Routing table Routing tables play a key role in routing Each router maintains a routing table and each entry in the table specifies which physical interface a packet destined for a certain destination should go out to reach the next hop the next router or the directly conne...

Page 273: ...z Priority for the route Routes to the same destination but having different nexthops may have different priorities and be found by various routing protocols or manually configured The optimal route is the one with the highest priority with the smallest metric Routes can be divided into two categories by destination z Subnet routes The destination is a subnet z Host routes The destination is a hos...

Page 274: ...ocol Overview 1 2 1 Static Routing and Dynamic Routing Static routing is easy to configure and requires less system resources It works well in small stable networks with simple topologies Its major drawback is that you must perform routing configuration again whenever the network topology changes it cannot adjust to network changes by itself Dynamic routing is based on dynamic routing protocols wh...

Page 275: ...ered and calculated III Type of the destination address z Unicast routing protocols RIP OSPF BGP and IS IS z Multicast routing protocols PIM SM and PIM DM This chapter focuses on unicast routing protocols For information on multicast routing protocols refer to the Multicast Protocol Configuration IV Version of IP protocol IPv4 routing protocols RIP OSPFv2 BGP4 and IS IS IPv6 routing protocols RIPn...

Page 276: ... can be configured with a different priority z IPv4 and IPv6 routes have their own respective routing tables 1 2 4 Load Balancing and Route Backup I Load balancing In multi route mode a routing protocol can be configured with multiple equal cost routes to the same destination These routes have the same priority and will all be used to accomplish load balancing if there is no route with a higher pr...

Page 277: ...tocols such as OSPF and IS IS do not need route recursion because they obtain nexthop information through route calculation 1 2 6 Sharing of Routing Information As different routing protocols use different routing algorithms to calculate routes they may find different routes In a large network with multiple routing protocols it is required for routing protocols to share their routing information E...

Page 278: ...splay ipv6 routing table Display verbose IPv6 routing table information display ipv6 routing table verbose Display routing information for a specified destination IPv6 address display ipv6 routing table ipv6 address prefix length longer match verbose Display routing information permitted by an IPv6 ACL display ipv6 routing table acl acl6 number verbose Display routing information permitted by an I...

Page 279: ...acency with them and the routing information The neighbors will help the restarting device to update its routing information and to restore it to the state prior to the restart in minimal time The routing and forwarding remain highly stable across the restart the packet forwarding path remains the same and the whole system can forward IP packets continuously Hence it is called Graceful Restart 2 2...

Page 280: ...m the GR Restarter for a period as specified by the GR Time 2 3 Graceful Restart Communication Procedure Configure a device as GR Restarter in a network This device and its GR Helper must support GR or be GR capable Thus when GR Restarter restarts its GR Helper can know its restart process Note In some cases GR Restarter and GR Helper can replace with each other The communication procedure between...

Page 281: ...ill recover within the GR Time Before the GR Time expires the GR Helper will neither terminate the session with the GR Restarter nor delete the topology or routing information of the latter 3 GR Restarter signaling to GR Helper Figure 2 3 The GR Restarter signals to the GR Helper s after restart As illustrated in Figure 2 3 after the GR Restarter has recovered it will signal to all its neighbors a...

Page 282: ... the GR sessions between them and calculates its own routing table based on this information 2 4 Graceful Restart Mechanism for Several Commonly Used Protocols The switch supports Graceful Restart based on Boarder Gateway Protocol BGP Open Shortest Path First OSPF and Intermediate System to Intermediate System IS IS For the implementation and configuration procedure of the Graceful Restart mechani...

Page 283: ... 2 1 4 RIP Message Format 2 4 2 1 5 Supported RIP Features 2 5 2 1 6 Protocols and Standards 2 5 2 2 Configuring RIP Basic Functions 2 6 2 2 1 Configuration Prerequisites 2 6 2 2 2 Configuration Procedure 2 6 2 3 Configuring RIP Route Control 2 8 2 3 1 Configuring an Additional Routing Metric 2 8 2 3 2 Configuring RIPv2 Route Summarization 2 9 2 3 3 Disabling Host Route Reception 2 10 2 3 4 Advert...

Page 284: ...1 Prerequisites 3 23 3 3 2 Configuration Procedure 3 23 3 4 Configuring OSPF Area Parameters 3 24 3 4 1 Prerequisites 3 24 3 4 2 Configuration Procedure 3 24 3 5 Configuring OSPF Network Types 3 25 3 5 1 Prerequisites 3 26 3 5 2 Configuring the OSPF Network Type for an Interface 3 26 3 5 3 Configuring an NBMA Neighbor 3 26 3 5 4 Configuring a Router Priority for an OSPF Interface 3 27 3 6 Configur...

Page 285: ...ability 3 40 3 8 2 Configuring the OSPF GR Helper 3 42 3 8 3 Triggering OSPF Graceful Restart 3 42 3 9 Displaying and Maintaining OSPF 3 43 3 10 OSPF Configuration Examples 3 44 3 10 1 Configuring OSPF Basic Functions 3 44 3 10 2 Configuring an OSPF Stub Area 3 48 3 10 3 Configuring an OSPF NSSA Area 3 51 3 10 4 Configuring OSPF DR Election 3 53 3 10 5 Configuring OSPF Virtual Links 3 58 3 10 6 OS...

Page 286: ...ic Host Name Mapping 4 31 4 5 8 Configuring IS IS Authentication 4 31 4 5 9 Configuring LSDB Overload Tag 4 32 4 5 10 Logging the Adjacency Changes 4 33 4 5 11 Enabling an Interface to Send Small Hello Packets 4 33 4 5 12 Enabling SNMP Trap 4 34 4 6 Configuring IS IS GR 4 34 4 7 Displaying and Maintaining IS IS 4 35 4 8 IS IS Configuration Example 4 36 4 8 1 IS IS Basic Configuration 4 36 4 8 2 DI...

Page 287: ...eer Groups 5 33 5 7 3 Configuring BGP Community 5 34 5 7 4 Configuring a BGP Route Reflector 5 35 5 7 5 Configuring a BGP Confederation 5 36 5 8 Configuring BGP GR 5 37 5 9 Displaying and Maintaining BGP 5 38 5 9 1 Displaying BGP 5 38 5 9 2 Resetting BGP Connections 5 39 5 9 3 Clearing BGP Information 5 39 5 10 BGP Configuration Examples 5 39 5 10 1 BGP Basic Configuration 5 39 5 10 2 BGP and IGP ...

Page 288: ...iguring a Routing Policy 6 6 6 4 1 Prerequisites 6 6 6 4 2 Creating a Routing Policy 6 6 6 4 3 Defining if match Clauses for the Routing Policy 6 7 6 4 4 Defining apply Clauses for the Routing Policy 6 8 6 5 Displaying and Maintaining the Routing Policy 6 10 6 6 Routing Policy Configuration Example 6 10 6 6 1 Applying Routing Policy When Redistributing IPv4 Routes 6 10 6 7 Troubleshooting Routing ...

Page 289: ...oper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications The disadvantage of using static routes is that they cannot adapt to network topology changes If a fault or a topological change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the stat...

Page 290: ...a packet a router first searches the routing table for the route to the destination address of the packet The system can find the corresponding link layer address and forward the packet only after the next hop address is specified When specifying the output interface note that z If the output interface is a NULL 0 interface there is no need to configure the next hop address z You are not recommend...

Page 291: ...onfiguring the default preference applies only to newly created static routes z You can flexibly control static routes by configuring tag values and using the tag values in the routing policy z If the destination IP address and mask are both configured as 0 0 0 0 with the ip route static command the route is the default route 1 3 Detecting Reachability of the Static Route s Nexthop If a static rou...

Page 292: ...ault Note z To configure this feature for an existing static route simply associate the static route with a track entry For a non existent static route configure it and associate it with a Track entry z If a static route needs route recursion the associated track entry must monitor the nexthop of the recursive route instead of that of the static route otherwise a valid route may be mistakenly cons...

Page 293: ...2 Configuring static routes Configure a default route on Switch A SwitchA system view SwitchA ip route static 0 0 0 0 0 0 0 0 1 1 4 2 Configure two static routes on Switch B SwitchB system view SwitchB ip route static 1 1 2 0 255 255 255 0 1 1 4 1 SwitchB ip route static 1 1 3 0 255 255 255 0 1 1 5 6 Configure a default route on Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 ...

Page 294: ...0 1 InLoop0 Display the IP routing table of Switch B SwitchB display ip routing table Routing Tables Public Destinations 10 Routes 10 Destination Mask Proto Pre Cost NextHop Interface 1 1 2 0 24 Static 60 0 1 1 4 1 Vlan500 1 1 3 0 24 Static 60 0 1 1 5 6 Vlan600 1 1 4 0 30 Direct 0 0 1 1 4 2 Vlan500 1 1 4 2 32 Direct 0 0 127 0 0 1 InLoop0 1 1 5 0 30 Direct 0 0 1 1 5 5 Vlan600 1 1 5 5 32 Direct 0 0 ...

Page 295: ...mall sized networks such as academic networks and simple LANs RIP is not applicable to complex networks RIP is still widely used in practical networking due to easier implementation configuration and maintenance than OSPF and IS IS 2 1 1 RIP Working Mechanism I Basic concepts RIP is a distance vector routing protocol using UDP packets for exchanging information through port 520 RIP uses a hop coun...

Page 296: ...ess timer defines how long a RIP route stays in the suppressed state When the metric of a route is 16 the route enters the suppressed state In the suppressed state only routes which come from the same neighbor and whose metric is less than 16 will be received by the router to replace unreachable routes z The garbage collect timer defines the interval from when the metric of a route becomes 16 to w...

Page 297: ...tes 2 1 3 RIP Version RIP has two versions RIPv1 and RIPv2 RIPv1 a classful routing protocol supports message advertisement via broadcast only RIPv1 protocol messages do not carry mask information which means it can only recognize routing information of natural networks such as Class A B C That is why RIPv1 does not support discontiguous subnets RIPv2 is a classless routing protocol Compared with ...

Page 298: ...0x01 for RIPv1 z AFI Address Family Identifier 2 for IP z IP Address Destination IP address of the route It can be a natural network subnet or a host address z Metric Cost of the route II RIPv2 message format The format of RIPv2 message is similar with RIPv1 Figure 2 2 shows it Figure 2 2 RIPv2 Message Format The differences from RIPv1 are stated as following z Version Version of RIP For RIPv2 the...

Page 299: ...mation when plain text authentication is adopted or including key ID MD5 authentication data length and sequence number when MD5 authentication is adopted Note z RFC 1723 only defines plain text authentication For information about MD5 authentication refer to RFC2082 RIPv2 MD5 Authentication z With RIPv1 you can configure the authentication mode in interface view However the configuration will not...

Page 300: ...cified network network network address Required Disabled by default Note z If you make some RIP configurations in interface view before enabling RIP those configurations will take effect after RIP is enabled z RIP runs only on the interfaces residing on the specified networks Therefore you need to specify the network after enabling RIP to validate RIP on a specific interface z You can enable RIP o...

Page 301: ... version otherwise it uses the RIP version configured on it z With RIPv1 configured an interface sends RIPv1 broadcasts and can receive RIPv1 broadcasts and RIPv1 unicasts z With RIPv2 configured a multicast interface sends RIPv2 multicasts and can receive RIPv2 unicasts broadcasts and multicasts z With RIPv2 configured a broadcast interface sends RIPv2 broadcasts and can receive RIPv1 unicasts an...

Page 302: ... routing feature complete the following tasks z Configure an IP address for each interface and make sure all neighboring routers are reachable to each other z Configure RIP basic functions 2 3 1 Configuring an Additional Routing Metric An additional routing metric can be added to the metric of an inbound or outbound RIP route The outbound additional metric is added to the metric of a sent route th...

Page 303: ... if you want to advertise all subnet routes Follow these steps to enable RIPv2 route automatic summarization To do Use the command Remarks Enter system view system view Enter RIP view rip process id Enable RIPv2 automatic route summarization summary Optional Enabled by default II Advertising a summary route You can configure RIPv2 to advertise a summary route on the specified interface To do so us...

Page 304: ...llow these steps to disable RIP from receiving host routes To do Use the command Remarks Enter system view system view Enter RIP view rip process id Disable RIP from receiving host routes undo host route Required Enabled by default Note RIPv2 can be disabled from receiving host routes but RIPv1 cannot 2 3 4 Advertising a Default Route You can configure RIP to advertise a default route with A speci...

Page 305: ...l number gateway ip prefix name ip prefix ip prefix name gateway ip prefix name import interface type interface number Required Not configured by default Configure the filtering of outgoing routes filter policy acl number ip prefix ip prefix name export protocol process id interface type interface number Required Not configured by default Note z Using the filter policy import command filters incom...

Page 306: ...d Configure a default metric for redistributed routes default cost value Optional The default metric of a redistributed route is 0 by default Redistribute routes from another protocol import route protocol process id allow ibgp cost cost route policy route policy name tag tag Required No redistribution is configured by default 2 4 Configuring RIP Network Optimization Complete the following tasks b...

Page 307: ...er to avoid unnecessary traffic or route oscillation 2 4 2 Configuring Split Horizon and Poison Reverse Note If both split horizon and poison reverse are configured only the poison reverse function takes effect I Enabling split horizon The split horizon function disables an interface from sending routes received from the interface to prevent routing loops between adjacent routers Follow these step...

Page 308: ...outes To do Use the command Remarks Enter system view system view Enter RIP view rip process id Configure the maximum number of load balanced routes maximum load balancing number Optional The default maximum number is 4 2 4 4 Enabling Zero Field Check on Incoming RIPv1 Messages Some fields in the RIPv1 message must be zero These fields are called zero fields You can enable zero field check on rece...

Page 309: ...RIP updates To do Use the command Remarks Enter system view system view Enter RIP view rip process id Enable source IP address check on incoming RIP messages validate source address Optional Enabled by default Note The source IP address check feature should be disabled if a RIP neighbor is not directly connected 2 4 6 Configuring RIPv2 Message Authentication RIPv2 supports two authentication modes...

Page 310: ...ming RIP updates undo validate source address Required Not disabled by default Note You need not use the peer ip address command when the neighbor is directly connected otherwise the neighbor may receive both the unicast and multicast or broadcast of the same routing information 2 5 Displaying and Maintaining RIP To do Use the command Remarks Display RIP current status and configuration informatio...

Page 311: ...P functions Configure Switch A SwitchA system view SwitchA rip SwitchA rip 1 network 192 168 1 0 SwitchA rip 1 network 172 16 0 0 SwitchA rip 1 network 172 17 0 0 SwitchA rip 1 quit Configure Switch B SwitchB system view SwitchB rip SwitchB rip 1 network 192 168 1 0 SwitchB rip 1 network 10 0 0 0 SwitchB rip 1 quit Display the RIP routing table of Switch A SwitchA display rip 1 route Route Flags R...

Page 312: ... Flags Sec 10 2 1 0 24 192 168 1 2 1 0 RA 16 10 1 1 0 24 192 168 1 2 1 0 RA 16 From the routing table you can see RIPv2 uses classless subnet masks Note Since RIPv1 routing information has a long aging time it will still exist until aged out after RIPv2 is configured 2 7 Troubleshooting RIP 2 7 1 No RIP Updates Received Symptom No RIP updates are received when the links work well Analysis After en...

Page 313: ...etwork After displaying the routing table you may find some routes appear and disappear in the routing table intermittently Analysis In the RIP network make sure all the same timers within the whole network are identical and relationships between timers are reasonable For example the timeout timer value should be larger than the update timer value Solution z Use the display rip command to check th...

Page 314: ...o OSPF z OSPF Configuration Task List z Configuring OSPF Basic Functions z Configuring OSPF Area Parameters z Configuring OSPF Network Types z Configuring OSPF Route Control z Configuring OSPF Network Optimization z Configuring OSPF Graceful Restart z Displaying and Maintaining OSPF z OSPF Configuration Examples z Troubleshooting OSPF Configuration 3 1 Introduction to OSPF Note Unless otherwise no...

Page 315: ...OSPF route computation is described as follows z Based on the network topology around itself each router generates Link State Advertisements LSA and sends them to other routers in update packets z Each OSPF router collects LSAs from other routers to compose a LSDB Link State Database An LSA describes the network topology around a router so the LSDB describes the entire network topology of the AS z...

Page 316: ...SPF sends routing information in LSAs which as defined in RFC 2328 have the following types z Router LSA Type 1 LSA originated by all routers flooded throughout a single area only This LSA describes the collected states of the router s interfaces to an area z Network LSA Type 2 LSA originated for broadcast and NBMA networks by the designated router flooded throughout a single area only This LSA co...

Page 317: ...parameters carried in the packet If parameters of the two routers match they become neighbors Adjacency A relationship formed between selected neighboring routers for the purpose of exchanging routing information Not every pair of neighboring routers become adjacent which depends on network types Only by synchronizing the LSDB via exchanging DD packets and LSAs can two routers become adjacent 3 1 ...

Page 318: ...long to one OSPF area 2 Area Border Router ABR An area border router belongs to more than two areas one of which must be the backbone area It connects the backbone area to a non backbone area The connection between an area border router and the backbone area can be physical or logical 3 Backbone Router At least one interface of a backbone router must be attached to the backbone area Therefore all ...

Page 319: ...ity to the backbone area z The backbone area itself must maintain connectivity In practice due to physical limitations the requirements may not be satisfied In this case configuring OSPF virtual links is a solution A virtual link is established between two area border routers via a non backbone area and is configured on both ABRs to take effect The area that provides the non backbone area internal...

Page 320: ...stub area does not distribute Type 5 LSAs into the area so the routing table size and amount of routing information in this area are reduced significantly You can configure the stub area as a totally stub area where the ABR advertises neither the destinations in other areas nor the external routes Stub area configuration is optional and not every area is eligible to be a stub area In general a stu...

Page 321: ... Area 1 Like stub areas virtual links cannot transit NSSA areas Figure 3 5 NSSA area VI Route summarization Route summarization An ABR or ASBR summarizes routes with the same prefix with a single route and distribute it to other areas Via route summarization routing information across areas and the size of routing tables on routers will be reduced improving calculation speed of routers For example...

Page 322: ...e with the cost of an OSPF internal route The cost from a router to the destination of the Type 1 external route the cost from the router to the corresponding ASBR the cost from the ASBR to the destination of the external route A Type 2 external route is an EGP route which has low credibility so OSPF considers the cost from the ASBR to the destination of the Type 2 external route is much bigger th...

Page 323: ...networks are fully meshed non broadcast and multi access P2MP networks are not required to be fully meshed z It is required to elect the DR and BDR on NBMA networks while DR and BDR are not available on P2MP networks z NBMA is the default network type while P2MP is a conversion from other network types such as NBMA in general z On NBMA networks packets are unicast and neighbors are configured manu...

Page 324: ... DR priority of an interface determines its qualification for DR BDR election Interfaces attached to the network and having priorities higher than 0 are election candidates The election votes are hello packets Each router sends the DR elected by itself in a hello packet to all the other routers If two routers on the network declare themselves as the DR the router with the higher DR priority wins I...

Page 325: ...D LSR LSU and LSAck respectively z Packet length Total length of the OSPF packet in bytes including the header z Router ID ID of the advertising router z Area ID ID of the area where the advertising router resides z Checksum Checksum of the message z Autype Authentication type from 0 to 2 corresponding with non authentication simple plaintext authentication and MD5 authentication respectively z Au...

Page 326: ... If two routers have different intervals they cannot become neighbors z Rtr Pri Router priority A value of 0 means the router cannot become the DR BDR z RouterDeadInterval Time before declaring a silent router down If two routers have different time values they cannot become neighbors z Designated Router IP address of the DR interface z Backup Designated Router IP address of the BDR interface z Ne...

Page 327: ...s the last packet of DD packets and set to 1 if more DD Packets are to follow z MS Master Slave The Master Slave bit When set to 1 it indicates that the router is the master during the database exchange process Otherwise the router is the slave z DD Sequence Number Used to sequence the collection of database description packets for ensuring reliability and intactness of DD packets between the mast...

Page 328: ...requested Type 1 for example indicates the Router LSA z Link State ID Determined by LSA type z Advertising Router ID of the router that sent the LSA V LSU packet LSU Link State Update packets are used to send the requested LSAs to peers and each packet carries a collection of LSAs The LSU packet format is shown below Figure 3 13 LSU packet format VI LSAck packet LSAack Link State Acknowledgment pa...

Page 329: ... as shown in the following figure Figure 3 15 LSA header format Major fields z LS age Time in seconds elapsed since the LSA was originated A LSA ages in the LSDB added by 1 per second but does not in transmission z LS type Type of the LSA z Link State ID The contents of this field depend on the LSA s type z LS sequence number Used by other routers to judge new and old LSAs z LS checksum Checksum o...

Page 330: ...r of router links interfaces to the area described in the LSA z Link ID Determined by Link type z Link Data Determined by Link type z Type Link type A value of 1 indicates a point to point link to a remote router a value of 2 indicates a link to a transit network a value of 3 indicates a link to a stub network a value of 4 indicates a virtual link z TOS Number of different TOS metrics given for th...

Page 331: ...cluding the DR itself 3 Summary LSA Network summary LSAs Type 3 LSAs and ASBR summary LSAs Type 4 LSAs are originated by ABRs Other than the difference in the Link State ID field the format of type 3 and 4 summary LSAs is identical Figure 3 18 Summary LSA format Major fields z Link State ID For a Type 3 LSA it is an IP address outside the area for a type 4 LSA it is the router ID of an ASBR outsid...

Page 332: ...rmat Major fields z Link State ID The IP address of another AS to be advertised When describing a default route the Link State ID is always set to Default Destination 0 0 0 0 and the Network Mask is set to 0 0 0 0 z Network Mask The IP address mask for the advertised destination z E External Metric The type of the external metric value which is set to 1 for type 2 external routes and set to 0 for ...

Page 333: ...outing information interactions between different processes seem like interactions between different routing protocols Multiple OSPF processes can use the same RID An interface of a router can only belong to a single OSPF process II Authentication OSPF supports authentication on packets Only packets that pass the authentication are received If hello packets cannot pass authentication no neighbor r...

Page 334: ...e upon receiving the responses from neighbors After reestablishing neighbor relationships the GR Restarter will synchronize the LSDB and exchange routing information with all adjacent GR capable neighbors After that the GR Restarter will update its own routing table and forwarding table based on the new routing information and remove the stale routes In this way the OSPF routing convergence is com...

Page 335: ...ptional Specifying SPF Calculation Interval Optional Specifying the LSA Minimum Repeat Arrival Interval Optional Specifying the LSA Generation Interval Optional Disabling Interfaces from Sending OSPF Packets Optional Configuring Stub Routers Optional Configuring OSPF Authentication Optional Adding the Interface MTU into DD Packets Optional Configuring the Maximum Number of External LSAs in LSDB Op...

Page 336: ...effect locally and has no influence on packet exchange between routers Therefore two routers having different process IDs can exchange packets z Configure an area and specify networks in the area The configurations for routers in an area are performed on the area basis Wrong configurations may cause communication failures even routing information block or routing loops between neighboring routers ...

Page 337: ... area cannot redistribute routes and for this reason NSSA was introduced In NSSA areas Type 7 LSAs NSSA External LSAs can be advertised Type 7 LSAs originate from the ASBR in a NSSA area When arriving at the ABR in the NSSA area these LSAs will be translated into type 5 LSAs for advertisement to other areas Non backbone areas exchange routing information via the backbone area Therefore the backbon...

Page 338: ... advertised by default Note z It is required to use the stub command on routers attached to a stub area z It is required to use the nssa command on routers attached to an NSSA area z Using the default cost command only takes effect on the ABR of a stub area or the ABR ASBR of an NSSA area 3 5 Configuring OSPF Network Types OSPF classifies networks into four types upon link layer protocols Since an...

Page 339: ... Not configured by default The network type of an interface depends on the media type of the interface Note z Configuring a new network type for an interface overwrites the previous one if any z If the two interfaces on a link are both configured as the broadcast NBMA or P2MP type they can not establish the neighbor relationship unless they are on the same network segment 3 5 3 Configuring an NBMA...

Page 340: ...is for actual DR election z The latter is to indicate whether a neighbor has the election right or not If you configure the DR priority for a neighbor as 0 the local router will consider the neighbor has no election right and thus no hello packet is sent to this neighbor reducing the number of hello packets for DR BDR election on networks However if the local router is the DR or BDR it sends hello...

Page 341: ...vailable on an ABR only Not configured by default Follow these steps to configure route summarization when redistributing routes into OSPF on an ASBR To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure ASBR route summarization asbr summary ip address mask mask length tag tag not advertise cost cost Required Available on an ASBR ...

Page 342: ...rocess id router id router id Enter area view area area id Configure ABR Type 3 LSA filtering filter acl number ip prefix ip prefix name import export Required Not configured by default 3 6 5 Configuring an OSPF Cost for an Interface Follow these steps to configure an OSPF cost for an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface typ...

Page 343: ... of routes To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure the maximum number of OSPF routes maximum routes external inter intra number Optional The default number is 12288 3 6 7 Configuring the Maximum Number of Load balanced Routes If several routes with the same cost to the same destination are available configuring them ...

Page 344: ...ults to 10 The priority of OSPF external routes defaults to 150 3 6 9 Configuring OSPF Route Redistribution Follow these steps to configure OSPF route redistribution To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure OSPF to redistribute routes from another protocol import route protocol process id allow ibgp cost cost type typ...

Page 345: ...ributed routes OSPF adds only routes which are not filtered out into Type 5 LSAs or Type 7 LSAs for advertisement z You can configure default parameters such as the cost upper limit tag and type for redistributed routes Tags are used to identify information related to protocols For example when redistributing BGP routes OSPF uses AS IDs as route tags 3 7 Configuring OSPF Network Optimization You c...

Page 346: ...he interface receives no acknowledgement packets after sending a LSA to the neighbor it will retransmit the LSA Follow these steps to configure timers for OSPF packets To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify the hello interval ospf timer hello seconds Optional The hello interval on P2P Broadcast interfaces d...

Page 347: ...d links Follow these steps to specify an LSA transmission delay on an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify an LSA transmission delay ospf trans delay seconds Optional 1 second by default 3 7 4 Specifying SPF Calculation Interval The LSDB changes lead to SPF calculations When an OSPF network chan...

Page 348: ...SA Follow these steps to configure the LSA minimum repeat arrival interval To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure the LSA minimum repeat arrival interval lsa arrival interval interval Optional Defaults to 1000 milliseconds Note The interval set with the lsa arrival interval command should be smaller or equal to the ...

Page 349: ...abling Interfaces from Sending OSPF Packets Follow these steps to disable interfaces from sending routing information To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Disable interfaces from sending OSPF packets silent interface all interface type interface number Optional Not disabled by default Note z Different OSPF processes can dis...

Page 350: ... forwarding as long as there is a route with a smaller cost Follow these steps to configure a router as a stub router To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Configure the router as a stub router stub router Required Not configured by default Note A stub router has nothing to do with a stub area 3 7 9 Configuring OSPF Authenti...

Page 351: ...be identical 3 7 10 Adding the Interface MTU into DD Packets Generally when an interface sends a DD packet it adds 0 into the Interface MTU field of the DD packet rather than the interface MTU Follow these steps to add the interface MTU into DD packets To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable OSPF to add the i...

Page 352: ...stem view Enter OSPF view ospf process id router id router id Required Make RFC1583 compatible rfc1583 compatible Optional Compatible by default 3 7 13 Logging Neighbor State Changes Follow these steps to enable the logging of neighbor state changes To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Enable the logging of neighbor state c...

Page 353: ...abled by default 3 7 15 Enabling the Advertisement and Reception of Opaque LSAs With this feature enabled the OSPF router can receive and advertise Type 9 Type 10 and Type 11 opaque LSAs Follow these steps to enable the advertisement and reception of opaque LSAs To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id Enable the advertisement ...

Page 354: ... can act as a GR Restarter and a GR Helper z Without the graceful restart ietf command used a device can only act as a GR Helper II Configure the non IETF standard OSPF GR capability Follow these steps to configure non IETF standard OSPF GR capability To do Use the command Remarks Enter system view system view Enable OSPF and enter its view ospf process id router id router id Enable the use of lin...

Page 355: ...e OSPF out of band synchronization enable out of band resynchron ization Required Disabled by default Configure for which OSPF neighbors the current router can serve as a GR Helper graceful restart help acl number prefix prefix list Optional The router can server as a GR Helper for any OSPF neighbor by default 3 8 3 Triggering OSPF Graceful Restart Performing the following configuration on an OSPF...

Page 356: ...er statistics Display next hop information display ospf process id nexthop Display routing table information display ospf process id routing interface interface type interface number nexthop nexthop address Display virtual link information display ospf process id vlink Display OSPF request queue information display ospf process id request queue interface type interface number neighbor id Display O...

Page 357: ... OSPF configuration 3 10 1 Configuring OSPF Basic Functions I Network requirements As shown in the following figure all switches run OSPF The AS is split into three areas in which Switch A and Switch B act as ABRs to forward routing information between areas After configuration all switches can learn routes to every network segment in the AS II Network diagram Area 0 Area 1 Area 2 Switch C Vlan in...

Page 358: ...tem view SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 area 2 SwitchB ospf 1 area 0 0 0 2 network 10 3 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 2 quit SwitchB ospf 1 quit Configure Switch C SwitchC system view SwitchC ospf SwitchC ospf 1 area 1 SwitchC ospf 1 area 0 0 0 1 network 10 2 1 0 0 0 0 255 SwitchC o...

Page 359: ...nt 5 Neighbors Area 0 0 0 1 interface 10 2 1 1 Vlan interface200 s neighbors Router ID 10 4 1 1 Address 10 2 1 2 GR State Normal State Full Mode Nbr is Master Priority 1 DR 10 2 1 1 BDR 10 2 1 2 MTU 0 Dead timer due in 32 sec Neighbor is up for 06 03 12 Authentication Sequence 0 Neighbor state change count 5 Display OSPF routing information on Switch A SwitchA display ospf routing OSPF Process 1 w...

Page 360: ... 0 0 0 1 Type LinkState ID AdvRouter Age Len Sequence Metric Router 10 2 1 1 10 2 1 1 769 36 80000012 0 Router 10 4 1 1 10 4 1 1 1663 48 80000012 0 Network 10 2 1 1 10 2 1 1 769 32 80000010 0 Sum Net 10 5 1 0 10 2 1 1 769 28 80000003 14 Sum Net 10 3 1 0 10 2 1 1 1069 28 8000000F 4 Sum Net 10 1 1 0 10 2 1 1 1069 28 8000000F 2 Sum Asbr 10 3 1 1 10 2 1 1 1069 28 8000000F 2 Display OSPF routing inform...

Page 361: ...00 packet loss round trip min avg max 1 8 16 ms 3 10 2 Configuring an OSPF Stub Area I Network requirements The following figure shows an AS is split into three areas where all switches run OSPF Switch A and Switch B act as ABRs to forward routing information between areas Switch D acts as the ASBR to redistribute routes static routes It is required to configure Area 1 as a Stub area reducing LSAs...

Page 362: ...h C SwitchC display ospf routing OSPF Process 1 with Router ID 10 4 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 10 2 1 0 24 3 Transit 10 2 1 2 10 2 1 1 0 0 0 1 10 3 1 0 24 7 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 4 1 0 24 3 Stub 10 4 1 1 10 4 1 1 0 0 0 1 10 5 1 0 24 17 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 1 1 0 24 5 Inter 10 2 1 1 10 2 1 1 0 0 0 1 Routing for ASEs...

Page 363: ...les Routing for Network Destination Cost Type NextHop AdvRouter Area 0 0 0 0 0 4 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 2 1 0 24 3 Transit 10 2 1 2 10 2 1 1 0 0 0 1 10 3 1 0 24 7 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 4 1 0 24 3 Stub 10 4 1 1 10 4 1 1 0 0 0 1 10 5 1 0 24 17 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 1 1 0 24 5 Inter 10 2 1 1 10 2 1 1 0 0 0 1 Total Nets 6 Intra Area 2 Inter Area 4 ASE 0 NSSA 0 Not...

Page 364: ... Intra Area 2 Inter Area 1 ASE 0 NSSA 0 Note After this configuration routing entries on the stub router are further reduced containing only one default external route 3 10 3 Configuring an OSPF NSSA Area I Network requirements The following figure shows an AS is split into three areas where all switches run OSPF Switch A and Switch B act as ABRs to forward routing information between areas It is ...

Page 365: ...spf 1 area 0 0 0 1 quit SwitchC ospf 1 quit Note It is recommended to configure the nssa command with the keyword default route advertise no summary on Switch A an ABR to reduce the routing table size on NSSA routers On other NSSA routers using the nssa command is ok Display OSPF routing information on Switch C SwitchC display ospf routing OSPF Process 1 with Router ID 10 4 1 1 Routing Tables Rout...

Page 366: ...0 Transit 10 3 1 2 10 3 1 1 0 0 0 2 10 4 1 0 24 25 Inter 10 3 1 1 10 3 1 1 0 0 0 2 10 5 1 0 24 10 Stub 10 5 1 1 10 5 1 1 0 0 0 2 10 1 1 0 24 12 Inter 10 3 1 1 10 3 1 1 0 0 0 2 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 3 1 3 0 24 1 Type2 1 10 3 1 1 10 2 1 1 Total Nets 6 Intra Area 2 Inter Area 3 ASE 1 NSSA 0 Note You can see on Switch D an external route imported from the NSSA ar...

Page 367: ...Configure Switch A SwitchA system view Switch A router id 1 1 1 1 Switch A ospf Switch A ospf 1 area 0 Switch A ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 quit SwitchA ospf 1 quit Configure Switch B SwitchB system view SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 qui...

Page 368: ... BDR 192 168 1 3 MTU 0 Dead timer due in 38 sec Neighbor is up for 00 01 31 Authentication Sequence 0 Neighbor state change count 2 Router ID 3 3 3 3 Address 192 168 1 3 GR State Normal State Full Mode Nbr is Master Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 01 28 Authentication Sequence 0 Neighbor state change count 2 Router ID 4 4 4 4 Address 1...

Page 369: ...eighbors Router ID 1 1 1 1 Address 192 168 1 1 GR State Normal State Full Mode Nbr is Slave Priority 100 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 11 17 Authentication Sequence 0 Neighbor state change count 5 Router ID 2 2 2 2 Address 192 168 1 2 GR State Normal State Full Mode Nbr is Slave Priority 0 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in ...

Page 370: ...r is Slave Priority 100 DR 192 168 1 1 BDR 192 168 1 3 MTU 0 Dead timer due in 39 sec Neighbor is up for 00 01 40 Authentication Sequence 0 Neighbor state change count 2 Router ID 2 2 2 2 Address 192 168 1 2 GR State Normal State 2 Way Mode None Priority 0 DR 192 168 1 1 BDR 192 168 1 3 MTU 0 Dead timer due in 35 sec Neighbor is up for 00 01 44 Authentication Sequence 0 Neighbor state change count...

Page 371: ...IP Address Type State Cost Pri DR BDR 192 168 1 1 Broadcast DR 1 100 192 168 1 1 192 168 1 3 SwitchB display ospf interface OSPF Process 1 with Router ID 2 2 2 2 Interfaces Area 0 0 0 0 IP Address Type State Cost Pri DR BDR 192 168 1 2 Broadcast DROther 1 0 192 168 1 1 192 168 1 3 Note The interface state DROther means the interface is not the DR BDR 3 10 5 Configuring OSPF Virtual Links I Network...

Page 372: ...area 0 0 0 0 quit SwitchA ospf 1 area 1 SwitchA ospf 1 area 0 0 0 1 network 192 168 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 1 quit Configure Switch B SwitchB system view SwitchB ospf 1 router id 2 2 2 2 SwitchB ospf 1 area 1 SwitchB ospf 1 area 0 0 0 1 network 192 168 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 1 quit SwitchB ospf 1 area 2 SwitchB ospf 1 area 0 0 0 2 network 172 16 0 0 0 0 255 255 Swi...

Page 373: ...2 2 2 SwitchA ospf 1 area 0 0 0 1 quit SwitchA ospf 1 quit Configure Switch B SwitchB ospf 1 SwitchB ospf 1 area 1 SwitchB ospf 1 area 0 0 0 1 vlink peer 1 1 1 1 SwitchB ospf 1 area 0 0 0 1 quit Display OSPF routing information on Switch A SwitchA display ospf routing OSPF Process 1 with Router ID 1 1 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 172 16 1 1 16...

Page 374: ...h C Switch B Router ID 1 1 1 1 Router ID 2 2 2 2 Router ID 3 3 3 3 Figure 3 26 Network diagram for OSPF based GR configuration III Configuration procedure 1 Configure Switch A SwitchA system view SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 1 1 1 255 255 255 0 SwitchA Vlan interface100 quit SwitchA router id 1 1 1 1 SwitchA ospf 100 SwitchA ospf 100 enable link loc...

Page 375: ...witchC ospf 100 SwitchC ospf 100 enable link local signaling SwitchC ospf 100 enable out of band resynchronization SwitchC ospf 100 area 0 SwitchC ospf 100 area 0 0 0 0 network 192 1 1 0 0 0 0 255 SwitchC ospf 100 area 0 0 0 0 quit 4 Verify the configuration After the configurations on Switch A Switch B and Switch C are completed and the switches are running steadily perform OSPF GR on Switch A Sw...

Page 376: ...all other areas If a router connects to more than one area at least one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cannot receive external routes and all interfaces connected to the Stub area must belong to the Stub area III Solution 1 Use the display ospf peer command to display neighbors 2 Use the display ospf interface comm...

Page 377: ...ned by the International Organization for Standardization ISO to operate on the connectionless network protocol CLNP The IS IS routing protocol has been modified and extended in RFC 1195 by the International Engineer Task Force IETF for application in both TCP IP and OSI reference models and the new one is called Integrated IS IS or Dual IS IS IS IS is an interior gateway protocol IGP used within ...

Page 378: ...signated router is also known as the designated IS or a pseudonode z Network service access point NSAP The NSAP is the ISO network layer address It identifies an abstract network service access point and describes the network address in the ISO reference model II IS IS address structure 1 NSAP As shown in Figure 4 1 the NSAP address consists of the Initial Domain Part IDP and the Domain Specific P...

Page 379: ...host or router 4 SEL The NSAP Selector SEL sometimes present in N SEL is similar with the protocol identifier in IP Different transport layer protocols use different SELs All SELs in IP are 00 5 Routing method Since the area is explicitly defined in the address structure the Level 1 router can easily recognize the packets sent out of the area These packets are forwarded to the Level 2 router The L...

Page 380: ...rea routing information All the Level 2 and Level 1 2 routers must be contiguous to form the backbone in a routing domain Only Level 2 routers can directly communicate with routers outside the routing domain 3 Level 1 2 router A router with both Level 1 and Level 2 router functions is called a Level 1 2 router It can establish the Level 1 neighbor relationship with the Level 1 and Level 1 2 router...

Page 381: ...protocol The Level 1 2 routers connect the Level 1 and Level 2 routers and also form the IS IS backbone together with the Level 2 routers There is no area defined as the backbone in this topology The backbone is composed of all contiguous Level 2 and Level 1 2 routers which can reside in different areas Figure 4 3 IS IS topology Note The IS IS backbone does not need to be a specific Area ...

Page 382: ...IS routing domain is comprised of only one Level 2 area and multiple Level 1 areas A Level 1 area is connected with the Level 2 area rather than other Level 1 areas The routing information of the Level 1 area is sent to the Level 2 area through the Level 1 2 router Therefore the Level 2 router knows the routing information of the entire IS IS routing domain but does not share the information with ...

Page 383: ...here are multiple routers with the same highest DIS priority the one with the highest SNPA Subnetwork Point of Attachment address which is the MAC address on a broadcast network will be selected A router can be the DIS for different levels As shown in Figure 4 4 the same level routers on the same network segment can establish adjacencies This is different from OSPF L1 L2 L1 L2 L1 L2 DIS DIS L1 adj...

Page 384: ...DUs while the specific headers vary by PDU type The following figure shows the PDU format Figure 4 5 PDU format II Common header format Figure 4 6 shows the common header format Intradomain routing protocol discriminator Reserved Version R ID length Version Protocol ID extension Length indicator Maximum area address R R PDU type No of Octets 1 1 1 1 1 1 1 1 Figure 4 6 PDU common header format z In...

Page 385: ...4 Level 1 Complete Sequence Numbers PDU L1 CSNP 25 Level 2 Complete Sequence Numbers PDU L2 CSNP 26 Level 1 Partial Sequence Numbers PDU L1 PSNP 27 Level 2 Partial Sequence Numbers PDU L2 PSNP III Hello The hello packet is used by routers to establish and maintain the neighbor relationship It is also called IS to IS hello PDU IIH For broadcast network the Level 1 router uses the Level 1 LAN IIH an...

Page 386: ...served 01 indicates L1 10 indicates L2 and 11 indicates L1 2 z Source ID The system ID of the router advertising the hello packet z Holding Time If no hello packets are received from a neighbor within the holding time the neighbor is considered dead z PDU Length The total length of the PDU in bytes z Priority DIS priority z LAN ID Includes the system ID and one byte pseudonode ID Figure 4 8 shows ...

Page 387: ...N IIH the P2P IIH has a Local Circuit ID field IV LSP packet format The Link State PDUs LSP carries link state information There are two types Level 1 LSP and Level 2 LSP The Level 2 LSP is sent by the Level 2 router and the Level 1 LSP is sent by the Level 1 router The level 1 2 router can sent both types of the LSPs Two types of LSPs have the same format as shown in Figure 4 9 ...

Page 388: ...erated by the L1 L1 router only related with L1 LSP indicates that the router generating the LSP is connected with multiple areas z OL LSDB Overload Indicates that the LSDB is not complete because the router is running out of system resources In this condition other routers will not send packets to the overloaded router except packets destined to the networks directly connected to the router For e...

Page 389: ...but more efficient SNP contains Complete SNP CSNP and Partial SNP PSNP which are further divided into Level 1 CSNP Level 2 CSNP Level 1 PSNP and Level 2 PSNP CSNP covers the summary of all LSPs in the LSDB to synchronize the LSDB between neighboring routers On broadcast networks CSNP is sent by the DIS periodically 10s by default On point to point networks CSNP is only sent during the first adjace...

Page 390: ...gure 4 12 shows the PSNP packet format Figure 4 12 L1 L2 PSNP format VI CLV The variable fields of PDU are composed of multiple Code Length Value CLV triplets Figure 4 13 shows the CLV format Figure 4 13 CLV format Table 4 2 shows different PDUs contain different CLVs Table 4 2 CLV name and the corresponding PDU type CLV Code Name PDU Type 1 Area Addresses IIH LSP 2 IS Neighbors LSP LSP 4 Partitio...

Page 391: ... and each process corresponds to a unique group of interfaces II IS IS Graceful Restart Note For detailed GR information refer to IP Routing GR Overview After an IS IS GR Restarter restarts IS IS it needs to complete the following two tasks to synchronize the LSDB with its neighbors z To obtain effective IS IS neighbor information without changing adjacencies z To obtain the LSDB contents After th...

Page 392: ...l system is capable of generating 256 LSP fragments 1 Terms z Originating System It is the router actually running IS IS After LSP fragment extension is enabled additional virtual systems can be configured for the router Originating system is the actual IS IS process that originally runs z System ID The system ID of the originating system z Additional System ID It is the additional virtual system ...

Page 393: ...the virtual systems belong to therefore no limitation is imposed on the link state information of the extended LSP fragments advertised by the virtual systems The operation mode of LSP fragment extension is configured based on area and routing level Mode 1 allows the routers supporting and not supporting LSP fragment extension to interoperate with each other but it restricts the link state informa...

Page 394: ...19 Recommendations for Interoperable Networks using IS IS z RFC 3786 Extending the Number of IS IS LSP Fragments Beyond the 256 Limit z RFC 3787 Recommendations for Interoperable IP Networks using IS IS z RFC 3847 Restart signaling for IS IS 4 2 IS IS Configuration Task List Complete the following tasks to configure IS IS Task Remarks Configuring IS IS Basic Functions Required Specifying a Priorit...

Page 395: ...mizing IS IS Network Enabling SNMP Trap Optional Configuring IS IS GR Optional 4 3 Configuring IS IS Basic Functions 4 3 1 Configuration Prerequisites Before the task configure an IP address for each interface making all adjacent nodes reachable to each other at the network layer 4 3 2 Configuration Procedure Follow these steps to configure IS IS basic functions To do Use the command Remarks Enter...

Page 396: ...wever an interface s type can be changed with this command when the router s type is Level 1 2 for the establishment of a specific level adjacency 4 4 Configuring IS IS Routing Information Control 4 4 1 Configuration Prerequisites Before the configuration accomplish the following tasks first z Configure an IP address on each interface and make sure all nodes are reachable z Configure basic IS IS f...

Page 397: ... bandwidth of an interface Interface cost defaults to 10 I Configure an IS IS cost for an interface Follow these steps to configure an interface s cost To do Use the command Remarks Enter system view system view Enter IS IS view isis process id Specify a cost style cost style narrow wide wide compatible compatible narrow compatible relax spf limit Optional narrow by default Return to system view q...

Page 398: ...y default III Enable automatic IS IS cost calculation Follow these steps to enable automatic IS IS cost calculation To do Use the command Remarks Enter system view system view Enter IS IS view isis process id Specify an IS IS cost style cost style narrow wide wide compatible compatible narrow compatible relax spf limit Optional narrow by default Configure a bandwidth reference value for automatic ...

Page 399: ...the interface cost is 40 if the interface bandwidth is in the range of 156 M to 622 M the interface cost is 30 if the interface bandwidth is in the range of 623 M to 2500 M the interface cost is 20 and the default interface cost of 10 is used for any other bandwidths 4 4 4 Configuring the Maximum Number of Equal Cost Routes If there are more than one equal cost routes to the same destination the t...

Page 400: ... Advertising a Default Route Follow these steps to advertise a default route To do Use the command Remarks Enter system view system view Enter IS IS view isis process id Advertise a default route default route advertise route policy route policy name level 1 level 2 level 1 2 Optional Level 2 router generates a default route by default Note The default route is only advertised to routers at the sa...

Page 401: ... policy route policy name tag tag Required No route is redistributed by default If no level is specified routes are redistributed into the Level 2 routing table by default Configure a filtering policy to filter redistributed routes filter policy acl number ip prefix ip prefix name route policy route policy name export isis process id ospf process id rip process id bgp direct static Optional Not co...

Page 402: ... IS functions 4 5 2 Configuring a DIS Priority for an Interface On an IS IS broadcast network a router should be selected as the DIS at a specific level Level 1 or Level 2 You can specify a DIS priority at a level for an interface The bigger the interface s priority value the more likelihood it becomes the DIS Follow these steps to configure a DIS priority for an interface To do Use the command Re...

Page 403: ...ets within the time for receiving the specified hello packets if no hello packets are received on the interface the neighbor is considered dead isis timer holding multiplier value level 1 level 2 Optional 3 by default Specify the interval for sending CSNP packets isis timer csnp seconds level 1 level 2 Optional 10 seconds by default Specify the interval for sending LSP packets isis timer lsp time ...

Page 404: ... applies to the level z On a point to point link if there is no response to a LSP sent by the local router within the specified retransmission interval the LSP is considered lost and the same LSP will be retransmitted On broadcast links responses to the sent LSPs are not required z The interval between hello packets sent by the DIS is 1 3 the hello interval set by the isis timer hello command 4 5 ...

Page 405: ...ptional 900 seconds by default Specify the maximum LSP aging time timer lsp max age seconds Optional 1200 seconds by default Specify LSP generation interval timer lsp generation maximum interval initial interval incremental interval level 1 level 2 Optional 2 seconds by default Enable the LSP flash flooding function flash flood flood count flooding count max timer interval flooding interval level ...

Page 406: ...he router to generate extended LSP fragments 4 5 6 Configuring SPF Parameters When the LSDB changes in an IS IS network a routing calculation starts If the changes happen frequently it will take a lot of system resources You can set the interval for SPF calculation for efficiency consideration The SPF calculation may occupy the CPU for a long time when the routing entries are too many You can spli...

Page 407: ...name is assigned by default Return to system view quit Enter interface view interface interface type interface number Assign a DIS name for the local network isis dis name symbolic name Optional Not assigned by default This command is only applicable on the router with dynamic host name mapping enabled It is invalid on point to point links Note The local host name on the local IS overwrites the re...

Page 408: ...ormation and no password is specified by default Specify the routing domain authentication mode domain authentication mode simple md5 password ip osi Required No authentication is enabled for Level 2 routing information and no password is specified by default Return to system view quit Enter interface view interface interface type interface number Specify the authentication mode and password isis ...

Page 409: ... allow interlevel external Required Not configured by default 4 5 10 Logging the Adjacency Changes Follow these steps to configure this task To do Use the command Remarks Enter system view system view Enter IS IS view isis process id Enable to log the adjacency changes log peer change Required Enabled by default Note With this feature enabled the state information of the adjacency is displayed on ...

Page 410: ...it The IS IS Graceful Restart provides the following features z When restarting ISIS a Graceful Restart capable device will resend connection requests to its neighbors instead of terminating their neighboring relationships z Graceful Restart minimizes network disruption caused by LSDB synchronization before LSP packets generation z When a router starts for the first time it sets the overload bit i...

Page 411: ...t suppress sa Optional By default the SA bit is not set 4 7 Displaying and Maintaining IS IS To do Use the command Remarks Display brief IS IS information display isis brief process id Available in any view Display information about IS IS enabled interfaces display isis interface verbose process id Available in any view Display IS IS license information display isis license Available in any view D...

Page 412: ...tion of an IS IS process reset isis all process id Available in user view Clear the data structure information of an IS IS neighbor reset isis peer system id process id Available in user view 4 8 IS IS Configuration Example 4 8 1 IS IS Basic Configuration I Network requirements As shown in Figure 4 14 Switch A B C and Switch D reside in an IS IS AS Switch A and B are Level 1 switches Switch D is a...

Page 413: ... isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 isis enable 1 SwitchB Vlan interface200 quit Configure Switch C SwitchC system view SwitchC isis 1 SwitchC isis 1 network entity 10 0000 0000 0003 00 SwitchC isis 1 quit SwitchC interface vlan interface 100 SwitchC Vlan interface100 isis enable 1 SwitchC Vlan interface100 ...

Page 414: ...ime Length ATT P OL 0000 0000 0001 00 00 0x00000004 0xdf5e 1096 68 0 0 0 0000 0000 0002 00 00 0x00000004 0xee4d 1102 68 0 0 0 0000 0000 0002 01 00 0x00000001 0xdaaf 1102 55 0 0 0 0000 0000 0003 00 00 0x00000009 0xcaa3 1161 111 1 0 0 0000 0000 0003 01 00 0x00000001 0xadda 1112 55 0 0 0 Self LSP Self LSP Extended ATT Attached P Partition OL Overload SwitchB display isis lsdb Database information for...

Page 415: ...00000014 0x194a 1051 111 1 0 0 0000 0000 0003 01 00 0x00000002 0xabdb 854 55 0 0 0 Self LSP Self LSP Extended ATT Attached P Partition OL Overload Level 2 Link State Database LSPID Seq Num Checksum Holdtime Length ATT P OL 0000 0000 0003 00 00 0x00000012 0xc93c 842 100 0 0 0 0000 0000 0004 00 00 0x00000026 0x331 1173 84 0 0 0 0000 0000 0004 01 00 0x00000001 0xee95 668 55 0 0 0 Self LSP Self LSP Ex...

Page 416: ...SIS 1 IPv4 Level 1 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 10 1 1 0 24 10 NULL Vlan100 Direct D L 10 1 2 0 24 20 NULL Vlan100 10 1 1 1 R 192 168 0 0 24 20 NULL Vlan100 10 1 1 1 R 0 0 0 0 0 10 NULL Vlan100 10 1 1 1 R Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set SwitchC display isis route Route information for ISIS 1 ISIS 1 IPv4 Level 1 Fo...

Page 417: ...l 2 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 192 168 0 0 24 10 NULL Vlan300 Direct D L 10 1 1 0 24 20 NULL Vlan300 192 168 0 1 R 10 1 2 0 24 20 NULL Vlan300 192 168 0 1 R 172 16 0 0 16 10 NULL Vlan100 Direct D L Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set 4 8 2 DIS Selection Configuration I Network requirements As shown in Figure 4 15 Sw...

Page 418: ...0001 00 SwitchA isis 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 isis enable 1 SwitchA Vlan interface100 quit Configure Switch B SwitchB system view SwitchB isis 1 SwitchB isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 isis enable 1 SwitchB Vlan interface100 quit Configure Switch C SwitchC syst...

Page 419: ...tem Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0003 01 State Up HoldTime 21s Type L1 L1L2 PRI 64 System Id 0000 0000 0003 Interface Vlan interface100 Circuit Id 0000 0000 0003 01 State Up HoldTime 27s Type L1 PRI 64 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0004 01 State Up HoldTime 28s Type L2 L1L2 PRI 64 System Id 0000 0000 0004 Interface V...

Page 420: ...te By using the default DIS priority Switch C is the Level 1 DIS and Switch D is the Level 2 DIS The pseudonodes of Level 1 and Level 2 are 0000 0000 0003 01 and 0000 0000 0004 01 respectively 3 Configure the DIS priority of Switch A SwitchA interface vlan interface 100 SwitchA Vlan interface100 isis dis priority 100 SwitchA Vlan interface100 quit Display IS IS neighbors of Switch A SwitchA displa...

Page 421: ...Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 Yes Yes Note After the DIS priority configuration Switch A becomes the Level 1 2 DIS and the pseudonode is 0000 0000 0001 01 Display information about IS IS neighbors and interfaces of Switch C SwitchC display isis peer Peer information for ISIS 1 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id...

Page 422: ...0000 0000 0001 01 State Up HoldTime 28s Type L2 PRI 64 SwitchD display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No No 4 8 3 IS IS Graceful Restart Configuration Example I Network requirements Switch A Switch B and Switch C are interconnected to each other in the same IS IS routing domain These switches ...

Page 423: ...hA isis 1 graceful restart interval 150 SwitchA isis 1 return Configurations for Switch B and Switch C are similar and therefore are omitted here 3 Verify the configuration After Router A establishes adjacencies with Router B and Router C they begin to exchange routing information Restart IS IS on Router A which enters into the restart state and sends connection requests to its neighbors through t...

Page 424: ...d Complete CSNP Not Received Number of T1 Pre Expiry 0 IS IS 1 Level 2 Restart Status Restart Interval 150 SA Bit Supported Total Number of Interfaces 1 Restart Status RESTARTING T3 Timer Status Remaining Time 65535 T2 Timer Status Remaining Time 59 Interface Vlan1 T1 Timer Status Remaining Time 1 RA Not Received Complete CSNP Not Received Number of T1 Pre Expiry 0 ...

Page 425: ...g and Maintaining BGP z BGP Configuration Examples z Troubleshooting BGP Note The term router refers to a router in a generic sense or a Layer 3 switch running routing protocols 5 1 BGP Overview Three early versions of BGP are BGP 1 RFC1105 BGP 2 RFC1163 and BGP 3 RFC1267 The current version in use is BGP 4 RFC1771 BGP 4 is rapidly becoming the defacto Internet exterior routing protocol standard a...

Page 426: ...elopments A router advertising BGP messages is called a BGP speaker which exchanges new routing information with other BGP speakers When a BGP speaker receives a new route or a route better than the current one from another AS it will advertise the route to all the other BGP speakers in the local AS BGP speakers call each other peers and several associated peers form a peer group BGP runs on a rou...

Page 427: ...stablishment The Open message contains the following fields Figure 5 2 BGP open message format z Version This 1 byte unsigned integer indicates the protocol version number of the message The current BGP version is 4 z My Autonomous System This 2 byte unsigned integer indicates the Autonomous System number of the sender z Hold Time When establishing peer relationship two parties negotiate an identi...

Page 428: ...l length of the Path Attributes field in bytes A value of 0 indicates that no Network Layer Reachability Information field is present in this Update message z Path Attributes List of path attributes related to NLRI Each path attribute is a triple attribute type attribute length attribute value of variable length BGP uses these attributes to avoid routing loops perform routing and protocol extensio...

Page 429: ...st be recognized by all BGP routers and must be included in every update message Routing information error occurs without this attribute z Well known discretionary Can be recognized by all BGP routers and optional to be included in every update message as needed z Optional transitive Transitive attribute between ASs A BGP router not supporting this attribute can still receive routes with this attr...

Page 430: ... command have the IGP attribute z EGP Has the second highest priority Routes obtained via EGP have the EGP attribute z incomplete Has the lowest priority The source of routes with this attribute is unknown which does not mean such routes are unreachable The routes redistributed from other routing protocols have the incomplete attribute 2 AS_PATH AS_PATH is a well known mandatory attribute This att...

Page 431: ...ves priority to the route with the shortest AS_PATH length if other factors are the same As shown in the above figure the BGP router in AS50 gives priority to the route passing AS40 for sending information to the destination 8 0 0 0 In some applications you can apply a routing policy to control BGP route selection by modifying the AS_PATH length By configuring an AS path filtering list you can fil...

Page 432: ...cing information refer to BGP Route Selection Figure 5 7 NEXT_HOP attribute 4 MED MULTI_EXIT_DISC The MED attribute is exchanged between two neighboring ASs each of which does not advertise the attribute to any other AS Similar with metrics used by IGP MED is used to determine the best route for traffic going into an AS When a BGP router obtains multiple routes to the same destination but with dif...

Page 433: ... as the best route As shown below traffic from AS20 to AS10 travels through Router C that is selected according to LOCAL_PREF Figure 5 9 LOCAL_PREF attribute 6 COMMUNITY The COMMUNITY attribute is used to simplify routing policy usage and ease management and maintenance It is a collection of destination addresses having identical attributes without physical boundaries in between and having nothing...

Page 434: ...ortest CLUSTER_LIST z Select the route with the smallest ORIGINATOR_ID z Select the route advertised by the router with the smallest Router ID Note z CLUSTER_IDs of route reflectors form a CLUSTER_LIST If a route reflector receives a route that contains its own CLUSTER ID in the CLUSTER_LIST the router discards the route to avoid routing loops z If load balancing is configured the system selects a...

Page 435: ...ancing and adds load balancing to route selection rules Note z BGP implements load balancing only on routes that have the same AS_PATH ORIGIN LOCAL_PREF and MED z BGP load balancing is applicable between EBGPs between IBGPs and between confederations z If multiple routes to the same destination are available BGP selects routes for load balancing according to the configured maximum number of load b...

Page 436: ...outes can BGP advertise these routes to EBGP peers z A BGP speaker advertises all routes to a newly connected peer 5 1 4 IBGP and IGP Synchronization The routing information synchronization between IBGP and IGP is for avoidance of giving wrong directions to routers outside of the local AS If a non BGP router works in an AS a packet forwarded via the router may be discarded due to an unreachable de...

Page 437: ...sappears in the routing table frequently When a route flap occurs the routing protocol sends an update to its neighbor and then the neighbor needs to recalculate routes and modify the routing table Therefore frequent route flaps consume large bandwidth and CPU resources even affect normal operation of the network In most cases BGP is used in complex networks where route changes are very frequent T...

Page 438: ...ed with identical commands The peer group feature simplifies configuration of this kind When a peer is added into a peer group the peer enjoys the same route update policy as the peer group to improve route distribution efficiency Caution If an option is configured both for a peer and for the peer group the latest configuration takes effect IV Community A peer group makes peers in it enjoy the sam...

Page 439: ... a router acts as a route reflector and other routers act as clients connecting to the route reflector The route reflector forwards reflects routing information between clients BGP connections between clients need not be established The router neither a route reflector nor a client is a non client which has to establish connections to the route reflector and non clients as shown below Figure 5 13 ...

Page 440: ...dwidth resources The system supports using related commands to disable route reflection in this case Note After route reflection is disabled between clients routes between a client and a non client can still be reflected VI Confederation Confederation is another method to deal with growing IBGP connections in ASs It splits an AS into multiple sub ASs In each sub AS IBGP peers are fully meshed and ...

Page 441: ... information refer to IP Routing GR Overview 1 To establish a BGP session with a peer a BGP GR Restarter sends an OPEN message with GR capability to the peer 2 Upon receipt of this message the peer is aware that the sending router is capable of Graceful Restart and sends an OPEN message with GR Capability to the GR Restarter to establish a GR session If neither party has the GR capability the sess...

Page 442: ... BGP extended attributes In BGP 4 the three types of attributes for IPv4 namely NLRI NEXT_HOP and AGGREGATOR contains the IP address of the speaker generating the summary route are all carried in updates To support multiple network layer protocols BGP 4 puts information about network layer into NLRI and NEXT_HOP MP BGP introduced two path attributes z MP_REACH_NLRI Multiprotocol Reachable NLRI for...

Page 443: ...nities Attribute z RFC2796 BGP Route Reflection z RFC3065 Autonomous System Confederations for BGP z draft ietf idr restart 08 Graceful Restart Mechanism for BGP 5 2 BGP Configuration Task List Complete the following tasks to configure BGP Task Remarks Configuring BGP Basic Functions Required Configuring BGP Route Redistribution Optional Configuring BGP Route Summarization Optional Advertising a D...

Page 444: ...CP you need to specify IP addresses of peers which may not be neighboring routers z Using logical links can also establish BGP peer relationships z In general IP addresses of loopback interfaces are used to improve stability of BGP connections 5 3 1 Prerequisites The neighboring nodes are accessible to each other at the network layer 5 3 2 Configuration Procedure Follow these steps to configure BG...

Page 445: ...r change Optional Enabled by default Enable the logging of peer state changes for a peer or peer group peer group name ip address log change Optional Enabled by default Specify a preferred value for routes from a peer or peer group peer group name ip address preferred value value Optional The preferred value defaults to 0 Specify the source interface for establishing TCP connections to a peer or p...

Page 446: ...lish TCP connections to the peers when using the outbound interfaces of the best routes as the source interfaces z In general direct physical links should be available between EBGP peers If not you can use the peer ebgp max hop command to establish a TCP connection over multiple hops between two peers You need not use this command for directly connected EBGP peers which employ loopback interfaces ...

Page 447: ... network to the BGP routing table network ip address mask mask length short cut route policy route policy name Optional Not injected by default Note z The ORIGIN attribute of routes redistributed using the import route command is Incomplete z The ORIGIN attribute of networks advertised into the BGP routing table with the network command is IGP These networks must exist in the local IP routing tabl...

Page 448: ...ed if both are configured the manual route summarization takes effect 5 4 4 Advertising a Default Route to a Peer or Peer Group Follow these steps to advertise a default route to a peer or peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Advertise a default route to a peer or peer group peer group name ip address default route advertise route poli...

Page 449: ...ltering policy as needed If several filtering policies are configured they are applied in the following sequence z filter policy export z peer filter policy export z peer as path acl export z peer ip prefix export z peer route policy export Only routes pass the first policy can they go to the next and only routes passing all the configured policies can they be advertised 5 4 6 Configuring BGP Rout...

Page 450: ... can be received from a peer peer group peer group name ip address route limit limit percentage The number is unlimited by default Note z Only routes permitted by the specified filtering policies can they be installed into the local BGP routing table z Members of a peer group can have different route reception filtering policies from the peer group 5 4 7 Enabling BGP and IGP Route Synchronization ...

Page 451: ... name Optional Not configured by default 5 5 Configuring BGP Route Attributes 5 5 1 Prerequisites Before configuring this task you have configured BGP basic functions 5 5 2 Configuration Procedure You can configure BGP route attributes to influence BGP route selection Follow these steps to configure BGP route attributes To do Use the command Remarks Enter system view system view Enter BGP view bgp...

Page 452: ... the comparison of MED of routes from each AS bestroute compare med Optional Not enabled by default Configure the MED attribute Enable the comparison of MED of routes from confederation peers bestroute med confederation Optional Not enabled by default Specify the router as the next hop of routes to a peer peer group peer group name ip address next hop local Optional By default routes to an EBGP pe...

Page 453: ...ault the router takes AS_PATH as a factor for best route selection Specify a fake AS number for a peer peer group peer group name ip address fake as as number Optional Not specified by default This command is only applicable to an EBGP peer or peer group Substitute local AS number for the AS number of a peer peer group in the AS_PATH attribute peer group name ip address substitute as Optional The ...

Page 454: ...s can only find the fake AS number z The peer substitute as command is used only in specific networking environments Inappropriate use of the command may cause routing loops 5 6 Tuning and Optimizing BGP Networks This task involves the following parts 1 Configure BGP timers After establishing a BGP connection two routers send keepalive messages periodically to each other to keep the connection If ...

Page 455: ...iguring this task you have configured BGP basic functions 5 6 2 Configuration Procedure Follow these steps to tune and optimize BGP networks To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure keepalive interval and holdtime timer keepalive keepalive hold holdtime Configure BGP timers Configure keepalive interval and holdtime for a peer peer group pee...

Page 456: ...olicy peer group name ip address keep all routes Optional Not kept by default Return to user view return Perform manual soft reset on BGP connections refresh bgp all ip address group group name external internal export import Required Enter system view system view Configure BGP soft reset Enter BGP view bgp as number Enable the clearing of the direct EBGP session on any interface that becomes down...

Page 457: ...a large scale BGP network configuration and maintenance become difficult due to large numbers of BGP peers In this case configuring peer groups makes management easier and improves route distribution efficiency Peer group includes IBGP peer group where peers belong to the same AS and EBGP peer group where peers belong to different ASs If peers in an EBGP group belong to the same external AS the EB...

Page 458: ...the group peer ip address group group name as number as number Optional You can add multiple peers into the group The system will create these peers automatically and specify the local AS number as their AS in BGP view Create an EBGP peer group group group name external Specify a peer and the AS number for the peer peer ip address as number as number Configu re a mixed EBGP peer group Add a peer i...

Page 459: ...igured by default Note z When configuring BGP community you need to configure a routing policy to define the community attribute and apply the routing policy to route advertisement z For routing policy configuration refer to Routing Policy Configuration 5 7 4 Configuring a BGP Route Reflector Follow these steps to configure a BGP route reflector To do Use the command Remarks Enter system view syst...

Page 460: ...ing loops 5 7 5 Configuring a BGP Confederation Follow these steps to configure a BGP confederation To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure a confederation ID confederation id as number Configure a BGP confederation Specify sub ASs contained in the confederation confederation peer as as number list Required Not configured by default Enable...

Page 461: ...l restart Required Disabled by default Configure the maximum time allowed for the peer to reestablish a BGP session graceful restart timer restart timer Optional 150 seconds by default Configure the maximum time to wait for the End of RIB marker graceful restart timer wait for rib timer Optional 180 seconds by default Note z In general the maximum time allowed for the peer the GR restarter to rees...

Page 462: ... BGP routing information matching the specified BGP community display bgp routing table community aa nn 1 13 no advertise no export no export subconfed whole match Display routing information matching a BGP community list display bgp routing table community list basic community list number whole match adv community list number 1 16 Display BGP dampened routing information display bgp routing table...

Page 463: ...p external Reset the BGP connections to a peer group reset bgp group group name Reset all IBGP connections reset bgp internal Reset all IPv4 unicast BGP connections reset bgp ipv4 all Available in user view 5 9 3 Clearing BGP Information To do Use the command Remarks Clear dampened MBGP routing information and release suppressed routes reset bgp dampening ip address mask mask length Clear route fl...

Page 464: ...ic configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure IBGP connections Configure Switch B SwitchB system view SwitchB bgp 65009 SwitchB bgp router id 2 2 2 2 SwitchB bgp peer 9 1 1 2 as number 65009 SwitchB bgp peer 9 1 3 2 as number 65009 SwitchB bgp quit Configure Switch C SwitchC system view SwitchC bgp 65009 SwitchC bgp router id 3 3 3 3 Switc...

Page 465: ...h B SwitchB display bgp peer BGP local router ID 2 2 2 2 Local AS number 65009 Total number of peers 3 Peers in established state 3 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 9 1 1 2 4 65009 56 56 0 0 00 40 54 Established 9 1 3 2 4 65009 49 62 0 0 00 44 58 Established 200 1 1 2 4 65008 49 65 0 1 00 44 03 Established You can find Switch B has established BGP connections to other switches ...

Page 466: ...tchC display bgp routing table Total Number of Routes 1 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 8 0 0 0 200 1 1 2 0 100 0 65008i Note From the above outputs you can find Switch A has learned no route to AS65009 and Switch C has learned network 8 0 0 0 but th...

Page 467: ...uppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 8 0 0 0 200 1 1 2 0 100 0 65008i i 9 1 1 0 24 9 1 3 1 0 100 0 i 9 1 3 0 24 9 1 3 1 0 100 0 i 200 1 1 0 9 1 3 1 0 100 0 You can find the route 8 0 0 0 becomes valid with the next hop being Switch A Ping 8 1 1 1 on Switch C SwitchC ping 8 1 1 1 PING 8 1 1 1 56 data bytes press CTRL_C to break Reply from 8 1...

Page 468: ...ocedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF omitted 3 Configure the EBGP connection Configure Switch A SwitchA system view SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 3 1 1 1 as number 65009 Inject network 8 1 1 0 24 to the BGP routing table SwitchA bgp network 8 1 1 0 24 SwitchA bgp quit Configure Switch B SwitchB system view SwitchB bgp 65009 Swi...

Page 469: ... ospf SwitchB ospf 1 import route bgp SwitchB ospf 1 quit Display routing table information on Switch C SwitchC display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 8 1 1 0 24 O_ASE 150 1 9 1 1 1 Vlan300 9 1 1 0 24 Direct 0 0 9 1 1 2 Vlan300 9 1 1 2 32 Direct 0 0 127 0 0 1 InLoop0 9 1 2 0 24 Direct 0 0 9 1 2 1 Vlan400 9 1 2 1 32 D...

Page 470: ...1 bytes 56 Sequence 1 ttl 254 time 15 ms Reply from 9 1 2 1 bytes 56 Sequence 2 ttl 254 time 31 ms Reply from 9 1 2 1 bytes 56 Sequence 3 ttl 254 time 47 ms Reply from 9 1 2 1 bytes 56 Sequence 4 ttl 254 time 46 ms Reply from 9 1 2 1 bytes 56 Sequence 5 ttl 254 time 47 ms 9 1 2 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 15 37 47 ms 5 10 3 B...

Page 471: ...s Configure Switch A SwitchA system view SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 200 1 1 1 as number 65009 SwitchA bgp peer 200 1 2 1 as number 65009 Inject route 8 0 0 0 8 to BGP routing table SwitchA bgp network 8 0 0 0 255 0 0 0 SwitchA bgp quit Configure Switch B SwitchB system view SwitchB bgp 65009 SwitchB bgp router id 2 2 2 2 SwitchB bgp peer 200 1 1 2 as number 65...

Page 472: ...lable and the one with the next hop being 200 1 1 1 is the optimal because the ID of Switch B is smaller 3 Configure loading balancing Configure Switch A SwitchA bgp 65008 SwitchA bgp balance 2 SwitchA bgp quit Display the routing table on Switch A SwitchA display bgp routing table Total Number of Routes 3 BGP Local router ID is 1 1 1 1 Status codes valid best d damped h history i internal s suppr...

Page 473: ...f PrefVal Path Ogn 8 0 0 0 0 0 0 0 0 0 i 9 1 1 0 24 200 1 2 1 0 0 65009i 200 1 1 1 100 0 65009i From the above information you can find the route with the next hop 200 1 2 1 is the best route because its MED 0 is smaller than the MED 100 of the other route with the next hop 200 1 1 1 Switch B 5 10 4 BGP Community Configuration I Network requirements Switch B establishes EBGP connections with Switc...

Page 474: ...itchB bgp peer 200 1 2 1 as number 10 SwitchB bgp peer 200 1 3 2 as number 30 SwitchB bgp quit Configure Switch C SwitchC system view SwitchC bgp 30 SwitchC bgp router id 3 3 3 3 SwitchC bgp peer 200 1 3 1 as number 20 SwitchC bgp quit Display the BGP routing table on Switch B SwitchB display bgp routing table 9 1 1 0 BGP local router ID 2 2 2 2 Local AS number 20 Paths 1 available 1 best BGP rout...

Page 475: ...oute policy comm_policy permit node 0 SwitchA route policy apply community no export SwitchA route policy quit Apply the routing policy SwitchA bgp 10 SwitchA bgp peer 200 1 2 2 route policy comm_policy export SwitchA bgp peer 200 1 2 2 advertise community Display the routing table on Switch B SwitchB display bgp routing table 9 1 1 0 BGP local router ID 2 2 2 2 Local AS number 20 Paths 1 availabl...

Page 476: ... Vlan int300 193 1 1 2 24 Vlan int400 194 1 1 2 24 Vlan int400 194 1 1 1 24 Vlan int300 193 1 1 1 24 Switch C Switch B Switch D AS 200 Route Reflector Figure 5 20 Network diagram for BGP route reflector configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure BGP connections Configure Switch A SwitchA system view SwitchA bgp 100 SwitchA bgp router id 1 ...

Page 477: ...witch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 2 reflect client SwitchC bgp peer 194 1 1 2 reflect client SwitchC bgp quit 4 Verify the above configuration Display the BGP routing table on Switch B SwitchB display bgp routing table Total Number of Routes 1 BGP Local router ID is 2 2 2 2 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Netwo...

Page 478: ... Interface IP address Device Interface IP address Switch A Vlan int100 200 1 1 1 24 Switch D Vlan int400 10 1 3 2 24 Vlan int200 10 1 1 1 24 Vlan int200 10 1 5 1 24 Vlan int300 10 1 2 1 24 Switch E Vlan int500 10 1 4 2 24 Vlan int400 10 1 3 1 24 Vlan int200 10 1 5 2 24 Vlan int500 10 1 4 1 24 Switch F Vlan int200 9 1 1 1 24 Switch B Vlan int200 10 1 1 2 24 Vlan int100 200 1 1 2 24 Switch C Vlan in...

Page 479: ... quit Configure Switch C SwitchC system view SwitchC bgp 65003 SwitchC bgp router id 3 3 3 3 SwitchC bgp confederation id 200 SwitchC bgp confederation peer as 65001 65002 SwitchC bgp peer 10 1 2 1 as number 65001 SwitchC bgp quit 3 Configure IBGP connections in AS65001 Configure Switch A SwitchA bgp 65001 SwitchA bgp peer 10 1 3 2 as number 65001 SwitchA bgp peer 10 1 3 2 next hop local SwitchA b...

Page 480: ... router id 6 6 6 6 SwitchF bgp peer 200 1 1 1 as number 200 SwitchF bgp network 9 1 1 0 255 255 255 0 SwitchF bgp quit 5 Verify above configuration Display the routing table on Switch B SwitchB display bgp routing table Total Number of Routes 1 BGP Local router ID is 2 2 2 2 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED...

Page 481: ...display bgp routing table 9 1 1 0 BGP local router ID 4 4 4 4 Local AS number 65001 Paths 1 available 1 best BGP routing table entry information of 9 1 1 0 24 From 10 1 3 1 1 1 1 1 Relay Nexthop 0 0 0 0 Original nexthop 10 1 3 1 AS path 100 Origin igp Attribute value MED 0 localpref 100 pref val 0 pre 255 State valid internal best Not advertised to any peers yet 5 10 7 BGP Path Selection Configura...

Page 482: ...ection configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF on Switch B C and D Configure Switch B SwitchB system view SwitchB ospf SwitchB ospf area 0 SwitchB ospf 1 area 0 0 0 0 network 192 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 network 194 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Configure Switch C SwitchC sy...

Page 483: ...SwitchB bgp quit Configure Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 1 as number 100 SwitchC bgp peer 195 1 1 1 as number 200 SwitchC bgp quit Configure Switch D SwitchD bgp 200 SwitchD bgp peer 194 1 1 2 as number 200 SwitchD bgp peer 195 1 1 2 as number 200 SwitchD bgp quit 4 Configure attributes for route 1 0 0 0 8 making Switch D give priority to the route learned from Switch C z Confi...

Page 484: ...es 2 BGP Local router ID is 194 1 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 1 0 0 0 193 1 1 1 50 100 0 100i i 192 1 1 1 100 100 0 100i You can find route 1 0 0 0 8 is the optimal z Configure different local preferences on Switch B and C for route 1 0 0 0 8 making Switch D give priority ...

Page 485: ...roubleshooting BGP 5 11 1 No BGP Peer Relationship Established I Symptom Display BGP peer information using the display bgp peer command The state of the connection to a peer cannot become established II Analysis To become BGP peers any two routers need to establish a TCP session using port 179 and exchange open messages successfully III Solution 1 Use the display current configuration command to ...

Page 486: ...nual IPv4 Routing H3C S5500 EI Series Ethernet Switches Chapter 5 BGP Configuration 5 62 7 Use the display tcp status command to check the TCP connection 8 Check whether an ACL disabling TCP port 179 is configured ...

Page 487: ...a Routing Policy z Displaying and Maintaining the Routing Policy z Routing Policy Configuration Example z Troubleshooting Routing Policy Configuration Note Routing policy described in this chapter includes both IPv4 routing policy and IPv6 routing policy Configurations of the two are similar and differences are described in related sections 6 1 Introduction to Routing Policy 6 1 1 Routing Policy a...

Page 488: ...tions or next hops of routing information For ACL configuration refer to ACL configuration II IP prefix list IP prefix list plays a role similar to ACL but it is more flexible than ACL and easier to understand When an IP prefix list is applied to filtering routing information its matching object is the destination address of routing information Moreover you can specify the gateway option to indica...

Page 489: ... through the next node Each node comprises a set of if match and apply clauses The if match clauses define the match criteria The matching objects are some attributes of routing information The different if match clauses on a node is in logical AND relationship Only when the matching conditions specified by all the if match clauses on the node are satisfied can routing information pass the node Th...

Page 490: ...ing the system compares the route to each item identified by index number in the ascending order If one item matches the route passes the IP prefix list without needing to match against the next item Follow these steps to define an IPv4 prefix list To do Use the command Remarks Enter system view system view Define an IPv4 prefix list ip ip prefix ip prefix name index index number permit deny ip ad...

Page 491: ...efined by default 6 3 4 Defining a Community List You can define multiple items for a community list that is identified by number During matching the relation between items is logic OR that is if routing information matches one of these items it passes the community list Follow these steps to define a community list To do Use the command Remarks Enter system view system view Define a basic communi...

Page 492: ... can comprise multiple nodes each node contains z if match clauses Define the match criteria that routing information must satisfy The matching objects are some attributes of routing information z apply clauses Specify the actions performed after specified match criteria are satisfied concerning attribute settings for passed routing information 6 4 1 Prerequisites Before configuring this task you ...

Page 493: ...ter routing information routing information that does not meet any node s conditions cannot pass the routing policy If all nodes of the routing policy are set using the deny keyword no routing information can pass it 6 4 3 Defining if match Clauses for the Routing Policy Follow these steps to define if match clauses for a route policy To do Use the command Remarks Enter system view system view Ent...

Page 494: ... Not configured by default Match routes having the specified route type if match route type internal external type1 external type2 external type1or2 is is level 1 is is level 2 nssa external type1 nssa external type2 nssa external type1or 2 Optional Not configured by default Match RIP OSPF or IS IS routes having the specified tag value if match tag value Optional Not configured by default Note z T...

Page 495: ...t set by default Set a cost for routes apply cost value Optional Not set by default Set a cost type for routes apply cost type external internal type 1 type 2 Optional Not set by default Set the extended community attribute for BGP routes apply extcommunity rt as number nn ip address nn 1 16 additive Optional Not set by default Set a next hop for IPv4 routes apply ip address next hop ip address Op...

Page 496: ...r Display BGP extended community list information display ip extcommunity list ext comm list number Display IPv4 prefix list statistics display ip ip prefix ip prefix name Display routing policy information display route policy route policy name Available in any view Clear IPv4 prefix list statistics reset ip ip prefix ip prefix name Available in user view 6 6 Routing Policy Configuration Example ...

Page 497: ...ork entity 10 0000 0000 0001 00 SwitchC isis 1 quit SwitchC interface vlan interface 200 SwitchC Vlan interface200 isis enable SwitchC Vlan interface200 quit SwitchC interface vlan interface 201 SwitchC Vlan interface201 isis enable SwitchC Vlan interface201 quit SwitchC interface vlan interface 202 SwitchC Vlan interface202 isis enable SwitchC Vlan interface202 quit SwitchC interface vlan interfa...

Page 498: ... 0 network 192 168 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 import route isis 1 SwitchB ospf 1 quit Display OSPF routing table on Switch A to view redistributed routes SwitchA display ospf routing OSPF Process 1 with Router ID 192 168 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 192 168 1 0 24 1562 Stub 192 168 1 1 192 168 1 1 0 0 0 0 Rou...

Page 499: ...cy isis2ospf permit node 30 SwitchB route policy quit 6 Apply the routing policy to route redistribution Configure Switch B apply the routing policy when redistributing routes SwitchB ospf SwitchB ospf 1 import route isis 1 route policy isis2ospf SwitchB ospf 1 quit Display the OSPF routing table on Switch A You can find the cost of route 172 17 1 0 24 is 100 tag of route 172 17 1 0 24 is 20 and o...

Page 500: ...ng Failure I Symptom Filtering routing information failed while routing protocol runs normally II Analysis At least one item of the IP prefix list should be configured as permit mode and at least one node in the Route policy should be configured as permit mode III Processing procedure 1 Use the display ip ip prefix command to display IP prefix list information 2 Use the display route policy comman...

Page 501: ...RIPng Basic Functions 2 4 2 2 1 Configuration Prerequisites 2 4 2 2 2 Configuration Procedure 2 4 2 3 Configuring RIPng Route Control 2 4 2 3 1 Configuring an Additional Routing Metric 2 5 2 3 2 Configuring RIPng Route Summarization 2 5 2 3 3 Advertising a Default Route 2 5 2 3 4 Configuring a RIPng Route Filtering Policy 2 6 2 3 5 Configuring a Priority for RIPng 2 6 2 3 6 Configuring RIPng Route...

Page 502: ...7 Configuring OSPFv3 Route Redistribution 3 9 3 6 Tuning and Optimizing an OSPFv3 Network 3 10 3 6 1 Prerequisites 3 10 3 6 2 Configuring OSPFv3 Timers 3 10 3 6 3 Configuring the DR Priority for an Interface 3 11 3 6 4 Ignoring MTU Check for DD Packets 3 12 3 6 5 Disable Interfaces from Sending OSPFv3 Packets 3 12 3 6 6 Enable the Logging on Neighbor State Changes 3 12 3 7 Displaying and Maintaini...

Page 503: ...sing a Default Route to a Peer Peer Group 5 8 5 4 4 Configuring Route Distribution Policy 5 8 5 4 5 Configuring Route Reception Policy 5 9 5 4 6 Configuring IPv6 BGP and IGP Route Synchronization 5 10 5 4 7 Configuring Route Dampening 5 11 5 5 Configuring IPv6 BGP Route Attributes 5 11 5 5 1 Prerequisites 5 11 5 5 2 Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP Attributes 5 1...

Page 504: ...efining Filtering Lists 6 2 6 2 1 Prerequisites 6 2 6 2 2 Defining an IPv6 Prefix List 6 3 6 2 3 Defining an AS Path List 6 3 6 2 4 Defining a Community List 6 4 6 2 5 Defining an Extended Community List 6 4 6 3 Configuring a Routing Policy 6 5 6 3 1 Prerequisites 6 5 6 3 2 Creating a Routing Policy 6 5 6 3 3 Defining if match Clauses for the Routing Policy 6 6 6 3 4 Defining apply Clauses for the...

Page 505: ...modify the static routes 1 1 1 Features of IPv6 Static Routes Similar to IPv4 static routes IPv6 static routes work well in simple IPv6 network environments Their major difference lies in the destination and next hop addresses IPv6 static routes use IPv6 addresses whereas IPv4 static routes use IPv4 addresses 1 1 2 Default IPv6 Route The IPv6 static route that has the destination address configure...

Page 506: ...v6 static routes is 60 1 3 Displaying and Maintaining IPv6 Static Routes To do Use the command Remarks Display IPv6 static route information display ipv6 routing table protocol static inactive verbose Available in any view Remove all IPv6 static routes delete ipv6 static routes all Available in system view Note Using the undo ipv6 route static command can delete a single IPv6 static route while us...

Page 507: ...wo IPv6 static routes on Switch B SwitchB system view SwitchB ipv6 SwitchB ipv6 route static 1 64 4 1 SwitchB ipv6 route static 3 64 5 1 Configure the default IPv6 static route on Switch C SwitchC system view SwitchC ipv6 SwitchC ipv6 route static 0 5 2 3 Configure the IPv6 addresses of hosts and gateways Configure the IPv6 addresses of all the hosts based upon the network diagram configure the de...

Page 508: ... Protocol Direct NextHop 4 1 Preference 0 Interface Vlan200 Cost 0 Destination 4 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination FE80 10 Protocol Direct NextHop Preference 0 Interface NULL0 Cost 0 Verify the connectivity with the ping command SwitchA ping ipv6 3 1 PING 3 1 56 data bytes press CTRL_C to break Reply from 3 1 bytes 56 Sequence 1 hop limit 254 time 63...

Page 509: ...ation Manual IPv6 Routing H3C S5500 EI Series Ethernet Switches Chapter 1 IPv6 Static Routing Configuration 1 5 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 62 62 63 ms ...

Page 510: ...a routing protocol based on the distance vector D V algorithm RIPng uses UDP packets to exchange routing information through port 521 RIPng uses a hop count to measure the distance to a destination The hop count is referred to as metric or cost The hop count from a router to a directly connected network is 0 The hop count between two directly connected routers is 1 When the hop count is greater th...

Page 511: ...ket Format I Basic format A RIPng packet consists of a header and multiple route table entries RTEs The maximum number of RTEs in a packet depends on the MTU of the sending interface Figure 2 1 shows the packet format of RIPng Figure 2 1 RIPng basic packet format z Command Type of message 0x01 indicates Request 0x02 indicates Response z Version Version of RIPng It can only be 0x01 currently z RTE ...

Page 512: ... length both being 0 and with a metric value of 16 the RIPng router will respond with the entire routing table information in response messages If there are multiple RTEs in the request message the RIPng router will examine each RTE update its metric and send the requested routing information to the requesting router in the response packet II Response packet The response packet containing the loca...

Page 513: ...ace and make sure all nodes are reachable 2 2 2 Configuration Procedure Follow these steps to configure the basic RIPng functions To do Use the command Remarks Enter system view system view Create a RIPng process and enter RIPng view ripng process id Required Not created by default Return to system view quit Enter interface view interface interface type interface number Enable RIPng on the interfa...

Page 514: ...tric is added to the metric of a received route before the route is added into the routing table so the route s metric is changed Follow these steps to configure an inbound outbound additional routing metric To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify an inbound routing additional metric ripng metricin value Opt...

Page 515: ...ou can also specify a routing protocol from which to filter routing information redistributed Follow these steps to configure a RIPng route filtering policy To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure a filter policy to filter incoming routes filter policy acl6 number ipv6 prefix ipv6 prefix name import Required By default RIPng does not ...

Page 516: ...te routes from another routing protocol import route protocol process id allow ibgp cost cost route policy route policy name Required No route redistribution is configured by default 2 4 Tuning and Optimizing the RIPng Network This section describes how to tune and optimize the performance of the RIPng network as well as applications under special network environments Before tuning and optimizing ...

Page 517: ...ds for the garbage collect timer Note When adjusting RIPng timers you should consider the network performance and perform unified configurations on routers running RIPng to avoid unnecessary network traffic increase or route oscillation 2 4 2 Configuring Split Horizon and Poison Reverse Note If both the split horizon and poison reverse are configured only the poison reverse function takes effect I...

Page 518: ... Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable the poison reverse function ripng poison reverse Required Disabled by default 2 4 3 Configuring Zero Field Check on RIPng Packets Some fields in the RIPng packet must be zero These fields are called zero fields With zero field check on RIPng packets enabled if such a field c...

Page 519: ... configuration information of a RIPng process display ripng process id Available in any view Display routes in the RIPng database display ripng process id database Available in any view Display the routing information of a specified RIPng process display ripng process id route Available in any view Display RIPng interface information display ripng process id interface interface type interface numb...

Page 520: ...tch B SwitchB system view SwitchB ipv6 SwitchB ripng 1 SwitchB ripng 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 ripng 1 enable SwitchB Vlan interface200 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 ripng 1 enable SwitchB Vlan interface100 quit Configure Switch C SwitchC system view SwitchC ipv6 SwitchC ripng 1 SwitchC ripng 1 quit SwitchC interface...

Page 521: ...1 Sec Display the routing table of Switch A SwitchA display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 200 2FF FE64 8904 on Vlan interface100 Dest 1 64 via FE80 200 2FF FE64 8904 cost 1 tag 0 A 31 Sec Dest 4 64 via FE80 200 2FF FE64 8904 cost 2 tag 0 A 31 Sec Dest 5 64 via FE80 200 2FF FE64 8904 cost 2 tag 0 A 31 Sec Dest 3 64 via FE80 200 2FF FE64 8904 cost 1 tag 0...

Page 522: ...80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 4 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 5 Sec Dest 5 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 5 Sec SwitchA display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE00 1235 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE00 1235 cost 1 tag 0 A 2 Sec De...

Page 523: ...ription LSR Link State Request LSU Link State Update LSAck Link State Acknowledgment z Mechanisms for finding neighbors and establishing adjacencies z Mechanisms for LSA flooding and aging Differences between OSPFv3 and OSPFv2 z OSPFv3 now runs on a per link basis instead of on a per IP subnet basis z OSPFv3 supports multiple instances per link z OSPFv3 identifies neighbors by Router ID while OSPF...

Page 524: ...nated by ABRs Area Border Routers and flooded throughout the LSA s associated area Each Inter Area Prefix LSA describes a route with IPv6 address prefix to a destination outside the area yet still inside the AS an inter area route z Inter Area Router LSAs Similar to Type 4 LSA of OSPFv2 originated by ABRs and flooded throughout the LSA s associated area Each Inter Area Router LSA describes a route...

Page 525: ... response is received after retransmission interval elapses the router will send again the LSA The retransmission interval must be longer than the round trip time of the LSA in between II LSA delay time Each LSA has an age in the local LSDB incremented by 1 per second but an LSA is not aged on transmission You need to add an LSA delay time into the age time before transmission which is important f...

Page 526: ... Information Management Configuring OSPFv3 Route Redistribution Optional Configuring OSPFv3 Timers Optional Configuring the DR Priority for an Interface Optional Ignoring MTU Check for DD Packets Optional Disable Interfaces from Sending OSPFv3 Packets Optional Tuning and Optimizing an OSPFv3 Network Enable the Logging on Neighbor State Changes Optional 3 3 Configuring OSPFv3 Basic Functions 3 3 1 ...

Page 527: ...ation environments with OSPFv2 Splitting an OSPFv3 AS into multiple areas reduces the number of LSAs on networks and extends OSPFv3 application For those non backbone areas residing on the AS boundary you can configure them as Stub areas to further reduce the size of routing tables on routers in these areas and the number of LSAs Non backbone areas exchange routing information via the backbone are...

Page 528: ...cally z All routers attached to a stub area must be configured with the stub command The keyword no summary is only available on the ABR z If you use the stub command with the keyword no summary on an ABR the ABR distributes a default summary LSA into the area rather than generating an AS external LSA or Inter Area Prefix LSA The stub area of this kind is also known as totally stub area 3 4 3 Conf...

Page 529: ...marization between areas To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Enter OSPFv3 area view area area id Configure a summary route abr summary ipv6 address prefix length not advertise Required Not configured by default Note The abr summary command is available on ABRs only If contiguous network segments are available in an area you can use the co...

Page 530: ... costs for interfaces to adjust routing calculation Follow these steps to configure the link cost for an OSPFv3 interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the cost for the interface ospfv3 cost value instance instance id Optional 1 by default 3 5 5 Configuring the Maximum Number of OSPFv3 Load balan...

Page 531: ...ority of OSPFv3 interval routes is 10 and priority of OSPFv3 external routes is 150 3 5 7 Configuring OSPFv3 Route Redistribution Follow these steps to configure OSPFv3 route redistribution To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Specify a default cost for redistributed routes default cost value Optional Defaults to 1 Redistribute routes from...

Page 532: ...check ignorance for DD packets disabling interfaces from sending OSPFv3 packets OSPFv3 timers z Packet timer Specified to adjust topology convergence speed and network load z LSA delay timer Specified especially for low speed links z SPF timer Specified to protect networks from being over consumed due to frequent network changes For a broadcast network you can configure DR priorities for interface...

Page 533: ... hold interval Optional By default delay interval is 5 seconds and hold interval is 10 seconds Note z The dead interval set on neighboring interfaces cannot be so short Otherwise a neighbor is easily considered down z The LSA retransmission interval cannot be so short otherwise unnecessary retransmissions occur 3 6 3 Configuring the DR Priority for an Interface Follow these steps to configure the ...

Page 534: ...able interfaces from sending OSPFv3 packets To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Disable interfaces from sending OSPFv3 packets silent interface interface type interface number all Required Not disabled by default Note After an OSPF interface is set to silent direct routes of the interface can still be advertised in Intra Area Prefix LSAs ...

Page 535: ...ternal inter prefix inter router intra prefix link network router link state id originate router router id total Display LSA statistics in OSPFv3 LSDB display ospfv3 lsdb statistic Display OSPFv3 neighbor information display ospfv3 process id area area id peer interface type interface number verbose peer router id Display OSPFv3 neighbor statistics display ospfv3 peer statistic Display OSPFv3 rout...

Page 536: ...d retrans list external inter prefix inter router intra prefix link network router link state id originate router ip address statistics Display OSPFv3 statistics display ospfv3 statistic 3 8 OSPFv3 Configuration Examples 3 8 1 Configuring OSPFv3 Areas I Network requirements In the following figure all switches run OSPFv3 The AS is split into three areas in which Switch B and Switch C act as ABRs t...

Page 537: ...1 SwitchA Vlan interface200 quit Configure Switch B SwitchB system view SwitchB ipv6 SwitchB ospfv3 SwitchB ospf 1 router id 2 2 2 2 SwitchB ospf 1 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 ospfv3 1 area 0 SwitchB Vlan interface100 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 ospfv3 1 area 1 SwitchB Vlan interface200 quit Configure Switch C SwitchC ...

Page 538: ...0 0 OSPFv3 Area ID 0 0 0 1 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 1 1 1 1 1 Full Backup 00 00 38 Vlan200 0 Display OSPFv3 neighbor information on Switch C SwitchC display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 2 2 2 2 1 Full Backup 00 00 39 Vlan100 0 OSPFv3 Area ID 0 0 0 2 Process 1 Neighbor ID Pri State Dead Time...

Page 539: ...onfigure Switch C and specify the cost of the default route sent to the stub area as 10 SwitchC ospfv3 SwitchC ospfv3 1 area 2 SwitchC ospfv3 1 area 0 0 0 2 stub SwitchC ospfv3 1 area 0 0 0 2 default cost 10 Display OSPFv3 routing table information on Switch D You can find a default route is added whose cost is the cost of the directly connected route plus the configured cost SwitchD display ospfv...

Page 540: ...re reduced All non direct routes are removed except the default route SwitchD display ospfv3 routing E1 Type 1 external route IA Inter area route I Intra area route E2 Type 2 external route Seleted route OSPFv3 Router with ID 4 4 4 4 Process 1 Destination 0 Type IA Cost 11 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 2 64 Type I Cost 1 NextHop directly connected Interface Vlan400 ...

Page 541: ...em view SwitchA ipv6 SwitchA ospfv3 SwitchA ospfv3 1 router id 1 1 1 1 SwitchA ospfv3 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ospfv3 1 area 0 SwitchA Vlan interface100 quit Configure Switch B SwitchB system view SwitchB ipv6 SwitchB ospfv3 SwitchB ospfv3 1 router id 2 2 2 2 SwitchB ospfv3 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 ospfv3 1 a...

Page 542: ... Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 2 2 2 2 1 2 Way DROther 00 00 36 Vlan200 0 3 3 3 3 1 Full Backup 00 00 35 Vlan100 0 4 4 4 4 1 Full DR 00 00 33 Vlan200 0 Display neighbor information on Switch D You can find the neighbor states between Switch D and other switches are all full SwitchD display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pr...

Page 543: ...play ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 1 1 1 1 100 Full DROther 00 00 33 Vlan100 0 2 2 2 2 0 Full DROther 00 00 36 Vlan200 0 3 3 3 3 2 Full Backup 00 00 40 Vlan100 0 4 Restart DR BDR election Use the shutdown and undo shutdown commands on interfaces to restart DR BDR election omitted Display neighbor information on Switch A You can f...

Page 544: ...3 interface information using the display ospfv3 interface command 3 Ping the neighbor router s IP address to check connectivity 4 Check OSPF timers The dead interval on an interface must be at least four times the hello interval 5 On a broadcast network at least one interface must have a DR priority higher than 0 3 9 2 Incorrect Routing Information I Symptom OSPFv3 cannot find routes to other are...

Page 545: ...rmation to check integrity 4 Display information about area configuration using the display current configuration configuration command If more than two areas are configured at least one area is connected to the backbone 5 In a Stub area all routers are configured with the stub command 6 If a virtual link is configured use the display ospf vlink command to check the neighbor state ...

Page 546: ...ction to IPv6 IS IS The IS IS routing protocol Intermediate System to Intermediate System intra domain routing information exchange protocol supports multiple network protocols including IPv6 IS IS with IPv6 support is called IPv6 IS IS dynamic routing protocol The international engineer task force IETF defines two type length values TLVs and a new network layer protocol identifier NLPID to enable...

Page 547: ...reachable z Enable IS IS 4 2 2 Configuration Procedure Follow these steps to configure the basic functions of IPv6 IS IS To do Use command to Remarks Enter system view system view Enable an IS IS process and enter IS IS view isis process id Required Not enabled by default Configure the network entity title for the IS IS process network entity net Required Not configured by default Enable IPv6 for ...

Page 548: ...level 2 level 1 2 route policy route policy name Optional No IPv6 default route is defined by default Configure IPv6 IS IS to filter incoming routes ipv6 filter policy acl6 number ipv6 prefix ipv6 prefix name route policy route policy name import Optional No filtering policy is defined by default Configure IPv6 IS IS to redistribute routes from another routing protocol ipv6 import route protocol p...

Page 549: ...iew Display IS IS license information display isis license Available in any view Display LSDB information display isis lsdb l1 l2 level 1 level 2 lsp id lsp id lsp name lspname local verbose process id Available in any view Display IS IS mesh group information display isis mesh group process id Available in any view Display the mapping table between the host name and system ID display isis name ta...

Page 550: ... and Switch C are in area 10 while Switch D is in area 20 II Network diagram Figure 4 1 Network diagram for IPv6 IS IS basic configuration III Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure IPv6 IS IS Configure Switch A SwitchA system view SwitchA isis 1 SwitchA isis 1 is level level 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA isis 1 ipv6 ena...

Page 551: ...witchC Vlan interface100 isis ipv6 enable 1 SwitchC Vlan interface100 quit SwitchC interface vlan interface 200 SwitchC Vlan interface200 isis ipv6 enable 1 SwitchC Vlan interface200 quit SwitchC interface vlan interface 300 SwitchC Vlan interface300 isis ipv6 enable 1 SwitchC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 is level level 2 SwitchD isis ...

Page 552: ...P Configuration 5 1 IPv6 BGP Overview BGP 4 manages only IPv4 routing information thus other network layer protocols such as IPv6 are not supported To support multiple network layer protocols IETF extended BGP 4 by introducing IPv6 BGP that is defined in RFC 2858 multiprotocol extensions for BGP 4 To implement IPv6 support IPv6 BGP puts IPv6 network layer information into the attributes of network...

Page 553: ...IPv6 BGP Route Redistribution Optional Advertising a Default Route to a Peer Peer Group Optional Configuring Route Distribution Policy Optional Configuring Route Reception Policy Optional Configuring IPv6 BGP and IGP Route Synchronization Optional Controlling Route Distribution and Reception Configuring Route Dampening Optional Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP At...

Page 554: ...6 peer To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Not enabled by default Specify a router ID router id router id Optional Required if no IP addresses configured for Loopback interface and other interfaces Enter IPv6 address family view ipv6 family Specify an IPv6 peer and its AS number peer ipv6 address as number as number Required Not configu...

Page 555: ...ue is 0 Note If you both reference a routing policy and use the command peer ipv6 group name ipv6 address preferred value value to set a preferred value for routes from a peer the routing policy sets a non zero preferred value for routes matching it Other routes not matching the routing policy uses the value set with the command If the preferred value in the routing policy is zero the routes match...

Page 556: ...ability will not affect TCP connection establishment z To establish multiple BGP connections to a BGP router you need to specify on the local router the respective source interfaces for establishing TCP connections to the peers on the peering BGP router otherwise the local BGP router may fail to establish TCP connections to the peers when using the outbound interfaces of the best routes as the sou...

Page 557: ...ystem view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Configure a description for a peer peer group peer ipv6 group name ipv6 address description description text Optional Not configured by default Note The peer group to be configured with a description must have been created 5 3 8 Disabling Session Establishment to a Peer Peer Group Follow these s...

Page 558: ...group peer ipv6 group name ipv6 address log change Optional Enabled by default Note Refer to the part discussing IPv4 routing commands for information about the log peer change command 5 4 Controlling Route Distribution and Reception The task includes routing information filtering routing policy application and route dampening 5 4 1 Prerequisites Before configuring this task you have z Enabled the...

Page 559: ...ing a Default Route to a Peer Peer Group Follow these steps to configure to advertise default route to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Advertise a default route to a peer peer group peer ipv6 group name ipv6 address default route advertise route policy route policy name Re...

Page 560: ...acl6 number export Required Not specified by default Specify an AS path ACL to filer routes advertised to a peer peer group peer ipv6 group name ipv6 address as path acl as path acl number export Required Not specified by default Specify an IPv6 prefix list to filer routes advertised to a peer peer group peer ipv6 group name ipv6 address ipv6 prefix ipv6 prefix name export Required Not specified b...

Page 561: ... peer peer group peer ipv6 group name ipv6 address as path acl as path acl number import Required Not specified by default Specify an IPv6 prefix list to filter routing information imported from a peer peer group peer ipv6 group name ipv6 address ipv6 prefix ipv6 prefix name import Required Not specified by default Specify the upper limit of address prefixes imported from a peer peer group peer ip...

Page 562: ...and IGP synchronization Required Not enabled by default 5 4 7 Configuring Route Dampening Follow these steps to configure BGP route dampening To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Configure IPv6 BGP route dampening parameters dampening half life reachable half life unreachable reuse suppress ceil...

Page 563: ...e Optional The value defaults to 100 Advertise routes to a peer peer group with the local router as the next hop peer ipv6 group name ipv6 address next hop local Required By default the feature is available for routes advertised to the EBGP peer peer group but not available to the IBGP peer peer group Note z To make sure an IBGP peer can find the correct next hop you can configure routes advertise...

Page 564: ...t 5 5 4 Configuring the AS_PATH Attribute Follow these steps to configure the AS_PATH attribute To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Allow the local AS number to appear in AS_PATH of routes from a peer peer group and specify the repeat times peer ipv6 group name ipv6 address allow as loop number...

Page 565: ... is checked z IPv6 BGP connection soft reset After modifying a route selection policy you have to reset IPv6 BGP connections to make the new one take effect causing a short time disconnection The current IPv6 BGP implementation supports the route refresh feature that enables dynamic IPv6 BGP routing table refresh without needing to disconnect IPv6 BGP links With this feature enabled on all IPv6 BG...

Page 566: ...terval for sending the same update to a peer peer group peer ipv6 group name ipv6 address route update interval seconds Optional The interval for sending the same update to an IBGP peer or an EBGP peer defaults to 15 seconds or 30 seconds Note z Timers configured using the timer command have lower priority than timers configured using the peer timer command z The holdtime interval must be at least...

Page 567: ...ons manually refresh bgp ipv6 all ipv6 address group ipv6 group name external internal export import Required Note If the peer keep all routes command is used all routes from the peer peer group will be saved regardless of whether the filtering policy is available These routes will be used to generate IPv6 BGP routes after soft reset is performed 5 6 4 Configuring the Maximum Number of Load Balanc...

Page 568: ...nity between IPv6 BGP peers is not limited by AS To guarantee connectivity between IBGP peers you need to make them fully meshed but it becomes unpractical when there are too many IBGP peers Using route reflectors or confederation can solve it In a large scale AS both of them can be used Confederation configuration of IPv6 BGP is identical to that of BGP4 so it is not mentioned here The following ...

Page 569: ...eer group group ipv6 group name external Required Configure the AS number for the peer group peer ipv6 group name as number as number Required Not configured by default Add an IPv6 peer into the peer group peer ipv6 address group ipv6 group name Required Not added by default Note z To create a pure EBGP peer group you need to specify an AS number for the peer group z If a peer was added into an EB...

Page 570: ...BGP Community I Advertise community attribute to a peer peer group Follow these steps to advertise community attribute to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Not enabled by default Enter IPv6 address family view ipv6 family Advertise community attribute to a peer peer group peer ipv6 group name ipv6 address advertise c...

Page 571: ...icy to route advertisement 5 7 4 Configuring an IPv6 BGP Route Reflector Follow these steps to configure an IPv6 BGP route reflector To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6 address family view ipv6 family Configure the router as a route reflector and specify a peer peer group as a client peer ipv6 group name ipv6 address reflect ...

Page 572: ... routing information display bgp ipv6 network Display IPv6 BGP AS path information display bgp ipv6 paths as regular expression Display IPv6 BGP peer peer group information display bgp ipv6 peer ipv6 group name log info ipv6 address log info verbose Display IPv6 BGP routing table information display bgp ipv6 routing table ipv6 address prefix length Display IPv6 BGP routing information matching an ...

Page 573: ...tatistic Display IPv6 BGP routing information matching a regular expression display bgp ipv6 routing table regular expression as regular expression Display IPv6 BGP routing statistics display bgp ipv6 routing table statistic 5 8 2 Resetting IPv6 BGP Connections To do Use the command Remarks Perform soft reset on IPv6 BGP connections refresh bgp ipv6 ipv6 address all external group ipv6 group name ...

Page 574: ... figure are all IPv6 BGP switches Between Switch A and Switch B is an EBGP connection Switch B Switch C and Switch D are IBGP fully meshed II Network diagram Figure 5 1 IPv6 BGP basic configuration network diagram III Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure IBGP connections Configure Switch B SwitchB system view SwitchB ipv6 SwitchB bgp 65009 SwitchB b...

Page 575: ...router id 4 4 4 4 SwitchD bgp ipv6 family SwitchD bgp af ipv6 peer 9 1 1 as number 65009 SwitchD bgp af ipv6 peer 9 2 1 as number 65009 SwitchD bgp af ipv6 quit SwitchD bgp quit 3 Configure the EBGP connection Configure Switch A SwitchA system view SwitchA ipv6 SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp ipv6 family SwitchA bgp af ipv6 peer 10 1 as number 65009 SwitchA bgp af ipv6 ...

Page 576: ...rs 2 Peers in established state 2 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 9 3 1 4 65009 4 4 0 0 00 02 18 Established 9 2 2 4 65009 4 5 0 0 00 01 52 Established Switch A and B established an EBGP connection Switch B C and D established IBGP connections with each other 5 9 2 IPv6 BGP Route Reflector Configuration I Network requirements Switch B receives an EBGP update and sends it to Sw...

Page 577: ...hB bgp ipv6 family SwitchB bgp af ipv6 peer 100 1 as number 100 SwitchB bgp af ipv6 peer 101 1 as number 200 SwitchB bgp af ipv6 peer 101 1 next hop local Configure Switch C SwitchC system view SwitchC ipv6 SwitchC bgp 200 SwitchC bgp router id 3 3 3 3 SwitchC bgp ipv6 family SwitchC bgp af ipv6 peer 101 2 as number 200 SwitchC bgp af ipv6 peer 102 2 as number 200 Configure Switch D SwitchD system...

Page 578: ... any two routers need to establish a TCP session using port 179 and exchange open messages successfully III Processing steps 1 Use the display current configuration command to verify the peer s AS number 2 Use the display bgp ipv6 peer command to verify the peer s IPv6 address 3 If the loopback interface is used check whether the peer connect interface command is configured 4 If the peer is not di...

Page 579: ...tch criteria can be set beforehand and then apply them to a routing policy for route distribution reception and redistribution 6 1 2 Filters Routing protocols can use six filters ACL IP prefix list AS path ACL community list extended community list and routing policy I ACL When defining an ACL you can specify IP addresses and prefixes to match destinations or next hops of routing information For A...

Page 580: ...in logic OR relationship Each node is a match unit and the system compares each node to a packet in the order of node sequence number Once a node is matched the routing policy is passed and the packet will not go through the next node Each node comprises a set of if match and apply clauses The if match clauses define the match criteria The matching objects are some attributes of routing informatio...

Page 581: ... index index number deny permit ipv6 address prefix length greater equal min prefix length less equal max prefix length Required Not defined by default Note If all items are set to the deny mode no routes can pass the IPv6 prefix list Therefore you need to define the permit 0 less equal 128 item following multiple deny mode items to allow other IPv6 routing information to pass For example the foll...

Page 582: ...stem view Define a basic community list ip community list basic comm list num deny permit community number list internet no advertise no export no export subconfed Define a communi ty list Define an advanced community list ip community list adv comm list num deny permit regular expression Required to define either Not defined by default 6 2 5 Defining an Extended Community List You can define mult...

Page 583: ...fy The matching objects are some attributes of routing information z apply clauses Specify the actions performed after specified match criteria are satisfied concerning attribute settings for passed routing information 6 3 1 Prerequisites Before configuring this task you have completed z Filtering list configuration z Routing protocol configuration You also need to decide on z Name of the routing ...

Page 584: ...tion that does not meet any node s conditions cannot pass the routing policy If all nodes of the routing policy are set using the deny keyword no routing information can pass it 6 3 3 Defining if match Clauses for the Routing Policy Follow these steps to define if match clauses for a route policy To do Use the command Remarks Enter system view system view Enter routing policy view route policy rou...

Page 585: ... having the specified tag value if match tag value Optional Not configured by default Note z The if match clauses of a route policy are in logic AND relationship namely routing information has to satisfy all if match clauses before being executed with apply clauses z You can specify no or multiple if match clauses for a routing policy If no if match clause is specified and the routing policy is in...

Page 586: ...te for IPv6 BGP routes apply extcommunity rt as number nn ip address nn 1 16 additive Optional Not set by default Set a next hop for IPv6 routes apply ipv6 next hop ipv6 address Optional Not set by default Redistribute routes to a specified ISIS level apply isis level 1 level 1 2 level 2 Optional Not configured by default Set a local preference for IPv6 BGP routes apply local preference preference...

Page 587: ...licy information display route policy route policy name Clear IPv6 prefix statistics reset ip ipv6 prefix ipv6 prefix name Available in any view 6 5 Routing Policy Configuration Example 6 5 1 Applying Routing Policy When Redistributing IPv6 Routes I Network requirements z Enable RIPng on Switch A and Switch B z Configure three static routes on Switch A and apply a routing policy when redistributin...

Page 588: ... 11 2 SwitchA ipv6 route static 40 32 11 2 Configure routing policy SwitchA ip ipv6 prefix a index 10 permit 30 32 SwitchA route policy static2ripng deny node 0 SwitchA route policy if match ipv6 address prefix list a SwitchA route policy quit SwitchA route policy static2ripng permit node 10 SwitchA route policy quit Enable RIPng and redistribute static routes SwitchA ripng SwitchA ripng 1 import ...

Page 589: ...1 cost 1 tag 0 A 3 Sec 6 6 Troubleshooting Routing Policy Configuration 6 6 1 IPv6 Routing Information Filtering Failure I Symptom Filtering routing information failed while routing protocol runs normally II Analysis At least one item of the IPv6 prefix list should be configured as permit mode and at least one node of the Route policy should be configured as permit mode III Processing procedure 1 ...

Page 590: ... 16 1 4 4 Configuring the Number of Attempts to Send an NS Message for DAD 1 19 1 5 Configuring PMTU Discovery 1 19 1 5 1 Configuring a Static PMTU for a Specified IPv6 Address 1 19 1 5 2 Configuring the Aging Time for PMTU 1 20 1 6 Configuring IPv6 TCP Properties 1 20 1 7 Configuring ICMPv6 Packet Sending 1 21 1 7 1 Configuring the Maximum ICMPv6 Error Packets Sent in an Interval 1 21 1 7 2 Enabl...

Page 591: ...ration Example 3 6 3 4 Configuring 6to4 Tunnel 3 9 3 4 1 Configuration Prerequisites 3 9 3 4 2 Configuration Procedure 3 9 3 4 3 Configuration Example 3 11 3 5 Configuring ISATAP Tunnel 3 15 3 5 1 Configuration Prerequisites 3 15 3 5 2 Configuration Procedure 3 15 3 5 3 Configuration Example 3 17 3 6 Displaying and Maintaining Tunneling Configuration 3 19 3 7 Troubleshooting Tunneling Configuratio...

Page 592: ...ation Example z Troubleshooting IPv6 Basics Configuration Note The term router or the router icon in this document refers to a router in a generic sense or a Layer 3 Ethernet switch running a routing protocol 1 1 IPv6 Overview Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4...

Page 593: ...ation Fragment offset F TTL Protocol Header checksum Source address 32 bits Destination address 32 bits Options Padding IPv4 header Basic IPv6 header Figure 1 1 Comparison between IPv4 packet header format and basic IPv6 packet header format II Adequate address space The source and destination IPv6 addresses are both 128 bits 16 bytes long IPv6 can provide 3 4 x 1038 addresses to completely meet t...

Page 594: ...rol Message Protocol Version 6 ICMPv6 messages that manages the information exchange between neighbor nodes on the same link The group of ICMPv6 messages takes the place of Address Resolution Protocol ARP message Internet Control Message Protocol version 4 ICMPv4 router discovery message and ICMPv4 redirection message to provide a series of other functions VIII Flexible extension headers IPv6 canc...

Page 595: ...n an IPv4 address An IPv6 address prefix is written in IPv6 address prefix length notation where IPv6 address is an IPv6 address in any of the notations and prefix length is a decimal number indicating how many bits from the utmost left of an IPv6 address are the address prefix II IPv6 address classification IPv6 addresses fall into three types unicast address multicast address and anycast address...

Page 596: ... unicast addresses III Unicast address There are several forms of unicast address assignment in IPv6 including aggregatable global unicast address link local address and site local address z The aggregatable global unicast address equivalent to an IPv4 public address is provided for network service providers The type of address allows efficient route prefix aggregation to restrict the number of gl...

Page 597: ...d to acquire the link layer addresses of neighbor nodes on the same link and is also used for duplicate address detection DAD Each IPv6 unicast or anycast address has one corresponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6...

Page 598: ...e types and functions of ICMPv6 messages used by the NDP Table 1 3 Types and functions of ICMPv6 messages ICMPv6 message Number Function Used to acquire the link layer address of a neighbor Used to verify whether the neighbor is reachable Neighbor solicitation NS message 135 Used to perform a duplicate address detection Used to respond to an NS message Neighbor advertisement NA message 136 When th...

Page 599: ...ion in IPv4 a node acquires the link layer addresses of neighbor nodes on the same link through NS and NA messages Figure 1 3 shows how node A acquires the link layer address of node B Figure 1 3 Address resolution The address resolution procedure is as follows 1 Node A multicasts an NS message The source address of the NS message is the IPv6 address of an interface of node A and the destination a...

Page 600: ...1 4 Duplicate address detection The DAD procedure is as follows 1 Node A sends an NS message whose source address is the unassigned address and destination address is the corresponding solicited node multicast address of the IPv6 address to be detected The NS message contains the IPv6 address 2 If node B uses this IPv6 address node B returns an NA message The NA message contains the IPv6 address o...

Page 601: ...he address prefix accordingly z An automatically generated address is applicable within the valid lifetime and will be removed when the valid lifetime times out V Redirection When a host is started its routing table may contain only the default route to the gateway When certain conditions are satisfied the gateway sends an ICMPv6 redirect message to the source host so that the host can select a be...

Page 602: ...d then sends it 4 Step 2 to step 3 are repeated until the destination host receives the packet In this way the minimum MTU of all links in the path from the source host to the destination host is determined 1 1 5 Introduction to IPv6 DNS In the IPv6 network a Domain Name System DNS supporting IPv6 converts domain names into IPv6 addresses instead of IPv4 addresses However just like an IPv4 DNS an ...

Page 603: ...bnet Anycast Addresses z RFC 3307 Allocation Guidelines for IPv6 Multicast Addresses z RFC 3513 Internet Protocol Version 6 IPv6 Addressing Architecture z RFC 3596 DNS Extensions to Support IP Version 6 1 2 IPv6 Basics Configuration Task List Complete the following tasks to perform IPv6 basics configuration Task Remarks Configuring Basic IPv6 Functions Required Configuring IPv6 NDP Optional Config...

Page 604: ... addresses are configured manually IPv6 link local addresses can be configured in either of the following ways z Automatic generation The device automatically generates a link local address for an interface according to the link local address prefix FE80 64 and the link layer address of the interface z Manual assignment IPv6 link local addresses can be assigned manually Follow these steps to confi...

Page 605: ...d link local address is removed the automatically generated link local address takes effect z The manual assignment takes precedence over the automatic generation That is if you first adopt the automatic generation and then the manual assignment the manually assigned link local address will overwrite the automatically generated one If you first adopt the manual assignment and then the automatic ge...

Page 606: ... entry for a VLAN interface z After a static neighbor entry is configured by using the first method the device needs to resolve the corresponding Layer 2 port information of the VLAN interface z If you adopt the second method to configure a static neighbor entry you should ensure that the corresponding VLAN interface exists and that the layer 2 port specified by port type port number belongs to th...

Page 607: ...e value of this parameter to fill the Cur Hop Limit field in IPv6 headers Meanwhile the value of this parameter is equal to the value of the Cur Hop Limit field in response messages of the device Prefix information options After receiving the prefix information advertised by the device the hosts on the same link can perform stateless autoconfiguration operations M flag This field determines whethe...

Page 608: ...ce considers the neighbor is reachable within the reachable time If the device needs to send a packet to a neighbor after the reachable time expires the device will again confirm whether the neighbor is reachable Note The values of the Retrans Timer field and the Reachable Time field configured for an interface are sent to hosts via RA messages Furthermore this interface sends NS messages at inter...

Page 609: ...fetime preferred lifetime no autoconfig off link Optional By default no prefix information is configured in RA messages and the IPv6 address of the interface sending RA messages is used as the prefix information Set the M flag bit to 1 ipv6 nd autoconfig managed address flag Optional By default the M flag bit is set to 0 that is hosts acquire IPv6 addresses through stateless autoconfiguration Set ...

Page 610: ...trans timer command it continues to send an NS message If it still does not receive a response after the number of attempts to send an NS message reaches the maximum the acquired address is considered available Follow these steps to configure the attempts to send an NS message for DAD To do Use the command Remarks Enter system view system view Enter interface view interface interface type interfac...

Page 611: ...TU to send packets through the PMTU mechanism The aging time is invalid for static PMTU Follow these steps to configure the aging time for PMTU To do Use the command Remarks Enter system view system view Configure aging time for PMTU ipv6 pathmtu age age time Optional 10 minutes by default 1 6 Configuring IPv6 TCP Properties The IPv6 TCP properties you can configure include z synwait timer When a ...

Page 612: ...token bucket namely the number of tokens in the bucket In addition you can set the update period of the token bucket namely the interval for updating the number of tokens in the token bucket to the configured capacity One token allows one ICMPv6 error packet to be sent Each time an ICMPv6 error packet is sent the number of tokens in a token bucket decreases by 1 If the number of ICMPv6 error packe...

Page 613: ...ress When applying such applications as Telnet you can directly use a host name and the system will resolve the host name into an IPv6 address Each host name can correspond to only one IPv6 address Follow these steps to configure static IPv6 domain name resolution To do Use the command Remarks Enter system view system view Configure a host name and the corresponding IPv6 address ipv6 host hostname...

Page 614: ...lve and dns domain commands are the same as those of IPv4 DNS For details about the commands refer to DNS Commands 1 9 Displaying and Maintaining IPv6 Basics Configuration To do Use the command Remarks Display DNS suffix information display dns domain dynamic Display IPv6 dynamic domain name cache information display dns ipv6 dynamic host Display IPv6 DNS server information display dns ipv6 server...

Page 615: ...6 TCP connection statistics display tcp ipv6 statistics Display the IPv6 TCP connection status display tcp ipv6 status Display the IPv6 UDP connection statistics display udp ipv6 statistics Available in any view Clear IPv6 dynamic domain name cache information reset dns ipv6 dynamic host Clear IPv6 neighbor information reset ipv6 neighbors all dynamic interface interface type interface number stat...

Page 616: ...on III Configuration procedure z Configuration on Switch A Enable the IPv6 packet forwarding function SwitchA system view SwitchA ipv6 Configure VLAN interface 2 to automatically generate a link local address SwitchA interface vlan interface 2 SwitchA Vlan interface2 ipv6 address auto link local Configure an EUI 64 address for VLAN interface 2 SwitchA Vlan interface2 ipv6 address 2001 64 eui 64 Sp...

Page 617: ... is 2001 64 3001 1 subnet is 3001 64 Joined group address es FF02 1 FF00 1 FF02 1 FF49 8048 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses Display the IPv6 information of the interface on Switch B SwitchB Vlan interface2 display ipv6 interface...

Page 618: ...rom FE80 20F E2FF FE00 1 bytes 56 Sequence 2 hop limit 255 time 60 ms Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence 3 hop limit 255 time 60 ms Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence 4 hop limit 255 time 70 ms Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence 5 hop limit 255 time 60 ms FE80 20F E2FF FE00 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss ro...

Page 619: ...6 Sequence 4 hop limit 255 time 70 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 255 time 60 ms 3001 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 50 60 70 ms 1 11 Troubleshooting IPv6 Basics Configuration I Symptom The peer IPv6 address cannot be pinged II Solution z Use the display current configuration command in any view or the displa...

Page 620: ...e that supports both IPv4 and IPv6 is called a dual stack node A dual stack node configured with an IPv4 address and an IPv6 address can have both IPv4 and IPv6 packets transmitted For an upper layer application supporting both IPv4 and IPv6 either TCP or UDP can be selected at the transport layer while IPv6 stack is preferred at the network layer Figure 2 1 illustrates the IPv4 IPv6 dual stack in...

Page 621: ... an IPv6 address ipv6 address ipv6 address prefix length ipv6 address prefix le ngth Configure IPv6 global unicast address or local address Configure an IPv6 address in the EUI 64 format ipv6 address ipv6 address prefix le ngth eui 64 Use either command By default no local address or global unicast address is configured on an interface Automatically create an IPv6 link local address ipv6 address a...

Page 622: ...is a virtual point to point connection In practice the virtual interface that supports only point to point connections is called tunnel interface One tunnel provides one channel to transfer encapsulated packets Packets can be encapsulated and decapsulated at both ends of a tunnel Tunneling refers to the whole process from data encapsulation to data transfer to data decapsulation Note NTP related c...

Page 623: ...ulated packet goes through the tunnel to reach the device at the destination end of the tunnel The device at the destination end decapsulates the packet if the destination address of the encapsulated packet is the device itself 4 The destination device forwards the packet according to the destination address in the decapsulated IPv6 packet If the destination address is the device itself the device...

Page 624: ...tunnel An automatic 6to4 tunnel is a point to multipoint tunnel and is used to connect multiple isolated IPv6 networks over an IPv4 network to remote IPv6 networks The embedded IPv4 address in an IPv6 address is used to automatically acquire the destination of the tunnel The automatic 6to4 tunnel adopts 6to4 addresses The address format is 2002 abcd efgh subnet number interface ID 64 where abcd ef...

Page 625: ...ure 3 2 Principle of ISATAP tunnel 3 2 Tunneling Configuration Task List Complete the following tasks to configure the tunneling feature Task Remarks Configuring IPv6 Manual Tunnel Optional Configuring 6to4 Tunnel Optional Configuring IPv6 over IPv4 GRE tunnel Configuring ISATAP Tunnel Optional 3 3 Configuring IPv6 Manual Tunnel 3 3 1 Configuration Prerequisites IP addresses are configured for int...

Page 626: ...re a link local IPv6 address ipv6 address ipv6 address link local Optional A link local address will automatically be created when an IPv6 global unicast address or site local address is configured Specify the IPv6 manual tunnel mode tunnel protocol ipv6 ipv4 Required By default the tunnel mode is manual The same tunnel type should be configured at both ends of the tunnel Otherwise packet delivery...

Page 627: ...he packet instead of the IPv4 address of the tunnel destination and set the next hop to the tunnel interface number or network address at the local end of the tunnel Such configurations must be performed at both ends of the tunnel z Before configuring dynamic routes you must enable the dynamic routing protocol on the tunnel interfaces at both ends For related configurations refer to IPv6 Routing C...

Page 628: ...itEthernet 1 0 2 SwitchA vlan100 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 168 100 1 255 255 255 0 SwitchA Vlan interface100 quit Configure a manual IPv6 tunnel SwitchA interface tunnel 0 SwitchA Tunnel0 ipv6 address 3001 1 64 SwitchA Tunnel0 source vlan interface 100 SwitchA Tunnel0 destination 192 168 50 1 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 Configu...

Page 629: ...tunnel protocol ipv6 ipv4 Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchB Tunnel0 aggregation group 1 IV Configuration verification After the above configurations display the status of the tunnel interfaces on Switch A and Switch B respectively SwitchA display ipv6 interface tunnel 0 Tunnel0 current state UP Line protocol current state UP IPv6 is enabled...

Page 630: ...imit 64 time 31 ms Reply from 3001 2 bytes 56 Sequence 2 hop limit 64 time 16 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 64 time 1 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 15 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 15 ms 3001 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 15 31 ms 3 4 Configuring 6...

Page 631: ...is configured for the tunnel interface ipv6 address auto link local Configure an IPv6 address for the tunnel interface Configure an IPv6 link local address ipv6 address ipv6 address link local Optional By default a link local address will automatically be generated when an IPv6 global unicast address or site local address is configured Set a 6to4 tunnel tunnel protocol ipv6 ipv4 6to4 Required By d...

Page 632: ...et can be forwarded normally You can configure static or dynamic routes You should perform this configuration at both ends of the tunnel z The automatic tunnel interfaces encapsulated with the same protocol cannot share the same source IP address z Automatic tunnels do not support dynamic routing z When you configure a static route you need to configure a route to the destination address the desti...

Page 633: ...egation group 1 mode manual SwitchA link aggregation group 1 service type tunnel SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 stp disable SwitchA GigabitEthernet1 0 1 port link aggregation group 1 SwitchA GigabitEthernet1 0 1 quit Configure an IPv4 address for VLAN interface 100 SwitchA vlan 100 SwitchA vlan100 port GigabitEthernet 1 0 2 SwitchA vlan100 quit SwitchA interfa...

Page 634: ...chA ipv6 route static 2002 16 tunnel 0 z Configuration on Switch B Enable IPv6 SwitchB system view SwitchB ipv6 Configure a link aggregation group Disable STP on the port before adding it into the link aggregation group SwitchB link aggregation group 1 mode manual SwitchB link aggregation group 1 service type tunnel SwitchB interface GigabitEthernet 1 0 1 SwitchB GigabitEthernet1 0 1 stp disable S...

Page 635: ... to reference link aggregation group 1 in tunnel interface view SwitchB Tunnel0 aggregation group 1 SwitchB Tunnel0 quit Configure a static route whose destination address is 2002 16 and the next hop is the tunnel interface SwitchB ipv6 route static 2002 16 tunnel 0 IV Configuration verification After the above configuration ping Host B from Host A or ping Host A from Host B D ping6 s 2002 201 101...

Page 636: ...te a tunnel interface and enter tunnel interface view interface tunnel number Required By default there is no tunnel interface on the device ipv6 address ipv6 address prefix length ipv6 address prefix leng th Configure an IPv6 global unicast address or site local address ipv6 address ipv6 address prefix leng th eui 64 Required Use either command By default no IPv6 global unicast address is configu...

Page 637: ... the same network segment a forwarding route through the tunnel to the peer must be configured so that the encapsulated packet can be forwarded normally You can configure static or dynamic routes at both ends of the tunnel z The automatic tunnel interfaces encapsulated with the same protocol cannot share the same source IP address z Automatic tunnels do not support dynamic routing z When you confi...

Page 638: ...gregation group Disable STP on the port before adding it into the link aggregation group Switch link aggregation group 1 mode manual Switch link aggregation group 1 service type tunnel Switch interface GigabitEthernet 1 0 1 Switch GigabitEthernet1 0 1 stp disable Switch GigabitEthernet1 0 1 port link aggregation group 1 Switch GigabitEthernet1 0 1 quit Configure addresses for interfaces Switch vla...

Page 639: ...e host running the Windows XP On a Windows XP based host the ISATAP interface is usually interface 2 Configure the IPv4 address of the ISATAP router on the interface to complete the configuration on the host Before doing that display the ISATAP interface information C ipv6 if 2 Interface 2 Automatic Tunneling Pseudo Interface Guid 48FCE3FC EC30 E50E F1A7 71172AEEE3AE does not use Neighbor Discover...

Page 640: ...enerates the address 2001 5efe 2 1 1 2 Meanwhile uses Switch Discovery is displayed indicating that the switch discovery function is enabled on the host At this time ping the IPv6 address of the tunnel interface of the switch If the address is successfully pinged an ISATAP tunnel is established IV Configuration verification After the above configurations the ISATAP host can access the host in the ...

Page 641: ...l commands to view whether the physical interface of the tunnel source is up If the physical interface is down use the debugging tunnel event command in user view to view the cause 2 Another possible cause is that the tunnel destination is unreachable Use the display ipv6 routing table or display ip routing table command to view whether the tunnel destination is reachable If no routing entry is av...

Page 642: ...rotocols and Standards 2 6 2 2 IGMP Snooping Configuration Task List 2 7 2 3 Configuring Basic Functions of IGMP Snooping 2 8 2 3 1 Configuration Prerequisites 2 8 2 3 2 Enabling IGMP Snooping 2 8 2 3 3 Configuring the Version of IGMP Snooping 2 9 2 4 Configuring IGMP Snooping Port Functions 2 9 2 4 1 Configuration Prerequisites 2 9 2 4 2 Configuring Aging Timers for Dynamic Ports 2 10 2 4 3 Confi...

Page 643: ... 6 3 2 MLD Snooping Configuration Task List 3 6 3 3 Configuring Basic Functions of MLD Snooping 3 7 3 3 1 Configuration Prerequisites 3 7 3 3 2 Enabling MLD Snooping 3 7 3 3 3 Configuring the Version of MLD Snooping 3 8 3 4 Configuring MLD Snooping Port Functions 3 8 3 4 1 Configuration Prerequisites 3 8 3 4 2 Configuring Aging Timers for Dynamic Ports 3 9 3 4 3 Configuring Static Ports 3 10 3 4 4...

Page 644: ...1 5 3 Displaying and Maintaining IPv6 Multicast VLAN 5 2 5 4 IPv6 Multicast VLAN Configuration Examples 5 3 Chapter 6 IGMP Configuration 6 1 6 1 IGMP Overview 6 1 6 1 1 IGMP Versions 6 1 6 1 2 Work Mechanism of IGMPv1 6 1 6 1 3 Enhancements Provided by IGMPv2 6 3 6 1 4 Enhancements in IGMPv3 6 4 6 1 5 Protocols and Standards 6 6 6 2 IGMP Configuration Task List 6 6 6 3 Configuring Basic Functions ...

Page 645: ... SM 7 19 7 3 1 PIM SM Configuration Task List 7 19 7 3 2 Configuration Prerequisites 7 19 7 3 3 Enabling PIM SM 7 20 7 3 4 Configuring a BSR 7 21 7 3 5 Configuring an RP 7 25 7 3 6 Configuring PIM SM Register Messages 7 28 7 3 7 Disabling RPT to SPT Switchover 7 29 7 4 Configuring PIM SSM 7 30 7 4 1 PIM SSM Configuration Task List 7 30 7 4 2 Configuration Prerequisites 7 30 7 4 3 Enabling PIM SM 7...

Page 646: ...tion 8 11 8 4 3 Configuring an MSDP Mesh Group 8 12 8 4 4 Configuring MSDP Peer Connection Control 8 12 8 5 Configuring SA Messages Related Parameters 8 13 8 5 1 Configuration Prerequisites 8 13 8 5 2 Configuring SA Message Content 8 13 8 5 3 Configuring SA Request Messages 8 14 8 5 4 Configuring an SA Message Filtering Rule 8 15 8 5 5 Configuring SA Message Cache 8 16 8 6 Displaying and Maintaini...

Page 647: ...ute Match Rule 9 8 9 3 5 Configuring Multicast Load Splitting 9 8 9 3 6 Configuring a Multicast Forwarding Range 9 9 9 3 7 Configuring the Multicast Forwarding Table Size 9 9 9 3 8 Tracing a Multicast Path 9 10 9 4 Displaying and Maintaining Multicast Routing and Forwarding 9 11 9 5 Configuration Examples 9 12 9 5 1 Changing an RPF Route 9 12 9 5 2 Creating an RPF Route 9 14 9 6 Troubleshooting Mu...

Page 648: ... point to multipoint data transmission By allowing high efficiency point to multipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added services such as live Webcasting Web TV distance learning telemedicine Web radio real time videoconferencing and other bandwidth ...

Page 649: ...number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information to each of these users This means a tremendous pressure on the information source and the network bandwidth As we can see from the information transmission process unicast is not suitable for batch transmission of information II Broadcast In ...

Page 650: ...ific hosts moreover broadcast transmission is a significant usage of network resources III Multicast As discussed above the unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption The multicast technique has solved this problem When some hosts on the network need multicast information the multicast source Source in the figu...

Page 651: ...ted an increase of the number of hosts will not remarkably add to the network load z Over broadcast As multicast data is sent only to the receivers that need it multicast uses the network bandwidth reasonably and brings no waste of network resources and enhances network security 1 1 2 Roles in Multicast The following roles are involved in multicast transmission z An information sender is referred ...

Page 652: ...ins another group Note z A multicast source does not necessarily belong to a multicast group Namely a multicast source is not necessarily a multicast data receiver z A multicast source can send data to multiple multicast groups at the same time and multiple multicast sources can send data to the same multicast group at the same time 1 1 3 Advantages and Applications of Multicast I Advantages of mu...

Page 653: ...es a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources 1 3 Multicast Architecture IP multicast addresses the following questions z Where should the multicast source transmit information to multicast addressing z What receivers exist on the network host registration z Wh...

Page 654: ... Address block Description 224 0 0 0 to 224 0 0 255 Reserved permanent group addresses The IP address 224 0 0 0 is reserved and other IP addresses can be used by routing protocols and for topology searching protocol maintenance and so on Commonly used permanent group addresses are listed in Table 1 3 A packet destined for an address in this block will not be forwarded beyond the local subnet regar...

Page 655: ...3 Unassigned 224 0 0 4 Distance Vector Multicast Routing Protocol DVMRP routers 224 0 0 5 Open Shortest Path First OSPF routers 224 0 0 6 OSPF designated routers backup designated routers 224 0 0 7 Shared Tree ST routers 224 0 0 8 ST hosts 224 0 0 9 Routing Information Protocol version 2 RIPv2 routers 224 0 0 11 Mobile agents 224 0 0 12 Dynamic Host Configuration Protocol DHCP server relay agent 2...

Page 656: ...he scope of the IPv6 internetwork for which the multicast traffic is intended Possible values of this field are given in Table 1 4 z Reserved 80 bits all set to 0 currently z Group ID 112 bits identifying the multicast group For details about this field refer to RFC 3306 Table 1 4 Values of the Scope field Value Meaning 0 3 F Reserved 1 Node local scope 2 Link local scope 4 Admin local scope 5 Sit...

Page 657: ...address and only 23 bits of the remaining 28 bits are mapped to a MAC address so five bits of the multicast IPv4 address are lost As a result 32 multicast IPv4 addresses map to the same MAC address Therefore in Layer 2 multicast forwarding a device may receive some multicast data addressed for other IPv4 multicast groups and such redundant data needs to be filtered by the upper layer 2 IPv6 multic...

Page 658: ... Snooping IGMP multicast VLAN PIM and MSDP are for IPv4 MLD Snooping MLD IPv6 multicast VLAN and IPv6 PIM are for IPv6 This section provides only general descriptions about applications and functions of the Layer 2 and Layer 3 multicast protocols in a network For details of these protocols refer to the respective chapters I Layer 3 multicast protocols Layer 3 multicast protocols include multicast ...

Page 659: ...ceivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in two modes dense mode often referred to as PIM DM and sparse mode often referred to as PIM SM z An inter domain multicast routing protocol is used for delivery of multicast information between two ASs So far mature solutions in...

Page 660: ...bandwidth and extra burden on the Layer 3 device 1 4 Multicast Packet Forwarding Mechanism In a multicast model a multicast source sends information to the host group identified by the multicast group address in the destination address field of IP multicast packets Therefore to deliver multicast packets to receivers located in different parts of the network multicast routers on the forwarding path...

Page 661: ... Group Management Protocol Snooping IGMP Snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups 2 1 1 Principle of IGMP Snooping By analyzing received IGMP messages a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast IP addresses and forwards multicast data based on these mappings As shown in Figure 2 1...

Page 662: ... 1 Before and after IGMP Snooping is enabled on the Layer 2 device 2 1 2 Basic Concepts in IGMP Snooping I IGMP Snooping related ports As shown in Figure 2 2 Router A connects to the multicast source IGMP Snooping runs on Switch A and Switch B Host A and Host C are receiver hosts namely multicast group members Router A Switch A Switch B Eth1 0 1 Eth1 0 2 Eth1 0 3 Eth1 0 1 Eth1 0 2 Receiver Receive...

Page 663: ... document a router port is a port on the switch that leads the switch to a Layer 3 multicast device rather than a port on a router z An IGMP snooping enabled switch deems that all its ports on which IGMP general queries with the source address other than 0 0 0 0 or PIM hello messages are received to be router ports II Aging timers for dynamic ports in IGMP Snooping and related messages and actions...

Page 664: ...ng in its router port list the switch adds it into its router port list and sets an aging timer for this router port II When receiving a membership report A host sends an IGMP report to the multicast router in the following circumstances z Upon receiving an IGMP query a multicast group member host responds with an IGMP report z When intended to join a multicast group a host sends an IGMP report to...

Page 665: ...g entry for the member port corresponding to the host from the forwarding table when its aging timer expires When an IGMPv2 or IGMPv3 host leaves a multicast group the host sends an IGMP leave group message to the multicast router When the switch hears a group specific IGMP leave group message on a member port it first checks whether a forwarding table entry for that group exists and if one exists...

Page 666: ...d an IGMP Snooping switch processes multicast protocol messages differently under different conditions specifically as follows 1 If only IGMP is enabled or both IGMP and PIM are enabled on the switch the switch handles multicast protocol messages in the normal way 2 In only PIM is enabled on the switch z The switch broadcasts IGMP messages as unknown messages in the VLAN z Upon receiving a PIM hel...

Page 667: ...ining Optional Configuring IGMP Snooping Port Functions Configuring Fast Leave Processing Optional Enabling IGMP Snooping Querier Optional Configuring IGMP Queries and Responses Optional Configuring IGMP Snooping Querier Configuring Source IP Address of IGMP Queries Optional Configuring a Multicast Group Filter Optional Configuring Multicast Source Port Filtering Optional Configuring the Function ...

Page 668: ...regation group view are effective only for the master port For a given port a configuration made in IGMP Snooping view is effective only if the same configuration is not made in Ethernet port view or port group view 2 3 Configuring Basic Functions of IGMP Snooping 2 3 1 Configuration Prerequisites Before configuring the basic functions of IGMP Snooping complete the following task z Configure the c...

Page 669: ...flooded in the VLAN z IGMP Snooping version 3 can process IGMPv1 IGMPv2 and IGMPv3 messages Follow these steps to configure the version of IGMP Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of IGMP Snooping igmp snooping version version number Optional Version 2 by default Caution If you switch IGMP Snooping from version 3 t...

Page 670: ...g port list of the forwarding table entry for that multicast group when the aging timer of the port for that group expires If multicast group memberships change frequently you can set a relatively small value for the member port aging timer and vice versa I Configuring aging timers for dynamic ports globally Follow these steps to configure aging timers for dynamic ports globally To do Use the comm...

Page 671: ...e command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Use either command Configure the port s as static member port s igmp snooping static group group address source ip source_address vlan vlan id Required Disabled by default Configure...

Page 672: ...nsolicited IGMP report through that port z After a port is configured as a simulated member host the switch responds to IGMP general queries by sending IGMP reports through that port z When the simulated joining function is disabled on a port the switch sends an IGMP leave group message through that port Follow these steps to configure simulated joining To do Use the command Remarks Enter system v...

Page 673: ...t leave processing helps improve bandwidth and resource usage I Configuring fast leave processing globally Follow these steps to configure fast leave processing globally To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Enable fast leave processing fast leave vlan vlan list Required Disabled by default II Configuring fast leave processing on a port ...

Page 674: ...bling IGMP Snooping Querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called IGMP querier However a Layer 2 multica...

Page 675: ...GMP report to the corresponding multicast group An appropriate setting of the maximum response time for IGMP queries allows hosts to respond to queries quickly and avoids bursts of IGMP traffic on the network caused by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For IGMP general queries you can configure the maximum response time to ...

Page 676: ...nterval is larger than the maximum response time for IGMP general queries Otherwise multicast group members may be deleted by mistake 2 5 4 Configuring Source IP Address of IGMP Queries Upon receiving an IGMP query whose source IP address is 0 0 0 0 on a port the switch will not set that port as a router port This may prevent multicast forwarding entries from being correctly created at the data li...

Page 677: ... z ACL rule for multicast group filtering z The maximum number of multicast groups that can pass the ports 2 6 2 Configuring a Multicast Group Filter On an IGMP Snooping enabled switch the configuration of a multicast group allows the service provider to define restrictions on multicast programs available to different users In an actual application when a user requests a multicast program the user...

Page 678: ...hernet port view interface interface type interface number Enter the correspondin g view Enter port group view port group manual port group name aggregation agg id Use either command Configure a multicast group filter igmp snooping group policy acl number vlan vlan list Required No filter is configured by default namely hosts can join any multicast group 2 6 3 Configuring Multicast Source Port Fil...

Page 679: ...gregation agg id Use either command Enable multicast source port filtering igmp snooping source deny Required Disabled by default Note When enabled to filter IPv4 multicast data based on the source ports the device is automatically enabled to filter IPv6 multicast data based on the source ports 2 6 4 Configuring the Function of Dropping Unknown Multicast Data Unknown multicast data refers to multi...

Page 680: ...ice directly connected with it will receive duplicate IGMP reports from these members With the IGMP report suppression function enabled within each query cycle the Layer 2 device forwards only the first IGMP report per multicast group to the Layer 3 device and will not forward the subsequent IGMP reports from the same multicast group to the Layer 3 device This helps reduce the number of packets be...

Page 681: ...the system deletes all the forwarding entries persistent to that port from the IGMP Snooping forwarding table and applies the static or simulated joins again until the number of multicast groups joined by the port comes back within the configured threshold 2 6 7 Configuring Multicast Group Replacement For some special reasons the number of multicast groups that can be joined on the current switch ...

Page 682: ... to configure multicast group replacement on a port or a group of ports To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Use either command Configure multicast group replacement igmp snooping overflow replace vlan vlan...

Page 683: ...r view Note z The reset igmp snooping group command works only on an IGMP Snooping enabled VLAN but not on a VLAN with IGMP enabled on its VLAN interface z The reset igmp snooping group command cannot clear IGMP Snooping forwarding table entries for static joins 2 8 IGMP Snooping Configuration Examples 2 8 1 Configuring Simulated Joining I Network requirements z As shown in Figure 2 3 Router A con...

Page 684: ...led configuration steps are omitted 2 Configure Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMPv2 on GigabitEthernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface GigabitEthernet 1 ...

Page 685: ...n 224 1 1 1 vlan 100 SwitchA GigabitEthernet1 0 4 quit 4 Verify the configuration View the detailed information about IGMP Snooping multicast groups in VLAN 100 on Switch A SwitchA display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port A Aggregation port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan i...

Page 686: ...oops the forwarding path from Switch A to Switch C is blocked under normal conditions and multicast traffic flows to the receivers Host A and Host C attached to Switch C only along the path of Switch A Switch B Switch C z Now it is required to configure GigabitEthernet 1 0 3 that connects Switch A to Switch C as a static router port so that multicast traffic can flows to the receivers nearly unint...

Page 687: ...ddress and subnet mask for each interface as per Figure 2 4 The detailed configuration steps are omitted 2 Configure Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMP on GigabitEthernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm Rou...

Page 688: ...hB igmp snooping quit Create VLAN 100 assign GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to this VLAN and enable IGMP Snooping in the VLAN SwitchB vlan 100 SwitchB vlan100 port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 SwitchB vlan100 igmp snooping enable SwitchB vlan100 quit 5 Configure Switch C Enable IGMP Snooping globally SwitchC system view SwitchC igmp snooping SwitchC igmp snooping qu...

Page 689: ...D 00 03 23 MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port GE1 0 2 As shown above GigabitEthernet 1 0 3 of Switch A has become a static router port 2 8 3 IGMP Snooping Querier Configuration I Network requirements z As shown in Figure 2 5 in a Layer 2 only network environment Switch C is connected to the multicast source Source through GigabitEthernet 1 0 3 At least one receiv...

Page 690: ...hA igmp snooping quit Create VLAN 100 and add GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to VLAN 100 SwitchA vlan 100 SwitchA vlan100 port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 Enable IGMP Snooping in VLAN 100 and configure the IGMP Snooping querier feature SwitchA vlan100 igmp snooping enable SwitchA vlan100 igmp snooping querier Set the source IP address of IGMP general queries and gr...

Page 691: ...GigabitEthernet 1 0 3 SwitchC vlan100 igmp snooping enable 4 Verify the configuration View the IGMP message statistics on Switch C SwitchC vlan100 display igmp snooping statistics Received IGMP general queries 3 Received IGMPv1 reports 0 Received IGMPv2 reports 4 Received IGMP leaves 0 Received IGMPv2 specific queries 0 Sent IGMPv2 specific queries 0 Received IGMPv3 reports 0 Received IGMPv3 repor...

Page 692: ...icast groups II Analysis z The ACL rule is incorrectly configured z The multicast group policy is not correctly applied z The function of dropping unknown multicast data is not enabled so unknown multicast data is flooded z Certain ports have been configured as static member ports of multicasts groups and this configuration conflicts with the configured multicast group policy III Solution 1 Use th...

Page 693: ... Use the display igmp snooping group command to check whether any port has been configured as a static member port of any multicast group If so check whether this configuration conflicts with the configured multicast group policy If any conflict exists remove the port as a static member of the multicast group ...

Page 694: ...w Multicast Listener Discovery Snooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups 3 1 1 Introduction to MLD Snooping By analyzing received MLD messages a Layer 2 device running MLD Snooping establishes mappings between ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As...

Page 695: ...re 3 1 Before and after MLD Snooping is enabled on the Layer 2 device 3 1 2 Basic Concepts in MLD Snooping I MLD Snooping related ports As shown in Figure 2 2 Router A connects to the multicast source MLD Snooping runs on Switch A and Switch B Host A and Host C are receiver hosts namely IPv6 multicast group members Router A Switch A Switch B Eth1 0 1 Eth1 0 2 Eth1 0 3 Eth1 0 1 Eth1 0 2 Receiver Re...

Page 696: ...s MLD Snooping forwarding table Note z Whenever mentioned in this document a router port is a router connecting port on the switch rather than a port on a router z On an MLD snooping enabled switch the ports that received MLD general queries with the source address other than 0 0 or IPv6 PIM hello messages are router ports II Aging timers for dynamic ports in MLD Snooping Table 3 1 Aging timers fo...

Page 697: ... its router port list and sets an aging timer for this router port II Membership reports A host sends an MLD report to the multicast router in the following circumstances z Upon receiving an MLD query an IPv6 multicast group member host responds with an MLD report z When intended to join an IPv6 multicast group a host sends an MLD report to the multicast router to announce that it is interested in...

Page 698: ... or if its outgoing port list does not contain the port the switch discards the MLD done message instead of forwarding it to any port z If the forwarding table entry exists and its outgoing port list contains the port the switch forwards the done message to all router ports in the VLAN Because the switch does not know whether any other hosts attached to the port are still listening to that IPv6 mu...

Page 699: ...ks to configure MLD Snooping Task Remarks Enabling MLD Snooping Required Configuring Basic Functions of MLD Snooping Configuring the Version of MLD Snooping Optional Configuring Aging Timers for Dynamic Ports Optional Configuring Static Ports Optional Configuring Simulated Joining Optional Configuring MLD Snooping Port Functions Configuring Fast Leave Processing Optional Enabling MLD Snooping Quer...

Page 700: ...ggregation group view are effective only for the master port For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet port view or port group view 3 3 Configuring Basic Functions of MLD Snooping 3 3 1 Configuration Prerequisites Before configuring the basic functions of MLD Snooping complete the following tasks z Configure the c...

Page 701: ...d in the VLAN z MLD Snooping version 2 can process MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of MLD Snooping mld snooping version version number Optional Version 1 by default Caution If you switch MLD Snooping from version 2 to version 1 the syst...

Page 702: ...mer of the port for that group expires If IPv6 multicast group memberships change frequently you can set a relatively small value for the member port aging timer and vice versa I Configuring aging timers for dynamic ports globally Follow these steps to configure aging timers for dynamic ports globally To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping ...

Page 703: ...oup ipv6 group address source ip ipv6 source address vlan vlan id Required Disabled by default Configure the port s as static router port s mld snooping static router port vlan vlan id Required Disabled by default Note z The IPv6 static S G joining function is available only if a valid IPv6 multicast source address is specified and MLD Snooping version 2 is currently running on the switch z A stat...

Page 704: ... Enter Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Use either command Configure simulated joining mld snooping host join ipv6 group address source ip ipv6 source address vlan vlan id Required Disabled by default Note z Each simulated host is equivalent to an independent host For...

Page 705: ... leave processing on a port or a group of ports To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Use either command Enable fast leave processing mld snooping fast leave vlan vlan list Required Disabled by default Cauti...

Page 706: ... does not support MLD and therefore cannot send MLD general queries by default By enabling MLD Snooping querier on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no Layer 3 multicast devices are present the Layer 2 switch will act as the MLD querier to send periodic MLD queries thus allowing multicast forwarding entries to be established and maintained at ...

Page 707: ...eld z For MLD multicast address specific queries you can configure the MLD last member query interval to fill their Max Response time field Namely for MLD multicast address specific queries the maximum response time equals to the MLD last member query interval I Configuring MLD queries and responses globally Follow these steps to configure MLD queries and responses globally To do Use the command R...

Page 708: ...ies Follow these steps to configure source IPv6 addresses of MLD queries To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the source IPv6 address of MLD general queries mld snooping general query source ip current interface ipv6 address Optional FE80 02FF FFFF FE00 0 001 by default Configure the source IPv6 address of MLD multicast address specific...

Page 709: ...this port in the MLD Snooping forwarding table otherwise the switch drops this report message Any IPv6 multicast data that fails the ACL check will not be sent to this port In this way the service provider can control the VOD programs provided for multicast users I Configuring an IPv6 multicast group filter globally Follow these steps to configure an IPv6 multicast group globally To do Use the com...

Page 710: ...ture is disabled on a port the port can be connected with both multicast sources and IPv6 multicast receivers I Configuring IPv6 multicast source port filtering globally Follow these steps to configure IPv6 multicast source port filtering To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable IPv6 multicast source port filtering source deny port int...

Page 711: ...the switch drops all unknown IPv6 multicast data received z With the function of dropping unknown IPv6 multicast data disabled the switch floods unknown IPv6 multicast data in the VLAN to which the unknown IPv6 multicast data belongs Follow these steps to enable dropping unknown IPv6 multicast data in a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id E...

Page 712: ...nooping Enable MLD report suppression report aggregation Optional Enabled by default 3 6 6 Configuring Maximum Multicast Groups that that Can Be Joined on a Port By configuring the maximum number of IPv6 multicast groups that can be joined on a port or a group of ports you can limit the number of multicast programs available to VOD users thus to control the traffic on the port Follow these steps c...

Page 713: ... number configured for the switch or the port In addition in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joining the new multicast a user automatically switches from the current IPv6 multicast group to the one To address this situation you can enable th...

Page 714: ...re the maximum number of IPv6 multicast groups allowed on a port refer to Configuring Maximum Multicast Groups that that Can Be Joined on a Port before configuring IPv6 multicast group replacement Otherwise the IPv6 multicast group replacement functionality will not take effect 3 7 Displaying and Maintaining MLD Snooping To do Use the command Remarks View the information about MLD Snooping multica...

Page 715: ...llowing configuration so that multicast data can be forwarded through GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 even if Host A and Host B temporarily stop receiving IPv6 multicast data for some unexpected reasons II Network diagram Source Router A Switch A Receiver Receiver Host B Host A Host C GE1 0 1 GE1 0 4 GE1 02 GE1 0 3 MLD querier 1 1 64 GE1 0 1 2001 1 64 GE1 0 2 1 2 64 VLAN100 Figure ...

Page 716: ... through GigabitEthernet 1 0 4 to this VLAN and enable MLD Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port GigabitEthernet 1 0 1 to GigabitEthernet 1 0 4 SwitchA vlan100 mld snooping enable SwitchA vlan100 quit Enable simulated host joining on GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 SwitchA interface GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 mld snooping host join ff1e ...

Page 717: ...ents z As shown in Figure 3 4 Router A connects to an IPv6 multicast source Source through GigabitEthernet 1 0 2 and to Switch A through GigabitEthernet 1 0 1 z MLD is to run on Router A and MLD Snooping is to run on Switch A Switch B and Switch C with Router A acting as the MLD querier z Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked u...

Page 718: ... 1 0 3 G E 1 0 1 GE1 0 2 E t h 1 0 1 GE1 0 2 Host C Host B Host A Receiver Receiver G E 1 0 3 G E 1 0 4 GE1 0 5 Figure 3 4 Network diagram for static router port configuration III Configuration procedure 1 Enable IPv6 forwarding and configure the IPv6 address of each interface Enable IPv6 forwarding and configure an IP address and prefix length for each interface as per Figure 3 4 2 Configure Rout...

Page 719: ...3 SwitchA GigabitEthernet 1 0 3 mld snooping static router port vlan 100 SwitchA GigabitEthernet 1 0 3 quit 4 Configure Switch B Enable MLD Snooping globally SwitchB system view SwitchB mld snooping SwitchB mld snooping quit Create VLAN 100 assign GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to this VLAN and enable MLD Snooping in the VLAN SwitchB vlan 100 SwitchB vlan100 port GigabitEthernet 1...

Page 720: ... D 00 01 30 GE1 0 3 S IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Attribute Host Port Host port s total 1 port GE1 0 2 D 00 03 23 MAC group s MAC group address 3333 0000 0101 Host port s total 1 port GE1 0 2 As shown above GigabitEthernet 1 0 3 of Switch A has become a static router port 3 8 3 MLD Snooping Querier Configuration I Network requiremen...

Page 721: ...AN 100 and add GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to VLAN 100 SwitchA vlan 100 SwitchA vlan100 port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 Enable MLD Snooping in VLAN 100 and configure the MLD Snooping querier feature SwitchA vlan100 mld snooping enable SwitchA vlan100 mld snooping querier 2 Configure Switch B Enable IPv6 forwarding and enable MLD Snooping globally SwitchB system...

Page 722: ...00 mld snooping enable 4 Verify the configuration View the MLD message statistics on Switch C SwitchC vlan100 display mld snooping statistics Received MLD general queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 4 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right and wrong records 0 Received MLDv2 specific queries 0 Rece...

Page 723: ...ncorrectly configured z The IPv6 multicast group policy is not correctly applied z The function of dropping unknown IPv6 multicast data is not enabled so unknown IPv6 multicast data is flooded z Certain ports have been configured as static member ports of IPv6 multicasts groups and this configuration conflicts with the configured IPv6 multicast group policy III Solution 1 Use the display acl ipv6 ...

Page 724: ...e display mld snooping group command to check whether any port has been configured as a static member port of any IPv6 multicast group If so check whether this configuration conflicts with the configured IPv6 multicast group policy If any conflict exists remove the port as a static member of the IPv6 multicast group ...

Page 725: ...nsmission when Multicast VLAN runs Source Router A Switch A Host A Receiver Host B Receiver Host C Receiver VLAN 30 VLAN 20 VLAN 10 Switch A Host A Receiver Host B Receiver Host C Receiver VLAN 30 VLAN 20 VLAN 10 Figure 4 1 Before and after multicast VLAN is enabled on the Layer 2 device To solve this problem you can enable the multicast VLAN feature on Switch A namely configure the VLANs to which...

Page 726: ... series Ethernet switch supports a maximum of one multicast VLAN and 127 sub VLANs Caution z You cannot configure any multicast VLAN or a sub VLAN of a multicast VLAN on a device with IP multicast routing or routing enabled z After a VLAN is configured into a multicast VLAN IGMP Snooping must be enabled in the VLAN before the multicast VLAN feature can be implemented while it is not necessary to e...

Page 727: ...ched to Switch A need the multicast data II Network diagram Source Router A Switch A Host A Receiver Host B Receiver Host C Receiver GE1 0 2 GE1 0 3 Vlan int1024 10 110 1 2 24 GE1 0 1 VLAN 13 VLAN 11 GE1 0 4 1 1 1 1 24 GE1 0 2 1 1 1 2 24 GE1 0 1 10 110 1 1 24 VLAN 12 VLAN 1024 IGMP querier Figure 4 2 Network diagram for multicast VLAN configuration III Configuration procedure 1 Configure an IP add...

Page 728: ...hA vlan11 port GigabitEthernet 1 0 2 SwitchA vlan11 quit The configuration for VLAN 12 and VLAN 13 is similar to the configuration for VLAN 11 Create VLAN 1024 assign GigabitEthernet 1 0 1 to this VLAN and enable IGMP Snooping in the VLAN SwitchA vlan 1024 SwitchA vlan1024 port GigabitEthernet 1 0 1 SwitchA vlan1024 igmp snooping enable SwitchA vlan1024 quit Configure VLAN 1024 as multicast VLAN a...

Page 729: ...transmission when IPv6 multicast VLAN runs Source Router A Switch A Host A Receiver Host B Receiver Host C Receiver VLAN 30 VLAN 20 VLAN 10 Switch A Host A Receiver Host B Receiver Host C Receiver VLAN 30 VLAN 20 VLAN 10 Figure 5 1 Before and after IPv6 multicast VLAN is enabled on the Layer 2 device To solve this problem you can enable the IPv6 multicast VLAN feature on Switch A namely configure ...

Page 730: ... VLAN must exist z The total number of sub VLANs of an IPv6 multicast VLAN must not exceed the system defined limit an S5500 EI series Ethernet switch supports a maximum of one IPv6 multicast VLAN and 127 sub VLANs Caution z You cannot enable IPv6 multicast VLAN on a device with IPv6 multicast routing enabled z After a VLAN is configured into an IPv6 multicast VLAN MLD Snooping must be enabled in ...

Page 731: ...igabitEthernet 1 0 2 through GigabitEthernet 1 0 4 of Switch A z Configure the IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to VLAN 1024 rather than to each VLAN when the three hosts attached to Switch A need the IPv6 multicast data II Network diagram Source Router A Switch A Host A Receiver Host B Receiver Host C Receiver GE1 0 2 GE1 0 3 Vlan int1024 2001 2 64 GE1 0...

Page 732: ...itchA mld snooping quit Create VLAN 11 and add GigabitEthernet 1 0 2 into VLAN 11 SwitchA vlan 11 SwitchA vlan11 port GigabitEthernet 1 0 2 SwitchA vlan11 quit The configuration for VLAN 12 and VLAN 13 is similar The detailed configuration steps are omitted Create VLAN 1024 add GigabitEthernet 1 0 1 to VLAN 1024 and enable MLD Snooping in this VLAN SwitchA vlan 1024 SwitchA vlan1024 port GigabitEt...

Page 733: ...osts to establish and maintain their multicast group memberships to immediately neighboring multicast routers 6 1 1 IGMP Versions So far there are three IGMP versions z IGMPv1 documented in RFC 1112 z IGMPv2 documented in RFC 2236 z IGMPv3 documented in RFC 3376 All IGMP versions support the Any Source Multicast ASM model In addition IGMPv3 can be directly used to implement the Source Specific Mul...

Page 734: ...ast data addressed to G2 as shown in Figure 6 1 The basic process that the hosts join the multicast groups is as follows 1 The IGMP querier Router B in the figure periodically multicasts IGMP queries with the destination address of 224 0 0 1 to all hosts and routers on the local subnet 2 Upon receiving a query message Host B or Host C the delay timer of whichever expires first sends an IGMP report...

Page 735: ...ve any report addressed to that multicast group so the routers will delete the multicast forwarding entries corresponding to that multicast group after a period of time 6 1 3 Enhancements Provided by IGMPv2 Compared with IGMPv1 IGMPv2 provides the querier election mechanism and Leave Group mechanism I Querier election mechanism In IGMPv1 the DR elected by the Layer 3 multicast routing protocol suc...

Page 736: ...p within the maximum response time it will maintain the memberships of the group otherwise the querier will assume that no hosts on the subnet are still interested in multicast traffic to that group and will stop maintaining the memberships of the group 6 1 4 Enhancements in IGMPv3 Note The support for the Exclude mode varies with device models Built upon and being compatible with IGMPv1 and IGMPv...

Page 737: ... S2 G Thus only multicast data from Source 1 will be delivered to Host B II Enhancements in query and report capabilities 1 Query message carrying the source addresses IGMPv3 supports not only general queries feature of IGMPv1 and group specific queries feature of IGMPv2 but also group and source specific queries z A general query does not carry a group address nor a source address z A group speci...

Page 738: ... BLOCK indicates that the Source Address fields in this Group Record contain a list of the sources that the system no longer wishes to hear from for packets sent to the specified multicast address If the change was to an Include source list these are the addresses that were deleted from the list if the change was to an Exclude source list these are the addresses that were added to the list 6 1 5 P...

Page 739: ...ic functions of IGMP complete the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configure PIM DM or PIM SM Before configuring the basic functions of IGMP prepare the following data z IGMP version z Multicast group and multicast source addresses for static group member configuration z ACL rule for multicast group ...

Page 740: ...low these steps to configure an IGMP version on an interface To do Use the command Description Enter system view system view Enter interface view interface interface type interface number Configure an IGMP version on the interface igmp version version number Optional IGMPv2 by default 6 3 4 Configuring a Static Member of a Multicast Group After an interface is configured as a static member of a mu...

Page 741: ...ssage when it joins or leaves a multicast group In other words the interface will not become a real member of the multicast group 6 3 5 Configuring a Multicast Group Filter You can configure a multicast group filter in IGMP Snooping For details see Configuring a Multicast Group Filter 6 4 Adjusting IGMP Performance Note For the configuration tasks described in this section z Configurations perform...

Page 742: ...ending whether it carries the Router Alert option in the IP header z By default for the consideration of compatibility the device does not check the Router Alert option namely it processes all the IGMP messages it received In this case IGMP messages are directly passed to the upper layer protocol no matter whether the IGMP messages carry the Router Alert option or not z To enhance the device perfo...

Page 743: ...which is 1 4 of the IGMP query interval Upon receiving an IGMP leave message the IGMP querier sends last member query count IGMP group specific queries at the IGMP last member query interval Both startup query count and last member query count are set to the IGMP querier robustness variable IGMP is robust to robustness variable minus 1 packet losses on a network Therefore a greater value of the ro...

Page 744: ...mand Description Enter system view system view Enter IGMP view igmp Configure the IGMP query interval timer query interval Optional 60 seconds by default Configure the IGMP querier robustness variable robust count robust value Optional 2 by default Configure the maximum response time for IGMP general queries max response time interval Optional 10 seconds by default Configure the IGMP last member q...

Page 745: ...lues of these three parameters are 60 seconds 2 and 10 seconds respectively so the default value of the other querier present interval 60 2 10 2 125 seconds z If statically configured the other querier present interval takes the configured value Caution z Make sure that the other querier present interval is greater than the IGMP query interval otherwise the IGMP querier may change frequently on th...

Page 746: ...IGMP routing table display igmp routing table source address mask mask mask length group address mask mask mask length Available in any view Clear IGMP forwarding entries reset igmp group all interface interface type interface number all group address mask mask mask length source address mask mask mask length Available in user view Clear Layer 2 port information about IGMP multicast groups reset i...

Page 747: ...es in the PIM network through VLAN interface 101 z Switch B and Switch C connect to N2 through their respective VLAN interface 200 and to other devices in the PIM network through VLAN interface 201 and VLAN interface 202 respectively z IGMPv3 is required between Switch A and N1 IGMPv2 is required between the other two switches and N2 with Switch B as the IGMP querier II Network diagram Ethernet Et...

Page 748: ...IGMP version 2 on VLAN interface 200 SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 200 SwitchB Vlan interface200 igmp enable SwitchB Vlan interface200 igmp version 2 SwitchB Vlan interface200 quit Enable IP multicast routing on Switch C and enable IGMP version 2 on VLAN interface 200 SwitchC system view SwitchC multicast routing enable SwitchC interface vlan...

Page 749: ...s of the interface 3 Check that multicast routing is enabled Carry out the display current configuration command to check whether the multicast routing enable command has been executed If not carry out the multicast routing enable command in system view to enable IP multicast routing In addition check that IGMP is enabled on the corresponding interfaces 4 Check that the interface is in normal stat...

Page 750: ...in inconsistency of memberships z In addition although IGMP routers are compatible with hosts all routers on the same subnet must run the same version of IGMP Inconsistent IGMP versions running on routers on the same subnet will also lead to inconsistency of IGMP memberships III Solution 1 Check the IGMP configuration Carry out the display current configuration command to view the IGMP configurati...

Page 751: ...generated by any unicast routing protocol such as routing information protocol RIP open shortest path first OSPF intermediate system to intermediate system IS IS or border gateway protocol BGP Independent of the unicast routing protocols running on the device multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes PIM uses the ...

Page 752: ...dically that is pruned branches resume multicast forwarding when the pruned state times out and then data is re flooded down these branches and then are pruned again z When a new receiver on a previously pruned branch joins a multicast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch Generally speaking the multicast forwarding path is a source...

Page 753: ... nodes without receivers downstream are pruned A router having no receivers downstream sends a prune message to the upstream node to tell the upstream node to delete the corresponding interface from the outgoing interface list in the S G entry and stop forwarding subsequent packets addressed to that multicast group down to this node Note z An S G entry contains the multicast source address S multi...

Page 754: ...ulticast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch The process is as follows 1 The node that needs to receive multicast data sends a graft message hop by hop toward the source as a request to join the SPT again 2 Upon receiving this graft message the upstream node puts the interface on which the graft was received into the forwarding st...

Page 755: ...0 0 13 through the interface on which the packet was received The assert message contains the following information the multicast source address S the multicast group address G and the preference and metric of the unicast route to the source By comparing these parameters either Router A or Router B becomes the unique forwarder of the subsequent S G packets on the multi access subnet The comparison...

Page 756: ...a specific multicast group the router connected to this receiver sends a join message to the RP corresponding to that multicast group The path along which the message goes hop by hop to the RP forms a branch of the RPT z When a multicast source sends a multicast packet to a multicast group the router directly connected with the multicast source first registers the multicast source with the RP by s...

Page 757: ...oin messages to the RP the DR at the multicast source side sends register messages to the RP Note z A DR is elected on a multi access subnet by means of comparison of the priorities and IP addresses carried in hello messages An elected DR is substantially meaningful to PIM SM PIM DM itself does not require a DR However if IGMPv1 runs on any multi access network in a PIM DM domain a DR must be elec...

Page 758: ...ssen the RP burden and optimize the topological structure of the RPT each multicast group should have its own RP Therefore a bootstrap mechanism is needed for dynamic RP election For this purpose a bootstrap router BSR should be configured As the administrative core of a PIM SM domain the BSR collects advertisement messages C RP Adv messages from candidate RPs C RPs and chooses the appropriate C R...

Page 759: ...receiver joins a multicast group G it uses an IGMP message to inform the directly connected DR 2 Upon getting the receiver information the DR sends a join message which is hop by hop forwarded to the RP corresponding to the multicast group 3 The routers along the path from the DR to the RP form an RPT branch Each router on this branch generates a G entry in its forwarding table The means any multi...

Page 760: ... inform the RP about the existence of the multicast source Source Server Host A Host B Host C Receiver Receiver Multicast packets SPT Join message Register message RP DR Figure 7 6 Multicast registration As shown in Figure 7 6 the multicast source registers with the RP as follows 1 When the multicast source S sends the first multicast packet to a multicast group G the DR directly connected with th...

Page 761: ...warding table and thus an SPT branch is established 2 Subsequently the receiver side DR sends a prune message hop by hop to the RP Upon receiving this prune message the RP forwards it toward the multicast source thus to implement RPT to SPT switchover After the RPT to SPT switchover multicast data can be directly sent from the source to the receivers PIM SM builds SPTs through RPT to SPT switchove...

Page 762: ...region must be geographically independent of every other one as shown in Figure 7 7 Figure 7 7 Relationship between BSR admin scope regions and the global scope zone in geographic space BSR admin scope regions are geographically separated from one another Namely a router must not serve different BSR admin scope regions In other words different BSR admin scope regions contain different routers wher...

Page 763: ...scope zone and each BSR admin scope region have their own C RPs and BSR These devices are effective only in their respective admin scope regions Namely the BSR election and RP election are implemented independently within each admin scope region z Each BSR admin scope region has its own boundary The multicast information such as C RP Adv messages and BSR bootstrap messages can be transmitted only ...

Page 764: ...cast source discovery protocol MSDP for discovering sources in other PIM domains Compared with the ASM model the SSM model only needs the support of IGMPv3 and some subsets of PIM SM The operation mechanism of PIM SSM can be summarized as follows z Neighbor discovery z DR election z SPT building I Neighbor discovery PIM SSM uses the same neighbor discovery mechanism as in PIM DM and PIM SM Refer t...

Page 765: ...e source S as its root and receivers as its leaves This SPT is the transmission channel in PIM SSM z If not the PIM SM process is followed the DR needs to send a G join message to the RP and a multicast source registration process is needed Note In PIM SSM the channel concept is used to refer to a multicast group and the channel subscription concept is used to refer to a join message 7 1 7 Protoco...

Page 766: ...Before configuring PIM DM prepare the following data z The interval between state refresh messages z Minimum time to wait before receiving a new refresh message z TTL value of state refresh messages z Graft retry period 7 2 3 Enabling PIM DM With PIM DM enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors When deploying a PIM DM dom...

Page 767: ...t of pruned interfaces the router directly connected with the multicast source periodically sends an S G state refresh message which is forwarded hop by hop along the initial multicast flooding path of the PIM DM domain to refresh the prune timer state of all the routers on the path A router may receive multiple state refresh messages within a short time of which some may be duplicated messages To...

Page 768: ...efresh messages state refresh ttl ttl value Optional 255 by default 7 2 6 Configuring PIM DM Graft Retry Period In PIM DM graft is the only type of message that uses the acknowledgment mechanism In a PIM DM domain if a router does not receive a graft ack message from the upstream router within the specified time after it sends a graft message the router keeps sending new graft messages at a config...

Page 769: ...R Configuring global C BSR parameters Optional Configuring a static RP Optional Configuring a C RP Optional Enabling auto RP Optional Configuring an RP Configuring C RP timers Optional Configuring PIM SM Register Messages Optional Disabling RPT to SPT Switchover Optional Configuring PIM Common Information Optional 7 3 2 Configuration Prerequisites Before configuring PIM SM complete the following t...

Page 770: ...enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors When deploying a PIM SM domain you are recommended to enable PIM SM on all interfaces of non border routers border routers are PIM enabled routers located on the boundary of BSR admin scope regions Follow these steps to enable PIM SM To do Use the command Remarks Enter system view...

Page 771: ...C BSR make sure that router is PIM SM enabled The BSR election process is as follows z Initially every C BSR assumes itself to be the BSR of this PIM SM domain and uses its interface IP address as the BSR address to send bootstrap messages z When a C BSR receives the bootstrap message of another C BSR it first compares its own priority with the other C BSR s priority carried in the message The C B...

Page 772: ...ess range and thus this kind of attacks can be prevented The above mentioned preventive measures can partially protect the security of BSRs in a network However if a legal BSR is controlled by an attacker the above mentioned problem will also occur Follow these steps to complete basic C BSR configuration To do Use the command Remarks Enter system view system view Enter PIM view pim Configure an in...

Page 773: ... elected from multitudinous C BSRs to serve different multicast groups The C RPs in a BSR admin scope region send C RP Adv messages to only the corresponding BSR The BSR summarizes the advertisement messages into an RP set and advertises it to all the routers in the BSR admin scope region All the routers use the same algorithm to get the RP addresses corresponding to specific multicast groups Foll...

Page 774: ...ghout the network periodically Any C BSR that receives a bootstrap message maintains the BSR state for a configurable period of time BSR state timeout during which no BSR election takes place When the BSR state times out a new BSR election process will be triggered among the C BSRs Follow these steps to configure global C BSR parameters To do Use the command Remarks Enter system view system view E...

Page 775: ... Caution In configuration make sure that the bootstrap interval is smaller than the bootstrap timeout time 7 3 5 Configuring an RP An RP can be manually configured or dynamically elected through the BSR mechanism For a large PIM network static RP configuration is a tedious job Generally static RP configuration is just a backup means for the dynamic RP election mechanism to enhance the robustness a...

Page 776: ...u need to configure a legal C RP address range and the range of multicast groups to be served on the BSR In addition because every C BSR has a chance to become the BSR you need to configure the same filtering policy on all C BSRs Follow these steps to configure a C RP To do Use the command Remarks Enter system view system view Enter PIM view pim Configure an interface to be a C RP c rp interface t...

Page 777: ...C RP Adv messages to the BSR The BSR learns the RP set information from the received messages and encapsulates its own IP address together with the RP set information in its bootstrap messages The BSR then floods the bootstrap messages to all PIM routers 224 0 0 13 in the network Each C RP encapsulates a timeout value in its C RP Adv message Upon receiving this message the BSR obtains this timeout...

Page 778: ...bility this method of checksum calculation is not recommended When receivers stop receiving multicast data addressed to a certain multicast group through the RP that is the RP stops serving the receivers of a specific multicast group or when the RP formally starts receiving multicast data from the multicast source the RP sends a register stop message to the source side DR Upon receiving this messa...

Page 779: ...mentioned parameters on the receiver side DR and the RP only Since both the DR and RP are elected however you should carry out these configurations on the routers that may win the DR election and on the C RPs that may win RP elections 7 3 7 Disabling RPT to SPT Switchover Initially multicast traffic flows along an RPT to the receivers By default the last hop switch initiates an RPT to SPT switchov...

Page 780: ...eives the first multicast packet from the RPT no matter how big the traffic rate threshold is set this threshold is not configurable on a switch 7 4 Configuring PIM SSM Note The PIM SSM model needs the support of IGMPv3 Therefore be sure to enable IGMPv3 on PIM routers with multicast receivers 7 4 1 PIM SSM Configuration Task List Complete these tasks to configure PIM SSM Task Remarks Enabling PIM...

Page 781: ...fault Enter interface view interface interface type interface number Enable PIM SM pim sm Required Disabled by default Caution All the interfaces of the same router must work in the same PIM mode 7 4 4 Configuring the SSM Group Range As for whether the information from a multicast source is delivered to the receivers based on the PIM SSM model or the PIM SM model this depends on whether the group ...

Page 782: ...ing PIM Common Information Note For the configuration tasks described in this section z Configurations performed in PIM view are effective to all interfaces while configurations performed in interface view are effective to the current interface only z If the same function or parameter is configured in both PIM view and interface view the configuration performed in interface view is given priority ...

Page 783: ... interface level value z Assert timeout time global value interface value z Join prune interval global value interface level value z Join prune timeout global value interface value z Multicast source lifetime z Maximum size of join prune messages z Maximum number of S G entries in a join prune message 7 5 3 Configuring a PIM Filter No matter in a PIM DM domain or a PIM SM domain routers can check ...

Page 784: ... flag bit You can configure this parameter on all routers in the PIM domain If different LAN delay or override interval values result from the negotiation among all the PIM routers the largest value will take effect The LAN delay setting will cause the upstream routers to delay processing received prune messages If the LAN delay setting is too small it may cause the upstream router to stop forward...

Page 785: ...m view Enter PIM view pim Configure the priority for DR election hello option dr priority priority Optional 1 by default Configure PIM neighbor timeout time hello option holdtime interval Optional 105 seconds by default Configure the prune delay time LAN delay hello option lan delay interval Optional 500 milliseconds by default Configure the prune override interval hello option override interval i...

Page 786: ...r waits a random period which is equal to or smaller than the maximum delay between hello messages before sending out a hello message This avoids collisions that occur when multiple PIM routers send hello messages simultaneously Any router that has lost assert election will prune its downstream interface and maintain the assert state for a period of time When the assert state times out the assert ...

Page 787: ...fault Configure the multicast source lifetime source lifetime interval Optional 210 seconds by default II Configuring PIM common timers on an interface Follow these steps to configure PIM common timers on an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the hello interval pim timer hello interval Optio...

Page 788: ...e command Remarks Enter system view system view Enter PIM view pim Configure the maximum size of a join prune message jp pkt size packet size Optional 8 100 bytes by default Configure the maximum number of S G entries in a join prune message jp queue size queue size Optional 1 020 by default 7 6 Displaying and Maintaining PIM To do Use the command Remarks View the BSR information in the PIM SM dom...

Page 789: ...able group address mask mask length mask source address mask mask length mask incoming interface interface type interface number register outgoing interface include exclude match interface type interface number register mode mode type flags flag value fsm Available in any view View the RP information display pim rp info group address Available in any view Reset PIM control message counters reset p...

Page 790: ...address Switch A Vlan int100 10 110 1 1 24 Switch D Vlan int300 10 110 5 1 24 Vlan int103 192 168 1 1 24 Vlan int103 192 168 1 2 24 Switch B Vlan int200 10 110 2 1 24 Vlan int101 192 168 2 2 24 Vlan int101 192 168 2 1 24 Vlan int102 192 168 3 2 24 Switch C Vlan int200 10 110 2 2 24 Vlan int102 192 168 3 1 24 Figure 7 10 Network diagram for PIM DM configuration III Configuration procedure 1 Configu...

Page 791: ...similar to that on Switch A Enable IP multicast routing on Switch D and enable PIM DM on each interface SwitchD system view SwitchD multicast routing enable SwitchD interface vlan interface 300 SwitchD Vlan interface300 pim dm SwitchD Vlan interface300 quit SwitchD interface vlan interface 103 SwitchD Vlan interface103 pim dm SwitchD Vlan interface103 quit SwitchD interface vlan interface 101 Swit...

Page 792: ...ding Switches on the SPT path Switch A and Switch D have their S G entries Host A registers with Switch A and a G entry is generated on Switch A You can use the display pim routing table command to view the PIM routing table information on each switch For example View the PIM routing table information on Switch A SwitchA display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 Protocol pim ...

Page 793: ...ast The receiver groups of different organizations form stub networks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the sparse mode not divided into different BSR admin scope regions z Host A and Host C are multicast receivers in two stub networks z Switch D connects to the network that comprises the multicast source Source through VLAN interface 300 z...

Page 794: ...gure 7 11 Network diagram for PIM SM domain configuration III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 7 11 Detailed configuration steps are omitted here Configure the OSPF protocol for interoperation among the switches in the PIM SM domain Ensure the network...

Page 795: ...nd a C RP Configure the service scope of RP advertisements and the positions of the C BSR and C RP on Switch E SwitchE system view SwitchE acl number 2005 SwitchE acl basic 2005 rule permit source 225 1 1 0 0 0 0 255 SwitchE acl basic 2005 quit SwitchE pim SwitchE pim c bsr vlan interface 102 SwitchE pim c rp vlan interface 102 group policy 2005 SwitchE pim quit 4 Verify the configuration Carry ou...

Page 796: ...0 Hash mask length 30 State Elected Scope Not scoped Uptime 00 00 18 Next BSR message scheduled at 00 01 52 Candidate BSR Address 192 168 9 2 Priority 0 Hash mask length 30 State Pending Scope Not scoped Candidate RP 192 168 9 2 Vlan interface102 Priority 0 HoldTime 150 Advertisement Interval 60 Next advertisement scheduled at 00 00 48 To view the RP information discovered on a switch use the disp...

Page 797: ...tch A SwitchA display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 RP 192 168 9 2 Protocol pim sm Flag WC UpTime 00 13 46 Upstream interface Vlan interface102 Upstream neighbor 192 168 9 2 RPF prime neighbor 192 168 9 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol igmp UpTime 00 13 46 Expires 00 03 06 10 110 5 100 225 1 1 1 RP 192 168 9 2...

Page 798: ...ration Example I Network requirements z Receivers receive VOD information through multicast The receiver groups of different organizations form stub networks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the SSM mode z Host A and Host C are multicast receivers in two stub networks z Switch D connects to the network that comprises the multicast source S...

Page 799: ... Figure 7 12 Network diagram for PIM SSM configuration III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 7 12 Detailed configuration steps are omitted here Configure the OSPF protocol for interoperation among the switches in the PIM SM domain Ensure the network la...

Page 800: ... range Configure the SSM group range to be 232 1 1 0 24 one Switch A SwitchA acl number 2000 SwitchA acl basic 2000 rule permit source 232 1 1 0 0 0 0 255 SwitchA acl basic 2000 quit SwitchA pim SwitchA pim ssm policy 2000 SwitchA pim quit The configuration on Switch B Switch C Switch D and Switch E is similar to that on Switch A 4 Verify the configuration Carry out the display pim interface comma...

Page 801: ...ires The information on Switch B and Switch C is similar to that on Switch A View the PIM routing table information on Switch D SwitchD display pim routing table Total 0 G entry 1 S G entry 10 110 5 100 232 1 1 1 Protocol pim ssm Flag LOC UpTime 00 12 05 Upstream interface Vlan interface300 Upstream neighbor NULL RPF prime neighbor NULL Downstream interface s information Total number of downstream...

Page 802: ...dependent of PIM The RPF interface must be PIM enabled and the RPF neighbor must also be a PIM neighbor If PIM is not enabled on the router where the RPF interface or the RPF neighbor resides the establishment of a multicast distribution tree will surely fail causing abnormal multicast forwarding z Because a hello message does not carry the PIM mode information a router running PIM is unable to kn...

Page 803: ... table II Analysis z If a multicast forwarding boundary has been configured through the multicast boundary command any multicast packet will be kept from crossing the boundary and therefore no routing entry can be created in the PIM routing table z In addition the source policy command is used to filter received multicast packets If the multicast data fails to pass the ACL rule defined in this com...

Page 804: ...No Unicast Route Between BSR and C RPs in PIM SM I Symptom C RPs cannot unicast advertise messages to the BSR The BSR does not advertise bootstrap messages containing C RP information and has no unicast route to any C RP An RPT cannot be established correctly or the DR cannot perform source register with the RP II Analysis z The C RPs periodically send C RP Adv messages to the BSR by unicast If a ...

Page 805: ...st route to the RP 2 Check the RP and BSR information PIM SM needs the support of the RP and BSR Use the display pim bsr info command to check whether the BSR information is available on each router and then use the display pim rp info command to check whether the RP information is correct 3 View PIM neighboring relationships Use the display pim neighbor command to check whether the normal PIM nei...

Page 806: ...ast source information in other PIM SM domains In the basic PIM SM mode a multicast source registers only with the RP in the local PIM SM domain and the multicast source information of a domain is isolated from that of another domain As a result the RP is aware of the source information only within the local domain and a multicast distribution tree is built only within the local domain to deliver ...

Page 807: ...outer MSDP peers created on PIM SM routers that assume different roles function differently 1 MSDP peers on RPs z Source side MSDP peer the MSDP peer nearest to the multicast source Source typically the source side RP like RP 1 The source side RP creates SA messages and sends the messages to its remote MSDP peer to notify the MSDP peer of the locally registered multicast source information A sourc...

Page 808: ...y elected from C RPs To enhance network robustness a PIM SM network typically has more than one C RP As the RP election result is unpredictable MSDP peering relationships should be built among all C RPs so that the winner C RP is always on the MSDP interconnection map while loser C RPs will assume the role of common PIM SM routers on the MSDP interconnection map II Implementing inter domain multic...

Page 809: ...ress S the multicast group address G and the address of the RP which has created this SA message namely RP 1 3 On MSDP peers each SA message is subject to a reverse path forwarding RPF check and multicast policy based filtering so that only SA messages that have arrived along the correct path and passed the filtering are received and forwarded This avoids delivery loops of SA messages In addition ...

Page 810: ...on RPs in other PIM SM domains The receivers can override the RPs in other domains and directly join the multicast source based SPT III RPF check rules for SA messages As shown in Figure 8 3 there are five autonomous systems in the network AS 1 through AS 5 with IGP enabled on routers within each AS and EBGP as the interoperation protocol among different ASs Each AS contains at least one PIM SM do...

Page 811: ... RP 2 Because the SA message is from an MSDP peer RP 2 in the same AS and the MSDP peer is the next hop on the optimal path to the source side RP RP 3 accepts the message and forwards it to other peers RP 4 and RP 5 3 When RP 4 and RP 5 receive the SA message from RP 3 Because the SA message is from an MSDP peer RP 3 in the same mesh group RP 4 and RP 5 both accept the SA message but they do not f...

Page 812: ...ing MSDP peers Anycast RP refers to such an application that enables load balancing and redundancy backup between two or more RPs within a PIM SM domain by configuring the same IP address for and establishing MSDP peering relationships between these RPs As shown in Figure 8 4 within a PIM SM domain a multicast source sends multicast data to multicast group G and Receiver is a member of the multica...

Page 813: ...t directly joins the SPT rooted at Source The significance of Anycast RP is as follows z Optimal RP path A multicast source registers with the nearest RP so that an SPT with the optimal path is built a receiver joins the nearest RP so that an RPT with the optimal path is built z Load balancing between RPs Each RP just needs to maintain part of the source group information within the PIM SM domain ...

Page 814: ... an SA Message Filtering Rule Optional Configuring SA Messages Related Parameters Configuring SA Message Cache Optional 8 3 Configuring Basic Functions of MSDP Note All the configuration tasks should be carried out on RPs in PIM SM domains and each of these RPs acts as an MSDP peer 8 3 1 Configuration Prerequisites Before configuring the basic functions of MSDP complete the following tasks z Confi...

Page 815: ... devices that are a pair of MSDP peers Follow these steps to create an MSDP peer connection To do Use the command Remarks Enter system view system view Enter MSDP view msdp Create an MSDP peer connection peer peer address connect interface interface type interface number Required No MSDP peer connection created by default Note If an interface of the router is shared by an MSDP peer and a BGP peer ...

Page 816: ...protocol so that all devices in the domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring an MSDP peer connection prepare the following data z Description information of MSDP peers z Name of an MSDP mesh group z MSDP peer connection retry interval 8 4 2 Configuring MSDP Peer Description With the MSDP peer description information the administrator ca...

Page 817: ...ltiple MSDP peers you can create a mesh group with these MSDP peers Follow these steps to create an MSDP mesh group To do Use the command Remarks Enter system view system view Enter MSDP view msdp Create an MSDP peer as a mesh group member peer peer address mesh group name Required An MSDP peer does not belong to any mesh group by default Note z Before grouping multiple routers into an MSDP mesh g...

Page 818: ...he domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring SA message delivery prepare the following data z ACL as a filtering rule for SA request messages z ACL as an SA message creation rule z ACL as a filtering rule for receiving or forwarding SA messages z Minimum TTL value of multicast packets encapsulated in SA messages z Maximum SA message cach...

Page 819: ...check Follow these steps to configure the SA message content To do Use the command Remarks Enter system view system view Enter MSDP view msdp Enable encapsulation of a register message encap data enable Optional Disabled by default Configure the interface address as the RP address in SA messages originating rp interface type interface number Optional PIM RP address by default 8 5 3 Configuring SA ...

Page 820: ... the SA messages z By configuring a filtering rule for receiving or forwarding SA messages you can enable the router to filter the S G forwarding entries to be advertised when receiving or forwarding an SA message so that the propagation of multicast source information is controlled at SA message reception or forwarding z An SA message with encapsulated multicast data can be forwarded to a designa...

Page 821: ...P peer in the next cycle z If there is an SA message in the cache the router will obtain the information of all active sources directly from the SA message and join the corresponding SPT To protect the router against denial of service DoS attacks you can configure the maximum number of SA messages the route can cache Follow these steps to configure the SA message cache To do Use the command Remark...

Page 822: ...set msdp statistics peer address Available in user view 8 7 MSDP Configuration Examples 8 7 1 Inter AS Multicast Configuration Leveraging BGP Routes I Network requirements z There are two ASs in the network AS 100 and AS 200 respectively OSPF is running within each AS and BGP is running between the two ASs z PIM SM 1 belongs to AS 100 while PIM SM 2 and PIM SM 3 belong to AS 200 z Each PIM SM doma...

Page 823: ... 1 24 Vlan int400 10 110 7 1 24 Vlan int102 192 168 3 1 24 Source 1 10 110 2 100 24 Vlan int101 192 168 1 2 24 Source 2 10 110 5 100 24 Loop0 2 2 2 2 32 Figure 8 5 Network diagram for inter AS multicast configuration leveraging BGP routes III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each...

Page 824: ...on on Switch A Configure a PIM domain border on Switch B SwitchB interface vlan interface 101 SwitchB Vlan interface101 pim bsr boundary SwitchB Vlan interface101 quit The configuration on Switch C and Switch E is similar to the configuration on Switch B 3 Configure C BSRs and C RPs Configure Loopback 0 as a C BSR and a C RP on Switch B SwitchB pim SwitchB pim c bsr loopback 0 SwitchB pim c rp loo...

Page 825: ...DP peers Configure an MSDP peer on Switch B SwitchB msdp SwitchB msdp peer 192 168 1 2 connect interface vlan interface 101 SwitchB msdp quit Configure an MSDP peer on Switch C SwitchC msdp SwitchC msdp peer 192 168 1 1 connect interface vlan interface 101 SwitchC msdp peer 192 168 3 2 connect interface vlan interface 102 SwitchC msdp quit Configure MSDP peers on Switch E SwitchE msdp SwitchE msdp...

Page 826: ...peering relationships on Switch E SwitchE display bgp peer BGP local router ID 3 3 3 3 Local AS number 200 Total number of peers 1 Peers in established state 1 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 192 168 3 1 4 200 16 14 0 1 00 10 58 Established To view the BGP routing table information on the switches use the display bgp routing table command For example View the BGP routing table...

Page 827: ...lationships on Switch B SwitchB display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 1 1 0 0 0 0 Peer s Address State Up Down time AS SA Count Reset Count 192 168 1 2 Up 00 12 27 200 13 0 View the brief information about MSDP peering relationships on Switch C SwitchC display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 2 2 0...

Page 828: ...essages 0 0 Incoming outgoing SA requests 0 0 Incoming outgoing SA responses 0 0 Incoming outgoing data packets 0 0 8 7 2 Inter AS Multicast Configuration Leveraging Static RPF Peers I Network requirements z There are two ASs in the network AS 100 and AS 200 respectively OSPF is running within each AS and BGP is running between the two ASs z PIM SM 1 belongs to AS 100 while PIM SM 2 and PIM SM 3 b...

Page 829: ...00 10 110 5 1 24 Vlan int200 10 110 3 1 24 Switch E Vlan int105 10 110 6 1 24 Switch B Vlan int103 10 110 1 1 24 Vlan int102 192 168 3 2 24 Vlan int101 192 168 1 1 24 Loop0 3 3 3 3 32 Vlan int102 192 168 3 1 24 Switch F Vlan int105 10 110 6 2 24 Loop0 1 1 1 1 32 Vlan int400 10 110 7 1 24 Switch C Vlan int101 192 168 1 2 24 Source 1 10 110 2 100 24 Vlan int104 10 110 4 1 24 Source 2 10 110 5 100 24...

Page 830: ...Switch C Switch D Switch E and Switch F is similar to the configuration on Switch A Configure PIM domain borders on Switch B SwitchB interface vlan interface 102 SwitchB Vlan interface102 pim bsr boundary SwitchB Vlan interface102 quit SwitchB interface vlan interface 101 SwitchB Vlan interface101 pim bsr boundary SwitchB Vlan interface101 quit The configuration on Switch C and Switch E is similar...

Page 831: ...r 192 168 3 2 rp policy list c SwitchE msdp quit 5 Verify the configuration Carry out the display bgp peer command to view the BGP peering relationships between the switches If the command gives no output information a BGP peering relationship has not been established between the switches When the multicast source in PIM SM 1 Source 1 and the multicast source in PIM SM 2 Source 2 send multicast in...

Page 832: ... 40 13 0 8 7 3 Anycast RP Configuration I Network requirements z The PIM SM domain has multiple multicast sources and receivers OSPF runs within the domain to provide unicast routes z It is required to configure the anycast RP application so that the receiver side DRs and the source side DRs can initiate a Join message to their respective RPs that are the topologically nearest to them z On Switch ...

Page 833: ... 2 1 24 Vlan int103 10 110 2 1 24 Loop0 2 2 2 2 32 Vlan int101 192 168 1 1 24 Loop10 4 4 4 4 32 Loop0 1 1 1 1 32 Loop20 10 1 1 1 32 Loop10 3 3 3 3 32 Switch E Vlan int400 10 110 6 1 24 Loop20 10 1 1 1 32 Vlan int104 10 110 4 2 24 Figure 8 7 Network diagram for anycast RP configuration III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Co...

Page 834: ...nterface loopback 20 SwitchB LoopBack20 pim sm SwitchB LoopBack20 quit The configuration on Switch A Switch C Switch D and Switch E is similar to the configuration on Switch B 3 Configure C BSRs and C RPs Configure Loopback 10 as a C BSR and Loopback 20 as a C RP on Switch B SwitchB pim SwitchB pim c bsr loopback 10 SwitchB pim c rp loopback 20 SwitchB pim quit The configuration on Switch D is sim...

Page 835: ... 0 0 0 0 Peer s Address State Up Down time AS SA Count Reset Count 1 1 1 1 Up 00 10 18 0 0 To view the PIM routing information on the switches use the display pim routing table command When Source 1 10 110 5 100 24 sends multicast data to multicast group G 225 1 1 1 Receiver 1 joins multicast group G By comparing the PIM routing information displayed on Switch B with that displayed on Switch D you...

Page 836: ...data to multicast group G When Source 2 10 110 6 100 24 sends multicast data to G Receiver 2 joins G By comparing the PIM routing information displayed on Switch B with that displayed on Switch D you can see that Switch D acts now as the RP for Source 2 and Receiver 2 View the PIM routing information on Switch B SwitchB display pim routing table No information is output on Switch B View the PIM ro...

Page 837: ...e TCP connection setup will fail if there is a consistency between the local interface address and the MSDP peer address configured on the router z If no route is available between the MSDP peers the TCP connection setup will also fail III Solution 1 Check that a route is available between the routers Carry out the display ip routing table command to check whether the unicast route between the rou...

Page 838: ...ment and make sure that ACL rule can filter appropriate S G entries 8 8 3 Inter RP Communication Faults in Anycast RP Application I Symptom RPs fail to exchange their locally registered S G entries with one another in the Anycast RP application II Analysis z In the Anycast RP application RPs in the same PIM SM domain are configured to be MSDP peers to achieve load balancing among the RPs z An MSDP...

Page 839: ...3 Check the configuration of the originating rp command In the Anycast RP application environment be sure to use the originating rp command to configure the RP address in the SA messages which must be the local interface address 4 Verify that the C BSR address is different from the anycast RP address ...

Page 840: ...t Routing and Forwarding In multicast implementations multicast routing and forwarding are implemented by three types of tables z Each multicast routing protocol has its own multicast routing table such as PIM routing table z The information of different multicast routing protocols forms a general multicast routing table z The multicast forwarding table is directly used to control the forwarding o...

Page 841: ...ting S G entry this means that the S G entry is correct but the packet arrived from a wrong path The packet is to be discarded z If the result of the RPF check shows that the RPF interface is not the incoming interface of the existing S G entry this means that the S G entry is no longer valid The router replaces the incoming interface of the S G entry with the interface on which the packet actuall...

Page 842: ...RPF interface and the RPF neighbor 2 Then the router selects one from these two optimal routes as the RPF route The selection is as follows z If configured to use the longest match principle the router selects the longest match route from the two if these two routes have the same mask the route selects the route with a higher priority if the two routes have the same priority the router selects the...

Page 843: ...packet actually arrived The RPF check succeeds and the packet is forwarded 9 1 3 Multicast Static Routes If the topology structure of a multicast network is the same as that of a unicast network receivers can receive multicast data via unicast routes However the topology structure of a multicast network may differ from that of a unicast network and some routers may support only unicast but not mul...

Page 844: ...and then to Switch C 9 1 4 Multicast Traceroute The multicast traceroute utility is used to trace the path that a multicast stream flows down from the multicast source to the last hop router I Concepts in multicast traceroute 1 Last hop router If a router has one of its interfaces connecting to the subnet the given destination address is on and if the router is able to forward multicast streams fr...

Page 845: ...response packet and then sends the completed packet via unicast to the multicast traceroute querier 9 2 Configuration Task List Complete these tasks to configure multicast routing and forwarding Task Remarks Enabling IP Multicast Routing Required Configuring Multicast Static Routes Optional Configuring a Multicast Route Match Rule Optional Configuring Multicast Load Splitting Optional Configuring ...

Page 846: ...dresses even if configured on interfaces For details about primary and secondary IP addresses refer to IP Addressing and Performance Configuration 9 3 3 Configuring Multicast Static Routes Based on the application environment a multicast static route has the following two functions z Changing an RPF route If the multicast topology structure is the same as the unicast topology in a network the deli...

Page 847: ...n interface by means of the interface type interface number command argument combination if the interface type of that switch is Loopback or VLAN interface instead you can designate an RPF neighbor only by specifying an address rpf nbr address 9 3 4 Configuring a Multicast Route Match Rule If more than one route exists to the same subnet a router chooses a route based on the sequence of route conf...

Page 848: ...ng packets sent from the local device or receive multicast packets Follow these steps to configure a multicast forwarding range To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure a multicast forwarding boundary multicast boundary group address mask mask length Required No forwarding boundary by default 9 3 7 Configur...

Page 849: ...hese steps to configure the multicast forwarding table size To do Use the command Remarks Enter system view system view Configure the maximum number of downstream nodes for a single route in the multicast forwarding table multicast forwarding table downstream limit limit Optional The default is 128 Configure the maximum number of routing entries in the multicast forwarding table multicast forwardi...

Page 850: ...sk mask mask length group address mask mask mask length incoming interface interface type interface number register outgoing interface exclude include match interface type interface number register Available in any view View the information of the multicast static routing table display multicast routing table static config source address mask length mask Available in any view View the RPF route in...

Page 851: ...cast forwarding table the corresponding route entry will also be deleted from the multicast routing table 9 5 Configuration Examples 9 5 1 Changing an RPF Route I Network requirements z PIM DM runs in the network All switches in the network support multicast z Switch A Switch B and Switch C run OSPF z Typically Receiver can receive the multicast data from Source through the path Switch A Switch B ...

Page 852: ... 1 0 SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 100 SwitchB Vlan interface100 igmp enable SwitchB Vlan interface100 pim dm SwitchB Vlan interface100 quit SwitchB interface vlan interface 101 SwitchB Vlan interface101 pim dm SwitchB Vlan interface101 quit SwitchB interface vlan interface 102 SwitchB Vlan interface102 pim dm SwitchB Vlan interface102 quit E...

Page 853: ... Use the display multicast rpf info command to view the information about the RPF route to Source on Switch B SwitchB display multicast rpf info 50 1 1 100 RPF information about source 50 1 1 100 RPF interface Vlan interface101 RPF neighbor 20 1 1 2 Referenced route mask 50 1 1 0 24 Referenced route type multicast static Route selection rule preference preferred Load splitting rule disable As show...

Page 854: ...uration steps are omitted here Enable OSPF on Switch B and Switch C Ensure the network layer interoperation among Switch B and Switch C Ensure that the switches can dynamically update their routing information by leveraging the unicast routing protocol The specific configuration steps are omitted here 2 Enable IP multicast routing and enable PIM DM and IGMP Enable IP multicast routing on Switch C ...

Page 855: ...tatic route on Switch B specifying Switch A as its RPF neighbor on the route to Source 2 SwitchB ip rpf route static 50 1 1 100 24 30 1 1 2 Configure a multicast static route on Switch C specifying Switch B as its RPF neighbor on the route to Source 2 SwitchC ip rpf route static 50 1 1 100 24 20 1 1 2 4 Verify the configuration Use the display multicast rpf info command to view the RPF routes to S...

Page 856: ...lticast static route has been correctly configured and the route entry exists 2 In the configuration you can use the display multicast routing table static command to view the information of multicast static routes to verify that the multicast static route has been correctly configured and the route entry exists in the multicast routing table 3 Check the next hop interface type of the multicast st...

Page 857: ...n 1 Use the display pim routing table command to check whether the corresponding S G entries exist on the router If so the router has received the multicast data otherwise the router has not received the data 2 Use the display multicast boundary command to view the multicast boundary information on the interfaces Use the multicast boundary command to change the multicast forwarding boundary settin...

Page 858: ... a Guest VLAN 1 17 1 3 1 Configuration Prerequisites 1 17 1 3 2 Configuration Procedure 1 17 1 4 Displaying and Maintaining 802 1x 1 18 1 5 802 1x Configuration Example 1 18 1 6 Guest VLAN Configuration Example 1 21 1 7 ACL Assignment Configuration Example 1 24 Chapter 2 EAD Fast Deployment Configuration 2 1 2 1 EAD Fast Deployment Overview 2 1 2 2 Configuring EAD Fast Deployment 2 1 2 2 1 Configu...

Page 859: ...4 2 1 MAC Authentication Timers 4 2 4 2 2 Quiet MAC Address 4 2 4 2 3 VLAN Assigning 4 3 4 2 4 ACL Assigning 4 3 4 3 Configuring MAC Authentication 4 3 4 3 1 Configuration Prerequisites 4 3 4 3 2 Configuration Procedure 4 4 4 4 Displaying and Maintaining MAC Authentication 4 5 4 5 MAC Authentication Configuration Examples 4 5 4 5 1 Local MAC Authentication Configuration Example 4 5 4 5 2 RADIUS Ba...

Page 860: ...et as a common port access control mechanism As a port based network access control protocol 802 1x authenticates and controls accessing devices at the level of port A device connected to an 802 1x enabled port of an access control device can access the resources on the LAN only after passing authentication To get more information about 802 1x go to these topics z Architecture of 802 1x z Operatio...

Page 861: ... Remote Authentication Dial in User Service RADIUS server maintains user information like username password VLAN that the user belongs to committed access rate CAR parameters priority and ACLs The above systems involve three basic concepts PAE controlled port control direction I PAE Port access entity PAE refers to the entity that performs the 802 1x algorithm and protocol operations z The authent...

Page 862: ...st the traffic from the supplicant Note Currently the devices support only denying the traffic from the supplicant 1 1 2 Operation of 802 1x The 802 1x authentication system employs the Extensible Authentication Protocol EAP to exchange authentication information between the supplicant PAE authenticator PAE and authentication server Figure 1 2 Operation of 802 1x z Between the supplicant PAE and a...

Page 863: ...kes the value 0x888E z Protocol version Version of the EAPOL protocol supported by the EAPOL frame sender z Type Type of the EAPOL frame Table 1 1 shows the defined types of EAPOL frames Table 1 1 Types of EAPOL frames Type Description EAP Packet a value of 0x00 Frame for carrying authentication information present between an authenticator system and the authentication server A frame of this type ...

Page 864: ...pe of EAP Packet carries an EAP packet in its Packet body field The format of the EAP packet is shown in Figure 1 4 Figure 1 4 EAP packet format z Code Type of the EAP packet which can be Request Response Success or Failure An EAP packet of the type of Success or Failure has no Data field and has a length of 4 An EAP packet of the type of Request or Response has a Data field in the format shown in...

Page 865: ... multiple EAP Message attributes Figure 1 6 Encapsulation format of the EAP Message attribute II Message Authenticator Figure 1 7 shows the encapsulation format of the Message Authenticator attribute The Message Authenticator attribute is used to prevent access requests from being snooped during EAP or CHAP authentication It must be included in any packet with the EAP Message attribute otherwise t...

Page 866: ...urity and PEAP Protected Extensible Authentication Protocol z EAP MD5 EAP MD5 authenticates the identity of a supplicant The RADIUS server sends an MD5 challenge through an EAP Request MD5 Challenge packet to the supplicant Then the supplicant encrypts the password with the offered challenge z EAP TLS With EAP TLS a supplicant and the RADIUS server verify each other s security certificates and ide...

Page 867: ...username of the supplicant 3 When the supplicant receives the EAP Request Identity packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the authenticator 4 Upon receiving the EAP Response Identity packet the authenticator relays the packet in a RADIUS Access Request packet to the authentication server 5 When receiving the RADIUS Access Request packet the R...

Page 868: ...o grant the access request of the supplicant After the supplicant gets online the authenticator periodically sends handshake requests to the supplicant to check whether the supplicant is still online By default if two consecutive handshake attempts end up with failure the authenticator concludes that the supplicant has gone offline and performs the necessary operations guaranteeing that the authen...

Page 869: ...mode Different from the authentication process in EAP relay mode it is the authenticator that generates the random challenge for encrypting the user password information in EAP termination authentication process Consequently the authenticator sends the challenge together with the username and encrypted password information from the supplicant to the RADIUS server for authentication 1 1 6 802 1x Ti...

Page 870: ...e from the server it retransmits the request z Handshake timer handshake period After a supplicant passes authentication the authenticator sends to the supplicant handshake requests at this interval to check whether the supplicant is online If the authenticator receives no response after sending the allowed maximum number of handshake requests it considers that the supplicant is offline z Quiet ti...

Page 871: ... the message The device depending on the link type of the port used to log in adds the port to the assigned VLAN according to the following rules z If the port link type is Access the port leaves its current VLAN and joins the assigned VLAN z If the port link type is Trunk the assigned VLAN is allowed to pass the current trunk port The default VLAN ID of the port is that of the assigned VLAN z If ...

Page 872: ...port link type in the similar way as described in VLAN assigning When a supplicant added into the guest VLAN initiates another authentication process if the authentication is not successful the supplicant stays in the guest VLAN otherwise two cases may occur z The authentication server assigns a VLAN The port leaves the guest VLAN and joins the assigned VLAN If the supplicant goes offline the port...

Page 873: ...t to lan access For detailed configuration of the RADIUS client refer to AAA RADIUS HWTACACS Configuration 1 2 2 Configuring 802 1x Globally Follow these steps to configure 802 1x globally To do Use the command Remarks Enter system view system view Enable 802 1x globally dot1x Required Disabled by default Set the authentication method dot1x authentication method chap eap pap Optional CHAP by defau...

Page 874: ... quiet timer dot1x quiet period Optional Disabled by default Note that z For 802 1x to take effect on a port you must enable it both globally in system view and for the port in system view or Ethernet interface view z You can also enable 802 1x and set port access control parameters that is the port access control mode port access method and the maximum number of users for a port in Ethernet inter...

Page 875: ... by default Set the port access control method for the port dot1x port method macbased portbased Optional macbased by default Set the maximum number of users for the port dot1x max user user number Optional By default the maximum number of concurrent users accessing a port is 256 Enable online user handshake dot1x handshake Optional Enabled by default Enable multicast trigger dot1x multicast trigg...

Page 876: ...er retrieve information nor disconnect the supplicant by using the username However you can use items such as IP address and connection index number to do so 1 3 Configuring a Guest VLAN 1 3 1 Configuration Prerequisites z Enable 802 1x z Set the port access control method to portbased for the port z Set the port access control mode to auto for the port z Create the VLAN to be specified as the gue...

Page 877: ... from a user side device include VLAN tags and 802 1x and guest VLAN are enabled on the access port you are recommended to configure different VLAN IDs for the Voice VLAN the default port VLAN and the guest VLAN of 802 1x 1 4 Displaying and Maintaining 802 1x To do Use the command Remarks Display 802 1x session information statistics or configuration information of specified or all ports display d...

Page 878: ... packets to the accounting server every 15 minutes z Specify the switch to remove the domain name from the username before passing the username to the RADIUS server z Set the username of the 802 1x user as localuser and the password as localpass and specify to use plain text mode Enable the idle cut function to get the user offline whenever the user remains idle for over 20 minutes II Network diag...

Page 879: ...erver and the accounting server Sysname radius radius1 key authentication secret Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts Sysname radius radius1 timer response timeout 5 Sysname radius radius1 retry 5 Set the interval for the device to send real time accounting packets to the RADIUS server Sysname radius radius1 time...

Page 880: ...port access control method Optional The default answers the requirement Sysname dot1x port method macbased interface GigabitEthernet 1 0 1 1 6 Guest VLAN Configuration Example I Network requirements As shown in Figure 1 11 z A host is connected to port GigabitEthernet 1 0 1 of the switch and must pass 802 1x authentication to access the Internet z The authentication server run RADIUS and is in VLA...

Page 881: ...server Authenticator server Supplicant VLAN 10 GE1 0 4 VLAN 1 GE1 0 1 VLAN 5 GE1 0 2 VLAN 2 GE1 0 3 Switch Figure 1 11 Network diagram for guest VLAN configuration Internet Update server Authenticator server Supplicant VLAN 10 GE1 0 4 GuestVlan 10 GE1 0 1 VLAN 5 GE1 0 2 VLAN 2 GE1 0 3 VLAN 10 Switch Figure 1 12 Network diagram with VLAN 10 as the guest VLAN ...

Page 882: ...ary accounting 10 11 1 1 1813 Sysname radius 2000 key authentication abc Sysname radius 2000 key accounting abc Sysname radius 2000 user name format without domain Sysname radius 2000 quit Configure domain system and specify to use RADIUS scheme 2000 for users of the domain Sysname domain system Sysname isp system authentication default radius scheme 2000 Sysname isp system authorization default r...

Page 883: ...u can also use the display vlan 10 command in the following cases to verify whether the configured guest VLAN functions z When no users log in z When a user fails the authentication z When a user goes offline 1 7 ACL Assignment Configuration Example I Network requirements As shown in Figure 1 14 a host is connected to port GigabitEthernet1 0 1 of the device and must pass 802 1x authentication to a...

Page 884: ...omain 2000 Sysname isp 2000 authentication default radius scheme 2000 Sysname isp 2000 authorization default radius scheme 2000 Sysname isp 2000 accounting default radius scheme 2000 Sysname isp 2000 quit Configure ACL 3000 to deny packets destined for 10 0 0 1 Sysname acl number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Enable 802 1x globally Sysname dot1x Enable 802 1x for ...

Page 885: ...Operation Manual 802 1x HABP MAC Authentication H3C S5500 EI Series Ethernet Switches Chapter 1 802 1x Configuration 1 26 5 packet s transmitted 0 packet s received 100 00 packet loss ...

Page 886: ...nctions to implement fast deployment of EAD scheme To support the fast deployment of EAD schemes 802 1x provides the following two mechanisms 1 Limit on accessible network resources Before successful 802 1x authentication a user can access only specific IP segments each of which may have one or more servers Users can download EAD client software or obtain dynamic IP address from the servers 2 IE U...

Page 887: ...onfigured by default Note z Currently MAC authentication and port security cannot work together with EAD fast deployment Once MAC authentication or port security is enabled globally the EAD fast deployment is disabled automatically z If no freely accessible network segment is configured a user cannot obtain a dynamic IP address before passing 802 1x authentication To solve this problem you can con...

Page 888: ...t When there are a large number of users you can shorten the timeout time to improve the ACL usage efficiency Follow these steps to set the EAD rule timeout time To do Use the command Remarks Enter system view system view Set EAD rule timeout time dot1x timer ead timeout ead timeout value Optional 30 minutes by default 2 3 Displaying and Maintaining EAD Fast Deployment To do Use the command Remark...

Page 889: ...client software 2 Configure the Switch to support EAD fast deployment Configure the IP addresses of the interfaces omitted Configure the free IP Sysname system view Sysname dot1x free ip 192 168 1 0 24 Configure the redirect URL for client software download Sysname dot1x url http 192 168 1 3 Enable 802 1x globally Sysname dot1x Enable 802 1x on the port Sysname interface GigabitEthernet 1 0 1 Sysn...

Page 890: ...er the user is not redirected to the specified URL Analysis z The address is in the string format In this case the operating system of the host regards the string a website name and tries to have it resolved If the resolution fails the operating system sends an ARP request with the address in the format other than X X X X The redirection function does redirect this kind of ARP request z The addres...

Page 891: ...and MAC authentication allowing communication among switches HABP is built on the client server model Typically the HABP server sends HABP requests to the client periodically to collect the MAC address es of the attached switch es The client responds to the requests and forwards the HABP requests to the attached switch es The HABP server usually runs on the administrative device while the HABP cli...

Page 892: ...BP to work in client mode on a device connected to the administrative device Since HABP is enabled and works in client mode by default this configuration task is optional Follow these steps to configure an HABP client To do Use the command Remarks Enter system view system view Enable HABP habp enable Optional Enabled by default Configure HABP to work in client mode undo habp server Optional HABP w...

Page 893: ...on Dial In User Service RADIUS based MAC authentication z Local MAC authentication For detailed information about RADIUS authentication and local authentication refer to AAA RADIUS HWTACACS Configuration After determining the authentication mode to be used you can choose the type of MAC authentication username including z MAC address where the MAC address of a user serves as both the username and ...

Page 894: ...rs 4 2 Related Concepts 4 2 1 MAC Authentication Timers The following timers function in the process of MAC authentication z Offline detect timer At this interval the device checks to see whether an online user has gone offline Once detecting that a user becomes offline the device sends to the RADIUS server a stop accounting notice z Quiet timer Whenever a user fails MAC authentication the device ...

Page 895: ...the user can access those restricted network resources 4 2 4 ACL Assigning ACLs assigned by an authorization server are referred to as authorization ACLs which are designed to control access to network resources with a very fine granularity When a user logs in if the RADIUS server is configured with authorization ACLs the device will permit or deny data flows traversing through the port through wh...

Page 896: ...nter system view system view Enable MAC authentication globally mac authentication Required Disabled by default mac authentication interface interface list Enable MAC authentication for specified ports interface interface type interface number mac authentication quit Required Disabled by default Specify the ISP domain for MAC authentication mac authentication domain isp name Optional The default I...

Page 897: ...tion group nor enable MAC authentication on a port added into an aggregation group 4 4 Displaying and Maintaining MAC Authentication To do Use the command Remarks Display the global MAC authentication information or the MAC authentication information about specified ports display mac authentication interface interface list Available in any view Clear the MAC authentication statistics reset mac aut...

Page 898: ...ication Sysname domain aabbcc net Sysname isp aabbcc net authentication lan access local Sysname isp aabbcc net quit Enable MAC authentication globally Sysname mac authentication Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname mac authentication interface GigabitEthernet 1 0 1 Specify the ISP domain for MAC authentication Sysname mac authentication domain aabbcc net Set the MAC au...

Page 899: ... MAC ADDR Authenticate state AuthIndex 00e0 fc12 3456 MAC_AUTHENTICATOR_SUCCESS 29 4 5 2 RADIUS Based MAC Authentication Configuration Example I Network requirements As illustrated in Figure 4 2 a host is connected to the device through port GigabitEthernet 1 0 1 The device authenticates the host through the RADIUS server z MAC authentication is required on every port to control user access to the...

Page 900: ...n globally Sysname mac authentication Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname mac authentication interface GigabitEthernet 1 0 1 Specify the ISP domain for MAC authentication Sysname mac authentication domain 2000 Set the MAC authentication timers Sysname mac authentication timer offline detect 180 Sysname mac authentication timer quiet 3 Sysname mac authentication user na...

Page 901: ...ver to assign ACL 3000 z On port Ethernet 1 0 of the switch enable MAC authentication and configure ACL 3000 After the host passes MAC authentication the RADIUS server assigns ACL 3000 to port Ethernet 1 0 of the switch As a result the host can access the Internet but cannot access the FTP server whose IP address is 10 0 0 1 II Network diagram Figure 4 3 Network diagram for ACL assigning III Confi...

Page 902: ...l number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Sysname acl adv 3000 quit Enable MAC authentication globally Sysname mac authentication Enable MAC authentication for port GigabitEthernet1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentication After completing the above configurations you can use the ping command to verify whether the AC...

Page 903: ...cation Authorization Servers 1 24 1 4 3 Configuring the RADIUS Accounting Servers and Relevant Parameters 1 25 1 4 4 Setting the Shared Key for RADIUS Packets 1 27 1 4 5 Setting the Maximum Number of RADIUS Request Retransmission Attempts 1 27 1 4 6 Setting the Supported RADIUS Server Type 1 28 1 4 7 Setting the Status of RADIUS Servers 1 28 1 4 8 Configuring Attributes Related to the Data Sent to...

Page 904: ...ying and Maintaining RADIUS 1 39 1 6 3 Displaying and Maintaining HWTACACS 1 40 1 7 AAA RADIUS HWTACACS Configuration Examples 1 40 1 7 1 AAA for Telnet Users by a HWTACACS Server 1 40 1 7 2 AAA for Telnet Users by Separate Servers 1 42 1 8 Troubleshooting AAA RADIUS HWTACACS 1 44 1 8 1 Troubleshooting RADIUS 1 44 1 8 2 Troubleshooting HWTACACS 1 45 ...

Page 905: ...A RADIUS HWTACACS Configuration Examples z Troubleshooting AAA RADIUS HWTACACS 1 1 AAA RADIUS HWTACACS Overview This section covers these topics z Introduction to AAA z Introduction to RADIUS z Introduction to HWTACACS 1 1 1 Introduction to AAA Authentication Authorization and Accounting AAA provides a uniform framework for configuring these three security functions to implement network security m...

Page 906: ...ns are described as follows z Authentication Identifies remote users and judges whether a user is legal z Authorization Grants different users different rights For example a user logging into the server can be granted the permission to access and print the files in the server z Accounting Records all network service usage information of users including the service type start and end time and traff...

Page 907: ...L access It uses authentication and authorization to provide access service and uses accounting to collect and record usage of network resources by users I Client server model z Client The RADIUS client runs on the NASs located throughout the network It passes user information to designated RADIUS servers and acts on the response for example rejects or accepts user access requests z Server The RAD...

Page 908: ...ation Protocol PAP and Challenge Handshake Authentication Protocol CHAP of Point to Point Protocol PPP In addition a RADIUS server can act as the client of another AAA server to provide proxy authentication or accounting service III Basic message exchange process of RADIUS For the interaction among the host the RADIUS client and the RADIUS server see Figure 1 3 Figure 1 3 Basic message exchange pr...

Page 909: ...scriber accesses the network resources 7 The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 8 The RADIUS server returns a stop accounting response Accounting Response and stops accounting 9 The subscriber stops network resource accessing IV RADIUS packet structure RADIUS uses UDP to transmit ...

Page 910: ...requested to start the accounting or to end the accounting 5 Accounting Response From the server to the client The server sends to the client a packet of this type to notify that it has received the Accounting Request and has correctly recorded the accounting information 2 The Identifier field 1 byte long is for matching request packets and response packets and detecting retransmitted request pack...

Page 911: ...ime 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct Terminate Cause 6 Service Type 50 Acct Multi Session Id 7 Framed Protocol 51 Acct Link Count 8 Framed IP Address 52 Acct Input Gigawords 9 Framed IP Netmask 53 Acct Output Gigawords 10 Framed Routing 54 unassigned 11 Filter ID 55 Event Timestamp 12 Framed MTU 56 59 unassigned 13 Framed Compression ...

Page 912: ...work 85 Acct Interim Interval 39 Framed AppleTalk Zone 86 Acct Tunnel Packets Lost 40 Acct Status Type 87 NAS Port Id 41 Acct Delay Time 88 Framed Pool 42 Acct Input Octets 89 unassigned 43 Acct Output Octets 90 Tunnel Client Auth id 44 Acct Session Id 91 Tunnel Server Auth id Note The attribute types listed in Table 1 2 are defined by RFC 2865 RFC 2866 RFC 2867 and RFC 2568 V RADIUS extended attr...

Page 913: ... AAA mainly for such users as Point to Point Protocol PPP users Virtual Private Dial up Network VPDN users and terminal users In a typical HWTACACS application a terminal user needs to log onto the device for operations Working as the HWTACACS client the device sends the username and password to the HWTACACS sever for authentication After passing authentication and being authorized the user can lo...

Page 914: ...ocol packets are simple and authorization is combined with authentication Supports authorized use of configuration commands For example an authenticated login user can be authorized to configure the device Does not support authorized use of configuration commands II Basic message exchange process of HWTACACS The following takes Telnet user as an example to describe how HWTACACS performs user authe...

Page 915: ... authorization 14 The user logs in successfully 15 Start accounting request 16 Accounting response indicating the start of accounting 17 The user logs off 18 Stop accounting request 19 Stop accounting response 10 Authentication continuance packet with the login password Figure 1 6 Basic message exchange process of HWTACACS for a Telnet user 1 A Telnet user applies to access the NAS 2 Upon receivin...

Page 916: ...t pushes the configuration interface of the NAS to the user 15 The HWTACACS client sends a start accounting request to the HWTACACS server 16 The HWTACACS server sends back an accounting response indicating that it has received the start accounting request 17 The user logs off 18 The HWTACACS client sends a stop accounting request to the HWTACACS server 19 The HWTACACS server sends back a stop acc...

Page 917: ...ser Connections Forcibly Optional II RADIUS configuration task list Task Remarks Creating a RADIUS Scheme Required Specifying the RADIUS Authentication Authorization Servers Required Configuring the RADIUS Accounting Servers and Relevant Parameters Optional Setting the Shared Key for RADIUS Packets Required Setting the Maximum Number of RADIUS Request Retransmission Attempts Optional Setting the S...

Page 918: ...on users login users such as SSH Telnet FTP and terminal access users and command line users that is command line authentication users Except for command line users you can configure separate authentication authorization accounting policies for all the other type of users Command line users can be configured with authorization policy independently 1 3 1 Configuration Prerequisites For remote authe...

Page 919: ...d first z If a user enters a username without an ISP domain name the device uses the authentication scheme for the default ISP domain to authenticate the user 1 3 3 Configuring ISP Domain Attributes Follow these steps to configure ISP domain attributes To do Use the command Remarks Enter system view system view Create an ISP domain and enter ISP domain view domain isp name Required Place the ISP d...

Page 920: ...ing access or service request The authentication process neither sends authorization information to a supplicant nor triggers any accounting You can configure AAA to use only authentication If you do not perform any authentication configuration the system default ISP domain uses the local authentication scheme Before configuring an authentication scheme complete these three tasks z For RADIUS or H...

Page 921: ... for a specific access mode z With a RADIUS authentication scheme configured AAA accepts only the authentication result from the RADIUS server The response from the RADIUS server does include the authorization information when the authentication is successful but the authentication process ignores the information z With the radius scheme radius scheme name local or hwtacacs scheme hwtacacs scheme ...

Page 922: ...eme otherwise it does not take effect 2 Determine the access mode or service type to be configured With AAA you can configure an authorization scheme specifically for each access mode and service type limiting the authorization protocols that can be used for access 3 Determine whether to configure an authorization scheme for all access modes or service types Follow these steps to configure an AAA ...

Page 923: ... is not available z If the primary authentication scheme is local or none the system performs local authorization or does not perform any authorization rather than uses the RADIUS or HWTACACS scheme z Authorization information of the RADIUS server is sent to the RADIUS client along with the authorization response message therefore you cannot specify a separate RADIUS server If you use RADIUS for a...

Page 924: ...ystem view Create an ISP domain and enter ISP domain view domain isp name Required Enable the accounting optional feature accounting optional Optional Disabled by default Specify the default accounting scheme for all types of users accounting default hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local Optional Local by default Specify the accounting scheme ...

Page 925: ...ses the RADIUS or HWTACACS scheme z With the access mode of login accounting is not supported for FTP services 1 3 7 Configuring Local User Attributes For local authentication you must create a local user and configure the attributes A local user represents a set of users configured on a device which are uniquely identified by the username For a user requesting network service to pass local authen...

Page 926: ...ice but do not specify a directory that the user can access the user can access the root directory of the device by default Set the directory accessible to FTP SFTP users work directory directory name Optional By default FTP SFTP users can access the root directory Set the priority level of the user level level Optional 0 by default Set attributes for a LAN access user attribute access limit max u...

Page 927: ...user using RSA public key authentication the commands that can be used depend on the level configured on the user interface For details regarding authentication method and command level refer to Login Configuration and System Maintaining and Debugging Configuration respectively z Both the service type and level commands can be used to specify user priority The one used later has the final effect z...

Page 928: ...ADIUS server For these settings to take effect you must reference the RADIUS scheme containing those settings in ISP domain view For information about the commands for referencing a scheme refer to Configuring AAA 1 4 1 Creating a RADIUS Scheme Before performing other RADIUS configurations follow these steps to create a RADIUS scheme and enter RADIUS scheme view To do Use the command Remarks Enter...

Page 929: ...tication authorization servers respectively At a moment a server can be the primary authentication authorization server for a scheme and the secondary authentication authorization servers for another scheme z The IP addresses of the primary and secondary authentication authorization servers for a scheme cannot be the same Otherwise the configuration fails 1 4 3 Configuring the RADIUS Accounting Se...

Page 930: ...ry accounting servers respectively or specify one server to function as both Besides because RADIUS uses different UDP ports to receive authentication authorization and accounting packets the port for authentication authorization must be different from that for accounting z You can set the maximum number of stop accounting request transmission buffer allowing the device to buffer and resend a stop...

Page 931: ... string Required No key by default Note The shared key configured on the device must be the same as that configured on the RADIUS server 1 4 5 Setting the Maximum Number of RADIUS Request Retransmission Attempts Because RADIUS uses UDP packets to carry data the communication process is not reliable If a NAS receives no response from the RADIUS server before the response timeout timer expires it is...

Page 932: ...the RADIUS server type is standard Note z If you change the type of RADIUS server the data stream destined to the original RADIUS server will be restored to the default unit z When a third party RADIUS is used you can configure the RADIUS server to standard or extended When CAMS server is used you must RADIUS server to extended 1 4 7 Setting the Status of RADIUS Servers When a primary server authe...

Page 933: ... of the primary RADIUS accounting server state primary accounting active block Set the status of the secondary RADIUS authentication authorizati on server state secondary authentication active block Set the status of the secondary RADIUS accounting server state secondary accounting active block Optional active for every server configured with IP address in the RADIUS scheme Note z If both the prim...

Page 934: ...p ip address quit Set the source IP address of the device to send RADIUS packets In system view radius nas ip ip address Use either command By default the outbound port serves as the source IP address to send RADIUS packets Note z Some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name therefore before sending a username including a domain name to such a RADIUS serve...

Page 935: ...n IP address configured If the secondary server is reachable the primary server will resume active after the period specified by this timer and the secondary server s state does not change z Real time accounting interval realtime accounting This timer defines the interval for performing real time accounting of users After this timer is set the switch will send accounting information of online user...

Page 936: ...the accounting on function is executed as soon as the device restarts and completes its configuration In case that the majority of the RADIUS servers a device can be configured with 16 schemes at most fail to respond to the accounting on packets the number of accounting on packet retransmission attempts is too big or the accounting on packet retransmission interval is too long the device will not ...

Page 937: ... view radius scheme radius scheme name Required Not defined by default Configure an IP address for the security policy server security policy server ip address Optional Not configured by default Note z If the RADIUS server and the security policy server reside on the same physical device you do not need to configure the IP address of the security policy server z The specified security policy serve...

Page 938: ...ured z A scheme can be deleted only when it is not referenced 1 5 2 Specifying the HWTACACS Authentication Servers Follow these steps to specify the HWTACACS authentication servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Configure the IP address and port ...

Page 939: ...uired Not defined by default Configure the IP address and port of the primary HWTACACS authorization server primary authorization ip address port number Required The defaults are as follows 0 0 0 0 for the IP address and 49 for the TCP port Configure the IP address and port of the secondary HWTACACS authorization server secondary authorization ip address port number Required The defaults are as fo...

Page 940: ...op accounting requests getting no responses stop accounting buffer enable Optional Enabled by default Set the maximum number of stop accounting request transmission attempts retry stop accounting retry times Optional 100 by default Note z The IP addresses of the primary and secondary accounting servers cannot be the same Otherwise the configuration fails z You can remove an accounting server only ...

Page 941: ...CS server To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the format of the username to be sent to a HWTACACS server user name format with domain without domain Optional By default the ISP domain name is included in the username Specify the unit for data ...

Page 942: ...stem view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Set the TACACS server response timeout timer timer response timeout seconds Optional 5 seconds by default Set the quiet timer for the primary server timer quiet minutes Optional 5 minutes by default Set the real time accounting interval timer realtime accounting mi...

Page 943: ...ice type ftp lan access ssh telnet terminal state active block user name user name vlan vlan id Available in any view 1 6 2 Displaying and Maintaining RADIUS To do Use the command Remarks Display the configuration information of a specified RADIUS scheme or all RADIUS schemes display radius scheme radius scheme name Available in any view Display statistics about RADIUS packets display radius stati...

Page 944: ...tics accounting all authentication authorization Available in user view Clear buffered stop accounting requests that get no responses reset stop accounting buffer hwtacacs scheme hwtacacs scheme name Available in user view 1 7 AAA RADIUS HWTACACS Configuration Examples 1 7 1 AAA for Telnet Users by a HWTACACS Server I Network requirements As shown in Figure 1 7 configure the switch to use the HWTA...

Page 945: ...vty0 4 quit Configure the HWTACACS scheme Switch hwtacacs scheme hwtac Switch hwtacacs hwtac primary authentication 10 1 1 1 49 Switch hwtacacs hwtac primary authorization 10 1 1 1 49 Switch hwtacacs hwtac primary accounting 10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac us...

Page 946: ...server is used for authorization Its IP address is 10 1 1 2 On the switch set the shared keys for packets exchanged with the TACACS server to expert Configure the switch to remove the domain name from a user name before sending the user name to the HWTACACS server The RADIUS server is used for accounting Its IP address is 10 1 1 1 On the switch set the shared keys for packets exchanged with the RA...

Page 947: ...DIUS scheme Switch radius scheme rd Switch radius rd primary accounting 10 1 1 1 1813 Switch radius rd key accounting expert Switch radius rd server type extended Switch radius rd user name format without domain Switch radius rd quit Create local user named telnet Switch local user telnet Switch luser telnet service type telnet Switch luser telnet password simple telnet Configure the AAA schemes o...

Page 948: ...is correct 5 The same shared key is configured on both the RADIUS server and the NAS Symptom2 RADIUS packets cannot reach the RADIUS server Analysis 1 The communication link between the NAS and the RADIUS server is down at the physical layer and data link layer 2 The NAS is not configured with the IP address of the RADIUS server 3 The UDP ports for authentication authorization and accounting are n...

Page 949: ...cation authorization and accounting but in fact the services are provided by different servers Solution Check that 1 The accounting port number is correctly set 2 The authentication authorization server and the accounting server are correctly configured on the NAS 1 8 2 Troubleshooting HWTACACS Refer to Troubleshooting RADIUS if you encounter a HWTACACS fault ...

Page 950: ...a VLAN Interface 1 4 1 2 3 Setting Aging Time for Dynamic ARP Entries 1 5 1 2 4 Enabling the ARP Entry Check 1 5 1 2 5 ARP Configuration Example 1 6 1 3 Configuring Gratuitous ARP 1 6 1 3 1 Introduction to Gratuitous ARP 1 6 1 3 2 Configuring Gratuitous ARP 1 6 1 4 Displaying and Maintaining ARP 1 7 Chapter 2 Proxy ARP Configuration 2 1 2 1 Proxy ARP Overview 2 1 2 2 Enabling Proxy ARP 2 1 2 3 Dis...

Page 951: ...ol ARP is used to resolve an IP address into a data link layer address An IP address is the address of a host at the network layer To send a network layer packet to a destination host the device must know the data link layer address such as the MAC address of the destination host To this end the IP address must be resolved into the corresponding data link layer address Note Unless otherwise stated...

Page 952: ...is being sent to 1 1 3 ARP Address Resolution Process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B as show in Figure 1 2 The resolution process is as follows 1 Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B If Host A finds it Host A uses the MAC address in the entry to encapsulate the IP packet into a data li...

Page 953: ...ble contains ARP entries which fall into two categories dynamic and static 1 A dynamic entry is automatically created and maintained by ARP It can get aged be updated by a new ARP packet or be overwritten by a static ARP entry When the aging timer expires or the port goes down the corresponding dynamic ARP entry will be removed 2 A static ARP entry is manually configured and maintained It cannot g...

Page 954: ...ed Follow these steps to configure a static ARP entry To do Use the command Remarks Enter system view system view Configure a permanent static ARP entry arp static ip address mac address vlan id interface type interface number Required No permanent static ARP entry is configured by default Configure a non permanent static ARP entry arp static ip address mac address Required No non permanent static...

Page 955: ...entries To do Use the command Remarks Enter system view system view Set aging time for dynamic ARP entries arp timer aging aging time Optional 20 minutes by default 1 2 4 Enabling the ARP Entry Check The ARP entry check can control the device to learn multicast MAC addresses With the ARP entry check enabled the device cannot learn any ARP entry with a multicast MAC address Configuring such a stati...

Page 956: ...000 Sysname vlan interface10 quit Sysname arp static 192 168 1 1 000f e201 0000 10 gigabitethernet1 0 10 1 3 Configuring Gratuitous ARP 1 3 1 Introduction to Gratuitous ARP A gratuitous ARP packet is a special ARP packet in which the source IP address and destination IP address are both the IP address of the sender the source MAC address is the MAC address of the sender and the destination MAC add...

Page 957: ...Remarks Display the ARP entries in the ARP mapping table display arp all dynamic static vlan vlan id interface interface type interface number begin exclude include string count Available in any view Display the ARP entries for a specified IP address display arp ip address begin exclude include string Available in any view Display the aging time for dynamic ARP entries display arp timer aging Avai...

Page 958: ... Layer 3 communication between VLAN interfaces isolated at Layer 2 or located on different networks In one of the following cases you need to enable the local proxy ARP z Devices connected to different isolated Layer 2 ports in the same VLAN on a switch need to implement Layer 3 communication z With the isolate user vlan function enabled on a device attached to a switch devices in different second...

Page 959: ...les 2 4 1 Proxy ARP Configuration Example I Network requirements Host A and Host D have IP addresses of the same network segment Host A belongs to VLAN 1 and Host D belongs to VLAN 2 Configure proxy ARP on the device to enable the communication between the two hosts II Network diagram Vlan int1 192 168 10 99 24 192 168 10 100 16 0000 0c94 36aa 192 168 20 200 16 0000 0c94 36dd Switch Subnet B Subne...

Page 960: ...g to the same VLAN and are connected to GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 of Switch B respectively z Switch B is connected to Switch A via GigabitEthernet 1 0 1 z GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 isolated at Layer 2 can implement Layer 3 communication II Network diagram SwitchB GE1 0 1 GE1 0 3 GE1 0 2 Host A 192 168 10 99 16 Host B 192 168 10 200 16 GE1 0 2 VLAN 2 Vlan...

Page 961: ... GigabitEthernet1 0 3 quit 2 Configure Switch A Configure an IP address of VLAN interface 2 SwitchA vlan 2 SwitchA vlan2 port gigabitethernet 1 0 2 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 10 100 255 255 0 0 Ping Host B on Host A to verify that the two hosts cannot be pinged through which indicates they are isolated at Layer 2 Configure local...

Page 962: ... Server on an Interface 2 4 2 5 Configuring an Address Pool for the DHCP Server 2 5 2 5 1 Configuration Task List 2 5 2 5 2 Creating a DHCP Address Pool 2 5 2 5 3 Configuring an Address Allocation Mode 2 6 2 5 4 Configuring a Domain Name Suffix for the Client 2 8 2 5 5 Configuring DNS Servers for the Client 2 8 2 5 6 Configuring WINS Servers and NetBIOS Node Type for the Client 2 9 2 5 7 Configuri...

Page 963: ... Configuration 3 9 3 5 DHCP Relay Agent Configuration Example 3 10 3 6 Troubleshooting DHCP Relay Agent Configuration 3 11 Chapter 4 DHCP Client Configuration 4 1 4 1 Introduction to DHCP Client 4 1 4 2 Enabling the DHCP Client on an Interface 4 2 4 3 Displaying and Maintaining the DHCP Client 4 2 4 4 DHCP Client Configuration Example 4 3 Chapter 5 DHCP Snooping Configuration 5 1 5 1 DHCP Snooping...

Page 964: ...Operation Manual DHCP H3C S5500 EI Series Ethernet Switches Table of Contents iii 6 3 Displaying and Maintaining BOOTP Client Configuration 6 3 6 4 BOOTP Client Configuration Example 6 3 ...

Page 965: ...while with the wide application of wireless networks the frequent movement of laptops across networks requires that the IP addresses be changed accordingly Therefore related configurations on hosts become more complex Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which the client sends a configuration request and then the ...

Page 966: ...ssigned address to the client z Automatic allocation DHCP assigns a permanent IP address to a client z Dynamic allocation DHCP assigns an IP address to a client for a limited period of time which is called a lease Most clients obtain their addresses in this way 1 2 2 Dynamic IP Address Allocation Process Figure 1 2 Dynamic IP address allocation process As shown in the figure above a DHCP client ob...

Page 967: ...P addresses offered by other DHCP servers are assignable to other clients 1 2 3 IP Address Lease Extension The IP address dynamically allocated by a DHCP server to a client has a lease After the lease duration elapses the IP address will be reclaimed by the DHCP server If the client wants to use the IP address again it has to extend the lease duration After the half lease duration elapses the DHCP...

Page 968: ...e BROADCAST B flag If this flag is set to 0 the DHCP server sent a reply back by unicast if this flag is set to 1 the DHCP server sent a reply back by broadcast The remaining bits of the flags field are reserved for future use z ciaddr Client IP address z yiaddr your client IP address assigned by the server z siaddr Server IP address from which the clients obtained configuration parameters z giadd...

Page 969: ... It specifies the DNS server IP address to be assigned to the client z Option 51 IP address lease option z Option 53 DHCP message type option It identifies the type of the DHCP message z Option 55 Parameter request list option It is used by a DHCP client to request specified configuration parameters The option contains values that correspond to the parameters requested by the client z Option 66 TF...

Page 970: ...adding formats vary with vendors Currently the device supports two padding formats normal and verbose 1 Normal padding format The padding contents for sub options in the normal padding format are z sub option 1 Padded with the VLAN ID and number of the port that received the client s request The following figure gives its format The value of the sub option type is 1 and that of the circuit ID type...

Page 971: ...t an IP address along with specified voice parameters from the DHCP server Option 184 involves the following sub options z Sub option 1 IP address of the primary network calling processor which is a server serving as the network calling control source and providing program downloads z Sub option 2 IP address of the backup network calling processor that DHCP clients will contact when the primary on...

Page 972: ...apter 1 DHCP Overview 1 8 1 5 Protocols and Standards z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the Bootstrap Protocol z RFC 3046 DHCP Relay Agent Information Option ...

Page 973: ...ion Examples z Troubleshooting DHCP Server Configuration Note z The DHCP server configuration is supported only on VLAN interfaces and loopback interfaces The secondary IP address pool configuration is not supported on loopback interfaces z DHCP Snooping must be disabled on the DHCP server 2 1 Introduction to DHCP Server 2 1 1 Application Environment The DHCP server is well suited to the network w...

Page 974: ...ld has no such configuration or z Overridden if the lower level child has such configuration Note The IP address lease does not enjoy the inheritance attribute II Principles for selecting an address pool The DHCP server observes the following principles to select an address pool to assign IP addresses to clients 1 If there is an address pool where an IP address is statically bound to the MAC addre...

Page 975: ...f the DHCP server resides to avoid wrong IP address allocation 2 1 3 IP Address Allocation Sequence A DHCP server assigns an IP address to a client according to the following sequence 1 The IP address manually bound to the client s MAC address or ID 2 The IP address that was ever assigned to the client 3 The IP address designated by the Option 50 field in a DHCP DISCOVER message 4 The first assign...

Page 976: ...e subaddress keyword is valid only when the server and client are on the same subnet If a DHCP relay agent exists in between regardless of subaddress the DHCP server will select an IP address from the address pool of the subnet which contains the primary IP address of the DHCP relay agent s interface connected to the client When the DHCP server and client are on the same subnet the server will z W...

Page 977: ...n Name Suffix for the Client Configuring DNS Servers for the Client Configuring WINS Servers and NetBIOS Node Type for the Client Configuring the BIMS Server Information for the Client Configuring Gateways for the Client Configuring Option 184 Parameters for the Client with Voice Service Configuring the TFTP Server and Bootfile Name for the Client Configuring Self Defined DHCP Options Optional 2 5...

Page 978: ...n the client with the MAC address or ID requests an IP address the DHCP server will find the IP address from the binding for the client A DHCP address pool now supports only one static binding which can be a MAC to IP or ID to IP binding Follow these steps to configure the static binding in a DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view...

Page 979: ...st be identical to the ID displayed by using the display dhcp client verbose command on the client Otherwise the client cannot obtain an IP address II Configuring dynamic address allocation You need to specify one and only one address range using a mask for the dynamic address allocation To avoid address conflicts the DHCP server excludes IP addresses used by the GW FTP server and so forth from dy...

Page 980: ...ss pool on the DHCP server to provide the clients with the domain name suffix With this suffix assigned the client needs only input part of a domain name and the system will add the domain name suffix for name resolution For details about DNS refer to DNS Configuration of this manual Follow these steps to configure a domain name suffix in the DHCP address pool To do Use the command Remarks Enter s...

Page 981: ...node The b node client sends the destination name in a broadcast message The destination returns its IP address to the client after receiving the message z p peer to peer node The p node client sends the destination name in a unicast message to the WINS server and the WINS server returns the destination IP address z m mixed node A combination of broadcast first and peer to peer second The m node c...

Page 982: ...re the BIMS server IP address port number and shared key in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Specify the BIMS server IP address port number and shared key bims server ip ip address port port number sharekey key Required Not specified by default 2 5 8 Configuring Gateways for the Client DHCP ...

Page 983: ...then can initiate a call using parameters in Option 184 Follow these steps to configure option 184 parameters in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Specify the IP address of the primary network calling processor voice config ncp ip ip address Required Not specified by default Specify the IP ad...

Page 984: ...ot get such parameters it will perform system initialization without loading any configuration file To implement auto configuration you need to specify the IP address and name of a TFTP server and the bootfile name in the DHCP address pool on the DHCP server but you do not need to perform any configuration on the DHCP client When option 55 in the requesting client message contains parameters of op...

Page 985: ...or extension Follow these steps to configure a self defined DHCP option in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure a self defined DHCP option option code ascii ascii string hex hex string 1 16 ip address ip address 1 8 Required No DHCP option is configured by default Table 2 1 Description...

Page 986: ...gure the DHCP address pool 2 6 2 Enabling Unauthorized DHCP Server Detection There are unauthorized DHCP servers on networks which reply DHCP clients with wrong IP addresses With this feature enabled upon receiving a DHCP request the DHCP server will record the IP address of the DHCP server which assigned an IP address to the DHCP client and the receiving interface The administrator can use this i...

Page 987: ...tem view Specify the number of ping packets dhcp server ping packets number Optional One ping packet by default The value 0 indicates that no ping operation is performed Configure a timeout waiting for ping responses dhcp server ping timeout milliseconds Optional 500 ms by default The value 0 indicates that no ping operation is performed 2 7 Configuring the Handling Mode for Option 82 When the DHC...

Page 988: ...ct all ip ip address Display information about lease expiration display dhcp server expired all ip ip address pool pool name Display information about assignable IP addresses display dhcp server free ip Display IP addresses excluded from dynamic allocation in the DHCP address pool display dhcp server forbidden ip Display information about bindings display dhcp server ip in use all ip ip address po...

Page 989: ...IP address to clients in subnet 10 1 1 0 24 which is subnetted into 10 1 1 0 25 and 10 1 1 128 25 z The IP addresses of VLAN interfaces 1 and 2 on Switch A are 10 1 1 1 25 and 10 1 1 129 25 respectively z In the address pool 10 1 1 0 25 the address lease duration is ten days and twelve hours domain name suffix aabbcc com DNS server address 10 1 1 2 gateway 10 1 1 126 and WINS server 10 1 1 4 z In ...

Page 990: ...witchA dhcp server forbidden ip 10 1 1 126 SwitchA dhcp server forbidden ip 10 1 1 254 Configure DHCP address pool 0 address range client domain name suffix and DNS server address SwitchA dhcp server ip pool 0 SwitchA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 SwitchA dhcp pool 0 domain name aabbcc com SwitchA dhcp pool 0 dns list 10 1 1 2 SwitchA dhcp pool 0 quit Configure DHCP address pool ...

Page 991: ... Analysis A host on the subnet may have the same IP address III Solution 1 Disconnect the client s network cable and ping the client s IP address on another host with a long timeout time to check whether there is a host using the same IP address 2 If a ping response is received the IP address has been manually configured on the host Execute the dhcp server forbidden ip command on the DHCP server t...

Page 992: ...figuration is supported only VLAN interfaces z DHCP Snooping must be disabled on the DHCP relay agent 3 1 Introduction to DHCP Relay Agent 3 1 1 Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same subnet Therefore a DHCP server must be available on each subnet It is not practical DHCP relay agent solves the problem ...

Page 993: ...hown in the figure above the DHCP relay agent works as follows 1 After receiving a DHCP DISCOVER or DHCP REQUEST broadcast message from a DHCP client the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode 2 Based on the giaddr field the DHCP server returns an IP address and other configuration parameters...

Page 994: ...ption 82 padded in normal format Option 82 Replace verbose Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format normal Forward the message after adding the Option 82 padded in normal format no Option 82 verbose Forward the message after adding the Option 82 padded in verbose format 3 2 Configuration Task List Complete the following tasks to configu...

Page 995: ...terface view Interface interface type interface number Enable the DHCP relay agent on the current interface dhcp select relay Required With DHCP enabled interfaces work in the DHCP server mode Note If the DHCP client obtains an IP address via the DHCP relay agent the address pool of the subnet which the IP address of the DHCP relay agent belongs to must be configured on the DHCP server Otherwise t...

Page 996: ...ervers and those of relay agent s interfaces cannot be on the same subnet Otherwise the client cannot obtain an IP address z A DHCP server group can correlate with one or multiple DHCP relay agent interfaces while a relay agent interface can only correlate with one DHCP server group Using the dhcp relay server select command repeatedly overwrites the previous configuration However if the specified...

Page 997: ...ure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses For avoidance of invalid IP address configuration you can configure the DHCP relay agent to check whether a requesting client s IP and MAC addresses match a binding on it both dynamic and static bindings If not the client cannot access outside networks via the DHCP relay agent Follow t...

Page 998: ...inquish its IP address In this case the DHCP relay agent simply conveys the message to the DHCP server thus it does not remove the IP address from its bindings To solve this the DHCP relay agent can update dynamic bindings at a specified interval The DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to regularly send a DHCP REQUEST message to the DHCP...

Page 999: ... With the unauthorized DHCP server detection enabled the device puts a record once for each DHCP server The administrator needs to find unauthorized DHCP servers from the log information After the recorded information of a DHCP server is cleared a new record will be put for the DHCP server 3 3 6 Configuring the DHCP Relay Agent to Support Option 82 I Prerequisites You need to complete the followin...

Page 1000: ...d not configure any padding format z If sub option 1 node identifier of Option 82 is padded with the device name sysname of a node the device name must contain no spaces Otherwise the DHCP relay agent will drop the message 3 4 Displaying and Maintaining DHCP Relay Agent Configuration To do Use the command Remarks Display information about DHCP server groups correlated to a specified or all interfa...

Page 1001: ...ients reside The IP address of VLAN interface 1 is 10 10 1 1 24 and IP address of VLAN interface 2 is 10 1 1 2 24 that communicates with the DHCP server 10 1 1 1 24 As shown in the figure below Switch A forwards messages between DHCP clients and the DHCP server II Network diagram Switch B DHCP server Switch A DHCP relay agent DHCP client DHCP client DHCP client DHCP client Vlan int2 10 1 1 2 24 Vl...

Page 1002: ... subnets routes in between must be reachable 3 6 Troubleshooting DHCP Relay Agent Configuration I Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent II Analysis Some problems may occur with the DHCP relay agent or server configuration Enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state ...

Page 1003: ... the same device Otherwise DHCP Snooping entries may fail to be generated or the DHCP client may fail to obtain an IP address 4 1 Introduction to DHCP Client With the DHCP client enabled on an interface the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server For S5500 EI series Ethernet switches operating as DHCP clients the vendor and device infor...

Page 1004: ...ration will overwrite the previous configuration z After the DHCP client is enabled on an interface no secondary IP address is configurable for the interface z If the IP address assigned by the DHCP server shares a network segment with the IP addresses of other interfaces on the device the DHCP client enabled interface will not request any IP address of the DHCP server unless the conflicted IP add...

Page 1005: ...ddress II Network diagram See Figure 2 1 III Configuration procedure The following is the configuration on Switch B shown in Figure 2 1 Enable the DHCP client on VLAN interface 1 SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address dhcp alloc Note To implement the DHCP client server model you need to perform related configuration on the DHCP server For details ...

Page 1006: ...een the DHCP client and relay agent or between the DHCP client and server z The DHCP Snooping enabled device cannot be a DHCP server or DHCP relay agent z You are not recommended to enable the DHCP client BOOTP client and DHCP Snooping on the same device Otherwise DHCP Snooping entries may fail to be generated or the BOOTP client DHCP client may fail to obtain an IP address 5 1 DHCP Snooping Overv...

Page 1007: ...or indirectly should be configured as a trusted port so that the DHCP snooping device can forward reply messages from the DHCP server ensuring the DHCP clients to obtain IP addresses from the authorized DHCP server As shown in Figure 5 1 GE1 0 1 on Switch B is connected with Switch A a DHCP server GE1 0 1 should be configured as a trusted port so that it can forward replies from Switch A Figure 5 ...

Page 1008: ...the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent option Option 82 If DHCP snooping supports Option 82 it will handle a client s request according to the contents defined in Option 82 if any The handling strategies are described in the table below If a reply returne...

Page 1009: ... in verbose format normal Forward the message after adding the Option 82 padded in normal format no Option 82 verbose Forward the message after adding the Option 82 padded in verbose format Note The handling strategy and padding format for Option 82 on the DHCP Snooping device are the same as those on the relay agent 5 2 Configuring DHCP Snooping Basic Functions Follow these steps to configure DHC...

Page 1010: ... to enable the DHCP Snooping function before configuring DHCP Snooping to support Option 82 5 3 2 Configuring DHCP Snooping to Support Option 82 Follow these steps to configure DHCP snooping to support Option 82 To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable DHCP Snooping to support Option 82 dhcp snooping infor...

Page 1011: ...g and Maintaining DHCP Snooping To do Use the command Remarks Display DHCP snooping address binding information display dhcp snooping Display information about trusted ports display dhcp snooping trust Available in any view Clear DHCP snooping address binding information reset dhcp snooping all ip ip address Available in user view 5 5 DHCP Snooping Configuration Example I Network requirements z Sw...

Page 1012: ...quit Configure DHCP Snooping to support Option 82 on GigabitEthernet 1 0 2 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 dhcp snooping information enable Configure the padding format to verbose for Option 82 on GigabitEthernet 1 0 2 SwitchB GigabitEthernet1 0 2 dhcp snooping information format verbose node identifier sysname SwitchB GigabitEthernet1 0 2 quit Configure DHCP S...

Page 1013: ...and the DHCP Snooping on the same device Otherwise DHCP Snooping entries may fail to be generated or the BOOTP client may fail to obtain an IP address 6 1 Introduction to BOOTP Client This section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards 6 1 1 BOOTP Application After you specify an interface of a device as a BOOTP client the interface ...

Page 1014: ... in the following dynamic IP address acquisition A BOOTP client dynamically obtains an IP address from a BOOTP server in the following way 1 The BOOTP client broadcasts a BOOTP request which contains its own MAC address 2 The BOOTP server receives the request and searches the configuration file for the corresponding IP address according to the MAC address of the BOOTP client The BOOTP server then ...

Page 1015: ...ddress 6 3 Displaying and Maintaining BOOTP Client Configuration To do Use the command Remarks Display related information on a BOOTP client display bootp client interface interface type interface number Available in any view 6 4 BOOTP Client Configuration Example I Network requirement Switch B s port belonging to VLAN 1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP ...

Page 1016: ...net Switches Chapter 6 BOOTP Client Configuration 6 4 Note To make the BOOTP client to obtain an IP address from the DHCP server you need to perform additional configurations on the DHCP server For details refer to DHCP Server Configuration Examples ...

Page 1017: ...3 4 IPv6 ACL Step 1 7 1 3 5 Effective Period of an IPv6 ACL 1 7 Chapter 2 IPv4 ACL Configuration 2 1 2 1 Creating a Time Range 2 1 2 1 1 Configuration Procedure 2 1 2 1 2 Configuration Examples 2 2 2 2 Configuring a Basic IPv4 ACL 2 2 2 2 1 Configuration Prerequisites 2 3 2 2 2 Configuration Procedure 2 3 2 2 3 Configuration Examples 2 4 2 3 Configuring an Advanced IPv4 ACL 2 4 2 3 1 Configuration...

Page 1018: ...1 Configuration Prerequisites 3 1 3 2 2 Configuration Procedure 3 1 3 2 3 Configuration Examples 3 2 3 3 Configuring an Advanced IPv6 ACL 3 3 3 3 1 Configuration Prerequisites 3 3 3 3 2 Configuration Procedure 3 3 3 3 3 Configuration Examples 3 5 3 4 Copying an IPv6 ACL 3 5 3 4 1 Configuration Prerequisites 3 5 3 4 2 Configuration Procedure 3 5 3 5 Displaying and Maintaining IPv6 ACLs 3 6 3 6 IPv6...

Page 1019: ...om accessing networks and to control network traffic and save network resources Access control lists ACL are often used to filter packets with configured matching rules ACLs are sets of rules or sets of permit or deny statements that decide what packets can pass and what should be rejected based on matching criteria such as source MAC address destination MAC address source IP address destination I...

Page 1020: ... that does not match the ACL z When an ACL is referenced by a piece of software to control Telnet SNMP and Web login users the switch denies all packets that do not match the ACL 1 2 Introduction to IPv4 ACL This section covers these topics z IPv4 ACL Classification z IPv4 ACL Naming z IPv4 ACL Match Order z IPv4 ACL Step z Effective Period of an IPv4 ACL z IP Fragments Filtering with IPv4 ACL 1 2...

Page 1021: ... rules in the order in which they are configured z auto where depth first match is performed The term depth first match has different meanings for different types of ACLs I Depth first match for a basic IPv4 ACL The following shows how your switch performs depth first match in a basic IPv4 ACL 1 Sort rules by source IP address wildcard first and compare packets against the rule configured with mor...

Page 1022: ...ks look at the destination MAC address masks Then compare packets against the rule configured with more ones in the destination MAC address mask prior to the other 3 If the numbers of ones in the destination MAC address masks are the same the one configured first is compared prior to the other The comparison of a packet against an ACL stops once a match is found The packet is then processed as per...

Page 1023: ...ly All subsequent non first fragments are handled in the way the first fragments are handled This causes security risk as attackers may fabricate non first fragments to attack your network As for the configuration of a rule of an IPv4 ACL the fragment keyword specifies that the rule applies to non first fragment packets only and does not apply to non fragment packets or the first fragment packets ...

Page 1024: ...re compared against in the order in which they are configured z auto where depth first match is performed I Depth first match for a basic IPv6 ACL The following shows how your switch performs depth first match in a basic IPv6 ACL 1 Sort rules by source IPv6 address wildcard first and compare packets against the rule configured with a longer prefix in the source IPv6 address wildcard prior to other...

Page 1025: ...refix lengths in the destination IPv6 address wildcards are the same look at the Layer 4 port number TCP UDP port number Then compare packets against the rule configured with the lower port number prior to the other 5 If the port numbers are the same compare packets against the rule configured first prior to the other The comparison of a packet against an ACL stops once a match is found The packet...

Page 1026: ... Periodic time range which recurs periodically on the day or days of the week z Absolute time range which takes effect only in a period of time and does not recur 2 1 1 Configuration Procedure Follow these steps to create a time range To do Use the command Remarks Enter system view system view Create a time range time range time name start time to end time days from time1 date1 to time2 date2 from...

Page 1027: ...s z With no start time specified the time range is from the earliest time that the system can express that is 00 00 01 01 1970 to the end time With no end time specified the time range is from the time the configuration takes effect to the latest time that the system can express that is 24 00 12 31 2100 z Up to 256 time ranges can be defined 2 1 2 Configuration Examples Create a periodic time rang...

Page 1028: ...ce sour addr sour wildcard any time range time name Required To create multiple rules repeat this step Note that the logging keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification Set a rule numbering step step step value Optional The default step is 5 Create an IPv4 ACL description description text Optional By default no IPv4 ACL description is present ...

Page 1029: ... step is 5 rule 0 deny source 1 1 1 1 0 2 3 Configuring an Advanced IPv4 ACL Advanced IPv4 ACLs filter packets based on source IP address destination IP address protocol carried on IP and other protocol header fields such as the TCP UDP source port TCP UDP destination port ICMP message type and ICMP message code In addition advanced IPv4 ACLs allow you to filter packets based on three priority cri...

Page 1030: ... multiple rules repeat this step Note that if the ACL is to be referenced by a QoS policy for traffic classification the logging and reflective keywords are not supported and the operator argument cannot be z neq if the policy is for the inbound traffic z gt lt neq or range if the policy is for the outbound traffic Set a rule numbering step step step value Optional The default step is 5 Create an ...

Page 1031: ...255 destination 202 38 160 0 0 0 0 255 destination port eq 80 Verify the configuration Sysname acl adv 3000 display acl 3000 Advanced ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 129 9 0 0 0 0 255 255 destination 202 38 160 0 0 0 0 255 destination port eq www 2 4 Configuring an Ethernet Frame Header ACL Ethernet frame header ACLs filter packets based on Layer 2 protocol head...

Page 1032: ...equired To create multiple rules repeat this step Note that the lsap keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification Set a rule numbering step step step value Optional The default step is 5 Create an ACL description description text Optional By default no IPv4 ACL description is present Create a rule description rule rule id comment text Optional ...

Page 1033: ...thernetframe 4000 display acl 4000 Ethernet frame ACL 4000 named none 1 rule ACL s step is 5 rule 0 deny cos excellent effort 2 5 Copying an IPv4 ACL This feature allows you to copy an existent IPv4 ACL to generate a new one which is of the same type and has the same match order match rules rule numbering step and descriptions as the source IPv4 ACL 2 5 1 Configuration Prerequisites Make sure that...

Page 1034: ...t ACL uses of a switch display acl resource Available in any view Display the configuration and state of a specified or all time ranges display time range time name all Available in any view Clear statistics about a specified or all IPv4 ACLs that are referenced by upper layer software reset acl counter acl number all name acl name Available in user view 2 7 IPv4 ACL Configuration Example 2 7 1 Ne...

Page 1035: ...orking day 2 Define an ACL to control access to the salary query server Configure a rule to control access of the R D Department to the salary query server Switch acl number 3000 Switch acl adv 3000 rule deny ip source 192 168 2 0 0 0 0 255 destination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3000 quit Configure a rule to control access of the Marketing Department to the salary query s...

Page 1036: ...tch behavior b_market quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Configure QoS policy p_market to use traffic behavior b_market for class c_market Switch qos policy p_market Switch qospolicy p_market classifier c_market behavior b_market Switch qospolicy p_market qu...

Page 1037: ...ng a Basic IPv6 ACL Basic IPv6 ACLs filter packets based on source IPv6 address They are numbered in the range 2000 to 2999 3 2 1 Configuration Prerequisites If you want to reference a time range to a rule define it with the time range command first 3 2 2 Configuration Procedure Follow these steps to configure a basic IPv6 ACL To do Use the command Remarks Enter system view system view Create and ...

Page 1038: ...By default no rule description is present Note that z You will fail to create or modify a rule if its permit deny statement is exactly the same as another rule In addition if the ACL match order is set to auto rather than config you cannot modify ACL rules z You may use the display acl command to verify rules configured in an ACL If the match order for this ACL is auto rules are displayed in the d...

Page 1039: ...ol header fields such as the TCP UDP source port TCP UDP destination port ICMP message type and ICMP message code Advanced IPv6 ACLs are numbered in the range 3000 to 3999 Compared with basic IPv6 ACLs they allow of more flexible and accurate filtering 3 3 1 Configuration Prerequisites If you want to reference a time range to a rule define it with the time range command first 3 3 2 Configuration P...

Page 1040: ...y is for the outbound traffic Set a rule numbering step step step value Optional The default step is 5 Create an ACL description description text Optional By default no IPv6 ACL description is present Create a rule description rule rule id comment text Optional By default no rule description is present Note that z You will fail to create or modify a rule if its permit deny statement is exactly the...

Page 1041: ...ou to copy an existent IPv6 ACL to generate a new one which is of the same type and has the same match order match rules rule numbering step and descriptions as the source IPv6 ACL 3 4 1 Configuration Prerequisites Make sure that the source IPv4 ACL exists while the destination IPv4 ACL does not 3 4 2 Configuration Procedure Follow these steps to copy an IPv6 ACL To do Use the command Remarks Ente...

Page 1042: ...ailable in any view Clear statistics about a specified or all IPv6 ACLs that are referenced by upper layer software reset acl ipv6 counter acl6 number all name acl6 name Available in user view 3 6 IPv6 ACL Configuration Example 3 6 1 Network Requirements As shown in Figure 3 1 a company interconnects its departments through the switch Configure an ACL to deny access of the R D department to extern...

Page 1043: ...ure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Apply QoS policy p_rd to interface GigabitEthernet 1 0 1 Switch interface GigabitEthernet...

Page 1044: ...ation 2 1 2 1 2 Priority 2 2 2 2 TP and LR Overview 2 5 2 3 Traffic Evaluation and Token Bucket 2 5 2 3 1 Token Bucket 2 5 2 3 2 Evaluating Traffic with a Token Bucket 2 5 2 3 3 Complicated Evaluation 2 6 2 3 4 TP 2 6 2 3 5 LR 2 7 2 4 LR Configuration 2 7 2 4 1 LR Configuration Procedure 2 7 2 4 2 LR Configuration Examples 2 7 2 5 Displaying and Maintaining LR 2 8 Chapter 3 QoS Policy Configuratio...

Page 1045: ...ring the Port Priority 5 4 5 3 1 Configuration Prerequisites 5 4 5 3 2 Configuration Procedure 5 4 5 3 3 Configuration Examples 5 5 5 4 Configuring Port Priority Trust Mode 5 5 5 4 1 Configuration Prerequisites 5 5 5 4 2 Configuration Procedure 5 5 5 4 3 Configuration Examples 5 6 5 5 Displaying and Maintaining Priority Mapping 5 6 Chapter 6 Applying a QoS Policy to VLANs 6 1 6 1 Overview 6 1 6 2 ...

Page 1046: ...Operation Manual QoS H3C S5500 EI Series Ethernet Switches Table of Contents iii 7 4 2 Configuration Procedure 7 3 ...

Page 1047: ... determined by the order in which packets arrive All the packets share the resources of the network Network resources available to the packets completely depend on the time they arrive This service policy is known as Best effort which delivers the packets to their destination with the best effort with no assurance and guarantee for delivery delay jitter packet loss ratio reliability and so on The ...

Page 1048: ...stination To meet these requirements the network service capability need to be further improved 1 4 Occurrence and Influence of Congestion and the Countermeasures QoS issues that traditional networks face are mainly caused by congestion Congestion means reduced service rate and extra delay introduced because of relatively insufficient resource provisioned 1 4 1 Occurrence of Congestion Congestion ...

Page 1049: ... it cannot solve all the problems that cause network congestion A more effective way to solve network congestion problems is to enhance the function of the network layer in traffic control and resource assignment to provide differentiated services for different requirements and to assign and utilize resources correctly In the process of resource assignment and traffic control the direct or indirec...

Page 1050: ...ongestion avoidance mechanism will drop packets and regulate traffic to solve the overload of the network z TS TS is a traffic control measure to regulate the output rate of the traffic actively TS regulates the traffic to match the network resources that can be provided by the downstream devices so as to avoid unnecessary packet loss and congestion Among the traffic management techniques traffic ...

Page 1051: ...ffic classification is generally based on the information in the packet header and rarely based on the content of the packet The classification result is unlimited in range They can be a small range specified by a quintuplet source address source port number protocol number destination address and destination port number or all the packets to a certain network segment Generally the precedence of b...

Page 1052: ...he range of 0 to 15 z RFC2474 re defines the ToS field in the IP packet header which is called the DS field The first six bit 0 to bit 5 bits of the DS field indicate DSCP precedence in the range of 0 to 63 The last two bits bit 6 and bit 7 are reserved bits Table 2 1 Description on IP Precedence IP Precedence decimal IP Precedence binary Description 0 000 Routine 1 001 priority 2 010 immediate 3 ...

Page 1053: ...S class This class comes from the IP ToS field and includes eight subclasses z Best Effort BE class This class is a special class without any assurance in the CS class The AF class can be degraded to the BE class if it exceeds the limit Current IP network traffic belongs to this class by default Table 2 2 Description on DSCP precedence values DSCP value decimal DSCP value binary Description 46 101...

Page 1054: ... a 2 byte Tag Control Information TCI TPID is a new class defined by IEEE to indicate a packet with an 802 1Q tag Figure 2 3 describes the detailed contents of an 802 1Q tag header Figure 2 3 802 1Q tag headers In the figure above the 3 bit priority field in TCI is 802 1p precedence in the range of 0 to 7 In the figure above the priority field three bits in length in TCI is 802 1p precedence also ...

Page 1055: ...etermine whether or not the traffic exceeds the set threshold Traffic control policies are adopted only when the traffic exceeds the set threshold Generally token bucket is used for evaluating traffic 2 3 Traffic Evaluation and Token Bucket 2 3 1 Token Bucket A token bucket can be considered as a container with a certain capacity to hold tokens The system puts tokens into the bucket at a pre set r...

Page 1056: ... rate PIR z Excess burst size EBS Two token buckets are used in this evaluation Their rates of putting tokens into the buckets are CIR and PIR respectively and their sizes are CBS and EBS respectively the two buckets are called C bucket and E bucket respectively for short representing different permitted burst levels In each evaluation you can implement different regulation policies in different c...

Page 1057: ...eceived if there are enough tokens in the token bucket otherwise they will be dropped Compared to TP port rate limiting applies to all the packets passing a port It is a simpler solution if you want to limit the rate of all the packets passing a port 2 4 LR Configuration 2 4 1 LR Configuration Procedure Follow these steps to configure LR To do Use the command Remarks Enter system view system view ...

Page 1058: ...face view Sysname interface GigabitEthernet 1 0 1 Configure LR parameter and limit the outbound rate to 640 kbps Sysname GigabitEthernet1 0 1 qos lr outbound cir 640 2 5 Displaying and Maintaining LR To do Use the command Remarks Display the LR configuration of an interface display qos lr interface interface type interface number Available in any view ...

Page 1059: ...tion rules You can use commands to define a series of rules to classify packets Additionally you can use commands to define the relationship among classification rules and and or z and The devices considers a packet to be of a specific class when the packet matches all the specified classification rules z or The device considers a packet be of a specific class when the packet matches one of the sp...

Page 1060: ...define the class as required for the policy to be associated with accounting TP Use the if match match criteria command to define the class as required for the policy to be associated with car Traffic filtering Use the if match match criteria command to define the class as required for the policy to be associated with filter Traffic mirroring Use the if match match criteria command to define the c...

Page 1061: ...lass To do Use the command Remarks Enter system view system view Create a class and enter the corresponding class view traffic classifier classifier name operator and or Required By default the and keyword is specified That is the relation between the rules in the class view is logic AND This operation leads you to class view Define a rule used to match packets if match match criteria Required mat...

Page 1062: ... address dscp dscp list Specifies to match packets by DSCP precedence The dscp list argument is a list of DSCP values You can provide up to eight space separated DSCP values for this argument DSCP is in the range of 0 to 63 ip precedence ip precedence lis t Specifies to match packets by IP precedence The ip precedence list argument is a list of IP precedence values You can provide up to eight spac...

Page 1063: ...1 Network requirements Configure a class named test to match the packets with their IP precedence being 6 2 Configuration procedure Enter system view Sysname system view Create the class This operation leads you to class view Sysname traffic classifier test Define the classification rule Sysname classifier test if match ip precedence 6 3 4 3 Defining a Traffic Behavior To define a traffic behavior...

Page 1064: ...ion group agg id next hop ipv4 add ipv4 add ipv6 add interface type interface number ipv6 add interface type interface number Remark the customer network VLAN ID for packets remark customer vlan id vlan id value Remark DSCP value for packets remark dscp dscp value Remark 802 1p precedence for packets remark dot1p 8021p Remark drop precedence for packets remark drop precedence drop precedence value...

Page 1065: ...iate a traffic behavior with a class To do Use the command Remarks Enter system view system view Create a policy This operation leads you to policy view qos policy policy name Specify the traffic behavior for a class classifier classifier name behavior behavior name Required Note In a QoS policy with multiple class to traffic behavior associations if the action of creating an outer VLAN tag the ac...

Page 1066: ...cy command whether or not the inbound outbound keyword can take effect depends on the actions defined in the traffic behavior as described in Table 3 3 Table 3 3 The support for the inbound direction and the outbound direction Action Inbound Outbound Traffic accounting Supported Supported TP Supported Supported Traffic filtering Supported Supported Traffic mirroring Supported Supported Configuring...

Page 1067: ...r action except the traffic filtering action or the action of setting 802 1p precedence cannot be configured in the same traffic behavior z When the action of mirroring traffic is applied in the outbound direction any other action cannot be configured in the same traffic behavior II Configuration example 1 Network requirements Configure a policy named test to associate the traffic behavior named t...

Page 1068: ...t a class and the corresponding actions associated by a policy display qos policy user defined policy name classifier classifier name Display the information about the policies applied on a port display qos policy interface interface type interface number inbound outbound Display the information about a traffic behavior display traffic behavior user defined behavior name Display the information ab...

Page 1069: ...loss may cause the transmitting device to retransmit the packets because the lost packets time out which causes a malicious cycle The core of congestion management is how to schedule the resources and determine the sequence of forwarding packets when congestion occurs 4 2 Congestion Management Policy Queuing technology is generally adopted to solve the congestion problem The queuing technology is ...

Page 1070: ...rease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the priority order from high to low When the queue with higher priority is empty packets in the queue with lower priority are sent You can put critical service packets into the queues with higher priority and put non critical service such as e mail packets into the queues with lower priority In...

Page 1071: ...eue with the lowest priority can be assured of 5 Mbps of bandwidth at least thus avoiding the disadvantage of SP queue scheduling algorithm that packets in low priority queues are possibly not to be served for a long time Another advantage of WRR queue scheduling algorithm is that though the queues are scheduled in turn the service time for each queue is not fixed that is to say if a queue is empt...

Page 1072: ...e SP queue scheduling algorithm qos sp Required By default all the ports adopt the WRR queue scheduling algorithm with the weight values assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 4 3 2 Configuration Examples I Network requirements Configure GigabitEthernet1 0 1 to adopt SP queue scheduling algorithm II Configuration procedure Enter system view Sysname system view Configure an...

Page 1073: ...orithm with the weight values assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 4 4 2 Configuration Examples I Network requirements Configure WRR queue scheduling algorithm on GigabitEthernet1 0 1 and assign weight 1 2 4 6 8 10 12 and 14 to queue 0 through queue 7 II Configuration procedure Enter system view Sysname system view Configure the WRR queues on GigabitEthernet1 0 1 port Sy...

Page 1074: ...ity of each queue while the queues in the WRR queue scheduling group are scheduled according the weight value of each queue 4 5 1 Configuration Procedure Follow these steps to configure SP WRR queues To do Use the command Remarks Enter system view system view Enter port view interface interface type interface number Enter port view or port group view Enter port group view port group manual port gr...

Page 1075: ...orithm on GigabitEthernet1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos wrr 0 group sp Sysname GigabitEthernet1 0 1 qos wrr 1 group sp Sysname GigabitEthernet1 0 1 qos wrr 2 group sp Sysname GigabitEthernet1 0 1 qos wrr 3 group sp Sysname GigabitEthernet1 0 1 qos wrr 4 group 1 weight 2 Sysname GigabitEthernet1 0 1 qos wrr 5 group 1 weight 4 Sysname GigabitEthernet1 ...

Page 1076: ...ore likely a packet is dropped S5500 EI series Ethernet switches provide the following two priority trust modes z Trusting the DSCP precedence of received packets In this mode the switch searches the dscp dot1p dp dscp mapping table based on the DSCP precedence of the received packet for the 802 1p precedence drop precedence DSCP precedence to be used to mark the packet Then the switch searches th...

Page 1077: ...0 1 0 0 2 1 0 3 3 0 4 4 0 5 5 0 6 6 0 7 7 0 Table 5 2 The default values of dscp dp mapping dscp dot1p mapping and dscp dscp mapping Imported priority value dscp dp mapping dscp dot1p mapping dscp dscp mapping DSCP precedence dscp Drop precedence dp 802 1p precedence dot1p DSCP precedence dscp 0 to 7 0 0 0 8 to 15 0 1 8 16 to 23 0 2 16 24 to 31 0 3 24 32 to 39 0 4 32 40 to 47 0 5 40 48 to 55 0 6 4...

Page 1078: ...a priority mapping table To do Use the command Remarks Enter system view system view Enter priority mapping table view qos map table dot1p dp dot1p lp dscp dot1p dscp dp dscp dscp Required To configure a priority mapping table you need to enter the corresponding priority mapping table view Configure priority mapping parameters import import value list export export value Required The newly configu...

Page 1079: ... export 3 5 3 Configuring the Port Priority By default if a port receives packets without 802 1q tags the switch takes the priority of the receiving port as the 802 1p precedence of the received packets searches the dot1p lp dp mapping table for the corresponding local precedence and drop precedence according to the 802 1p precedence of the received packets and then marks the received packets with...

Page 1080: ...priority is 0 5 3 3 Configuration Examples I Network requirements Configure the port priority to 7 II Configuration procedure Enter system view Sysname system view Configure port priority of GigabitEthernet1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos priority 7 5 4 Configuring Port Priority Trust Mode You can configure the switch to trust the DSCP precedence of th...

Page 1081: ... dscp Required By default the 802 1p precedence of the received packets is trusted 5 4 3 Configuration Examples I Network requirements Configure to trust the DSCP precedence of the received packets II Configuration procedure Enter system view Sysname system view Enter port view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 Configure to trust the DSCP precedence of the receiv...

Page 1082: ...nd traffic on a VLAN A QoS policy is not effective on dynamic VLANs for example VLANs created by GVRP 6 2 Applying a QoS Policy to VLANs 6 2 1 Configuration Prerequisites z The QoS policy to be applied is defined Refer to Configuring a QoS Policy for policy defining z VLANs where the QoS policy is to be applied are determined 6 2 2 Configuration Procedure Follow these steps to apply a QoS policy t...

Page 1083: ... ACL 2000 with CIR as 64 kbps The exceeding packets are dropped z Apply the VLAN policy test to the inbound direction of VLAN 200 VLAN 300 VLAN 400 VLAN 500 VLAN 600 VLAN 700 VLAN 800 and VLAN 900 6 4 2 Configuration Procedure Enter system view Sysname system view Create a class and enter class view Sysname traffic classifier cl1 Define a classification rule Sysname classifier cl1 if match acl 200...

Page 1084: ...tion Manual QoS H3C S5500 EI Series Ethernet Switches Chapter 6 Applying a QoS Policy to VLANs 6 3 Apply the policy to specific VLANs Sysname qos vlan policy test vlan 200 300 400 500 600 700 800 900 inbound ...

Page 1085: ...traffic on a mirrored port is replicated and sent to a destination port that is a mirroring port z Mirroring to CPU The desired traffic on a mirrored port is replicated and sent to the CPU on the board of the port for further analysis z Mirroring to VLAN The desired traffic on a mirrored port is replicated and sent to a VLAN where the traffic is broadcast and all the ports if available in the VLAN...

Page 1086: ...display traffic behavior user defined behavior name Display the configuration information about the user defined policy display qos policy user defined policy name Available in any view 7 4 Traffic Mirroring Configuration Examples 7 4 1 Network Requirements The user s network is as described below z Host A with the IP address 192 168 0 1 and Host B are connected to GigabitEthernet1 0 1 of the swit...

Page 1087: ...fier 1 if match acl 2000 Sysname classifier 1 quit Configure a traffic behavior and define the action of mirroring traffic to GigabitEthernet1 0 2 in the traffic behavior Sysname traffic behavior 1 Sysname behavior 1 mirror to interface GigabitEthernet 1 0 2 Sysname behavior 1 quit Configure a QoS policy and associate traffic behavior 1 with classification rule 1 Sysname qos policy 1 Sysname polic...

Page 1088: ...ing 1 2 1 1 3 Other Functions Supported by Port Mirroring 1 3 1 2 Configuring Local Port Mirroring 1 3 1 3 Configuring Remote Port Mirroring 1 4 1 3 1 Configuring a Remote Source Mirroring Group 1 4 1 3 2 Configuring a Remote Destination Port Mirroring Group 1 5 1 4 Displaying and Maintaining Port Mirroring 1 7 1 5 Port Mirroring Configuration Examples 1 7 1 5 1 Local Port Mirroring Configuration ...

Page 1089: ...e packets duplicated to the destination mirroring port on these devices so as to monitor and troubleshoot the network Host Data monitoring device Network Source mirroring port Destination mirroring port Figure 1 1 A port mirroring implementation 1 1 1 Classification of Port Mirroring There are two kinds of port mirroring local port mirroring and remote port mirroring z Local port mirroring copies ...

Page 1090: ... mirroring group and remote destination port mirroring group Figure 1 2 illustrates a remote port mirroring implementation Figure 1 2 A remote mirroring implementation The devices in Figure 1 2 function as follows z Source device Source device contains source mirroring ports and remote source port mirroring groups are created on source devices A source device duplicates the packets passing the sou...

Page 1091: ...do Use the command Remarks Enter system view system view Create a local mirroring group mirroring group group id local Required In system view mirroring group group id mirroring port mirroring port list both inbound outbound interface interface type interface number mirroring group group id mirroring port both inbound outbound Add ports to the port mirroring group as source ports In interface view...

Page 1092: ...ese steps to configure a remote port mirroring group To do Use the command Remarks Enter system view system view Create a remote source mirroring group mirroring group group id remote source Required In system view mirroring group group id mirroring port mirroring port list both inbound outbound interface interface type interface number mirroring group group id mirroring port both inbound outbound...

Page 1093: ... the outbound mirroring port otherwise the mirroring function may be affected z Only existing static VLANs can be configured as remote port mirroring VLANs To remove a VLAN operating as a remote port mirroring VLAN you need to restore it to a normal VLAN first A remote port mirroring group gets invalid if the corresponding remote port mirroring VLAN is removed z A port can belong to only one port ...

Page 1094: ... vlan rprobe vlan id tagged untagged Perform one of these three operations according to the port type Note z The remote destination mirroring port cannot be a member port of the current mirroring group z The remote destination mirroring port can be an access trunk or hybrid port It must be assigned to the remote mirroring VLAN z Do not enable STP RSTP or MSTP on the remote destination mirroring po...

Page 1095: ...rough GigabitEthernet 1 0 1 z Marketing department is connected to Switch C through GigabitEthernet 1 0 2 z Data monitoring device is connected to Switch C through GigabitEthernet 1 0 3 The administrator wants to monitor the packets received on and sent from the R D department and the marketing department through the data monitoring device Use the local port mirroring function to meet the requirem...

Page 1096: ...ernet1 0 3 After finishing the configuration you can monitor all the packets received and sent by R D department and Marketing department on the Data monitoring device 1 5 2 Remote Port Mirroring Configuration Example I Network requirements The departments of a company connect to each other through Ethernet switches z Department 1 is connected to GigabitEthernet 1 0 1 of Switch A z Department 2 is...

Page 1097: ... the remote port mirroring VLAN and port GigabitEthernet 1 0 2 to which the data monitoring device is connected as the destination port II Network diagram Figure 1 4 Network diagram for remote port mirroring configuration III Configuration procedure 1 Configure Switch A the source device Create a remote source port mirroring group SwitchA system view SwitchA mirroring group 1 remote source Create ...

Page 1098: ...itchB interface GigabitEthernet 1 0 2 SwitchB GigabitEthernet1 0 2 port link type trunk SwitchB GigabitEthernet1 0 2 port trunk permit vlan 2 3 Configure Switch C the destination device Configure port GigabitEthernet 1 0 1 as a trunk port and configure the port to permit the packets of VLAN 2 SwitchC system view SwitchC interface GigabitEthernet 1 0 1 SwitchC GigabitEthernet1 0 1 port link type tr...

Page 1099: ...irroring H3C S5500 EI Series Ethernet Switches Chapter 1 Port Mirroring Configuration 1 11 After finishing the configuration you can monitor all the packets sent by Department 1 and Department 2 on the Data monitoring device ...

Page 1100: ...he Management Device and the Member Devices Within a Cluster 1 15 1 3 9 Configuring the Destination MAC Address of Cluster Management Multicast Packets 1 15 1 3 10 Configuring Cluster Member Management 1 16 1 4 Configuring the Member Devices 1 17 1 4 1 Enabling NDP Globally and for Specific Ports 1 17 1 4 2 Enabling NTDP Globally and for Specific Ports 1 17 1 4 3 Manually Collecting NTDP Informati...

Page 1101: ...aining Cluster Management z Cluster Management Configuration Examples 1 1 Cluster Management Overview 1 1 1 Cluster Management Definition A cluster is an aggregation of a group of communication devices Cluster management is to implement management of large numbers of distributed network devices Cluster management is implemented through Huawei Group Management Protocol version 2 HGMPv2 By employing...

Page 1102: ...z Allowing simultaneous software upgrading and parameter configuring on multiple devices free of topology and distance limitations 1 1 2 Roles in a Cluster The devices in a cluster play different roles according to their different functions and status You can specify the role a device plays The following three roles exist in a cluster management device member device and candidate device z Manageme...

Page 1103: ...e after being added to a cluster z A member device becomes a candidate device after it is removed from the cluster z A management device becomes a candidate device only after the cluster is removed 1 1 3 How a Cluster Works HGMPv2 consists of the following three protocols z Neighbor Discovery Protocol NDP z Neighbor Topology Discovery Protocol NTDP z Cluster A cluster configures and manages the de...

Page 1104: ...onding entry in the NDP table is updated otherwise only the holdtime of the entry is updated If no NDP information from the neighbor is received within the holdtime the corresponding entry is removed from the NDP table NDP runs on the data link layer and therefore supports different network layer protocols II Introduction to NTDP NTDP is a protocol used to collect network topology information NTDP...

Page 1105: ...to control the speed of the NTDP topology collection request advertisement z Upon receiving an NTDP topology collection request the device does not forward it instead it waits for a period of time and then forwards the NTDP topology collection request on the first NTDP enabled port z On the same device except the first port each NTDP enabled port waits for a period of time and then forwards the NT...

Page 1106: ...nterval three times of the interval to send handshake packets it changes the status of the member device from Active to Connect Likewise if a member device fails to receive the handshake packets from the management device in an interval three times of the interval to send handshake packets the status of the member device will also be changed from Active to Connect z If this management device in in...

Page 1107: ...Therefore z If the packets from the management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the subtending ports connecting the management device and the member candidate devices prohibit the packets from the management VLAN you can set the packets from the management VLAN to pass the ports on candidate devices with the ...

Page 1108: ...tional Configuring the Management Device Configuring Cluster Member Management Optional Enabling NDP Globally and for Specific Ports Optional Enabling NTDP Globally and for Specific Ports Optional Manually Collecting NTDP Information Enabling the Cluster Function Optional Configuring the Member Devices Deleting a Member Device from a Cluster Optional Configuring Access Between the Management Devic...

Page 1109: ...rmally you must enable NDP both globally and on the specified port z If the subtending port or the port connecting the management device to a member candidate device is a port of a member in an aggregation group you must enable NDP on all member ports of the aggregation group at the same time Otherwise NDP will work abnormally z You are recommended to disable NDP on the port which connects with th...

Page 1110: ...vice to hold NDP packets cannot be shorter than the interval to send NDP packets otherwise the NDP table may become instable 1 3 3 Enabling NTDP Globally and for Specific Ports Follow these steps to enable NTDP globally and for specific ports To do Use the command Remarks Enter system view system view Enable NTDP globally ntdp enable Optional Enabled by default interface interface type interface n...

Page 1111: ...ommended to disable NDP on the port which connects with the devices that do not need to join the cluster preventing the management device from adding the device which needs not to join the cluster and collecting the topology information of this device 1 3 4 Configuring NTDP Parameters Follow these steps to configure NTDP parameters To do Use the command Remarks Enter system view system view Config...

Page 1112: ...ult 1 3 7 Establishing a Cluster Before establishing a cluster you need to configure a private IP address pool for the devices to be added to the cluster When a candidate device is added to a cluster the management device assigns a private IP address to it for the candidate device to communicate with other devices in the cluster This enables you to manage and maintain member devices in a cluster t...

Page 1113: ...agement VLAN pass the ports Otherwise you must configure the packets from the management VLAN to pass these ports For the configuration procedure refer to VLAN Configuration in the Access Volume z You must configure the IP address pool before establishing a cluster and configure it on the management device only If a cluster has already been established you are not allowed to change the IP address ...

Page 1114: ...r predefined hop counts and starts to automatically add them to the cluster You can use Ctrl C anytime during the adding process to exit cluster auto building However this will only stop adding new devices into the cluster and devices already added in the cluster are not removed Follow these steps to automatically establish a cluster To do Use the command Remarks Enter system view system view Spec...

Page 1115: ...figuring the Destination MAC Address of Cluster Management Multicast Packets By default the destination MAC address of cluster management multicast packets including NDP NTDP and HABP packets is 010f e200 0002 which IEEE reserved for later use Since some devices cannot forward the multicast packets with the destination MAC address of 010f e200 0002 cluster management packets cannot traverse these ...

Page 1116: ...command Remarks Enter system view system view Enter cluster view cluster Add a candidate device to the cluster add member member number mac address mac address password password Optional Remove a member device from the cluster delete member member number to black list Required II Rebooting a member device Communication between the management and member devices may be interrupted due to some config...

Page 1117: ...formation 1 4 4 Enabling the Cluster Function Refer to Enabling the Cluster Function 1 4 5 Deleting a Member Device from a Cluster To do Use the command Remarks Enter system view system view Enter cluster view cluster Delete a member device from the cluster undo administrator address Required 1 5 Configuring Access Between the Management Device and Its Member Devices After having successfully conf...

Page 1118: ...defined level by the management device if authentication is passed z When a candidate device is added to a cluster and becomes a member device its super password will be automatically synchronized to the management device Therefore after a cluster is established you are not recommended to modify the super password of the member device including management device and member devices of the cluster o...

Page 1119: ...ministrator as correct You can get the information of a node and its neighbors from the current topology Based on the information you can manage and maintain the whitelist by adding deleting or modifying a node z Topology management blacklist A blacklist is a list of devices that are not allowed to join a cluster unless the administrator manually removes them from the list A blacklist contains the...

Page 1120: ...andard topology to the FTP server or the local Flash topology save to ftp server local flash Optional Restore the standard topology information from the FTP server or the local Flash topology restore from ftp server local flash Optional You must ensure that the topology is correct before restoring it as the device itself cannot judge the correctness in topology 1 7 2 Configuring Interaction for a ...

Page 1121: ...ared by the member devices in the cluster tftp server ip address Required By default no TFTP server is configured for a cluster Configure the log host shared by the member devices in the cluster logging host ip address Required By default no log host is configured for a cluster Configure the SNMP NM host shared by the member devices in the cluster snmp host ip address community string read string1...

Page 1122: ... address mac address member id member number View the current blacklist of the cluster display cluster black list View the information of candidate devices display cluster candidates mac address mac address verbose Display the current topology information or the topology path between two devices display cluster current topology mac address mac address to mac address mac address member id member nu...

Page 1123: ...elongs to VLAN 2 whose interface IP address is 163 172 55 1 24 The network management interface of the management device is VLAN interface 2 VLAN 2 is the network management NM interface of the management device z All the devices in the cluster use the same FTP server and TFTP server which share one IP address 63 172 55 1 24 z The SNMP NMS and log host share one IP address 69 172 55 4 24 z The man...

Page 1124: ...ment device Enable NDP globally and for the GigabitEthernet1 0 2 GigabitEthernet1 0 3 ports Switch system view Switch ndp enable Switch interface GigabitEthernet1 0 2 Switch GigabitEthernet1 0 2 ndp enable Switch GigabitEthernet1 0 2 quit Switch interface GigabitEthernet1 0 3 Switch GigabitEthernet1 0 3 ndp enable Switch GigabitEthernet1 0 3 quit Configure the period for the receiving device to ke...

Page 1125: ... device to candidate devices as a Trunk port and allow packets from the management VLAN to pass Switch interface GigabitEthernet 1 0 2 Switch GigabitEthernet 1 0 2 port link type trunk Switch GigabitEthernet 1 0 2 port trunk permit vlan 10 Switch GigabitEthernet 1 0 2 quit Switch interface GigabitEthernet 1 0 3 Switch GigabitEthernet 1 0 3 port link type trunk Switch GigabitEthernet 1 0 3 port tru...

Page 1126: ...re the network management interface aabbcc_0 Switch vlan 2 aabbcc_0 Switch vlan2 port GigabitEthernet 1 0 1 aabbcc_0 Switch quit aabbcc_0 Switch interface vlan interface 2 aabbcc_0 Switch Vlan interface2 ip address 163 172 55 1 24 aabbcc_0 Switch Vlan interface2 quit aabbcc_0 Switch cluster aabbcc_0 Switch cluster nm interface vlan interface 2 Note z Upon completion of the above configurations you...

Page 1127: ... Ethernet Switches Table of Contents i Table of Contents Chapter 1 UDP Helper Configuration 1 1 1 1 Introduction to UDP Helper 1 1 1 2 Configuring UDP Helper 1 1 1 3 Displaying and Maintaining UDP Helper 1 2 1 4 UDP Helper Configuration Example 1 2 ...

Page 1128: ...agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the packet matches the one pre configured on the device the device modifies the destination IP a...

Page 1129: ...udp helper port dns specify the same UDP port number z The configuration of all UDP ports is removed if you disable UDP Helper z You can configure up to 20 destination servers on a VLAN interface 1 3 Displaying and Maintaining UDP Helper To do Use the command Remarks Displays the information of forwarded UDP packets display udp helper server interface Vlan interface vlan id Available in any view C...

Page 1130: ... A to the network segment 10 2 0 0 16 is available Enable UDP Helper SwitchA system view SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port number 55 SwitchA udp helper port 55 Specify the server with the IP address of 10 2 1 1 as the destination server to which UDP packets are to be forwarded SwitchA interface vlan interface 1 SwitchA Vlan interface1 i...

Page 1131: ... Enabling SNMP Logging 1 6 1 4 Trap Configuration 1 7 1 4 1 Configuration Prerequisites 1 7 1 4 2 Configuration Procedure 1 7 1 5 Displaying and Maintaining SNMP 1 9 1 6 SNMP Configuration Example 1 9 1 7 SNMP Logging Configuration Example 1 11 Chapter 2 RMON Configuration 2 1 2 1 RMON Overview 2 1 2 1 1 Introduction 2 1 2 1 2 Working Mechanism 2 1 2 1 3 RMON Groups 2 2 2 2 Configuring RMON 2 3 2 ...

Page 1132: ...ous devices and thus realizes automatic management of products from different manufacturers Offering only the basic set of functions SNMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially in small high speed and low cost netwo...

Page 1133: ...t it supports more data types such as Counter64 and Counter32 and it provides various error codes thus being able to distinguish errors in more detail z SNMPv3 offers an authentication that is implemented with a User Based Security Model USM You can set the authentication and privacy functions The former is used to authenticate the validity of the sending end of the authentication packets preventi...

Page 1134: ... 1 B Figure 1 2 MIB tree 1 2 SNMP Configuration As configurations for SNMPv3 differ substantially from those of SNMPv1 and SNMPv2c their SNMP functionalities will be introduced separately below Follow these steps to configure SNMPv3 To do Use the command Remarks Enter system view system view Enable SNMP Agent snmp agent Optional Disabled by default You can enable SNMP Agent through this command or...

Page 1135: ... Required If the cipher keyword is specified the arguments auth password and priv password are considered as cipher text password Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent snmp agent packet max size byte count Optional 1 500 bytes by default Configure the engine ID for a local SNMP agent snmp agent local engineid engineid Optional Company ID and dev...

Page 1136: ...p snmp agent usm user v1 v2c user name group name acl acl number Use either approach Both commands can be used to configure SNMP NMS access rights The second command was introduced to be compatible with SNMPv3 The community name configured on NMS should be consistent with the username configured on the Agent Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent...

Page 1137: ...ult Configure SNMP log output rules info center source module name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Optional By default SNMP logs are output to loghost and logfile only To output SNMP logs to other destinations such as console or monitor terminal you need to set the output destinations with t...

Page 1138: ...to enable the device to send Traps globally snmp agent trap enable bgp configuration flash ospf process id ospf trap list standard authentication coldstart linkdown linkup warmstart system voice vrrp authfailure newmaster Optional All types of Traps are allowed by default Enter interface view interface interface type interface number Set to enable the device to send Traps of interface state change...

Page 1139: ...e interface type interface number interface number subnum ber Optional Extend the standard linkUp linkDown Traps defined in RFC snmp agent trap if mib link extended Optional Standard linkUp linkDown Traps defined in RFC are used by default Configure the queue size for sending Traps snmp agent trap queue size size Optional 100 by default Configure the lifetime for Traps snmp agent trap life seconds...

Page 1140: ...send Traps and whether their Trap sending is enabled or not display snmp agent trap list Display SNMP v3 agent user information display snmp agent usm user engineid engineid username user name group group name Display SNMP v1 or v2c agent community information display snmp agent community read write Display MIB view information for an SNMP agent display snmp agent mib view exclude include viewname...

Page 1141: ...Sysname vlan2 port ethernet 1 0 Sysname vlan2 interface vlan interface 2 Sysname Vlan interface2 ip address 1 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure the contact person and physical location information of the switch Sysname snmp agent sys info contact Mr Wang Tel 3306 Sysname snmp agent sys info location telephone closet 3rd floor Enable the sending of Traps to the NMS with an ...

Page 1142: ...on on Agent II Network diagram Figure 1 4 Network diagram for SNMP logging III Configuration procedure Note The configurations for NMS and Agent are omitted Enable logging display on the terminal optional enabled by default Sysname terminal monitor Sysname terminal logging Enable the information center to output the system information with the severity of informational to the Console port Sysname ...

Page 1143: ... time when SNMP log is generated seqNO Sequence number of the SNMP log srcIP IP address of NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID of the instance erroIndex Error index with 0 meaning no error errorstatus Error status with noError meaning no error value Value set when the SET operation is performed This field is meaning the value obtained with the GET op...

Page 1144: ...or remote network devices in a more proactive and effective way It reduces traffic between network management station NMS and agent facilitating large network management RMON comprises two parts NMSs and agents running on network devices z Each RMON NMS administers the agents within its administrative domain z An RMON agent resides on a network monitor or probe for an interface It monitors and gat...

Page 1145: ...and controls the generation and notifications of the events triggered by the alarms defined in the alarm group and the private alarm group The events can be handled in one of the following ways z Logging events in the event log table z Sending traps to NMSs z Both logging and sending traps z No action II Alarm group The RMON alarm group monitors specified alarm variables such as statistics on a po...

Page 1146: ... can cause an alarm event That is the rising alarm and falling alarm are alternate IV History group The history group controls the periodic statistical sampling of data such as bandwidth utilization number of errors and total number of packets Note that each value provided by the group is a cumulative sum during a sampling period V Ethernet statistics group The statistics group monitors port utili...

Page 1147: ...y number buckets number interval sampling interval owner text Optional Create an entry in the statistics table rmon statistics entry number owner text Optional Exit Ethernet interface view quit Create an entry in the alarm table rmon alarm entry number alarm variable sampling interval absolute delta rising threshold threshold value1 event entry1 falling threshold threshold value2 event entry2 owne...

Page 1148: ...ctions on the configuration of RMON Entry Parameters to be compared Event Event description description string event type log trap logtrap or none and community name trap community or log trapcommunity History Sampling interval interval sampling interval Statistics Only one statistics entry can be created on an interface Alarm Alarm variable alarm variable sampling interval sampling interval sampl...

Page 1149: ...Create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1 0 1 and logging is enabled after received bytes exceed the specified threshold II Network diagram Figure 2 1 Network diagram for RMON on a switch III Configuration procedure Configure RMON to gather statistics for interface GigabitEthernet 1 0 1 Sysname system view Sysname interface GigabitEthernet 1 0 ...

Page 1150: ...ysname system view Sysname rmon event 1 log owner 1 rmon Configure an alarm group to sample received bytes on GigabitEthernet 1 0 1 When the received bytes exceed the upper or below the lower limit logging is enabled Sysname rmon alarm 1 1 3 6 1 2 1 16 1 1 1 4 1 delta rising threshold 1000 1 falling threshold 100 1 owner 1 rmon Sysname display rmon alarm 1 Alarm table 1 owned by 1 rmon is VALID Sa...

Page 1151: ...ing the Interface to Send NTP Messages 1 12 1 4 2 Disabling an Interface from Receiving NTP Messages 1 13 1 4 3 Configuring the Maximum Number of Dynamic Sessions Allowed 1 13 1 5 Configuring Access Control Rights 1 13 1 5 1 Configuration Prerequisites 1 14 1 5 2 Configuration Procedure 1 14 1 6 Configuring NTP Authentication 1 15 1 6 1 Configuration Prerequisites 1 15 1 6 2 Configuration Procedur...

Page 1152: ...hronizes timekeeping among distributed time servers and clients NTP runs over the User Datagram Protocol UDP using UDP port 123 The purpose of using NTP is to keep consistent timekeeping among all clock dependent devices within the network so that the devices can provide diverse applications based on the consistent time For a local system running NTP its time can be synchronized by other reference...

Page 1153: ... between the backup server and all the clients Advantages of NTP z NTP uses a stratum to describe the clock precision and is able to synchronize time among all devices within the network z NTP supports access control and MD5 authentication z NTP can unicast multicast or broadcast protocol messages 1 1 2 How NTP Works Figure 1 1 shows the basic work flow of NTP Switch A and Switch B are interconnec...

Page 1154: ...The time stamp is 10 00 00 am T1 z When this NTP message arrives at Switch B it is timestamped by Switch B The timestamp is 11 00 01 am T2 z When the NTP message leaves Switch B Switch B timestamps it The timestamp is 11 00 02 am T3 z When Switch A receives the NTP message the local time of Switch A is 10 00 03 am T4 Up to now Switch A has sufficient information to calculate the following two impo...

Page 1155: ...chronization message is encapsulated in a UDP message in the format shown in Figure 1 2 LI VN Mode Stratum Poll Precision 0 7 15 23 31 Root delay 32 bits Root dispersion 32 bits Reference identifier 32 bits Receive timestamp 64 bits Transmit timestamp 64 bits Authenticator optional 96 bits Reference timestamp 64 bits Originate timestamp 64 bits 1 4 Figure 1 2 Clock synchronization message format M...

Page 1156: ... precision of the local clock z Root Delay roundtrip delay to the primary reference source z Root Dispersion the maximum error of the local clock relative to the primary reference source z Reference Identifier Identifier of the particular reference source z Reference Timestamp the local time at which the local clock was last set or corrected z Originate Timestamp the local time at which the reques...

Page 1157: ... Symmetric peers mode A switch working in the symmetric active mode periodically sends clock synchronization messages with the Mode field in the message set to 1 symmetric active the switch that receives this message automatically enters the symmetric passive mode and sends a reply with the Mode field in the message set to 2 symmetric passive By exchanging messages the symmetric peers mode is esta...

Page 1158: ...on messages to the user configured multicast address or if no multicast address is configured to the default NTP multicast address 224 0 1 1 with the Mode field in the messages set to 5 multicast mode Clients listen to the multicast messages from servers After a client receives the first multicast message the client and the server start to exchange messages with the Mode field set to 3 client mode...

Page 1159: ...8 associations at the same time including static associations and dynamic associations A static association refers to an association that a user has manually created by using an NTP command while a dynamic association is a temporary association created by the system during operation A dynamic association will be removed if the system fails to receive messages from it over a specific long time In t...

Page 1160: ...host address rather than a broadcast address a multicast address or the IP address of the local clock z When the interface sending the NTP packet is specified by the source interface argument the source IP address of the NTP packet will be configured as the primary IP address of the specified interface z A switch can act as a server to synchronize the clock of other switches only after its clock h...

Page 1161: ...ace used to send NTP messages is specified by the source interface argument the source IP address of the NTP message will be configured as the primary IP address of the specified interface z Typically at least one of the symmetric active and symmetric passive peers has been synchronized otherwise the clock synchronization will not proceed z You can configure multiple symmetric passive peers by rep...

Page 1162: ...erface view interface interface type interface number Enter the interface used to send NTP broadcast messages Configure the switch to work in the NTP broadcast server mode ntp service broadcast server authentication keyid keyid version number Required Note A broadcast server can synchronize broadcast clients only after its clock has been synchronized 1 3 4 Configuring NTP Multicast Mode The multic...

Page 1163: ...number Enter the interface used to send NTP multicast message Configure the switch to work in the NTP multicast server mode ntp service multicast server ip address authentication keyid keyid ttl ttl number version number Required Note z A multicast server can synchronize broadcast clients only after its clock has been synchronized z You can configure up to 1024 multicast clients among which 128 ca...

Page 1164: ...and Remarks Enter system view system view Enter interface view interface interface type interface number Disable the interface from receiving NTP messages ntp service in interface disable Required An interface is enabled to receive NTP messages by default 1 4 3 Configuring the Maximum Number of Dynamic Sessions Allowed To do Use the command Remarks Enter system view system view Configure the maxim...

Page 1165: ... peer switch to perform synchronization and control query to the local switch and also permits the local switch to synchronize its clock to the peer switch From the highest NTP service access control right to the lowest one are peer server synchronization and query When a switch receives an NTP request it will perform an access control right match and will use the first matched right 1 5 1 Configu...

Page 1166: ...cation function cannot be normally enabled z For the server client mode or symmetric mode you need to associate the specified authentication key on the client symmetric active peer if in the symmetric peer mode with the corresponding NTP server symmetric passive peer if in the symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode or...

Page 1167: ...er ip address peer name authentication keyid keyid Required You can associate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server Note After you enable the NTP authentication feature for the client make sure that you configure for the client an authentication key that is the same...

Page 1168: ...ate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server Note The procedure of configuring NTP authentication on a server is the same as that on a client and the same authentication key must be configured on both the server and client sides 1 7 Displaying and Maintaining NTP To do...

Page 1169: ... as the reference source with the stratum level of 2 SwitchA system view SwitchA ntp service refclock master 2 2 Configuration on Switch B View the NTP status of Switch B before clock synchronization SwitchB display ntp service status Clock status unsynchronized Clock stratum 16 Reference clock ID none Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 00...

Page 1170: ...session information of Switch B which shows that an association has been set up between Switch B and Switch A SwitchB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 63 64 3 75 5 31 0 16 5 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 1 8 2 Configuring the NTP Symmetric Mode I Network r...

Page 1171: ...rver 3 0 1 31 3 Configuration on Switch C after Switch B is synchronized to Switch A Specify the local clock as the reference source with the stratum level of 1 SwitchC system view SwitchC ntp service refclock master 1 Configure Switch B as a symmetric peer after local synchronization SwitchC ntp service unicast peer 3 0 1 32 In the step above Switch B and Switch C are configured as symmetric peer...

Page 1172: ...association has been set up between Switch B and Switch C SwitchB display ntp service sessions source reference stra reach poll now offset delay disper 245 3 0 1 31 127 127 1 0 2 15 64 24 10535 0 19 6 14 5 1234 3 0 1 33 LOCL 1 14 64 27 77 0 16 0 14 8 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 1 8 3 Configuring NTP Broadcast Mode I Network requiremen...

Page 1173: ...es through VLAN interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server 2 Configuration on Switch D Configure Switch D to work in the broadcast client mode and receive broadcast messages on VLAN interface 2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service broadcast client 3 Configuration on Switch A Configure Swi...

Page 1174: ...itch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 2 254 64 62 16 0 32 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations ...

Page 1175: ...erface vlan interface 2 SwitchC Vlan interface2 ntp service multicast server 2 Configuration on Switch D Configure Switch D to work in the multicast client mode and receive multicast messages on VLAN interface 2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service multicast client Because Switch D and Switch C are on the same subnet Switch D can receive the mu...

Page 1176: ...3 selected 4 candidate 5 configured Total associations 1 3 Configuration on Switch B Because Switch A and Switch C are on different subnets you must enable IGMP on Switch B before Switch A can receive multicast messages from Switch C Enable IP multicast routing and IGMP SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 2 SwitchB Vlan interface2 pim dm SwitchB Vl...

Page 1177: ...tch C is 2 View the NTP session information of Switch A which shows that an association has been set up between Switch A and Switch C SwitchA display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 2 255 64 26 16 0 40 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Note Refer to the Multicast...

Page 1178: ...keyid 42 authentication mode md5 aNiceKey Specify the key as key as a trusted key SwitchB ntp service reliable authentication keyid 42 Specify Switch A as the NTP server SwitchB ntp service unicast server 1 0 1 11 authentication keyid 42 Before Switch B can synchronize its clock to that of Switch A you need to enable NTP authentication for Switch A Perform the following configuration on Switch A E...

Page 1179: ...B which shows that an association has been set up Switch B and Switch A SwitchB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 63 64 3 75 5 31 0 16 5 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 1 8 6 Configuring NTP Broadcast Mode with Authentication I Network requirements z Switch C...

Page 1180: ...ntication keyid 88 authentication mode md5 123456 SwitchC ntp service reliable authentication keyid 88 Specify Switch C as an NTP broadcast server and specify an authentication key SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server authentication keyid 88 2 Configuration on Switch D Configure NTP authentication SwitchD system view SwitchD ntp service authentica...

Page 1181: ...cy 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 8 31 ms Peer dispersion 34 30 ms Reference time 16 01 51 713 UTC Apr 20 2007 C6D95F6F B6872B02 As shown above Switch D has been synchronized to Switch B and the clock stratum level of Switch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which ...

Page 1182: ... Configuring the DNS Client 1 4 1 2 1 Configuring Static Domain Name Resolution 1 4 1 2 2 Configuring Dynamic Domain Name Resolution 1 5 1 3 Configuring the DNS Proxy 1 5 1 4 Displaying and Maintaining DNS 1 6 1 5 DNS Configuration Examples 1 6 1 5 1 Static Domain Name Resolution Configuration Example 1 6 1 5 2 Dynamic Domain Name Resolution Configuration Example 1 7 1 5 3 DNS Proxy Configuration ...

Page 1183: ...sses With DNS you can use easy to remember domain names in some applications and let the DNS server translate them into correct IP addresses There are two types of DNS services static and dynamic After a user specifies a name the device checks the local static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes mo...

Page 1184: ...eceiving a response from the DNS server Figure 1 1 Dynamic domain name resolution Figure 1 1 shows the relationship between the user program DNS client and DNS server The resolver and cache comprise the DNS client The user program and DNS client can run on the same device or different devices while the DNS server and the DNS client usually run on different devices Dynamic domain name resolution al...

Page 1185: ...fix for another query z If the dot is at the end of the domain name for example aabbcc com the resolver will consider it a fully qualified domain name FQDN and return the query result successful or failed Hence the dot at the end of the domain name is called the terminating symbol Currently the device supports static and dynamic DNS services Note If an alias is configured for a domain name on the ...

Page 1186: ...e table the DNS proxy returns a DNS reply to the client 3 If the requested information does not exist in the static domain name resolution table the DNS proxy sends the request to the designated DNS server for domain name resolution 4 After receiving a reply from the DNS server the DNS proxy forwards the reply to the DNS client 1 2 Configuring the DNS Client 1 2 1 Configuring Static Domain Name Re...

Page 1187: ...lution To do Use the command Remarks Enter system view system view Enable dynamic domain name resolution dns resolve Required Disabled by default Specify a DNS server dns server ip address Required Not specified by default Configure a domain name suffix dns domain domain name Optional Not configured by default Note You may configure up to six DNS servers and ten DNS suffixes 1 3 Configuring the DN...

Page 1188: ...1 5 DNS Configuration Examples 1 5 1 Static Domain Name Resolution Configuration Example I Network requirements Switch uses the static domain name resolution to access Host with IP address 10 1 1 2 through domain name host com II Network diagram Figure 1 3 Network diagram for static domain name resolution III Configuration procedure Configure a mapping between host name host com and IP address 10 ...

Page 1189: ...r is 2 1 1 2 16 and the name suffix is com z Switch serving as a DNS client uses the dynamic domain name resolution and the suffix to access the host with the domain name host com and the IP address 3 1 1 1 16 II Network diagram Figure 1 4 Network diagram for dynamic domain name resolution III Configuration procedure Note z Before performing the following configuration make sure that there is a ro...

Page 1190: ...rver configuration page Select Start Programs Administrative Tools DNS Create zone com In Figure 1 5 right click Forward Lookup Zones select New zone and then follow the instructions to create a new zone Figure 1 5 Create a zone Create a mapping between the host name and IP address Figure 1 6 Add a host ...

Page 1191: ...NS server 2 1 1 2 Sysname dns server 2 1 1 2 Configure com as the name suffix Sysname dns domain com 3 Configuration verification Execute the ping host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING ...

Page 1192: ...onfiguration Example I Network requirements z Specify Switch A as the DNS server of Switch B the DNS client z Switch A acts as a DNS proxy The IP address of the real DNS server is 4 1 1 1 z Switch B implements domain name resolution through Switch A II Network diagram Figure 1 8 Network diagram for DNS proxy III Configuration procedure Note Before performing the following configuration assume that...

Page 1193: ...esolve Specify the DNS server 2 1 1 2 SwitchB dns server 2 1 1 2 4 Configuration verification Execute the ping host com command on Switch B to verify that the host can be pinged after the host s IP address 3 1 1 1 is resolved SwitchB ping host com Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes 56...

Page 1194: ...dns dynamic host command to verify that the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specified domain name is in the cache but the IP address is incorrect check that the DNS client has the correct IP address of the DNS server z Verify the mapping be...

Page 1195: ...onfiguration File for Next Startup 1 10 1 3 Displaying and Maintaining Device Configuration 1 12 Chapter 2 FTP Configuration 2 1 2 1 FTP Overview 2 1 2 1 1 Introduction to FTP 2 1 2 1 2 Implementation of FTP 2 1 2 2 Configuring the FTP Client 2 2 2 2 1 Establishing an FTP Connection 2 2 2 2 2 Configuring the FTP Client 2 4 2 2 3 FTP Client Configuration Example 2 6 2 3 Configuring the FTP Server 2...

Page 1196: ...h the path excluded to indicate a file in the current path The filename can be 1 to 91 characters in length 1 1 File System Management This section covers these topics z File System Overview z Directory Operations z File Operations z Storage Device Operations z File System Prompt Mode Setting z File System Operations 1 1 1 File System Overview A major function of the file system is to manage stora...

Page 1197: ...z The directory to be removed must be empty meaning before you remove a directory you must delete all the files and the subdirectory under this directory For file deletion refer to the delete command and for subdirectory deletion refer to the rmdir command z After the execution of the rmdir command the files in this directory will be automatically deleted for ever 1 1 3 File Operations File operat...

Page 1198: ...ew Enter system view system view Execute the batch file execute filename Optional Note You can create a file by copying or downloading or using the save command Caution z Empty the recycle bin timely with the reset recycle bin command to save memory space z As the delete unreserved file url command deletes a file permanently and the action cannot be undone use it with caution z The execute command...

Page 1199: ... z If storage device partitioning is supported on the device the name of the partition device is composed of the physical device name and partition number The serial numbers of partitions are displayed in numbers such as 0 1 or 2 Note Currently the storage device on an S5500 EI series Ethernet switch is the Flash only which is named flash II Memory space management You can use the fixdisk command ...

Page 1200: ...a loss z quiet where the system does not do that in any cases To prevent undesirable consequence resulted from misoperations the alert mode is preferred To do Use the command Remarks Enter system view system view Set the operation prompt mode of the file system file prompt alert quiet Optional The default is alert 1 1 6 File System Operations Example Display the files and the subdirectory under th...

Page 1201: ...figuration z Erasing the Startup Configuration File z Specifying a Configuration File for Next Startup z Backing up Restoring the Configuration File for Next Startup 1 2 1 Configuration File Overview A configuration file saves the device configurations in command lines in text format You can view configuration information conveniently through the configuration files I Types of configuration The co...

Page 1202: ... file from a device you can specify to remove the main or backup configuration file Or if it is a file having both the main and backup attributes you can specify to erase the main or backup attribute of the file z When setting the configuration file for next startup you can specify the main backup attribute of the file IV Startup with the configuration file The following steps are taken during sys...

Page 1203: ...nd has backup attribute the file will have both main and backup attributes after execution of this command If the filename you entered is different from that existing in the system this command will erase its main attribute to allow only one main attribute configuration file in the device z Backup attribute When you use the save safely backup command to save the current configuration the configura...

Page 1204: ...h the default configuration next time it is powered on You may need to erase the configuration file for one of these reasons z After you upgrade software the original configuration file does not match the new software z The startup configuration file is corrupted or not the one you need When main backup attributes are supported the following two situations exist z While the reset saved configurati...

Page 1205: ... the file as the backup startup configuration file z You can also use the startup saved configuration cfgfile backup command to set the file as backup startup configuration file Follow the step below to specify a configuration file for next startup To do Use the command Remarks Specify a configuration file for next startup startup saved configuration cfgfile backup main Required Available in user ...

Page 1206: ...tartup command in user view to verify if you have set the startup configuration file and use the dir command to verify if this file exists If the file is set as NULL or does not exist the backup will be unsuccessful III Restoring the startup configuration file To do Use the command Remarks Restore the startup configuration file restore startup configuration from src addr filename Required Availabl...

Page 1207: ...uration file used for this and next startup display startup Available in any view Display the validated configuration in current view display this by linenum Available in any view Display current configuration display current configuration configuration configuration controller interface interface type interface number by linenum begin include exclude text Available in any view Note For detailed d...

Page 1208: ...text file transmission 2 1 2 Implementation of FTP FTP adopts the server client model Your switch can function either as client or as server as shown in Figure 2 1 They work in the following way z When the switch serves as the FTP client a PC user first telnets or connects to the switch through an emulation program then executes the ftp command to establish the connection to the remote FTP server ...

Page 1209: ...essfully access the FTP server You can specify one by configuring the source address of the packets of the FTP client to meet the requirement of the security policy of the FTP client You can configure the source address by configuring the source interface or source IP address The primary IP address configured on the source interface is the source address of the transmitted packets The source addre...

Page 1210: ...terface determined by the routing protocol as the source IP address to communicate with the FTP server by default Exit to system view quit Log onto the remote FTP server directly in user view ftp server address service port source interface interface type interface number ip source ip address ftp Log onto the remote FTP server indirectly in FTP client view open server address service port Use eith...

Page 1211: ...nnection the device can perform the following operations for the authorized directory To do Use the command Remarks Display help information of FTP related commands supported by the remote FTP server remotehelp protocol command Optional Enable information display in a detailed manner verbose Optional Enabled by default Use other username to relog after logging onto the FTP server successfully user...

Page 1212: ...te specified file on the FTP server delete remotefile Optional Delete specified directory on the FTP server rmdir directory Optional Disconnect with the FTP server without exiting the FTP client view disconnect Optional Equal to the close command Disconnect with the FTP server without exiting the FTP client view close Optional Equal to the disconnect command Disconnect with the FTP server and exit...

Page 1213: ...etwork FTP Client 10 2 2 1 16 Console FTP Server 10 1 1 1 16 Figure 2 2 Network diagram for FTPing an image file from an FTP server III Configuration procedure Check files on your device Remove those redundant to ensure adequate space for the startup file to be downloaded Sysname dir Directory of flash 0 drw Dec 07 2005 10 00 57 filename 1 drw Jan 02 2006 14 27 51 logfile 2 rw 1216 Jan 02 2006 14 ...

Page 1214: ... Caution Startup files for next startup must be saved under the root directory You can copy or move a file to change the path of it to the root directory For description of the corresponding command refer to the System Maintaining and Debugging part of the manual 2 3 Configuring the FTP Server 2 3 1 Configuring FTP Server Operating Parameters The FTP server uses two modes to update files when you ...

Page 1215: ...on between them is terminated Set the file update mode in FTP ftp update fast normal Optional Normal update is used by default 2 3 2 Configuring Authentication and Authorization for Accessing FTP Server To allow an FTP user to access certain directories on the FTP server you need to create an account for the user authorizing access to the directories and associating the username and password with ...

Page 1216: ...el level Optional 0 by default To upload files to an FTP server you need to set the FTP user level to 3 Note If FTP server performs authentication authorization and accounting AAA policy on FTP client AAA related parameters should be configured on the FTP server For more information about the local user password service type ftp and work directory commands and the AAA related configuration refer t...

Page 1217: ... directory Sysname luser abc service type ftp Sysname luser abc work directory flash Sysname luser abc quit Enable FTP server Sysname ftp server enable Sysname quit Check files on your device Remove those redundant to ensure adequate space for the startup file to be uploaded Sysname dir Directory of flash 0 drw Dec 07 2005 10 00 57 filename 1 drw Jan 02 2006 14 27 51 logfile 2 rw 1216 Jan 02 2006 ...

Page 1218: ...M program through FTP you must execute the bootrom upgrade command to refresh the system configuration You can use the boot loader command to specify the uploaded file as the main startup file for next startup Then restart the device and the startup file of the device is updated Sysname boot loader file bbb bin main Sysname reboot Caution Startup files for next startup must be saved under the root...

Page 1219: ...and Maintaining FTP To do Use the command Remarks Display the configuration of the FTP client display ftp client configuration Available in any view Display the configuration of the FTP server display ftp server Available in any view Display detailed information about logged in FTP users display ftp user Available in any view ...

Page 1220: ...cation Therefore it is more suitable where complex interaction is not needed between client and server TFTP uses the UDP port 69 for data transmission For TFTP basic operation refer to RFC 1350 In TFTP file transfer is initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to...

Page 1221: ...tart up because the original system file is not overwritten This mode is securer but consumes more memory You are recommended to use the latter mode or use a filename not existing in the current directory as the target filename when downloading startup file or configuration file Multiple routes may exist for a TFTP client to successfully access the TFTP server You can specify one by configuring th...

Page 1222: ...er ip source ip address Optional A device uses the source address determined by the routing protocol to communicate with the TFTP server by default Return to user view quit Download or upload a file in IPv4 network tftp server address get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Download or upload a file in IPv6 ne...

Page 1223: ...d for the client z On your device VLAN interface 1 is assigned an IP address 1 1 1 1 16 Make sure that the port connected to PC belongs to the same VLAN z TFTP a startup file from PC for upgrading and a configuration file config cfg to PC for backup II Network diagram Figure 3 2 Smooth upgrading using the TFTP client function III Configuration procedure 1 Configure PC TFTP Server the configuration...

Page 1224: ... available Sysname tftp 1 2 1 1 get aaa bin bbb bin Upload a configuration file config cfg to the TFTP server Sysname tftp 1 2 1 1 put config cfg configback cfg You can use the boot loader command to specify the uploaded file as the main startup file for next startup Then restart the device and the startup file of the device is updated Sysname boot loader file bbb bin main Sysname reboot Caution S...

Page 1225: ...g to Output System Information to a Monitor Terminal 1 9 1 2 4 Setting to Output System Information to a Log Host 1 10 1 2 5 Setting to Output System Information to the Trap Buffer 1 11 1 2 6 Setting to Output System Information to the Log Buffer 1 12 1 2 7 Setting to Output System Information to the SNMP NMS 1 13 1 2 8 Configuring Synchronous Information Output 1 14 1 3 Displaying and Maintaining...

Page 1226: ...information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems Note By default the information center is enabled An enabled information center affects the system performance in some degree due to information classification and output Such impact becomes more obvious in the event that there is enormous informa...

Page 1227: ...tion of all severities will be output III Ten channels and six output destinations of system information The system supports six information output destinations including the console monitor logbuffer loghost trapbuffer and SNMP The system supports ten channels The channels 0 through 5 have their default channel names and are associated with six output destinations by default Both the channel name...

Page 1228: ...n Note Configurations for the six output destinations function independently and take effect only after the information center is enabled IV Outputting system information by source module The system is composed of a variety of protocol modules board drivers and configuration modules The system information can be classified filtered and output by source module Some source module names and descripti...

Page 1229: ...ation exchange protocol module LAGG Link Aggregation module LINE Line module MSDP Multicast Source Discovery Protocol module MSTP Multiple Spanning Tree Protocol module NAT Network Address Translation module NTP Network Time Protocol module PKI Public Key Infrastructure module OSPF Open Shortest Path First module POE Power over Ethernet module QoS Quality of Service module RDS Radius module RM Rou...

Page 1230: ... alarm or debugging information respectively z This format is the standard format of system information After the system information is sent to the log host the displayed format depends on the tools you use to view the logs Below is an example of the format of log information to be output to a log host 188 Sep 28 15 33 46 235 2005 MyDevice SHELL 5 LOGIN Console login from aux0 What follows is a de...

Page 1231: ...t generates system information You can enter the info center source command in system view to view the module list Refer to Table 1 3 for module name and description Between module and level is a V Level Severity System information can be divided into eight levels based on its severity from 0 to 7 Refer to Table 1 1 for definition and description of these severity levels Note that there is a forwa...

Page 1232: ...information center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be output to the console info center console channel channel number channel name Optional System information is output ...

Page 1233: ...ble d informat ional Enable d warning s Disable d debuggi ng Log buffer default all module s Enable d warning s Disable d debuggi ng Disable d debuggi ng SNMP NMS default all module s Disable d debuggi ng Enable d warning s Disable d debuggi ng II Enabling the display of system information on the console After setting to output system information to the console you need to enable the associated di...

Page 1234: ...Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be output to a monitor terminal info center monitor channel channel number channel name Optional System information is output to the monitor terminal by defa...

Page 1235: ...red Disabled by default Enable the display of log information on a monitor terminal terminal logging Optional Enabled by default Enable the display of trap information on a monitor terminal terminal trapping Optional Enabled by default 1 2 4 Setting to Output System Information to a Log Host To do Use the command Remarks Enter system view system view Enable information center info center enable Op...

Page 1236: ... output rules of the system information Configure the format of the time stamp for log information info center timestamp loghost date no year date none Optional date by default 1 2 5 Setting to Output System Information to the Trap Buffer To do Use the command Remarks Enter system view system view Enable information center info center enable Optional Enabled by default Name the channel with a spec...

Page 1237: ...mand Remarks Enter system view system view Enable information center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be output to the log buffer and specify the buffer size info center l...

Page 1238: ...formation can be output to the SNMP NMS info center snmp channel channel number channel name Optional System information is output to the SNMP NMS by default with channel 5 known as snmpagent as the default channel Configure the output rules of the system information info center source module name default channel channel number channel name debug level severity state state log level severity state...

Page 1239: ...le synchronous information output info center synchronous Required Disabled by default Note z If you do not input any information following the current command line prompt the system does not display any command line prompt after system information output z In the interaction mode you are prompted for some information input If the input is interrupted by system output no system prompt will be made...

Page 1240: ...ss of 1 2 0 1 16 z Log information with severity higher than informational will be output to the log host z The source modules are ARP and IP II Network diagram Figure 1 1 Network diagram for outputting log information to a Unix log host III Configuration procedure Before the configuration make sure that there is a route between Device and PC 1 Configuring the device Enable information center Sysn...

Page 1241: ...mation output rule allow log information of ARP and IP modules with severity equal to or higher than informational to be output to the log host Sysname info center source arp channel loghost log level informational state on Sysname info center source ip channel loghost log level informational state on 2 Configuring the log host The following configurations were performed on SunOS 4 0 which has sim...

Page 1242: ...og host Step three After the log file information has been created and the configuration file etc syslog conf has been modified ensure that the configuration file etc syslog conf is reread ps ae grep syslogd 147 kill HUP 147 After the above configurations the system will be able to keep log information in the related file 1 4 2 Outputting Log Information to a Linux Log Host I Network requirements ...

Page 1243: ...rations for different channels are different you need to disable the output of log trap and debugging information of all modules on the specified channel loghost in this example first and then configure the output rule as needed so that unnecessary information will not be output Configure the information output rule allow log information of all modules with severity equal to or higher than informa...

Page 1244: ...erwise the log information may not be output properly to the log host Step 3 After the log file information has been created and the etc syslog conf file has been modified issue the following commands to display the process ID of syslogd terminate a syslogd process and restart syslogd using the r option ps ae grep syslogd 147 kill 9 147 syslogd r Note Ensure that the syslogd process is started wit...

Page 1245: ... information of all modules on the specified channel console in this example first and then configure the output rule as needed so that unnecessary information will not be output Configure the information output rule allow log information of ARP and IP modules with severity equal to or higher than informational to be output to the console Sysname info center source arp channel console log level in...

Page 1246: ...story Commands 1 16 1 2 8 Command Line Error Information 1 16 Chapter 2 System Maintaining and Debugging 2 1 2 1 System Maintaining and Debugging Overview 2 1 2 1 1 Introduction to System Maintaining and Debugging 2 1 2 1 2 Introduction to System Debugging 2 2 2 2 System Maintaining and Debugging 2 3 2 2 1 System Maintaining 2 3 2 2 2 System Debugging 2 4 2 3 System Maintaining Example 2 5 Chapter...

Page 1247: ...ering Exiting System View z Configuring the Device Name z Configuring the System Clock z Configuring a Banner z Configuring CLI Hotkeys z Configuring User Levels and Command Levels z Displaying and Maintaining Basic Configurations 1 1 1 Entering Exiting System View Follow these steps to enter exit system view To do Use the command Remarks Enter system view from user view system view Return to user...

Page 1248: ... user view II Displaying the system clock The system clock is displayed by system time stamp which is the same as that displayed by the display clock command The system clock is decided by the commands clock datetime clock timezone and clock summer time If these three commands are not configured the display clock command displays the original system clock If you combine these three commands in dif...

Page 1249: ...time 3 00 2007 3 3 Display 03 00 00 zone time Sat 03 03 2007 If the original system clock is not in the summer time range the original system clock is displayed Configure clock summer time ss one off 1 00 2006 1 1 1 00 2006 8 8 2 Display 01 00 00 UTC Sat 01 01 2005 3 If the original system clock is in the summer time range the original system clock summer offset is displayed Configure clock summer...

Page 1250: ... the summer time range date time is displayed Configure clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 Display 02 00 00 zone time Sat 01 01 2005 If the value of the original system clock zone offset is not in the sum...

Page 1251: ...n the summer time range date time is displayed Configure clock timezone zone time add 1 clock summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 1 30 2008 1 1 Display 23 30 00 zone time Mon 12 31 2007 1 2 3 and 1 or 1 3 2 and 1 date time is in the summer time range If the value of date time summer offse t is not in the summer time range date time summer offse t is displayed If...

Page 1252: ...e not part of the banner information In this case the input text together with the command keywords cannot exceed 510 characters The other is to input all the banner information in multiple lines by pressing the Enter key In this case up to 2000 characters can be input The latter input mode can be achieved in the following three ways z Press the Enter key directly after the command keywords and en...

Page 1253: ...keys display hotkey Available in any view Refer to Table 1 2 for hotkeys reserved by the system Note By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with command line and the Ctrl T and Ctrl U commands are NULL z Ctrl G corresponds to the display current configuration command z Ctrl L corresponds to the display ip routing table command z Ctrl O corresponds to the undo debugging all ...

Page 1254: ... at the current cursor position and to the right of the cursor Esc F Moves the cursor to the front of the next continuous string to the right Esc N Moves the cursor down by one line available before you press the Enter key Esc P Moves the cursor up by one line available before you press the Enter key Esc Specifies the cursor as the beginning of the clipboard Esc Specifies the cursor as the ending ...

Page 1255: ...el and command level To do Use the command Remarks Switch the user level super level Optional Available in user view Enter system view system view Configure the password for switching the user level super password level user level simple cipher password Optional By default no password is configured Configure the command level in system view command privilege level level view view command Optional ...

Page 1256: ...Configurations To do Use the command Remarks Display information on system version display version Display information on the system clock display clock Display information on terminal users display users all Display the configurations saved in the storage device display saved configuration by linenum Display the current validated configurations display current configuration configuration configur...

Page 1257: ...us Information Output z undo Form of a Command z Edit Features z CLI Display z Saving History Commands z Command Line Error Information 1 2 1 Introduction to CLI CLI is an interaction interface between devices and users Through CLI you can configure your devices by entering commands and view the output information and verify your configurations thus facilitating your configuration and management o...

Page 1258: ...and copy Copy from one file to another debugging Enable system debugging functions delete Delete a file dir List files on a file system display Display current system information omitted 2 Enter a command and a separated by a space If is at the position of a keyword all the keywords are given with a brief description Sysname terminal debugging Send debug information to terminal logging Send log in...

Page 1259: ...he system will display a command line prompt and your input so far and you can continue your operations from where you were stopped You can use the info center synchronous command to enable synchronous information output For the detailed description of this function refer to Information Center Configuration 1 2 4 undo Form of a Command Adding the keyword undo can form an undo command Almost every ...

Page 1260: ... the next line If there are several matches or no match at all the system does not modify the incomplete keyword and displays it again in the next line Note When editing command line you can use other shortcut keys For details see Table 1 2 besides the shortcut keys defined in Table 1 4 or you can define shortcut keys by yourself For details see Configuring CLI Hotkeys 1 2 6 CLI Display I Filterin...

Page 1261: ... and zoo but not z Hyphen It connects two values the smaller one before it and the bigger one after it to indicate a range together with For example 1 9 means numbers from 1 to 9 inclusive a h means from a to h inclusive Selects one character from the group For example 1 36A can match only one character among 1 2 3 6 and A A group of characters It is usually used with or For example 123A means a s...

Page 1262: ...n of the history command max size command refer to Login Commands The following table lists the operations that you can perform Follow these steps to access history commands To do Use the key command Result View the history commands display history command Displays the commands that you have entered Access the previous history command Up arrow key or Ctrl P Displays the earlier history command if ...

Page 1263: ...rmation Cause The command was not found The keyword was not found Parameter type error Unrecognized command found at position The parameter value is beyond the allowed range Incomplete command found at position Incomplete command Ambiguous command found at position Ambiguous command Too many parameters Too many parameters Wrong parameter found at position Wrong parameter ...

Page 1264: ... If the network is functioning properly the destination device responds by sending an ICMP echo reply to the source device after receiving the ICMP echo request 3 If there is network failure the source device displays timeout or destination unreachable 4 Display related statistics Output of the ping command includes z Information on the destination s responses towards each ICMP echo request if the...

Page 1265: ... a TTL expired ICMP message which gives the source device the address of the second router 5 The above process continues until the ultimate destination device is reached In this way the source device can trace the addresses of all the routers that have been used to get to the destination device 2 1 2 Introduction to System Debugging The device provides various debugging functions For the majority ...

Page 1266: ...other directions For details refer to Information Center Configuration 2 2 System Maintaining and Debugging 2 2 1 System Maintaining To do Use the command Remarks ping ip a source ip c count f h ttl i interface type interface number m interval n p pad q r s packet size t timeout tos tos v remote system Optional Used in IPv4 network Available in any view Check whether a specified IP address can be ...

Page 1267: ...he command when configuring the ping command z Only the directly connected segment address can be pinged if the outgoing interface is specified with the i argument 2 2 2 System Debugging To do Use the command Remarks Enable the terminal monitoring of system information terminal monitor Optional The terminal monitoring on the console is enabled by default and that on the monitoring terminal is disa...

Page 1268: ...al debugging and terminal monitor commands refer to the Information Center Commands part of the manual 2 3 System Maintaining Example I Network requirements z The IP address of the destination device is 10 1 1 4 z Display the routers used while packets are forwarded from the current device to the destination device II Network diagram omitted here III Configuration procedure Sysname tracert 10 1 1 ...

Page 1269: ...he file name without a path consists of 1 to 91 characters 3 1 Device Management Overview Through the device management function you can view the current working state of a device configure running parameters and perform daily device maintenance and management Currently the following device management functions are available z Rebooting a Device z Specifying a Boot ROM File for the Next Device Boo...

Page 1270: ...delay commands can reboot a device As a result the ongoing services will be interrupted Be careful to use these commands z If a primary boot file fails or does not exist the device cannot be rebooted with this command In this case you can re specify a primary boot file to reboot the device or you can power off the device then power it on and the system automatically uses the secondary boot file to...

Page 1271: ...rage device to upgrade Boot ROM programs that are running on the device Since the Boot ROM programs vary with devices users are easily confused and make serious mistakes when upgrading Boot ROM After the validity check function is enabled the device will strictly check the Boot ROM upgrade files for correctness and version configuration information to ensure a successful upgrade You are recommende...

Page 1272: ... you can clear all 16 bit interface indexes saved but not used in the current system in user view After the above operation z For a re created interface the new interface index may not be consistent with the original one z For existing interfaces their interface indexes remain unchanged Follow the step below to clear the 16 bit interface indexes not used in the current system To do Use the command...

Page 1273: ...I series Ethernet switches refer to H3C S5500 EI Series Ethernet Switches Installation Manual II Identifying pluggable transceivers As pluggable transceivers are of various types and from different vendors you can perform the following configurations to identify main parameters of the pluggable transceivers including transceiver type connector type central wavelength of the laser sent transfer dis...

Page 1274: ...rs such as temperature voltage laser bias current TX power and RX power When these parameters are abnormal you can take corresponding measures to prevent transceiver faults Follow these steps to display pluggable transceiver information To do Use the command Remarks Display the current alarm information of the pluggable transceiver s display transceiver alarm interface interface type interface num...

Page 1275: ...ny view Display the reboot type of a device display reboot type Available in any view Display the reboot time of a device display schedule reboot Available in any view 3 4 Device Management Configuration Example 3 4 1 Remote Upgrade Configuration Example I Network requirements z Device serves as the FTP Client The aaa bin program and the boot btm program are both saved under the aaa directory of t...

Page 1276: ...ew FTP Server ftp server enable Set the FTP username to aaa and password to hello FTP Server local user aaa FTP Server luser aaa password cipher hello Configure the user to have access to the aaa directory FTP Server luser aaa service type ftp ftp directory flash aaa z Configuration on Device Caution If the size of the Flash on the device is not large enough delete the original application program...

Page 1277: ...er view ftp bye Device Enable the validity check function for Boot ROM file upgrade Device system view Device bootrom update security check enable Device quit Upgrade the Boot ROM file of the device Device bootrom update file boot btm Specify the application program for the next boot Device boot loader file aaa bin main Reboot the device The application program is upgraded after the reboot Device ...

Page 1278: ... 12 1 6 6 Configuring the SNMP Test 1 14 1 6 7 Configuring the TCP Test 1 15 1 6 8 Configuring the UDP echo Test 1 16 1 6 9 Configuring the DLSw Test 1 18 1 7 Configuring the Collaboration Function 1 19 1 8 Configuring Trap Delivery 1 20 1 9 Configuring Optional Parameters Common to an NQA Test Group 1 20 1 10 Scheduling an NQA Test Group 1 22 1 11 Displaying and Maintaining NQA 1 22 1 12 NQA Conf...

Page 1279: ...ets and provides you with network performance and service quality parameters such as jitter TCP connection delay FTP connection delay and file transfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagnose and locate network faults 1 1 2 Features of NQA I Supporting multiple test types Ping can use only the Internet Control Messag...

Page 1280: ...lt z Upon receiving the detection result the Track module changes the status of the Track object accordingly and informs the application modules The Track module works between the application modules and the detection modules and is mainly used to obscure the difference of various detection modules to provide a unified interface for application modules z The application modules then deal with the ...

Page 1281: ...ed one test is performed at a regular interval and you can set the interval as needed One NQA test involves multiple consecutive probes and you can set the number of the probes In different test types probe has different meanings z For a TCP or DLSw test one probe means one connection z For a UDP jitter test the number of packets sent in one probe depends on the probe packet number command z For a...

Page 1282: ...ice 1 1 4 NQA Test Operation After you create a test group and enter the test group view you can configure related test parameters Test parameters vary with the test type For details see the configuration procedure below To perform an NQA test successfully make the following configurations on the NQA client 1 Enable the NQA client 2 Create a test group and configure test parameters according to th...

Page 1283: ...ing an NQA Test Group Required 1 3 Configuring the NQA Server Before performing TCP UDP echo or UDP jitter tests you need to configure the NQA server on the peer device The NQA server makes a response to the request originated by the NQA client by listening to the specified destination address and port number Follow these steps to configure the NQA server To do Use the command Remarks Enter system...

Page 1284: ...ollow theses steps to create an NQA test group To do Use the command Remarks Enter system view system view Create an NQA test group and enter the NQA test group view nqa entry admin name operation tag Required Note If you execute the nqa entry command to enter the test group view with test type configured you will enter the test type view of the test group directly 1 6 Configuring an NQA Test Grou...

Page 1285: ... address of an interface as the source IP address of an ICMP echo request source interface interface type interface number Optional By default no interface address is specified as the source IP address of ICMP probe requests If you use the source ip command to configure the source IP address of ICMP echo probe requests the source interface command is invalid The interface specified by this command...

Page 1286: ...you need to configure the DHCP server If the NQA DHCP client and the DHCP server are not in the same network segment you need to configure a DHCP relay For the configuration of DHCP server and DHCP relay refer to DHCP Configuration II Configuring the DHCP test Follow these steps to configure the DHCP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa ent...

Page 1287: ...erver For the FTP server configuration refer to File System Management Configuration II Configuring the FTP test Follow these steps to configure the FTP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as FTP and enter test type view type ftp Required Configure the destination address for a test op...

Page 1288: ...he FTP client filename file name Required By default no file is specified Configure common optional parameters Refer to Configuring Optional Parameters Common to an NQA Test Group Optional 1 6 4 Configuring the HTTP Test The HTTP test is used to test the connection with a specified HTTP server and the time required to obtain data from the HTTP server I Configuration prerequisites Before performing...

Page 1289: ...s specified The source IP address must be that of an interface on the device and the interface must be up Otherwise the test will fail Configure the operation type operation get post Optional By default the operation type for the HTTP is get that is obtaining data from the HTTP server Configure the website that an HTTP test visits url url Required Configure the HTTP version used in the HTTP test h...

Page 1290: ... source z Upon receiving the packet the source calculates the delay jitter and the network status can be analyzed I Configuration prerequisites A UDP jitter test requires cooperation between the NQA server and the NQA client Before the UDP jitter test make sure that the UDP listening function is configured on the NQA server II Configuring the UDP jitter test Follow these steps to configure the UDP...

Page 1291: ...string of fill characters of an ICMP probe packet is the string corresponding to the ASCII code 00 to 09 by default Configure the number of consecutive packets in a UDP jitter probe probe packet number packet number Optional 10 by default Configure the interval for sending consecutive packets probe packet interval packet interval Optional 20 milliseconds by default Configure the time for waiting f...

Page 1292: ...I Configuring the SNMP test Follow these steps to configure the SNMP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as SNMP and enter test type view type snmp Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is...

Page 1293: ...he setup time for the connection I Configuration prerequisites A TCP test requires cooperation between the NQA server and the NQA client The TCP listening function needs to be configured on the NQA server before the TCP test II Configuring the TCP test Follow these steps to configure the TCP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin ...

Page 1294: ...st be that of an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters Refer to Configuring Optional Parameters Common to an NQA Test Group Optional 1 6 8 Configuring the UDP echo Test Note You are not recommended to perform an NQA UDP test on ports from 1 to 1023 known ports Otherwise the NQA test will fail or the corresponding serv...

Page 1295: ...ust be the IP address of the listening service configured on the NQA server Configure the destination port destination port port number Required By default no destination port number is configured for a test operation The destination port number must be the port number of the listening service configured on the NQA server Configure the size of probe packets sent data size size Optional 100 bytes b...

Page 1296: ...device I Configuration prerequisites Enable the DLSw function on the peer device before DLSw test II Configuring the DLSw test Follow these steps to configure the DLSw test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as DLSw and enter test type view type dlsw Required Configure the destination addr...

Page 1297: ...command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of the test group type dhcp dlsw ftp http icmp echo snmp tcp udp echo The collaboration function is not supported in UDP jitter tests Create a Reaction entry reaction item num checked element probe fail threshold type consecutive occurrences action type none trigger only ...

Page 1298: ...a entry admin name operation tag Enter test type view of the test group type dhcp dlsw ftp http icmp echo snmp tcp udp echo udp jitter Configure to send traps to network management server under specified conditions reaction trap probe failure consecutive probe failure s test complete test failure cumulate probe failures Optional No traps are sent to the network management server by default 1 9 Con...

Page 1299: ...new test is not started Configure the number of probes in a test probe count times Optional By default one probe is performed in a test Configure the NQA probe timeout time probe timeout timeout Optional By default the timeout time is 3000 milliseconds This parameter is not available for a UDP jitter test Configure the maximum number of history records that can be saved in a test group history rec...

Page 1300: ...mpleted II Scheduling an NQA test group Follow these steps to schedule an NQA test group To do Use the command Remarks Enter system view system view Schedule an NQA test group nqa schedule admin name operation tag start time now lifetime forever Required Configure the maximum number of the tests that the NQA client can simultaneously perform nqa agent max concurrent number Optional The default num...

Page 1301: ...st type icmp echo DeviceA nqa admin test icmp echo destination ip 10 2 2 2 Configure optional parameters DeviceA nqa admin test icmp echo probe count 10 DeviceA nqa admin test icmp echo probe timeout 500 DeviceA nqa admin test icmp echo quit Enable the ICMP echo test operation DeviceA nqa schedule admin test start time now lifetime forever Display results of an ICMP echo test DeviceA display nqa r...

Page 1302: ... view SwitchA nqa entry admin test SwitchA nqa admin test type dhcp SwitchA nqa admin test dhcp operation interface vlan interface 2 SwitchA nqa admin test dhcp quit Enable the DHCP test SwitchA nqa schedule admin test start time now lifetime forever Display results of one DHCP test SwitchA display nqa result admin test NQA entry admin admin tag test test results Send operation times 1 Receive res...

Page 1303: ...viceA system view DeviceA nqa entry admin test DeviceA nqa admin test type ftp DeviceA nqa admin test ftp destination ip 10 2 2 2 DeviceA nqa admin test ftp source ip 10 1 1 1 DeviceA nqa admin test ftp operation put DeviceA nqa admin test ftp username admin DeviceA nqa admin test ftp password systemtest DeviceA nqa admin test ftp filename config txt DeviceA nqa admin test ftp quit Enable the FTP ...

Page 1304: ...iagram for the HTTP test III Configuration procedure Create an HTTP test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type http DeviceA nqa admin test http destination ip 10 2 2 2 DeviceA nqa admin test http operation get DeviceA nqa admin test http url index htm DeviceA nqa admin test http http version v1 0 DeviceA nqa admin t...

Page 1305: ...itter of packet transmission between Device A and Device B II Network diagram Figure 1 7 Network diagram for UDP jitter test III Configuration procedure 1 Configure Device B Enable the NQA server and configure the listening IP address as 10 2 2 2 and port number as 9000 DeviceB system view DeviceB nqa server enable DeviceB nqa server udp echo 10 2 2 2 9000 2 Configure Device A Create a UDP jitter ...

Page 1306: ... Failures due to other errors 0 UDP jitter results RTT number 10 SD max delay 23 DS max delay 23 Min positive SD 1 Min positive DS 1 Max positive SD 1 Max positive DS 1 Positive SD number 2 Positive DS number 2 Positive SD sum 2 Positive DS sum 16 Positive SD average 1 Positive DS average 8 Positive SD square sum 2 Positive DS square sum 226 Min negative SD 1 Min negative DS 1 Max negative SD 15 M...

Page 1307: ...ameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type snmp DeviceA nqa admin test snmp destination ip 10 2 2 2 DeviceA nqa admin test snmp quit Enable the SNMP query test DeviceA nqa schedule admin test start time now lifetime forever Display results of an SNMP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP addre...

Page 1308: ...qa server enable DeviceB nqa server tcp connect 10 2 2 2 9000 2 Configure Device A Create a TCP test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type tcp DeviceA nqa admin test tcp destination ip 10 2 2 2 DeviceA nqa admin test tcp destination port 9000 DeviceA nqa admin test tcp quit Enable the TCP test DeviceA nqa schedule a...

Page 1309: ...10 Network diagram for the UDP echo test III Configuration procedure 1 Configure Device B Enable the NQA server and configure the listening IP address as 10 2 2 2 and port number as 8000 DeviceB system view DeviceB nqa server enable DeviceB nqa server udp echo 10 2 2 2 8000 2 Configure Device A Create a UDP echo test group and configure related test parameters DeviceA system view DeviceA nqa entry...

Page 1310: ...error 0 Failures due to internal error 0 Failures due to other errors 0 1 12 9 DLSw Test Configuration Example I Network requirements Use the NQA DLSw function to test the response time of the DLSw device II Network diagram Figure 1 11 Network diagram for the DLSw test III Configuration procedure Create a DLSw test group and configure related test parameters DeviceA system view DeviceA nqa entry a...

Page 1311: ...sponse times 1 Min Max Average round trip time 19 19 19 Square Sum of round trip time 361 Last succeeded probe time 2007 03 27 15 32 48 5 Extend results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 ...

Page 1312: ... 1 13 1 2 7 Displaying and Maintaining VRRP for IPv4 1 14 1 3 Configuring VRRP for IPv6 1 15 1 3 1 VRRP for IPv6 Configuration Task List 1 15 1 3 2 Enabling Users to Ping Virtual IPv6 Addresses 1 15 1 3 3 Configuring the Association Between Virtual IPv6 Address and MAC Address 1 16 1 3 4 Creating Standby Group and Configuring Virtual IPv6 Address 1 17 1 3 5 Configuring Standby Group Priority Preem...

Page 1313: ... that VRRP involves can only be VLAN interfaces unless otherwise specified 1 1 Introduction to VRRP 1 1 1 VRRP Overview Normally as shown in Figure 1 1 you can configure a default route with the gateway as the next hop for every host on a network segment allowing all packets destined to the other network segments to be sent over the default route to the gateway and then be forwarded by the gateway...

Page 1314: ...default links without changing configurations such as dynamic routing protocols route discovery protocols when a device fails and prevent network interruption due to a single link failure There are two VRRP versions VRRPv2 and VRRPv3 VRRPv2 is based on IPv4 while VRRPv3 is based on IPv6 The two versions implement the same functions but provide different commands 1 1 2 VRRP Standby Group Overview V...

Page 1315: ...the master switch to act as the gateway and the other two are backup switches Caution z The IP address of the virtual router can be either an unused IP address on the segment where z the standby group resides or the IP address of an interface on a switch in the standby group In the latter case the switch is called the IP address owner z In a VRRP standby group there can only be one IP address owne...

Page 1316: ...mode in a network facing possible security problems A switch sending a packet fills the authentication key into the packet and the switch receiving the packet compares its local authentication key with that of the received packet If the two authentication keys are the same the received VRRP packet is considered real and valid otherwise the received packet is considered an invalid one z md5 MD5 aut...

Page 1317: ...case it regards itself as the master and sends VRRP advertisements to start a new master switch election in a standby group 1 1 4 Format of VRRP Packets VRRP uses multicast packets The switch acting as the master sends VRRP packets periodically to declare its existence VRRP packets are also used for checking the parameters of the virtual router and electing the master I IPv4 based VRRP packet form...

Page 1318: ... is 0 for any other authentication modes II IPv6 based VRRP packet format Version Type Virtual Rtr ID Priority Count IPv6 Addrs Auth Type Adver Int Checksum IPv6 address 1 Authentication data 1 Authentication data 2 IPv6 address n 0 7 15 23 31 3 Figure 1 4 IPv6 based VRRP packet format As shown in Figure 1 4 an IPv6 based VRRP packet consists of the following fields z Version Version number of the...

Page 1319: ...with that of its own If its priority is higher it becomes the master otherwise it remains a backup z In non preemption mode the switch in the standby group remains as a master or backup as long as the master does not fail The backup will no become the master even if the former is configured with a higher priority z If the timer of a backup expires but the backup still does not receive any VRRP adv...

Page 1320: ...he state of listening If Switch A fails Switch B and Switch C will elect for the new master The new master takes over the forwarding task to provide services to hosts on the LAN II Load balancing You can create more than one standby group on an interface of a switch allowing the switch to be the master of one standby group but a backup of another at the same time In load balancing mode multiple sw...

Page 1321: ...andby group 3 Switch C is the master Switch A and Switch B are the backups For load balancing among Switch A Switch B and Switch C hosts on the LAN need to be configured to use standby group 1 2 and 3 as the default gateways respectively When configuring VRRP priorities ensure that each switch holds such a priority in each standby group that it will take the expected role in the group 1 2 Configur...

Page 1322: ...ween Virtual IP Address and MAC Address After the virtual IP address of a standup group is associated with a MAC address the master switch takes the configured MAC address as the source MAC address of the packets to be sent so that the hosts in the internal network can learn the association between the IP address and the MAC address and thus forward the packets to be forwarded to the other network...

Page 1323: ...dress by default Caution You should configure this function before creating a standby group Otherwise you cannot modify the mapping between the virtual IP address and the MAC address 1 2 4 Creating Standby Group and Configuring Virtual IP Address You need to configure a virtual IP address for a standby group when creating the standby group A VRRP standby group is created automatically when you spe...

Page 1324: ... a switch in the standby group In the latter case the switch is called the IP address owner z The virtual IP address of the standby group cannot be 0 0 0 0 255 255 255 255 loopback address non A B C address and other illegal IP addresses such as 0 0 0 1 z Only when the configured virtual IP address and the interface IP address belong to the same segment and are legal host addresses can the standby...

Page 1325: ...vrid virtual router id preempt mode timer delay delay value Optional The switch in the standby group works in preemption mode and the preemption delay is 0 seconds by default Configure the interface to be tracked vrrp vrid virtual router id track interface interface type interface number reduced priority reduced Optional No interface is being tracked by default Caution z The priority of an IP addr...

Page 1326: ...d by default Do not create a standby group before executing this command Note z You may configure different authentication modes and authentication keys for the standby groups on an interface However the members of the same standby group must use the same authentication mode and authentication key z Factors like excessive traffic or different timer setting on switches can cause the Backup timer to...

Page 1327: ... Address Optional Creating Standby Group and Configuring Virtual IPv6 Address Required Configuring Standby Group Priority Preemption Mode and Interface Tracking Optional Configuring VRRP Packet Attributes Optional 1 3 2 Enabling Users to Ping Virtual IPv6 Addresses You can configure whether the master switch responds to the received ICMPv6 echo requests that is whether the virtual IPv6 address of ...

Page 1328: ...r a standby group after the standby group is created and the virtual IPv6 address is associated with the virtual MAC address With such association adopted the hosts in the internal network need not update the association between IPv6 address and MAC address when the master switch changes z Virtual IPv6 address is associated with real MAC address of the interface When an IP address owner exists in ...

Page 1329: ... standby group I Configuration prerequisites Before creating standby group and configuring virtual IPv6 address you should first configure the IPv6 address of the interface and ensure that the virtual IPv6 address to be configured is in the same network segment as the IPv6 address of the interface II Configuration procedure Follow these steps to create standby group and configure its virtual IPv6 ...

Page 1330: ...n decide which switch in the standby group serves as the Master Follow these steps to configure standby group priority preemption mode and interface tracking To do Use the command Remarks Enter system view system view Enter the specified interface view interface interface type interface number Configure the priority of the switch in the standby group vrrp ipv6 vrid virtual router id priority prior...

Page 1331: ...nterface interface type interface number Configure the authentication mode and authentication key when the standby groups send and transmit VRRP packets vrrp ipv6 vrid virtual router id authentication mode simple key Optional Authentication is not performed by default Configure the time interval for the Master in the standby group to send VRRP advertisement vrrp ipv6 vrid virtual router id timer a...

Page 1332: ...er vrid virtual router id Available in user view 1 4 IPv4 Based VRRP Configuration Examples This section provides these configuration examples z Single VRRP Standby Group Configuration Example z VRRP Interface Tracking Configuration Example z Multiple VRRP Standby Group Configuration Example 1 4 1 Single VRRP Standby Group Configuration Example I Network requirements z Host A needs to access Host ...

Page 1333: ...witchA interface vlan interface 2 SwitchA Vlan interface2 ip address 202 38 160 1 255 255 255 0 Create standby group 1 and set its virtual IP address to be 202 38 160 111 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Set Switch A to work in preemption mode The preemption delay is...

Page 1334: ... Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 5 Auth Type NONE Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 Display detailed information of standby group 1 on Switch B SwitchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 1 Admin...

Page 1335: ... by Switch B 1 4 2 VRRP Interface Tracking Configuration Example I Network requirements z Host A needs to access Host B on the Internet using 202 38 160 111 24 as its default gateway z Switch A and Switch B belong to standby group 1 with the virtual IP address of 202 38 160 111 z If Switch A operates normally packets sent from Host A to Host B are forwarded by Switch A if Switch A is in work but i...

Page 1336: ...ation mode simple hello Set the interval for Master to send VRRP advertisement to five seconds SwitchA Vlan interface2 vrrp vrid 1 timer advertise 5 Set the interface to be tracked SwitchA Vlan interface2 vrrp vrid 1 track interface vlan interface 3 reduced 30 2 Configure Switch B Configure VLAN 2 SwitchB system view SwitchB vlan 2 SwitchB vlan2 port GigabitEthernet 1 0 5 SwitchB vlan2 quit Switch...

Page 1337: ...itchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type SIMPLE TEXT Key hello Virtual IP 202 38 160 111 Master IP 202 38 160 1 The above information indicates that in standby group 1 Switch A is the ...

Page 1338: ...Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type SIMPLE TEXT Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 2 The above information indicates that if VLAN interface 3 on Switch A is not available the priority of Switch A is reduced to 80 and it becomes the backup Switch B become...

Page 1339: ...nterface2 ip address 202 38 160 1 255 255 255 0 Create a standby group 1 and set its virtual IP address to 202 38 160 111 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Configure the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Create a standby group 2 and set its virtual IP address to 202 38 160 112 SwitchA Vlan interface2 vrrp vri...

Page 1340: ...tailed information of the standby group on Switch A SwitchA Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 Interfac...

Page 1341: ...tch A in standby group 2 Switch A is the backup Switch B is the master and the host with the default gateway of 202 38 160 112 24 accesses the Internet through Switch B 1 5 IPv6 Based VRRP Configuration Examples This section provides these configuration examples z Single VRRP Standby Group Configuration Example z VRRP Interface Tracking Configuration Example z Multiple VRRP Standby Group Configura...

Page 1342: ...t 1 0 5 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ipv6 address fe80 1 link local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its virtual IP address to FE80 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp ipv6 vrid 1 prior...

Page 1343: ...pv6 command to verify the configuration Display detailed information of standby group 1 on Switch A SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Virtual MA...

Page 1344: ... Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Virtual MAC 0000 5e00 0201 Master IP FE80 2 The above information indicates that if Switch A fails Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B 1 5 2 VRRP Interface Tracking Configuration Exam...

Page 1345: ...ink local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its virtual IP address to FE80 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the priority of Switch A in standby group 1 to 110 SwitchA Vlan interface2 vrrp ipv6 vrid 1 priority 110 Set the authentication mode for standby group 1 to simple and authentication key to hello SwitchA V...

Page 1346: ...ipv6 vrid 1 authentication mode simple hello Set the VRRP advertisement interval to 500 centiseconds SwitchB Vlan interface2 vrrp ipv6 vrid 1 timer advertise 500 Set Switch B to work in preemption mode The preemption delay is five seconds SwitchB Vlan interface2 vrrp ipv6 vrid 1 preempt mode timer delay 5 3 Verify the configuration After the configuration Host B can be pinged through on Host A You...

Page 1347: ...through Host B on Host A You can use the display vrrp ipv6 command to view the detailed information of the standby group If Switch A is in work but its interface VLAN interface 3 is not available the detailed information of standby group 1 on Switch A is displayed SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan...

Page 1348: ...t becomes the backup Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B 1 5 3 Multiple VRRP Standby Group Configuration Example I Network requirements z In the network some hosts use FE80 10 as their default gateway and some hosts use FE80 20 as their default gateway z Load sharing and mutual backup between default gateways can be implemented by using VRRP...

Page 1349: ...itchB vlan2 port GigabitEthernet 1 0 5 SwitchB vlan2 quit SwitchB interface vlan interface 2 SwitchB Vlan interface2 ipv6 address fe80 2 link local SwitchB Vlan interface2 ipv6 address 1 2 64 Create standby group 1 and set its virtual IP address to FE80 10 SwitchB Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Create standby group 2 and set its virtual IP address to FE80 20 SwitchB...

Page 1350: ...0 2 Display detailed information of the standby group on Switch B SwitchB Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Master IP FE80 1 Interface Vlan interface2 V...

Page 1351: ...requently Analysis This error is probably due to the inconsistent configuration of the other switch in the standby group or that a device is attempting to send illegitimate VRRP packets Solution z In the first case modify the configuration z In the latter case you have to resort to non technical measures Symptom 2 Multiple masters are present in the same standby group Analysis z If presence of mul...

Page 1352: ...s Ethernet Switches Chapter 1 VRRP Configuration 1 40 Symptom 3 Frequent VRRP state transition Analysis The VRRP advertisement interval is set too short Solution Increase the interval to sent VRRP advertisement or introduce a preemption delay ...

Page 1353: ...13 1 3 3 Configuring Whether First time Authentication is Supported 1 13 1 3 4 Establishing a Connection Between the SSH Client and the Server 1 15 1 4 Displaying and Maintaining SSH 1 15 1 5 SSH Server Configuration Examples 1 16 1 5 1 When Using Password Authentication 1 16 1 5 2 When Using Publickey Authentication 1 18 1 6 SSH Client Configuration Examples 1 24 1 6 1 When Using Password Authent...

Page 1354: ...Operation Manual SSH H3C S5500 EI Series Ethernet Switches Table of Contents ii 2 3 6 Terminating the Connection to the Remote SFTP Server 2 6 2 4 SFTP Configuration Example 2 6 ...

Page 1355: ...evice can not only work as an SSH server to support connections with SSH clients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Note Currently when acting as an SSH server the device supports two SSH versions SSH2 and SSH1 When acting as an SSH client the device supports SSH2 only 1 1 1 Algorithm and Key Algorithm is a set o...

Page 1356: ...If the signature is correct this means that the data originates from user 1 Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are both asymmetric key algorithms RSA can be used for data encryption and signature whereas DSA is used for signatures only Note Currently SSH2 supports both RSA and DSA 1 1 3 SSH Operating Process The session establishment between an SSH client and t...

Page 1357: ...ersion it decides to use The server compares the version carried in the packet with that of its own to determine whether it can cooperate with the client z If the negotiation is successful the server and the client proceed with key and algorithm negotiation otherwise the server breaks the TCP connection Note All the packets involved in the above steps are transferred in plain text II Key and algor...

Page 1358: ... timeout and the session is torn down SSH provides two authentication methods password authentication and publickey authentication In password authentication z The client encrypts the username and password encapsulates them into a password authentication request and sends the request to the server z Upon receiving the request the server decrypts the username and password compares them against thos...

Page 1359: ...ient an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client Otherwise the server sends back to the client an SSH_SMSG_FAILURE packet indicating that the processing fails or it cannot resolve the request V Interactive session In this stage the server and the client exchanges data in this way z The client encrypts and sends the command to be executed to the server z ...

Page 1360: ...rd authentication users Configuring an SSH User Optional Setting the SSH Management Parameters Optional Note As a client uses either RSA or DSA algorithm for authentication and different clients may support different algorithms the server needs to generate both RSA and DSA key pairs for successful authentication 1 2 2 Enabling SSH Server Follow these steps to enable SSH server To do Use the comman...

Page 1361: ... information about the authentication mode and protocol inbound commands refer to Login Commands z If you configure a user interface to support SSH be sure to configure the corresponding authentication method with the authentication mode scheme command z For a user interface configured to support SSH you cannot configure the authentication mode password command and the authentication mode none com...

Page 1362: ... display or export the local RSA or DSA host key for setting the host key on the remote end Follow these steps to display or export an RSA or DSA host key To do Use the command Remarks Enter system view system view Display the local RSA host key on the screen in a specified format or export it to a specified file public key local export rsa openssh ssh1 ssh2 filename Display the local DSA host key...

Page 1363: ...ou can manually copy the client s public key configuration to the server In the latter case the system automatically converts the public key to a string coded using the PKCS standard Before importing the public key you must upload the public key file in binary to the server through FTP or TFTP Caution z When the device functions as the SSH server you cannot use Secure CRT 4 07 to upload the client...

Page 1364: ...ey view public key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end II Importing a client public key from a public key file Follow these steps to import a public key from a public key file To do Use the command Remarks Enter system view system view Import the public key from a public key file pu...

Page 1365: ...FTP stelnet or the secure Telnet protocol refers to the traditional SSH service For information about stelnet refer to SSH2 0 Overview sftp represents the secure FTP protocol For information about sftp refer to SFTP Overview z For successful login through SFTP you must set the user service type to sftp or all z You can set the service type of an SSH user to stelnet or all if the user does not need...

Page 1366: ...ompatible with SSH1 z Setting the server key pair update interval applicable to users using SSH1 client z Setting the SSH user authentication timeout period z Setting the maximum number of SSH authentication attempts Setting the above parameters can help avoid malicious guess at and cracking of the keys and usernames securing your SSH connections Follow these steps to set the SSH management parame...

Page 1367: ...ess Interface for the SSH client This configuration task allows you to specify a source IP address or interface for the client to access the SSH server improving service manageability To do Use the command Remarks Enter system view system view Specify a source IPv4 address or interface for the SSH client ssh client source ip ip address interface interface type interface number Specify a source IP ...

Page 1368: ... system view system view Enable the device to support first time authentication ssh client first time enable Optional By default first time authentication is supported on a client II Disable first time authentication For successful authentication of an SSH client not supporting first time authentication the server host public key must be configured on the client and the public key name must be spe...

Page 1369: ...t and the IPv6 server and specify the preferred key exchange algorithm encryption algorithms and HMAC algorithms for them ssh2 ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Use either command in user ...

Page 1370: ... secure data exchange z Password authentication is required II Network diagram SSH client SSH server Host Switch 192 168 0 2 24 Vlan int1 192 168 0 1 24 Figure 1 2 Network diagram for SSH server configuration using password authentication III Configuration procedure Configure the SSH server Generate RSA and DSA key pairs and enable the SSH server Switch system view Switch public key local create r...

Page 1371: ...ser client001 service type ssh level 3 Switch luser client001 quit Specify the service type for user client001 as Stelnet and the authentication method as password Switch ssh user client001 service type stelnet authentication type password Configure the SSH client Note There are a variety of SSH client software such as PuTTY OpenSSH and so on The following is an example of configuring SSH client u...

Page 1372: ... the username client001 and password aabbcc 1 5 2 When Using Publickey Authentication I Network requirements z As shown in Figure 1 4 a local SSH connection is established between the host SSH client and the switch SSH server for secure data exchange z Publickey authentication is used the algorithm is RSA II Network diagram SSH client SSH server Host Switch 192 168 1 56 24 Vlan int1 192 168 1 40 2...

Page 1373: ...e scheme Enable the user interface to support SSH Switch ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Note Before performing the following tasks you must generate an RSA public key pair using the client software on the client save the key pair in a file named key pub and then upload the file to the SSH server...

Page 1374: ...onfiguration 1 20 Figure 1 5 Generate a client key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 6 Otherwise the process bar stops moving and the key pair generating process is stopped ...

Page 1375: ...500 EI Series Ethernet Switches Chapter 1 SSH Configuration 1 21 Figure 1 6 Generate a client key pair 2 After the key pair is generated click Save public key to save the key in a file by entering a file name key pub in this case ...

Page 1376: ... up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the key private in this case Figure 1 8 Generate a client key pair 4 Note After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of...

Page 1377: ... the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 1 9 SSH client configuration interface 1 Select Connection SSH Auth The following window appears Click Browse to bring up the file selection window navigate to the private key file and click OK ...

Page 1378: ... connection is normal you will be prompted to enter the username client002 to enter the configuration interface 1 6 SSH Client Configuration Examples 1 6 1 When Using Password Authentication I Network requirements z As shown in Figure 1 11 Switch A the SSH client needs to log on to Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the password is aa...

Page 1379: ...witchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interface to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interface to support SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 SwitchB local user client001 SwitchB luser c...

Page 1380: ...DACE915F0281810082269009E 14EC474BAF2932E69D3B1F18517AD95 SwitchA pkey key code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 SwitchA pkey key code B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC 9B09EEF0381840002818000AF995917 SwitchA pkey key code E1E570A3...

Page 1381: ...blickey authentication is used the algorithm is DSA II Network diagram Figure 1 12 Network diagram of SSH client configuration using publickey authentication III Configuration procedure 1 Configure the SSH server Generate RSA and DSA key pairs and enable SSH server SwitchB system view SwitchB public key local create rsa SwitchB public key local create dsa SwitchB ssh server enable Configure an IP ...

Page 1382: ...etails refer to Configuring the SSH Client Import the remote public key pair from the file key pub SwitchB public key peer Switch001 import sshkey key pub Specify the authentication type for user client002 as publickey and assign the public key Switch001 for the user SwitchB ssh user client002 service type stelnet authentication type publickey assign publickey Switch001 2 Configure the SSH client ...

Page 1383: ...ntinuing configuration of the client Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 Username client002 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n Copyright c 2004 2007 Hangzhou H3C Tech Co Ltd All rights reserved Without the owner s prior wri...

Page 1384: ...lso server as an SFTP client enabling a user to login from the device to a remote device for secure file transfer 2 2 Configuring an SFTP Server 2 2 1 Configuration Prerequisites z You have configured the SSH server For the detailed configuration procedure refer to Configuring the Device as an SSH Server z You have used the ssh user service type command to set the service type of SSH users to sftp...

Page 1385: ...out period sftp server idle timeout time out value Required 10 minutes by default 2 3 Configuring an SFTP Client 2 3 1 Specifying a Source IP Address or Interface for the SFTP Client You can configure a client to use only a specified source IP address or interface to access the SFTP server thus enhancing the service manageability Follow these steps to specify a source IP address or interface for t...

Page 1386: ...ftp ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Use either command in user view 2 3 3 Working with the SFTP Directories SFTP directory operations include z Changing or displaying the current working...

Page 1387: ...der a specified directory ls a l remote path Optional The dir command functions as the ls command Change the name of a specified directory on the SFTP server rename oldname newname Optional Create a new directory on the remote SFTP server mkdir remote path Optional Delete a directory from the SFTP server rmdir remote path 1 10 Optional 2 3 4 Working with SFTP Files SFTP file operations include z C...

Page 1388: ... Optional Download a file from the remote server and save it locally get remote file local file Optional Upload a local file to the remote SFTP server put local file remote file Optional dir a l remote path Display the files under a specified directory ls a l remote path Optional The dir command functions as the ls command delete remote file 1 10 Delete a file from the SFTP server remove remote fi...

Page 1389: ...inate the connection to the remote SFTP server To do Use the command Remarks Establish a connection to the remote SFTP server and enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Requi...

Page 1390: ...ction SwitchB interface Vlan interface 1 SwitchB Vlan interface1 ip address 192 168 0 1 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication method on the user interface to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Set the protocol that a remote user uses to login as SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local us...

Page 1391: ...SFTP server and enter SFTP client view SwitchA sftp 192 168 0 1 Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N y Enter password sftp client Display files under the current directory of the server delete the file named z and check if the file is deleted successful...

Page 1392: ... Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Rename directory new1 to new2 and check if the directory is renamed successfully sftp client rename new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 ...

Page 1393: ...25 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk sftp client Terminate the connection to the remote SFTP server sftp client quit Bye Connection closed SwitchA ...

Page 1394: ...guration Example 1 12 1 4 Configuring Transit Node 1 12 1 4 1 Configuration Procedure 1 12 1 4 2 Transit Node Configuration Example 1 13 1 5 Configuring Edge Node 1 14 1 5 1 Configuration Procedure 1 14 1 5 2 Edge Node Configuration Example 1 15 1 6 Configuring Assistant Edge Node 1 16 1 6 1 Configuration Procedure 1 16 1 6 2 Assistant Edge Node Configuration Example 1 17 1 7 Displaying and Mainta...

Page 1395: ...intaining RRPP z RRPP Typical Configuration Examples 1 1 RRPP Overview Rapid Ring Protection Protocol RRPP is an Ethernet ring specific link layer protocol It can not only prevent data loop from causing broadcast storm efficiently when the Ethernet ring is complete but also restore communication channels among nodes on the Ethernet ring rapidly when a link is torn down Compared with Spanning Tree ...

Page 1396: ...cially designed to transfer RRPP packets The ports accessing an RRPP ring on devices belong to the control VLAN of the ring and only these ports can join this VLAN IP address configuration is prohibited on the ports of the control VLAN You can configure a control VLAN for the primary ring namely the primary control VLAN However the control VLAN of a subring namely the secondary control VLAN is ass...

Page 1397: ...l logically deny data VLANs and permit only the packets of the control VLANs z When an RRPP ring is in disconnect state the secondary port of the master node will permit data VLANs that is forward packets of data VLANs 2 In terms of functionality there is no difference between the primary port and the secondary port of the transit node Both are designed for the transfer of protocol packets and dat...

Page 1398: ... ring transits into disconnect state until the secondary port receives the Health packet again Note z In an RRPP domain a transit node learns the Hello timer value and the Fail timer value on the master node through the received Health packets guaranteeing the consistency of two timer values across a ring z The Fail timer value must be greater than or equal to 3 times of the Hello timer value 1 1 ...

Page 1399: ...kets to examine the links of the primary ring between the edge node and the assistant edge node Major Fault Assistant edge node initiates Major Fault packets to notify the edge node of a failure when a link of primary ring between edge node and assistant edge node is torn down 1 1 3 Typical RRPP Networking Here are several typical networking applications I Single ring Device A Device B Device C De...

Page 1400: ...ode Ring 2 Figure 1 3 Multi domain tangent rings There are two or more rings in the network topology and only one common node between rings In this case you need define an RRPP domain for each ring III Single domain intersecting rings Figure 1 4 Single domain intersecting rings There are two or more rings in the network topology and two common nodes between rings In this case you only need to defi...

Page 1401: ...s case you only need to define an RRPP domain and set one ring as the primary ring and other rings as subrings V Multi domain intersecting rings Device A Device B Device C Device D Device E Master node Transit node Domain 1 Ring1 Ring 2 Master node Device F Master node Ring 3 Domain 2 Domain 3 Transit node Transit node Figure 1 6 Multi domain intersecting rings There are two or more domains in a n...

Page 1402: ...domain is down Upon the receipt of a Link Down packet the master node releases the secondary port from blocking data VLAN while sending Common Flush FDB packet to notify all the transit nodes the edge nodes and the assistant nodes to update their own MAC entries and ARP entries III Ring recovery The master node may find the ring is restored after a period of time after the ports belonging to the R...

Page 1403: ...e port is activated only when the edge node ensures that no loop will be brought forth when the edge port is activated 1 1 5 Protocols and Standards Related standard RFC 3619 1 2 RRPP Configuration Task List Complete the following tasks to configure RRPP Task Description Configuring Master Node Required Configuring Transit Node Optional Configuring Edge Node Optional Configuring Assistant Edge Nod...

Page 1404: ...orts that access the same node to the same RRPP ring must not be configured as multi domain intersection common ports at the same time z When configuring multi domain intersecting rings do not enable or disable the RRPP ring on which the multi domain intersection common port resides with RRPP globally enabled z In the case of multi domain intersection the rings in different domains are independent...

Page 1405: ...figuration Procedure Follow these steps to configure master node To do Use the command Remarks Enter system view system view Create an RRPP domain and enter its view rrpp domain domain id Required Specify control VLAN for the RRPP domain control vlan vlan id Required Specify the current device as the master node of the ring and specify the primary port and the secondary port ring ring id node mode...

Page 1406: ...thernet 1 0 2 as the secondary port z Set the Hello timer value to 2 seconds and the Fail timer value to 7 seconds II Configuration procedure Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 link delay 0 Sysname GigabitEthernet1 0 1 quit Sysname interface gigabitethernet 1 0 2 Sysname GigabitEthernet1 0 2 link delay 0 Sysname GigabitEthernet1 0 2 quit Sysnam...

Page 1407: ... RRPP ring ring ring id enable Required By default the RRPP ring is disabled Return to system view quit Enable RRPP rrpp enable Required By default RRPP is disabled Caution z The control VLAN configured for an RRPP domain must be a new one z Control VLAN configuration is required for configuring an RRPP ring z To use the undo rrpp domain command to remove an RRPP domain you must ensure the RRPP do...

Page 1408: ...Procedure Follow these steps to configure edge node To do Use the command Remarks Enter system view system view Create an RRPP domain and enter its view rrpp domain domain id Required Specify a control VLAN for the RRPP domain control vlan vlan id Required Specify the current device as the transit node of the primary ring and specify the primary port and the secondary port ring ring id node mode t...

Page 1409: ... deleting the primary ring configuration of an edge node However the RRPP ring enabled cannot be deleted z To use the undo rrpp domain command to remove an RRPP domain you must ensure the RRPP domain has no RRPP ring 1 5 2 Edge Node Configuration Example I Networking requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit node of p...

Page 1410: ...ng Assistant Edge Node 1 6 1 Configuration Procedure Follow these steps to configure assistant edge node To do Use the command Remarks Enter system view system view Create an RRPP domain and enter its view rrpp domain domain id Required Specify a control VLAN for the RRPP domain control vlan vlan id Required Specify the current device as the transit node of the primary ring and specify the primary...

Page 1411: ...e primary ring configuration of an edge node However the RRPP ring enabled cannot be deleted z To use the undo rrpp domain command to remove an RRPP domain you must ensure the RRPP domain has no RRPP ring 1 6 2 Assistant Edge Node Configuration Example I Networking requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit node of pri...

Page 1412: ...domain1 quit Sysname rrpp enable 1 7 Displaying and Maintaining RRPP To do Use the command Remarks Display brief information about RRPP configuration display rrpp brief Display detailed information about RRPP configuration display rrpp verbose domain domain id ring ring id Display RRPP statistics display rrpp statistics domain domain id ring ring id Available in any view Clear RRPP statistics rese...

Page 1413: ...nfiguration considerations First determine the node mode of a device in an RRPP ring and then perform the following configurations on a per device basis z Create an RRPP domain z Specify the control VLAN for the RRPP domain z Specify the node mode of a device on the primary ring and the ports accessing the RRPP ring on the device z Enable the RRPP ring z Enable RRPP III Configuration procedure 1 P...

Page 1414: ...ort gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 Device B rrpp domain1 ring 1 enable Device B rrpp domain1 quit Device B rrpp enable 3 Perform the following configuration on Device C Device C system view DeviceC interface gigabitethernet 1 0 1 DeviceC GigabitEthernet1 0 1 link delay 0 DeviceC GigabitEthernet1 0 1 quit DeviceC interface gigabitgigabitethernet 1 0 0 2 DeviceC G...

Page 1415: ...ce A Device B Device C and Device D constitute primary ring 1 z Device B Device C and Device E constitute subring 2 z Device A is the master node of primary ring 1 GigabitEthernet 1 0 1 is the primary port and GigabitEthernet 1 0 2 is the secondary port z Device E is the master node of subring 2 GigabitEthernet 1 0 1 is the primary port and GigabitEthernet 1 0 2 is the secondary port z Device B is...

Page 1416: ...n RRPP ring and the ports accessing the RRPP ring on the device z Enable these two RRPP rings z Enable RRPP III Configuration procedure 1 Perform the following configuration on Device A Device A system view DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 link delay 0 DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 link del...

Page 1417: ...ernet 1 0 2 edge port gigabitethernet 1 0 3 Device B rrpp domain1 ring 1 enable Device B rrpp domain1 ring 2 enable Device B rrpp domain1 quit Device B rrpp enable 3 Perform the following configuration on Device C Device C system view DeviceC interface gigabitethernet 1 0 1 DeviceC GigabitEthernet1 0 1 link delay 0 DeviceC GigabitEthernet1 0 1 quit DeviceC interface gigabitethernet 1 0 2 DeviceC G...

Page 1418: ...nterface gigabitethernet 1 0 1 DeviceE GigabitEthernet1 0 1 link delay 0 DeviceE GigabitEthernet1 0 1 quit DeviceE interface gigabitethernet 1 0 2 DeviceE GigabitEthernet1 0 2 link delay 0 DeviceE GigabitEthernet1 0 2 quit Device E rrpp domain 1 Device E rrpp domain1 control vlan 4092 Device E rrpp domain1 ring 2 node mode master primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 ...

Page 1419: ...Ethernet 1 0 1 is the primary port and GigabitEthernet 1 0 2 is the secondary port z Device F is a transit node on primary ring 2 in RRPP domain 2 GigabitEthernet 1 0 1 is the primary port and GigabitEthernet 1 0 2 is the secondary port z Use default values for timers on the primary ring in each domain Domain 1 Device A Device C Device D Master node Transit node Ring 1 Transit node Transit node GE...

Page 1420: ... system view DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 link delay 0 DeviceB GigabitEthernet1 0 1 quit DeviceB interface gigabitethernet 1 0 2 DeviceB GigabitEthernet1 0 2 link delay 0 DeviceB GigabitEthernet1 0 2 quit DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 link delay 0 DeviceB GigabitEthernet1 0 3 quit Device B rrpp domain 1 Device B rrpp do...

Page 1421: ...C rrpp domain2 ring 2 node mode transit primary port gigabitethernet 1 0 3 secondary port gigabitethernet 1 0 2 level 0 Device C rrpp domain2 ring 2 enable Device C rrpp domain2 quit Device C rrpp enable 4 Perform the following configuration on Device D Device D system view DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 link delay 0 DeviceD GigabitEthernet1 0 1 quit DeviceD i...

Page 1422: ...p enable 6 Perform the following configuration on Device F Device F system view DeviceF interface gigabitethernet 1 0 1 DeviceF GigabitEthernet1 0 1 link delay 0 DeviceF GigabitEthernet1 0 1 quit DeviceF interface gigabitethernet 1 0 2 DeviceF GigabitEthernet1 0 2 link delay 0 DeviceF GigabitEthernet1 0 2 quit Device F rrpp domain 2 Device F rrpp domain2 control vlan 4092 Device F rrpp domain2 rin...

Page 1423: ... Security Mode 1 7 1 6 Configuring Port Security Features 1 8 1 6 1 Configuring NTK 1 8 1 6 2 Configuring Intrusion Protection 1 8 1 6 3 Configuring Trapping 1 9 1 7 Configuring Secure MAC Addresses 1 9 1 7 1 Configuration Prerequisites 1 10 1 7 2 Configuration Procedure 1 10 1 8 Ignoring the Authorization Information from the Server 1 10 1 9 Displaying and Maintaining Port Security 1 11 1 10 Port...

Page 1424: ...on MAC address of an outbound frame With port security you can define various port security modes to make a device learn only legal source MAC addresses so that you can implement different network security management as needed When a port security enabled device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This reduces yo...

Page 1425: ...security is disabled on the port and access to the port is not restricted In this mode neither the NTK nor the intrusion protection feature is triggered autoLearn In this mode a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses It permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the...

Page 1426: ... first upon receiving 802 1x frames If 802 1x authentication fails the port performs MAC authentication macAddressEls eUserLoginSec ure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC authentication having a higher priority z Upon receiving a non 802 1x frame a port in this mode performs only MAC authentication z Upon receiving an 802 1x frame the port p...

Page 1427: ...following tasks to configure port security Task Remarks Enabling Port Security Required Setting the Maximum Number of Secure MAC Addresses Optional Setting the Port Security Mode Required Configuring NTK Configuring Intrusion Protection Configuring Port Security Features Configuring Trapping Optional Choose one or more features as required Configuring Secure MAC Addresses Optional Ignoring the Aut...

Page 1428: ...nformation about 802 1x authentication and MAC authentication refer to 802 1x HABP MAC Authentication Configuration 1 4 Setting the Maximum Number of Secure MAC Addresses With port security enabled more than one authenticated user is allowed on a port The number of authenticated users allowed however cannot exceed the specified upper limited By setting the maximum number of secure MAC addresses al...

Page 1429: ...any of the above configurations Note z With port security disabled you can configure the port security mode but your configuration does not take effect z With port security enabled you can change the port security mode of a port only when the port is operating in noRestrictions mode the default mode You can use the undo port security port mode command to restore the default port security mode z Yo...

Page 1430: ...se MAC addresses have an OUI value among the specified ones Follow these steps to enable the userLoginWithOUI mode To do Use the command Remarks Enter system view system view Set an OUI value for user authentication port security oui oui value index index value Optional Not configured by default Enter Ethernet port view interface interface type interface number Enable the userLoginWithOUI mode por...

Page 1431: ...a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode intrusion protection is triggered only after both MAC authentication and 802 1x authentication for the same frame fail 1 6 Configuring Port Security Features 1 6 1 Configuring NTK Follow these steps to configure the NTK feature To do Use the command Remarks Enter system view system view Enter Eth...

Page 1432: ...rity timer disableport command to set the silence timeout during which a port remains disabled 1 6 3 Configuring Trapping Follow these steps to configure port security trapping To do Use the command Remarks Enter system view system view Enable port security traps port security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon Required By defau...

Page 1433: ...vlan vlan id Required Use either approach No secure MAC address is configured by default Note The configured secure MAC addresses are saved in the configuration file and will not get lost when the port goes up or goes down After you save the configuration file the secure MAC address saved in the configuration file are maintained even after the device restarts 1 8 Ignoring the Authorization Informa...

Page 1434: ...type interface number vlan vlan id count Available in any view Display information about blocked MAC addresses display port security mac address block interface interface type interface number vlan vlan id count Available in any view 1 10 Port Security Configuration Examples 1 10 1 Port Security Configuration for autoLearn Mode I Network requirements Restrict port GigabitEthernet 1 0 1 of the swit...

Page 1435: ...ntrusion mode disableport temporarily Switch GigabitEthernet1 0 1 quit Switch port security timer disableport 30 2 Verify the configuration After completing the above configurations you can use the following command to view the port security configuration information Switch display port security interface gigabitethernet 1 0 1 Equipment port security is enabled Intrusion trap is enabled Disablepor...

Page 1436: ...rface command after the number of MAC addresses learned by the port reaches 64 you will see that the port security mode has changed to secure When any frame with a new MAC address arrives intrusion protection is triggered and you will see trap messages as follows May 2 03 15 55 871 2000 Switch PORTSEC 1 VIOLATION Traph3cSecureViolation A intrusion occurs IfIndex 9437207 Port 9437207 MAC Addr 0 2 0...

Page 1437: ...rized to access the Internet Restrict port GigabitEthernet 1 0 1 of the switch as follows z Allow only one 802 1x user to be authenticated z Allow up to 16 OUI values to be configured and allow one additional user whose MAC address has an OUI among the configured ones to access the port II Network diagram Figure 1 2 Network diagram for port security configuration for userLoginWithOUI mode III Conf...

Page 1438: ...ng server to money Switch radius radsun key accounting money Set the RADIUS server response timeout time to five seconds and the maximum number of RADIUS packet retransmission attempts to 5 Switch radius radsun timer response timeout 5 Switch radius radsun retry 5 Set the interval at which the switch sends real time accounting packets to the RADIUS server to 15 minutes Switch radius radsun timer r...

Page 1439: ...pe standard Primary Auth IP 192 168 1 1 Port 1812 State active Primary Acct IP 192 168 1 2 Port 1813 State active Second Auth IP 192 168 1 2 Port 1812 State active Second Acct IP 192 168 1 1 Port 1813 State active Auth Server Encryption Key name Acct Server Encryption Key money Accounting On packet disable send times 5 interval 3s Interval for timeout second 5 Retransmission times for timeout 5 In...

Page 1440: ...rotection mode is NoAction Max MAC address number is not configured Stored MAC address number is 0 Authorization is permitted After an 802 1x user gets online you can see that the number of secure MAC addresses stored is 1 You can also use the following command to view information about 802 1x users Switch display dot1x interface gigabitethernet 1 0 1 Equipment 802 1X protocol is enabled CHAP auth...

Page 1441: ...the following command to view the related information Switch display mac address interface gigabitethernet 1 0 1 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 1234 0300 0011 1 Learned GigabitEthernet1 0 1 AGING 1 mac address es found 1 10 3 Port Security Configuration for macAddressElseUserLoginSecure Mode I Network requirements The client is connected to the switch through GigabitEthernet 1 0 1 ...

Page 1442: ...ame and password to aaa and 123456 respectively Switch mac authentication user name format fixed account aaa password simple 123456 Switch interface gigabitethernet 1 0 1 Set the maximum number of secure MAC addresses allowed on the port to 64 Switch GigabitEthernet1 0 1 port security max mac count 64 Set the port security mode to macAddressElseUserLoginSecure Switch GigabitEthernet1 0 1 port secu...

Page 1443: ... detect period is 300s Quiet period is 60s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 0 Current domain not configured use default domain Silent MAC User info MAC Addr From Port Port Index GigabitEthernet1 0 1 is link up MAC address authentication is enabled Authenticate success 3 failed 1 Current online user number is 3 MAC Add...

Page 1444: ...2 1X Multicast trigger is enabled Guest VLAN 0 Max number of on line users is 256 EAPOL Packet Tx 16331 Rx 102 Sent EAP Request Identity Packets 16316 EAP Request Challenge Packets 6 EAP Success Packets 4 Fail Packets 5 Received EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 0000 0...

Page 1445: ...figure secure MAC addresses Switch GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Error Can not operate security MAC address for current port mode is not autoLearn II Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn III Solution Set the port security mode to autoLearn Switch GigabitEthernet1 0 1 undo port securi...

Page 1446: ...t GigabitEthernet1 0 1 II Analysis Changing port security mode is not allowed when an 802 1x authenticated or MAC authenticated user is online III Solution Use the cut command to forcibly disconnect the user from the port before changing the port security mode Switch GigabitEthernet1 0 1 cut connection interface gigabitethernet 1 0 1 Switch GigabitEthernet1 0 1 undo port security port mode ...

Page 1447: ...cols and Standards 1 4 1 2 LLDP Configuration Tasks List 1 4 1 3 Performing Basic LLDP Configuration 1 5 1 3 1 Enabling LLDP 1 5 1 3 2 Setting LLDP Operating Mode 1 6 1 3 3 Configuring LLDPDU TLVs 1 6 1 3 4 Enable LLDP Polling 1 8 1 3 5 Configuring the Parameters Concerning LLDPDU Sending 1 8 1 4 Configuring LLDP Trap 1 9 1 5 Displaying and Maintaining LLDP 1 10 1 6 LLDP Configuration Example 1 11...

Page 1448: ...n in LLDPDUs received is restored in standard MIB management information base 1 1 2 LLDP Fundamental I LLDP operating mode LLDP can operate in one of the following modes z TxRx mode A port in this mode sends and receives LLDPDUs z Tx mode A port in this mode only sends LLDPDUs z Rx mode A port in this mode only receives LLDPDUs z Disable mode A port in this mode does not send or receive LLDPDUs LL...

Page 1449: ...perating in the TxRx mode or Rx mode checks the TLVs carried in the LLDPDUs it receives and saves the valid neighboring information An LLDPDU also carries a TTL time to live setting with it The information about a neighboring device maintained locally ages out when the corresponding TTL expires The TTL of the information about a neighboring device is determined by the following expression TTL mult...

Page 1450: ...tem Description TLV Carries system description System Capabilities TLV Carries information about system capabilities Management Address TLV Carries the management address the corresponding port number and OID object identifier If the management address is not configured it is the IP address of the interface of the VLAN with the least VLAN ID among those permitted on the port If the IP address of t...

Page 1451: ... Extended power via MDI TLV which carries the information about the power supply capability of the current device z Hardware revision TLV which carries the hardware version of an MED device z Firmware revision TLV which carries the firmware version of an MED device z Software revision TLV which carries the software version of an MED device z Serial number TLV which carries the serial number of an ...

Page 1452: ...view system view Enable LLDP globally lldp enable Required The default global state of LLDP varies with device models Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view port group view Enter port group view port group aggregation agg id manual port group name Either of the two is required Configuration performed in Ethernet interface view applies ...

Page 1453: ...current port only configuration performed in port group view applies to all the ports in the corresponding port group Set the LLDP operating mode lldp admin status disable rx tx txrx Optional TxRx by default 1 3 3 Configuring LLDPDU TLVs Follow these steps to configure LLDPDU TLVs To do Use the command Remarks Enter system view system view Set the TTL multiplier lldp hold multiplier value Optional...

Page 1454: ...code ca type ca value 1 10 elin address Tel Number network policy power over ethernet inventory Optional By default all types of LLDP TLVs except location identification TLV are sent Specify the management address and specify to send the management address through LLDPDUs lldp management address tlv ip address Optional By default the management address is sent through LLDPDUs and the management ad...

Page 1455: ...Vs also enables sending of MAC PHY configuration status TLVs 1 3 4 Enable LLDP Polling With LLDP polling enabled a device checks for the local configuration changes periodically Upon detecting a configuration change the device sends LLDPDUs to inform the neighboring devices of the change Follow these steps to enable LLDP polling To do Use the command Remarks Enter system view system view Enter Eth...

Page 1456: ...e number of the LLDPDUs to be sent when a new neighboring device is detected Follow these steps to set the number of the LLDPDUs to be sent when a new neighboring device is detected To do Use the command Remarks Enter system view system view Set the number of the LLDPDUs to be sent successively when a new neighboring device is detected lldp fast count value Optional 3 by default 1 4 Configuring LL...

Page 1457: ...interval to send LLDP traps lldp timer notification interval value Optional 5 seconds by default 1 5 Displaying and Maintaining LLDP To do Use the command Remarks Display the global LLDP information or the information contained in the LLDP TLVs to be sent through a port display lldp local information global interface interface type interface number Available in any view Display the information con...

Page 1458: ...or the link between Switch A and Switch B and the link between Switch A and the MED device on the NMS II Network diagram Figure 1 1 Network diagram for LLDP configuration III Configuration procedure 1 Configure Switch A Enter system view SwitchA system view Enable LLDP globally SwitchA lldp enable Enable LLDP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 setting the LLDP operating mode to Rx ...

Page 1459: ...t1 0 1 lldp admin status tx 3 Verify the configuration Display the global LLDP status and port LLDP status on Switch A SwitchA display lldp status Global status of LLDP Enable The current number of neighbors 2 Neighbor information last changed time 0 days 0 hours 4 minutes 40 seconds Transmit interval 30s Hold multiplier 4 Reinit delay 2s Transmit delay 2s Trap interval 5s Fast start times 3 Port ...

Page 1460: ...eighbors 1 Neighbor information last changed time 0 days 0 hours 5 minutes 20 seconds Transmit interval 30s Hold multiplier 4 Reinit delay 2s Transmit delay 2s Trap interval 5s Fast start times 3 Port 0 GigabitEthernet1 0 1 Port status of LLDP Enable Admin status Rx_Only Trap flag No Roll time 0s Number of neighbors 1 Number of MED neighbors 1 Number of sent optional TLV 0 Number of received unkno...

Page 1461: ... 1 3 1 Configuring a PoE Interface through the Command Line 1 3 1 3 2 Configuring PoE Interfaces Through a PoE Configuration File 1 4 1 4 Configuring PD Power Management 1 5 1 5 Configuring a Power Alarm Threshold for the PSE 1 6 1 6 Upgrading PSE Processing Software Online 1 7 1 7 Configuring a PD Disconnection Detection Mode 1 7 1 8 Enabling the PSE to Detect Nonstandard PDs 1 8 1 9 Displaying a...

Page 1462: ...net PoE means that power sourcing equipment PSE supplies power to powered devices PD such as IP telephone wireless LAN access point and web camera from Ethernet interfaces through twisted pair cables I Advantages z Reliable Power is supplied in a centralized way so that it is very convenient to provide a backup power supply z Easy to connect A network terminal requires only one Ethernet cable but ...

Page 1463: ...cted to other power supply units for redundancy backup 1 1 2 Protocol Specification The protocol specification related to PoE is IEEE 802 3af 1 2 PoE Configuration Task List Complete these tasks to configure PoE Task Remarks Configuring the PoE Interface Required Configuring PD Power Management Optional Configuring a Power Alarm Threshold for the PSE Optional Upgrading PSE Processing Software Onli...

Page 1464: ...ly supports power over spare cables you have to change the order of the lines in the twisted pair cable to supply power to the PD 1 3 1 Configuring a PoE Interface through the Command Line To do Use the command Remarks Enter system view system view Enter PoE interface view interface interface type interface number Enable PoE poe enable Required Disabled by default Configure the maximum power for t...

Page 1465: ...n file and enter PoE configuration file view poe profile profile name index Required Enable PoE for the PoE interface poe enable Required Disabled by default Configure the maximum power for the PoE interface poe max power max power Optional 15 400 milliwatts by default Configure the PoE mode for the PoE interface poe mode signal Optional signal power over signal cables by default Return to system ...

Page 1466: ... The priority levels of PoE interfaces include critical high and low in descending order Power supply to a PD is subject to PD power management policies All PSEs implement the same PD power management policies When the PSE supplies power to a PD z By default no power will be supplied to a new PD if the PSE power is overloaded z Under the control of a priority policy the PD with a lower priority is...

Page 1467: ...interface view poe priority critical high low poe profile profile name index Configur e the power priority for a PoE interface Configure the power priority for the PoE interface in PoE configuration file view poe priority critical high low Use either command By default the power priority of a PoE interface is low Configure a PD power management priority policy poe pd policy priority Optional By de...

Page 1468: ... example an error results in device reboot If you fail to upgrade the PSE processing software in full mode after reboot you can power off the device and restart it before upgrading it again After upgrade restart the device manually to make the original PoE configurations take effect Follow these steps to upgrade the PSE processing software online To do Use the command Remarks Enter system view sys...

Page 1469: ...E to detect nonstandard PDs poe legacy enable Optional Disabled by default 1 9 Displaying and Maintaining PoE To do Use the command Remarks Display the mapping between ID module and slot of all PSEs display poe device Display the power state and information of the specified PoE interface display poe interface interface type interface number Display the power information of a PoE interface s displa...

Page 1470: ... 9 000 milliwatts II Network diagram GE1 0 1 GE1 0 2 GE1 0 11 GE1 0 12 Figure 1 1 Network diagram for PoE III Configuration procedure Enable PoE on GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 GigabitEthernet 1 0 11 and GigabitEthernet 1 0 12 Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 poe enable Sysname GigabitEthernet1 0 1 quit Sysname interface Gigabi...

Page 1471: ...e PoE interface z The priority of the PoE interface is already set Solution z In the first case you can solve the problem by reducing the maximum power of the PoE interface when the guaranteed remaining power of the PSE cannot be modified z In the second case you should first remove the priority already configured Symptom 2 Applying a PoE configuration file to a PoE interface fails Analysis z Some...

Page 1472: ... 1 sFlow Configuration 1 1 1 1 sFlow Overview 1 1 1 1 1 Introduction to sFlow 1 1 1 1 2 Operation of sFlow 1 2 1 2 Configuring sFlow 1 2 1 3 Displaying sFlow 1 3 1 4 sFlow Configuration Example 1 3 1 5 Troubleshooting sFlow Configuration 1 4 1 5 1 The Remote sFlow Collector Cannot Receive sFlow Packets 1 4 ...

Page 1473: ...number of packets from an sFlow enabled port z Time based sampling Samples interface statistics at a specified interval from an sFlow enabled port The sFlow system involves an sFlow agent embedded in a device and a remote sFlow collector The sFlow agent collects traffic from the sFlow enabled ports encapsulates the information into sFlow packets and sends the packets to the sFlow collector The sFl...

Page 1474: ...tem view system view Configure an IP address for the sFlow agent sflow agent ip ip address Required Not configured by default Specify the IP address and port number of the sFlow collector sflow collector ip ip address port port num Required Not specified by default Set the sFlow interval sflow interval interval time Optional 20 seconds by default Enter interface view interface interface type inter...

Page 1475: ...quirements z Host A and Server are connected to Switch through GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 respectively z Host B works as an sFlow collector with IP address 3 3 3 2 and port number 6343 and is connected to Switch through GigabitEthernet 1 0 3 z GigabitEthernet 1 0 3 belongs to VLAN 1 having an IP address of 3 3 3 1 Run sFlow agent on Switch and enable sFlow on GigabitEthernet 1...

Page 1476: ...ation Switch GigabitEthernet1 0 1 display sflow sFlow Global Information Agent IP 3 3 3 1 Collector IP 3 3 3 2 Port 6343 Interval s 30 sFlow Port Information Interface Direction Rate Mode Status GE1 0 1 Both 100000 Random Active 1 5 Troubleshooting sFlow Configuration 1 5 1 The Remote sFlow Collector Cannot Receive sFlow Packets I Symptom The remote sFlow collector cannot receive sFlow packets II ...

Page 1477: ...e sFlow collector fails III Solution 1 Check whether sFlow is correctly configured by displaying sFlow configuration with the display sflow command 2 Check whether the correct IP address is configured for the device to communicate with the sFlow collector 3 Check whether the physical link between the device and the sFlow collector is normal ...

Page 1478: ...licy 1 5 1 4 1 Configuration Prerequisites 1 5 1 4 2 Configuration Procedure 1 5 1 5 Displaying and Maintaining SSL 1 6 1 6 Troubleshooting SSL 1 6 1 6 1 SSL Handshake Failure 1 6 Chapter 2 HTTPS Configuration 2 1 2 1 HTTPS Overview 2 1 2 2 HTTPS Configuration Task List 2 1 2 3 Associating the HTTPS Service with an SSL Server Policy 2 2 2 4 Enabling the HTTPS Service 2 2 2 5 Associating the HTTPS ...

Page 1479: ...d during the handshake phase z Authentication SSL supports authenticating both the server and the client through certificates with the authentication of the client being optional z Reliability SSL uses key based message authentication code MAC to verify message integrity As shown in Figure 1 1 the SSL protocol consists of two layers of protocols the SSL record protocol at the lower layer and the S...

Page 1480: ...erver and the SSL client Complete the following tasks to configure SSL Task Remarks Configuring an SSL Server Policy Required Configuring an SSL Client Policy Optional 1 3 Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up An SSL server policy takes effect only after it is associated with an application layer protocol HTTP protocol ...

Page 1481: ...ching timeout time session cachesize size timeout time Optional The defaults are as follows 500 for the maximum number of cached sessions 3600 seconds for the caching timeout time Enable certificate based SSL client authentication client verify enable Optional Not enabled by default Note If you enable client authentication here you must request a local certificate for the client 1 3 3 SSL Server P...

Page 1482: ... quit Create a PKI domain and configure it Sysname pki domain 1 Sysname pki domain 1 ca identifier ca1 Sysname pki domain 1 certificate request url http 10 1 2 2 certsrv mscep mscep dll Sysname pki domain 1 certificate request from ra Sysname pki domain 1 certificate request entity en Sysname pki domain 1 quit Create a local key pair through RSA Sysname public key local create rsa Retrieve the CA ...

Page 1483: ...PKI Commands z For details about the public key local create rsa command refer to SSH Commands 1 4 Configuring an SSL Client Policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server An SSL client policy takes effect only after it is associated with an application layer protocol 1 4 1 Configuration Prerequisites Before configuring an SSL client policy...

Page 1484: ... command Remarks Display SSL server policy information display ssl server policy policy name all Display SSL client policy information display ssl client policy policy name all Available in any view 1 6 Troubleshooting SSL 1 6 1 SSL Handshake Failure I Symptom As the SSL server the device fails to handshake with the SSL client II Analysis SSL handshake failure may result from the following causes ...

Page 1485: ...the server requests a certificate from the CA that the SSL client trusts z If the SSL server is configured to authenticate the client but the certificate of the SSL client does not exist or cannot be trusted request and install a certificate for the client 2 You can use the display ssl server policy command to view the cipher suite used by the SSL server policy If the cipher suite used by the SSL ...

Page 1486: ...er SSL protocol The SSL protocol of HTTPS enhances the security of the device in the following ways z Uses the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security management of the device z Defines certificat...

Page 1487: ...cy policy name Required Not associated by default Note z If the ip https ssl server policy command is executed repeatedly the HTTPS service is only associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again you need to re associate the HTTPS service with an SSL se...

Page 1488: ...PS service with a configured certificate access control policy helps control the access right of the client thus providing the device with enhanced security Follow these steps to associate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute access control policy ip ...

Page 1489: ...ociated by default Note If the ip https acl command is executed repeatedly the HTTPS service is only associated with the last specified ACL 2 7 Displaying and Maintaining HTTPS To do Use the command Remarks Display information about HTTPS display ip https Available in any view 2 8 HTTPS Configuration Example I Network requirements z Host acts as the HTTPS client and Switch acts as the HTTPS server...

Page 1490: ...t Configure a PKI domain Switch pki domain 1 Switch pki domain 1 ca identifier ca1 Switch pki domain 1 certificate request url http 10 1 2 2 8080 certsrv mscep mscep dll Switch pki domain 1 certificate request from ra Switch pki domain 1 certificate request entity en Switch pki domain 1 quit Generate a key pair locally by using the RSA algorithm Switch public key local create rsa Obtain a server c...

Page 1491: ...ss control policy myacp Switch pki cert acp myacp rule 1 permit mygroup1 Switch pki cert acp myacp quit 4 Reference an SSL server policy Associate the HTTPS service with the SSL server policy myssl Switch ip https ssl server policy myssl 5 Associate the HTTPS service with a certificate attribute access control policy Associate the HTTPS service with a certificate attribute access control policy my...

Page 1492: ...in Auto Mode 1 8 1 5 2 Submitting a Certificate Request in Manual Mode 1 9 1 6 Retrieving a Certificate Manually 1 10 1 7 Configuring PKI Certificate Validation 1 11 1 8 Destroying a Local RSA Key Pair 1 13 1 9 Deleting a Certificate 1 13 1 10 Configuring an Access Control Policy 1 14 1 11 Displaying and Maintaining PKI 1 14 1 12 PKI Configuration Examples 1 15 1 12 1 Configuring a PKI Entity to R...

Page 1493: ...on and public keys PKI allows users to request certificates use certificates and revoke certificates By leveraging digital certificates and relevant services like certificate distribution and blacklist publication PKI supports authentication the entities involved in communication and thus guaranteeing the confidentiality integrity and non repudiation of data 1 1 2 PKI Terms I Digital certificate A...

Page 1494: ...d function an effective way for checking the validity of certificates A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degrade network performance III CA policy A CA policy is a set of criteria that a CA follows in managing certificate requests and in issuing revoking and publishing CRLs Usually a CA advertises its policy i...

Page 1495: ...es keys CRLs and logs while providing a simple query function LDAP is a protocol for accessing and managing PKI information An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service From an LDAP server an entity can retrieve local and CA certificates of its own as well as certificates of other entities 1 1 4 Applications of PKI The...

Page 1496: ... and issues a certificate 4 The RA receives the certificate from the CA sends it to the LDAP server to provide directory navigation service and notifies the entity that the certificate is successfully issued 5 The entity retrieves the certificate With the certificate the entity can communicate with other entities safely through encryption and digital signature 6 The entity makes a request to the C...

Page 1497: ...here www is a host name and whatever com a domain name z IP address of the entity z Locality where the entity resides z Organization to which the entity belongs z Unit of the entity in the organization z State where the entity resides Note The configuration of an entity DN must comply with the CA certificate issue policy You need to determine for example which entity DN parameters are mandatory an...

Page 1498: ...e data length of a certificate request If the entity DN in a certificate request goes beyond a certain limit the server does not respond to the certificate request 1 4 Configuring a PKI Domain Before requesting a PKI certificate an entity needs to be configured with some enrollment information which is referred to as a PKI domain A PKI domain is intended only for convenience of reference by other ...

Page 1499: ...ed to configure the IP address of the LDAP server z Fingerprint for root certificate validation Upon receiving the root certificate of the CA an entity needs to validate the fingerprint of the root certificate namely the hash value of the root certificate content This hash value is unique to every certificate The entity will reject the root certificate if the fingerprint of the root certificate do...

Page 1500: ...ertificate It is not used when in local certificate request 1 5 Submitting a PKI Certificate Request When requesting a certificate an entity introduces itself to the CA by providing its identity information and public key which will be the major components of the certificate that the CA may issue to the entity A certificate request can be submitted to a CA in two ways online and offline In offline...

Page 1501: ...includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed information about RSA key pair configuration refer to SSH Configuration Follow these steps to submit a certificate request in manual mode To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain ...

Page 1502: ... it is impossible to request a certificate from the CA through SCEP you can save the request information by using the pki request certificate domain command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of an entity and the CA are synchronous Otherwise the validity period of the certificate may be abnormal z The pki request ce...

Page 1503: ...irst z The pki retrieval certificate configuration will not be saved in the configuration file 1 7 Configuring PKI Certificate Validation A certificate needs to be validated before being used Validating a certificate is to check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked Before validating a certificate you need to retrieve the CA certific...

Page 1504: ...eval crl domain domain name Required Verify the validity of a certificate pki validate certificate ca local domain domain name Required II Configuring CRL checking disabled PKI certificate validation Follow these steps to configure CRL checking disabled PKI certificate validation To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Disable CRL ch...

Page 1505: ...ire you can destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Use the command Remarks Enter system view system view Destroy a local RSA key pair public key local destroy rsa Required Note For details about the public key local destroy rsa command refer to SSH Commands 1 9 Deleting a Certificate When a certifica...

Page 1506: ... alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject name by default Return to system view quit Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Required No access control polic...

Page 1507: ...red when you use the Windows Server as the CA In this case when configuring the PKI domain you need to use the certificate request from ra command to specify that the entity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain you need to use the certificate request from ca command to specify that the entity requests ...

Page 1508: ...ction configuration page of the CA server This includes selecting the proper extension profiles enabling the SCEP autovetting function and adding the IP address list for SCEP autovetting 3 Configure the CRL publishing behavior After completing the above configuration you need to perform CRL related configurations In this example select the local CRL publishing mode of HTTP and set the HTTP URL to ...

Page 1509: ...rsa certificate request entity aaa Configure the URL for the CRL distribution point Switch pki domain torsa crl url http 4 4 4 133 447 myca crl Switch pki domain torsa quit 3 Generate a local key pair using RSA Switch public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It may take a few minutes Press CTRL C to abort Input the bits in th...

Page 1510: ... Use the following command to view information about the local certificate acquired Switch display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 9A96A48F 9A509FD7 05FFF4DF 104AD094 Signature Algorithm sha1WithRSAEncryption Issuer C cn O org OU test CN myca Validity Not Before Jan 8 09 26 53 2007 GMT Not After Jan 8 09 26 53 2008 GMT Subject CN Switch Subject Publi...

Page 1511: ... C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands to view detailed information about the CA certificate and CRLs Refer to the parts related to display pki certificate ca domain and display pki crl domain commands in PKI Commands 1 12 2 Configuring a Certificate Attribute Based Access Control Policy I Network requirements z The client accesses the remote HTTPS server...

Page 1512: ...rules The first rule defines that the DN of the subject name includes the string aabbcc and the second rule defines that the IP address of the certificate issuer is 10 0 0 1 Switch pki certificate attribute group mygroup1 Switch pki cert attribute group mygroup1 attribute 1 subject name dn ctn aabbcc Switch pki cert attribute group mygroup1 attribute 2 issuer name ip equ 10 0 0 1 Switch pki cert a...

Page 1513: ...e Switch ip https certificate access control policy myacp Enable HTTPS service Switch ip https enable 1 13 Troubleshooting PKI 1 13 1 Failed to Retrieve a CA Certificate I Symptom Failed to retrieve a CA certificate II Analysis Possible reasons include these z The network connection is not proper For example the network cable may be damaged or loose z No trusted CA is specified z The URL of the en...

Page 1514: ...e required parameters of the entity DN are not configured III Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Configure the RA for certificate request z Configure the required entity DN parameters 1 13 3 Failed to Retrieve CRLs I Symptom...

Page 1515: ...tches Chapter 1 PKI Configuration 1 23 III Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LADP server z Specify the URL for CRL distribution z Re configure the LDAP version ...

Page 1516: ...2 1 2 Track Configuration Task List 1 2 1 3 Configuring Collaboration Between the Track Module and the Detection Modules 1 3 1 3 1 Configuring Track NQA Collaboration 1 3 1 4 Configuring Collaboration Between the Track Module and the Application Modules 1 3 1 4 1 Configuring Track VRRP Collaboration 1 3 1 4 2 Configuring Track Static Routing Collaboration 1 4 1 5 Displaying and Maintaining Track O...

Page 1517: ...n here involves three parts the application modules the Track module and the detection modules These modules collaborate with one another through collaboration objects That is the detection modules trigger the application modules to perform certain operations through the Track module More specifically the detection modules probe the link status network performance and so on and inform the applicat...

Page 1518: ...on Between the Track Module and the Application Modules You can establish the collaboration between the Track module and the application modules through configuration If the status of the Track object changes the Track module tells the application modules to deal with the change accordingly At present the application modules that can collaborate with the Track module include z VRRP z Static routin...

Page 1519: ...re a Track object the specified NQA test group and Reaction entry can be nonexistent In this case the status of the configured Track object is Invalid 1 4 Configuring Collaboration Between the Track Module and the Application Modules 1 4 1 Configuring Track VRRP Collaboration Through the Track VRRP collaboration you can z Monitor the upper link If there is a fault on the upper link of the master o...

Page 1520: ...ress owner z When the status of the monitored Track object turns from Negative to Positive the corresponding master restores its priority automatically z The monitored Track object can be nonexistent so that you can first specify the Track object to be monitored using the vrrp vrid track command and then create the Track object using the track command z Refer to VRRP Configuration for details of V...

Page 1521: ...the static route and the specified Track object are associated directly for a nonexistent static route the system creates the static route and then associates it with the specified Track object z The Track object to be associated with the static route can be a nonexistent one After you use the track command to create the Track object the association takes effect z If a static route needs route rec...

Page 1522: ...I Network diagram Host A Switch A Switch B Virtual IP address 10 1 1 10 24 Vlan int2 10 1 1 1 24 Vlan int2 10 1 1 2 24 Host B 10 1 1 3 24 20 1 1 1 24 Internet Vlan int3 10 1 2 1 24 Vlan int3 10 1 3 1 24 Vlan int3 10 1 3 2 24 Vlan int3 10 1 2 2 24 Switch C Switch D Figure 1 2 Network diagram for VRRP Track NQA collaboration configuration III Configuration procedure 1 Configure the IP address of eac...

Page 1523: ... 10 Set the priority of Switch A in VRRP group 1 to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Set the authentication mode of VRRP group 1 to simple and the authentication key to hello SwitchA Vlan interface2 vrrp vrid 1 authentication mode simple hello Configure the master to send VRRP packets at an interval of five seconds SwitchA Ethernet1 0 vrrp vrid 1 timer advertise 5 Configure Swi...

Page 1524: ...rtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 5 Auth Type SIMPLE TEXT Key hello Track Object 1 Pri Reduced 0 Virtual IP 10 1 1 10 Virtual MAC 0000 5e00 0101 Master IP 10 1 1 1 Display detailed information about VRRP group 1 on Switch B SwitchB Vlan interface2 display vrrp verbose IPv4 Standby ...

Page 1525: ...ime 5 Auth Type SIMPLE TEXT Key hello Track Object 1 Pri Reduced 30 Virtual IP 10 1 1 10 Master IP 10 1 1 2 Display detailed information about VRRP group 1 on Switch B when there is a fault on the link between Switch A and Switch C SwitchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 5 Admin...

Page 1526: ...Operation Manual Appendix H3C S5500 EI Series Ethernet Switches Table of Contents i Table of Contents Appendix A Acronyms A 1 ...

Page 1527: ...ter B BDR Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP GARP Multicast Re...

Page 1528: ...Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM O OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PKI Public Key Infrastructure Q QoS Quality of Service R RIP Routing Information Protocol RMON Remote Network Monitoring RS...

Page 1529: ...n Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand VRRP Virtual Router Redundancy Protocol W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking ...

Reviews:

No comments