manualshive.com logo in svg

HP 4500G PWR 24-Port, Configuration Manual

The HP 4500G PWR 24-Port is a powerful networking device that offers advanced features and reliable performance. To configure and optimize this device, be sure to download the free Configuration Manual from manualshive.com. This comprehensive manual provides step-by-step instructions and essential information to maximize the potential of your HP 4500G PWR 24-Port.

Share
Download
background image

 

1-5 

Enabling Port Security 

Configuration Prerequisites 

Before enabling port security, you need to disable 802.1X and MAC authentication globally.  

Configuration Procedure 

Follow these steps to enable port security: 

To do… 

Use the command… 

Remarks 

Enter system view 

system-view 

— 

Enable port security 

port-security enable 

Required 
Disabled by default 

 
Note that: 
1)  Enabling port security resets the following configurations on a port to the bracketed defaults. Then, 

values of these configurations cannot be changed manually; the system will adjust them based on 
the port security mode automatically: 

z

 

802.1X (disabled), port access control method (macbased), and port access control mode (auto) 

z

 

MAC authentication (disabled) 

2)  Disabling port security resets the following configurations on a port to the bracketed defaults: 

z

 

Port security mode (noRestrictions) 

z

 

802.1X (disabled), port access control method (macbased), and port access control mode (auto) 

z

 

MAC authentication (disabled) 

3)  Port security cannot be disabled if there is any user present on a port. 
 

 

z

 

For detailed 802.1X configuration, refer to 

802.1X Configuration 

in the 

Security Volume

.  

z

 

For detailed MAC-based authentication configuration, refer to 

MAC Authentication Configuration

 in 

the 

Security Volume

.  

 

Setting the Maximum Number of Secure MAC Addresses 

With port security enabled, more than one authenticated user is allowed on a port. The number of 
authenticated users allowed, however, cannot exceed the specified upper limit.  
By setting the maximum number of secure MAC addresses allowed on a port, you can: 

z

 

Control the maximum number of users who are allowed to access the network through the port. 

z

 

Control the number of secure MAC addresses that can be added with port security. 

Summary of Contents for 4500G PWR 24-Port

Page 1: ...tch 4800G 24 Port Switch 4800G 48 Port Switch 4800G PWR 24 Port Switch 4800G PWR 48 Port Switch 4800G 24 Port SFP Product Version Release 2202 Manual Version 6W101 20091012 www 3com com 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 ...

Page 2: ...rcial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered tr...

Page 3: ...ew Static Routing RIP OSPF IS IS BGP IPv6 Static Routing RIPng OSPFv3 IPv6 IS IS IPv6 BGP Route Policy 03 IP Routing Volume MCE Policy Routing Mulitcast Overview Multicast Routing and Forwarding IGMP PIM MSDP MBGP IGMP Snooping Multicast VLAN IPv6 Multicast Routing and Forwarding MLD IPv6 PIM IPv6 MBGP 04 Multicast Volume MLD Snooping IPv6 Multicast VLAN 05 QoS Volume QoS User Profile AAA 802 1X H...

Page 4: ...rs One is selected x y Optional alternative items are grouped in square brackets and separated by vertical bars One or none is selected x y Alternative items are grouped in braces and separated by vertical bars A minimum of one or a maximum of all can be selected x y Optional alternative items are grouped in square brackets and separated by vertical bars Many or none can be selected 1 n The argume...

Page 5: ...G documentation set includes the following Manual Description 3Com Switch 4800G Family Command Reference Guide Provide detailed descriptions of command line interface CLI commands that you require to manage your switch 3Com Switch 4800G Family Getting Started Guide This guide provides all the information you need to install and use the 3Com Switch 4800G Family Obtaining Documentation You can acces...

Page 6: ...res 1 1 Introduction to Product 1 1 Feature Lists 1 1 2 Features 2 1 Access Volume 2 1 IP Services Volume 2 3 IP Routing Volume 2 4 Multicast Volume 2 6 QoS Volume 2 8 Security Volume 2 8 High Availability Volume 2 10 System Volume 2 11 ...

Page 7: ...ndant features and the related documents are divided into the volumes as listed in Table 1 1 Table 1 1 Feature list Volume Features Ethernet Interface Link Aggregation Port Isolation Service Loopback Group MSTP LLDP VLAN GVRP 01 Access Volume QinQ BPDU Tunneling VLAN Mapping Port Mirroring IP Addressing ARP DHCP DNS IP Performance Optimization UDP Helper IPv6 Basics Dual Stack 02 IP Services Volum...

Page 8: ...t Link Monitor Link RRPP DLDP Ethernet OAM Connectivity Fault Detection BFD 07 High Availability Volume Track GR Overview Login Basic System Configuration Device Management File System Management HTTP SNMP RMON MAC Address Table Management System Maintaining and Debugging Information Center PoE Hotfix NQA NTP Cluster Management IRF 08 System Volume IPC Automatic Configuration ...

Page 9: ...nfiguring the Storm Constrain Function on an Ethernet Interface Link aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link This document describes z Basic Concepts of Link Aggregation z Configuring a Static Aggregation Group z Configuring a Dynamic Aggregation Group z Configuring an Aggregate Interface z Configuring a Load Sharing Mode for Load Sharing Link...

Page 10: ...e VLAN space by allowing Ethernet frames to travel across the service provider network with double VLAN tags This document describes z Introduction to QinQ z Configuring basic QinQ z Configuring Selective QinQ z Configuring the TPID Value in VLAN Tags BPDU Tunnel BPDU tunneling enables transparently transmission of customer network BPDU frames over the service provider network This document descri...

Page 11: ...ame System DNS is a distributed database which provides the translation between domain name and the IP address This document describes z Configuring the DNS Client z Configuring the DNS Proxy IP Performance In some network environments you need to adjust the IP parameters to achieve best network performance This document describes z Enabling Reception and Forwarding of Directed Broadcasts to a Dir...

Page 12: ...g volume Features Description IP Routing Overview This document describes z Introduction to IP routing and routing table z Routing protocol overview Static Routing A static route is manually configured by the administrator The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications This document describes z Static rout...

Page 13: ...tic routes work well in simple IPv6 network environments This document describes z IPv6 static route configuration RIPng RIP next generation RIPng is an extension of RIP 2 for IPv4 RIPng for IPv6 is IPv6 RIPng This document describes z Configuring RIPng Basic Functions z Configuring RIPng Route Control z Tuning and Optimizing the RIPng Network OSPFv3 OSPFv3 is OSPF version 3 for short supporting I...

Page 14: ...cy configuration commands refer to QoS Commands in the QoS Volume Multicast Volume Table 2 4 Features in Multicast volume Features Description Multicast Overview This document describes the main concepts in multicast z Introduction to Multicast z Multicast Models z Multicast Architecture z Multicast Packets Forwarding Mechanism Multicast Routing and Forwarding Multicast routing and forwarding refe...

Page 15: ...upport This document describes z IPv6 Multicast routing and forwarding overview z IPv6 Multicast routing and forwarding configuration MLD MLD is used by an IPv6 router or a Ethernet Switch to discover the presence of multicast listeners on directly attached subnets This document describes z MLD overview z Configuring Basic Functions of MLD z Adjusting MLD Performance z Configuring MLD SSM Mapping ...

Page 16: ...ed for configuring these three security functions to implement the network security management This document describes z Introduction to AAA RADIUS and HWTACACS z AAA configuration z RADIUS configuration z HWTACACS configuration 802 1X IEEE 802 1X hereinafter simplified as 802 1X is a port based network access control protocol that is used as the standard for LAN user access authentication This do...

Page 17: ...onfiguring the Device as an SSH Server z Configuring the Device as an SSH Client z Configuring an SFTP Server z Configuring an SFTP Client PKI The Public Key Infrastructure PKI is a hierarchical framework designed for providing information security through public key technologies and digital certificates and verifying the identities of the digital certificate owners This document describes PKI rel...

Page 18: ...unction used to enable a device to be aware of the up down state change of the ports on an indirectly connected link This document describes z Monitor Link Overview z Configuring Monitor Link RRPP RRPP is a link layer protocol designed for Ethernet rings RRPP can prevent broadcast storms caused by data loops when an Ethernet ring is healthy and rapidly restore the communication paths between the n...

Page 19: ...between different modules through established collaboration objects The detection modules trigger the application modules to perform certain operations through the track module This document describes z Track Overview z Configuring Collaboration Between the Track Module and the Detection Modules z Configuring Collaboration Between the Track Module and the Application Modules GR Overview Graceful R...

Page 20: ... and renaming a file or a directory and opening a file This document describes z File system management z Configuration File Management z FTP configuration z TFTP configuration HTTP Hypertext Transfer Protocol HTTP is used for transferring web page information across the Internet This document describes z HTTP Configuration z HTTPS Configuration SNMP Simple network management protocol SNMP offers ...

Page 21: ...g equipment PSE to feed powered devices PDs from Ethernet ports through twisted pair cables This document describes z PoE overview z Configuring the PoE Interface z Configuring PoE power management z Configuring the PoE monitoring function z Online upgrading the PSE processing software z Configuring a PD Disconnection Detection Mode z Enabling the PSE to detect nonstandard PDs Hotfix Hotfix is a f...

Page 22: ...te Device to a Cluster z Configuring Advanced Cluster Functions IRF Intelligent Resilient Framework IRF allows you to build an IRF namely a united device by interconnecting multiple devices through IRF ports You can manage all the devices in the IRF by managing the united device This document describes z IRF Overview z IRF Working Process z Configuring IRF z Logging In to an IRF IPC Inter Process ...

Page 23: ...G Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router ASCII American Standard Code for Information Interchange ASE Application service element ASIC Application Specific Integrated Circuit ASM Any Source Multicast ASN Auxiliary Signal Network AT Advanced...

Page 24: ...e and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain Routing CIR Committed Information Rate CIST Common and Internal Spanning Tree CLNP Connectionless Network Protocol CPOS Channelized POS CPU Central Processing Unit CQ Custom Queuing CRC Cyclic Redunda...

Page 25: ...point Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavelength Division Multiplexing E Return EACL Enhanced ACL EAD Endpoint Admission Defense EAP Extensible Authentication Protocol EAPOL Extensible Authentication Protocol over LAN EBGP External Border Gat...

Page 26: ...hernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC High level Data Link Control HEC Header Error Control HoPE Hiberarchy of PE HoVPN Hiberarchy of VPN HQoS Hierarchical Quality of Service HSB Hot Standby HTTP Hyper Text Transport Protocol H VPLS Hiber...

Page 27: ...ion IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRF Intelligent Resilient Framework IS Intermediate System ISATAP Intra Site Automatic Tunnel Addressing Protocol ISDN Integrated Services Digital Network IS IS Intermediate System to Intermediate System intra domain routing information exchange protocol ISO International Organizatio...

Page 28: ...Rate LRTT Loop Round Trip Time LSA Link State Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data Unit LSPM Label Switch Path Management LSR Link State Request LSR Label Switch Router LSR ID Label Switch Router Identity LSU Link State Update M Return MAC Media Access Control MAN Metropolitan ...

Page 29: ...ion Overhead MSTI Multi Spanning Tree Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Multicast VPN Routing and Forwarding N Return NAPT Network Address Port Translation NAS Network Access Server NAT Net Address Translation NBMA Non Broadcast Multi Access NBT NetBIOS over TCP IP NCP N...

Page 30: ... OC 3 OC 3 OID Object Identifier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB Printed Circuit Board PCM Pulse Code Modulation PD Powered Device PDU Protocol Data Unit PE Provider Edge PHP Penultimate Hop Popping PHY Physical layer PIM Protocol Independent Multicast PIM DM...

Page 31: ...t Virtual Channel PW Pseudo wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority RADIUS Remote Authentication Dial in User Service RAM random access memory RD Routing Domain RD Router Distinguisher RED Random Early Detection RFC Request For comments RIP Routing Information Pr...

Page 32: ...Choke Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicast Distribution Tree SIP Session Initiation Protocol Site of Origin Site of Origin SLA Service Level Agreement SMB Standby Main Board SMTP Simple Mail Transfer Protocol SNAP Sub Network Access Po...

Page 33: ... Distribution Tree T Return TA Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBase TFTP Trivial File Transfer Protocol TLS Transparent LAN Service TLV Type Length Value ToS Type of Service TPID Tag Protocol Identifier TRIP Trigger RIP TS Traffic Shaping TTL Time to Live TTY...

Page 34: ...ork VPI Virtual Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary VTY Virtual Type Terminal W Return WAN Wide Area Network WFQ Weighted Fair Queuing WINS Windows Internet Naming Service WLAN wireless local area network WRED Weighted Random Early Detection WRR...

Page 35: ...nabling Forwarding of Jumbo Frames z Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an Ethernet Interface Link aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link This document describes z Basic Concepts of ...

Page 36: ...VLAN z Types of VLAN z Isolate user vlan configuration z Introduction and Configuration of Voice VLAN GVRP GVRP is a GARP application This document describes z GARP overview z GVRP configuration z GARP Timers configuration QinQ As defined in IEEE802 1Q 12 bits are used to identify a VLAN ID so a device can support a maximum of 4094 VLANs The QinQ feature extends the VLAN space by allowing Ethernet...

Page 37: ...ing through a port to another port connected with a monitoring device for packet analysis to help implement network monitoring and troubleshooting This document describes z Port Mirroring overview z Local port mirroring configuration z Remote port mirroring configuration ...

Page 38: ...n an Ethernet Interface 1 4 Configuring Loopback Testing on an Ethernet Interface 1 4 Configuring a Port Group 1 5 Configuring Storm Suppression 1 5 Setting the Interval for Collecting Ethernet Interface Statistics 1 6 Enabling Forwarding of Jumbo Frames 1 7 Enabling Loopback Detection on an Ethernet Interface 1 7 Configuring the MDI Mode for an Ethernet Interface 1 8 Testing the Cable on an Ether...

Page 39: ...te of a Combo port To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enable a specified Combo port undo shutdown Optional By default of the two ports in a Combo port the one with a smaller port ID is enabled In case of a Combo port only one interface either the optical port or the electrical port is active at a time ...

Page 40: ...Ethernet1 0 1 Interface for example Set the duplex mode duplex auto full half Optional auto by default The optical interface of an SFP port and the electrical interface of an Ethernet port whose port rate is configured as 1000 Mbps do not support the half keyword Set the transmission rate speed 10 100 1000 auto Optional The optical interface of an SFP port does not support the 10 or 100 keyword By...

Page 41: ...on transmission rate To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the auto negotiation transmission rate range speed auto 10 100 1000 Optional z This function is available for auto negotiation capable Gigabit Layer 2 Ethernet electrical ports only z If you repeatedly use the speed and the speed auto command...

Page 42: ...em view Enter Ethernet interface view interface interface type interface number Configure the up down suppression time of physical link state changes link delay delay time Required By default the physical link state change suppression time is not configured Configuring Loopback Testing on an Ethernet Interface You can enable loopback testing to check whether the Ethernet interface functions proper...

Page 43: ... Note that even though the settings are made on the port group they are saved on an interface basis rather than on a port group basis Thus you can only view the settings in the view of each interface with the display current configuration command or the display this command Follow these steps to configure a manual port group To do Use the command Remarks Enter system view system view Create a manu...

Page 44: ...t suppression ratio pps max pps Optional By default all broadcast traffic is allowed to pass through an interface that is broadcast traffic is not suppressed Set the multicast storm suppression ratio multicast suppression ratio pps max pps Optional By default all multicast traffic is allowed to pass through an interface that is multicast traffic is not suppressed Set the unknown unicast storm supp...

Page 45: ...ter system view system view port group manual port group name In port group view jumboframe enable interface interface type interface number Enable the forwarding of jumbo frames In Ethernet interface view jumboframe enable Use any command By default the device allows jumbo frames with the length of 9 216 bytes to pass through all Layer 2 Ethernet interfaces Enabling Loopback Detection on an Ether...

Page 46: ... configured in both system view and the interface view of the port z Loopback detection on all ports will be disabled after the configuration of the undo loopback detection enable command under system view Configuring the MDI Mode for an Ethernet Interface 10 Gigabit Ethernet ports and optical interfaces of SFP ports do not support this function Two types of Ethernet cables can be used to connect ...

Page 47: ...interface mdi across auto normal Optional Defaults to auto That is the Ethernet interface determines the physical pin roles transmit or receive through negotiation Testing the Cable on an Ethernet Interface z 10 Gigabit Ethernet ports and optical interfaces of SFP ports do not support this feature z A link in the up state goes down and then up automatically if you perform the operation described i...

Page 48: ...affic z Shutting down the interface In this case the interface is shut down and stops forwarding all types of traffic Interfaces shut down by the storm constrain function can only be brought up by using the undo shutdown command or disabling the storm constrain function Follow these steps to configure the storm constrain function on an Ethernet interface To do Use the command Remarks Enter system ...

Page 49: ...constrain function is applicable to multicast packets and broadcast packets and you can specify the upper and lower threshold for any of the three types of packets Displaying and Maintaining an Ethernet Interface To do Use the command Remarks Display the current state of an interface and the related information display interface interface type interface number Available in any view Display the sum...

Page 50: ...ort group manual all name port group name Available in any view Display the information about the loopback function display loopback detection Available in any view Display the information about storm constrain display storm constrain broadcast multicast interface interface type interface number Available in any view ...

Page 51: ...a Dynamic Aggregation Group 1 7 Configuring an Aggregate Interface 1 8 Configuring the Description of an Aggregate Interface 1 8 Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface 1 8 Shutting Down an Aggregate Interface 1 9 Configuring a Load Sharing Mode for Load Sharing Link Aggregation Groups 1 9 Displaying and Maintaining Link Aggregation 1 10 Link Aggregation Configuration E...

Page 52: ...these member ports can dynamically back up each other Basic Concepts of Link Aggregation Aggregate interface An aggregate interface is a logical Layer 2 or Layer 3 aggregate interface Aggregation group An aggregation group is a collection of Ethernet interfaces When you create an aggregate interface an aggregation group numbered the same is created automatically depending on the type of the aggreg...

Page 53: ...on receiving an LACPDU the partner compares the received information with the information received on other interfaces to determine the interfaces that can operate as selected interfaces This allows the two systems to reach an agreement on which link aggregation member ports should be placed in selected state Operational key When aggregating ports link aggregation control automatically assigns eac...

Page 54: ... the member ports in a static aggregation group In a static aggregation group the system sets a port to selected or unselected state by the following rules z Select a port as the reference port from the ports that are in up state and with the same class two configurations as the corresponding aggregate interface These ports are selected in the order of full duplex high speed full duplex low speed ...

Page 55: ...f they are the same compare the system MAC addresses The system with the smaller MAC address wins out z Compare the port IDs of the ports on the system with the smaller system ID A port ID comprises a port LACP priority and a port number First compare the port LACP priorities The port with the lower LACP priority wins out If two ports are with the same LACP priority compare their port numbers The ...

Page 56: ...egation Group The link aggregation groups created on the 3Com Switch 4800G always operates in load sharing mode even when they contain only one member port Link Aggregation Configuration Task List Complete the following tasks to configure link aggregation Task Remarks Configuring a Static Aggregation Group Configuring an Aggregation Group Configuring a Dynamic Aggregation Group Required Perform ei...

Page 57: ...d enter the Layer 2 aggregate interface view interface bridge aggregation interface number Required When you create a Layer 2 aggregate interface a Layer 2 static aggregation group numbered the same is created automatically Exit to system view quit Enter Ethernet interface view interface interface type interface number Assign the Ethernet interface to the aggregation group port link aggregation gr...

Page 58: ...terface a Layer 2 static aggregation group numbered the same is created automatically Configure the aggregation group to work in dynamic aggregation mode link aggregation mode dynamic Required By default an aggregation group works in static aggregation mode Exit to system view quit Enter Layer 2 Ethernet interface view interface interface type interface number Assign the Ethernet interface to the ...

Page 59: ...consider the situation when making configuration Configuring an Aggregate Interface You can perform the following configurations for an aggregate interface z Configuring the Description of an Aggregate Interface z Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface z Shutting Down an Aggregate Interface Configuring the Description of an Aggregate Interface Follow these steps to con...

Page 60: ...erface is brought up the selected state of the ports in the corresponding aggregation group is re calculated Follow these steps to shut down an aggregate interface To do Use the command Remarks Enter system view system view Enter Layer 2 aggregate interface view interface bridge aggregation interface number Shut down the aggregate interface shutdown Required By default aggregate interfaces are up ...

Page 61: ...source IP address and a destination IP address a source IP address and a source port number or a destination IP address and a destination port number to form a hash key z Combine any two or all three of the following elements to form a hash key ingress port number source MAC address and destination MAC address Displaying and Maintaining Link Aggregation To do Use the command Remarks Display the lo...

Page 62: ...s the configuration of the port rate and duplex mode z For details about class two configurations see Table 1 1Class two configurations Layer 2 Static Aggregation Configuration Example Network requirements As shown in Figure 1 1 Device A and Device B are connected through their respective Ethernet ports GigabitEthernet1 0 1 to GigabitEthernet1 0 3 Aggregate the ports on each device to form a stati...

Page 63: ...ure 1 2 Device A and Device B are connected through their respective Ethernet ports GigabitEthernet1 0 1 to GigabitEthernet1 0 3 Aggregate the ports on each device to form a dynamic link aggregation group thus balancing outgoing traffic across the member ports In addition perform load sharing based on source and destination MAC addresses Figure 1 2 Network diagram for Layer 2 dynamic aggregation C...

Page 64: ...nk aggregation group 1 DeviceA GigabitEthernet1 0 1 quit DeviceA interface GigabitEthernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link aggregation group 1 DeviceA GigabitEthernet1 0 2 quit DeviceA interface GigabitEthernet 1 0 3 DeviceA GigabitEthernet1 0 3 port link aggregation group 1 2 Configure Device B Follow the same configuration procedure performed on Device A to configure Device B ...

Page 65: ...solation Configuration 1 1 Introduction to Port Isolation 1 1 Configuring the Isolation Group 1 1 Assigning a Port to the Isolation Group 1 1 Displaying and Maintaining Isolation Groups 1 2 Port Isolation Configuration Example 1 2 ...

Page 66: ...en a port inside an isolation group and a port outside the isolation group but not between ports inside the isolation group Configuring the Isolation Group Assigning a Port to the Isolation Group Follow these steps to add a port to the isolation group To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Layer 2 ag...

Page 67: ...that Host A Host B and Host C cannot communicate with one another at Layer 2 but can access the Internet Figure 1 1 Networking diagram for port isolation configuration Configuration procedure Add ports GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to the isolation group Device system view Device interface GigabitEthernet 1 0 1 Device GigabitEthernet1 0 1 port isolate enable...

Page 68: ...1 3 Uplink port support NO Group ID 1 Group members GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3 ...

Page 69: ...Functions of Service Loopback Groups 1 1 Port Configuration Prerequisites of Service Loopback Groups 1 1 States of the Ports in a Service Loopback Group 1 2 Configuring a Service Loopback Group 1 2 Displaying and Maintaining Service Loopback Groups 1 3 Configuration Example 1 3 ...

Page 70: ...group Similar to link aggregation a service loopback group can increase bandwidth and implement load sharing Service loopback groups fall into five types z IPv6 supporting IPv6 unicast traffic z IPv6 multicast supporting IPv6 multicast traffic z Tunnel supporting unicast tunnel traffic z Multicast tunnel supporting multicast tunnel traffic z MPLS supporting MPLS traffic Currently the 3Com Switch 4...

Page 71: ...ference port in rate duplex mode and hardware restrictions as candidate selected ports and set the rest ports to unselected state z The number of selected ports is limited in a service loopback group If the number of candidate ports exceeds the limit those with smaller port IDs are set to selected state and the others are set to unselected state The system follows the preemption principle when set...

Page 72: ...1 0 3 to a service loopback group to increase bandwidth and achieve load sharing Configuration procedure Create service loopback group 1 and specify the service type as Tunnel unicast tunnel service DeviceA system view DeviceA service loopback group 1 type tunnel Disable MSTP on GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 and then assign them to service loopback group 1 DeviceA interface G...

Page 73: ...g the Priority of a Device 1 19 Configuring the Maximum Hops of an MST Region 1 20 Configuring the Network Diameter of a Switched Network 1 20 Configuring Timers of MSTP 1 21 Configuring the Timeout Factor 1 22 Configuring the Maximum Port Rate 1 23 Configuring Ports as Edge Ports 1 23 Configuring Path Costs of Ports 1 24 Configuring Port Priority 1 26 Configuring the Link Type of Ports 1 27 Confi...

Page 74: ...oops at the data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging information with one another and eliminate loops by selectively blocking certain ports to prune the loop structure into a loop free tree structure This avoids proliferation and infinite cycling of packets that would occur in a loop network and prevents decreased performan...

Page 75: ... port The root bridge has no root port Designated bridge and designated port The following table describes designated bridges and designated ports Table 1 1 Description of designated bridges and designated ports Classification Designated bridge Designated port For a device A device directly connected with the local device and responsible for forwarding BPDUs to the local device The port through wh...

Page 76: ...e spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the root bridge denoted by the root identifier from the transmitting bridge z Designated bridge ID consisting of the priority and MAC address of the designated bridge z Designated port ID designated port...

Page 77: ...riority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port the device replaces the content of the configuration BPDU generated by the port with the content of the rece...

Page 78: ... device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined and acts depending on the comparison result z If the calculated configuration BPDU is superior the device considers this port as the designated port and replaces the configuration BPDU on the po...

Page 79: ... port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received configuration BPDU and therefore discards the received configuration BPDU z Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is super...

Page 80: ...port BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port 2 0 2 CP1 and updates the configuration BPDU of CP1 z Port CP2 receives the configuration BPDU of port BP2 of Device B 1 0 1 BP2 before the configuration BPDU is updated Device C...

Page 81: ...nning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With priority 2 BP1 BP2 CP2 5 4 The spanning tree calculation process in this example is only simplified process The BPDU forwarding mechanism in STP z Upon network initiation every switch regards itself a...

Page 82: ...te transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propagated throughout the network z Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault free z Max age is a parameter used to...

Page 83: ...ngs of STP and RSTP In addition to the support for rapid network convergence it allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharing mechanism for redundant links For description about VLANs refer to VLAN Configuration in the Access Volume MSTP features the following z MSTP supports mapping VLANs to spanning tree instances by means of a VLA...

Page 84: ... tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the same region name z They have the same VLAN to instance mapping configuration z They have the same MSTP revision level configuration and z They are physically linked with one another For example all the...

Page 85: ... constitute the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to as a multiple spanning tree instance MSTI In Figure 1 4 for example multiple spanning trees can exist in each MST region each spanning tree corresponding to the specific VLAN s These spanning trees ar...

Page 86: ...nate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a designated port When the designated port is blocked the backup port becomes a new designated port and starts forwarding data without delay A loop occurs when two ports of the same MSTP device are interc...

Page 87: ... are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration on the device from which this BPDU is sent CIST calculation The calculation of a CIST tree is also the process of config...

Page 88: ...STP you need to know the role of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes Complete these tasks to configure MSTP Task Remarks Configuring an MST Region Required Configuring the Root Bridge or a Secondary Root Bridge Optional Configuring the Work Mode of an MSTP Device Optional Configuring the Prio...

Page 89: ...e For the detailed information of GVRP refer to GVRP Configuration of the Access Volume z MSTP is mutually exclusive with any of the following functions on a port service loopback RRPP Smart Link and BPDU tunnel z Configurations made in system view take effect globally configurations made in Ethernet interface view take effect on the current interface only configurations made in port group view ta...

Page 90: ...urations of currently activated MST regions display stp region configuration The display command can be executed in any view z Two or more MSTP enabled devices belong to the same MST region only if they are configured to have the same format selector 0 by default not configurable MST region name the same VLAN to instance mapping entries in the MST region and the same MST region revision level and ...

Page 91: ...er if you specify a new primary root bridge for the instance then the secondary root bridge will not become the root bridge If you have specified multiple secondary root bridges for an instance when the root bridge fails MSTP will select the secondary root bridge with the lowest MAC address as the new root bridge Configuring the current device as the root bridge of a specific spanning tree Follow ...

Page 92: ...he device send out MSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will automatically migrate to STP compatible mode Make this configuration on the root bridge and on the leaf nodes separately Follow these steps to configure the MSTP work mode To do Use the command Remarks Enter system view system view Configure the work...

Page 93: ...spanning tree calculation and thereby the size of the MST region is confined Make this configuration on the root bridge only All the devices other than the root bridge in the MST region use the maximum hop value set for the root bridge Follow these steps to configure the maximum number of hops of an MST region To do Use the command Remarks Enter system view system view Configure the maximum hops o...

Page 94: ...f the peer occur in a synchronized manner z Hello time is the time interval at which a device sends configuration BPDUs to the surrounding devices to ensure that the paths are fault free If a device fails to receive configuration BPDUs within a certain period of time it starts a new spanning tree calculation process z MSTP can detect link failures and automatically restore blocked redundant links ...

Page 95: ... to timely launch spanning tree calculations thus reducing the auto sensing capability of the network We recommend that you use the default setting The settings of hello time forward delay and max age must meet the following formulae otherwise network instability will frequently occur z 2 forward delay 1 second ú max age z Max age ú 2 hello time 1 second We recommend that you specify the network d...

Page 96: ...imit Required 10 by default The higher the maximum port rate is the more BPDUs will be sent within each hello time and the more system resources will be used By setting an appropriate maximum port rate you can limit the rate at which the port sends BPDUs and prevent MSTP from using excessive network resources when the network becomes instable We recommend that you use the default setting Configuri...

Page 97: ...c flows to be forwarded along different physical links thus achieving VLAN based load balancing The device can automatically calculate the default path cost alternatively you can also configure the path cost for ports Make the following configurations on the leaf nodes only Specifying a standard that the device uses when calculating the default path cost You can specify a standard for the device t...

Page 98: ...666 500 2 1 1 1 When calculating path cost for an aggregate interface 802 1d 1998 does not take into account the number of member ports in its aggregation group as 802 1t does The calculation formula of 802 1t is Path Cost 200 000 000 link speed in 100 kbps where link speed is the sum of the link speed values of the non blocked ports in the aggregation group Configuring path costs of ports Follow ...

Page 99: ... elected as the root port of a device If all other conditions are the same the port with the highest priority will be elected as the root port On an MSTP enabled device a port can have different priorities in different MSTIs and the same port can play different roles in different MSTIs so that data of different VLANs can be propagated along different physical paths thus implementing per VLAN load ...

Page 100: ...iew system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command Configure the link type of ports stp point to point auto force false force true Optional The default setting is auto namely the port automatically detec...

Page 101: ...acy Required auto by default z MSTP provides the MSTP packet format incompatibility guard function In MSTP mode if a port is configured to recognize send MSTP packets in a mode other than auto and receives a packet in a format different from the specified type the port will become a designated port and remain in the discarding state to prevent the occurrence of a loop z MSTP provides the MSTP pack...

Page 102: ...anual port group name Required Use either command Enable the MSTP feature for the ports stp enable Optional By default MSTP is enabled on all ports z MSTP takes effect when it is enabled both globally and on the port z To control MSTP flexibly you can use the undo stp enable command to disable the MSTP feature for certain ports so that they will not take part in spanning tree calculation and thus ...

Page 103: ... RSTP or MSTP mode Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the MST region related configurations domain name revision level VLAN to instance mappings on them are identical An MSTP enabled device identifies devices in the same MST region by checking the configuration ID in BPDU packets The configuration ID includes the region nam...

Page 104: ...bled by default z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to instance mappings must be the same on associated ports z With global Digest Snooping enabled modification of VLAN to instance mappings and removing of the current region configuration using the undo stp region configuration command are not allowed ...

Page 105: ...ooping on Device B DeviceB system view DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 stp config digest snooping DeviceB GigabitEthernet1 0 1 quit DeviceB stp config digest snooping Configuring No Agreement Check In RSTP and MSTP two types of messages are used for rapid state transition on designated ports z Proposal sent by designated ports to request rapid transition z Agre...

Page 106: ...TP and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream device As a result the designated port of the upstream device fails to transit rapidly and can only change to the forwarding state after a period twice the Forward Delay In this case you can enable the No Agreement Check ...

Page 107: ...party device that has different MSTP implementation Both devices are in the same region z Device B is the regional root bridge and Device A is the downstream device Figure 1 9 No Agreement Check configuration 2 Configuration procedure Enable No Agreement Check on GigabitEthernet 1 0 1 of Device A DeviceA system view DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 stp no agreem...

Page 108: ... default BPDU guard does not take effect on loopback test enabled ports For information about loopback test refer to Ethernet Interface Configuration in the Access Volume Enabling Root guard The root bridge and secondary root bridge of a spanning tree should be located in the same MST region Especially for the CIST the root bridge and secondary root bridge are generally put in a high bandwidth cor...

Page 109: ...twork The loop guard function can suppress the occurrence of such loops If a loop guard enabled port fails to receive BPDUs from the upstream device and if the port takes part in STP calculation all the instances on the port no matter what roles the port plays will be set to and stay in the Discarding state Make this configuration on the root port or an alternate port of a device Follow these step...

Page 110: ...intaining MSTP To do Use the command Remarks View information about abnormally blocked ports display stp abnormal port Available in any view View information about ports blocked by STP protection functions display stp down port Available in any view View the historical information of port role calculation for the specified MSTI or all MSTIs display stp instance instance id history slot slot number...

Page 111: ... 1 10 Network diagram for MSTP configuration G E 1 0 1 G E 1 0 1 G E 1 0 1 G E 1 0 1 Configuration procedure 1 VLAN and VLAN member port configuration Create VLAN 10 VLAN 20 and VLAN 30 on Device A and Device B respectively create VLAN 10 VLAN 20 and VLAN 40 on Device C and create VLAN 20 VLAN 30 and VLAN 40 on Device D configure the ports on these devices as trunk ports and assign them to related...

Page 112: ...n DeviceB mst region active region configuration DeviceB mst region quit Specify the current device as the root bridge of MSTI 3 DeviceB stp instance 3 root primary Enable MSTP globally DeviceB stp enable 4 Configuration on Device C Enter MST region view configure the MST region name as example map VLAN 10 VLAN 30 and VLAN 40 to MSTI 1 MSTI 3 and MSTI 4 respectively and configure the revision leve...

Page 113: ...n on Device A DeviceA display stp brief MSTID Port Role STP State Protection 0 GigabitEthernet1 0 1 ALTE DISCARDING NONE 0 GigabitEthernet1 0 2 DESI FORWARDING NONE 0 GigabitEthernet1 0 3 ROOT FORWARDING NONE 1 GigabitEthernet1 0 1 DESI FORWARDING NONE 1 GigabitEthernet1 0 3 DESI FORWARDING NONE 3 GigabitEthernet1 0 2 DESI FORWARDING NONE 3 GigabitEthernet1 0 3 ROOT FORWARDING NONE Display brief s...

Page 114: ...ef MSTID Port Role STP State Protection 0 GigabitEthernet1 0 1 ROOT FORWARDING NONE 0 GigabitEthernet1 0 2 ALTE DISCARDING NONE 0 GigabitEthernet1 0 3 ALTE DISCARDING NONE 3 GigabitEthernet1 0 1 ROOT FORWARDING NONE 3 GigabitEthernet1 0 2 ALTE DISCARDING NONE 4 GigabitEthernet1 0 3 ROOT FORWARDING NONE Based on the above information you can draw the MSTI corresponding to each VLAN as shown in Figu...

Page 115: ...zation Delay 1 8 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address and Its Encoding Format 1 9 Setting Other LLDP Parameters 1 9 Setting an Encapsulation Format for LLDPDUs 1 10 Configuring CDP Compatibility 1 11 Configuration Prerequisites 1 11 Configuring CDP Compatibility 1 12 Configuring LLDP Trapping 1 12 Displaying and Maintaining LLDP 1 1...

Page 116: ... in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major functions management IP address device ID and port ID as TLV type length and value triplets in LLDPDUs to the directly connected devices and at the same time stores the device information received in LL...

Page 117: ...ing bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the received Ethernet frame 2 SNAP encapsulated LLDP frame format Figure 1 2 SNAP encapsulated LLDP frame format Data LLDPU n bytes 0 Destination MAC address Source MAC address Type 15 31 FCS The fields...

Page 118: ...information field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and LLDP MED media endpoint discovery TLVs Basic management TLVs are essential to device management Organizationally specific TLVs and LLDP MED TLVs are used for enhanced device management they are defi...

Page 119: ...ly 3Com switches 4800G support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Configuration Status Contains the rate and duplex capabilities of the sending port support for auto negotiation enabling status of auto negotiation and the current rate and duplex mode Power Via MDI ...

Page 120: ...sset ID The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advertise the appropriate location identifier information for an endpoint to use in the context of location based applications Management address The management address of a device is used by the network managemen...

Page 121: ... resumes Receiving LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information is saved and an aging timer is set for it based on the time to live TTL TLV carried in the LLDPDU If the TTL TLV is zero the information is aged out immediately Protocols and Standards The protocols and standar...

Page 122: ...port group manual port group name Required Use either command Enable LLDP lldp enable Optional By default LLDP is enabled on a port Setting LLDP Operating Mode LLDP can operate in one of the following modes z TxRx mode A port in this mode sends and receives LLDP frames z Tx mode A port in this mode only sends LLDP frames z Rx mode A port in this mode only receives LLDP frames z Disable mode A port...

Page 123: ...sends LLDP frames to inform the neighboring devices of the change Follow these steps to enable LLDP polling To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port group name Required Use either command Enable LLDP polling and set...

Page 124: ...e normal communication with the neighbor Follow these steps to configure a management address to be advertised and its encoding format on one or a group of ports To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port group name R...

Page 125: ...dp fast count count Optional 3 by default Both the LLDPDU transmit interval and delay must be less than the TTL to ensure that the LLDP neighbors can receive LLDP frames to update information about the device you are configuring before it is aged out Setting an Encapsulation Format for LLDPDUs LLDPDUs can be encapsulated in Ethernet II or SNAP frames z With Ethernet II encapsulation configured an ...

Page 126: ...nes As your LLDP enabled device cannot recognize CDP packets it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device This can cause a requesting Cisco IP phone to send voice traffic without any tag to your device disabling your device to differentiate the voice traffic from other types of traffic By configuring CDP compatibility you can enable LLDP on ...

Page 127: ...command Configure CDP compatible LLDP to operate in TxRx mode lldp compliance admin status cdp txrx Required By default CDP compatible LLDP operates in disable mode As the maximum TTL allowed by CDP is 255 seconds ensure that the product of the TTL multiplier and the LLDPDU transmit interval is less than 255 seconds for CDP compatible LLDP to work properly with Cisco IP phones Configuring LLDP Tra...

Page 128: ...n any view Display LLDP statistics display lldp statistics global interface interface type interface number Available in any view Display LLDP status of a port display lldp status interface interface type interface number Available in any view Display types of advertisable optional LLDP TLVs display lldp tlv config interface interface type interface number Available in any view LLDP Configuration ...

Page 129: ...hB system view SwitchB lldp enable Enable LLDP on GigabitEthernet1 0 1 you can skip this step because LLDP is enabled on ports by default and set the LLDP operating mode to Tx SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 lldp enable SwitchB GigabitEthernet1 0 1 lldp admin status tx SwitchB GigabitEthernet1 0 1 quit 3 Verify the configuration Display the global LLDP status a...

Page 130: ...operate in Rx mode that is they only receive LLDP frames Tear down the link between Switch A and Switch B and then display the global LLDP status and port LLDP status on Switch A SwitchA display lldp status Global status of LLDP Enable The current number of LLDP neighbors 1 The current number of CDP neighbors 0 LLDP neighbor information last changed time 0 days 0 hours 5 minutes 20 seconds Transmi...

Page 131: ...hones to automatically configure the voice VLAN thus confining their voice traffic within the voice VLAN to be isolated from other types of traffic Figure 1 5 Network diagram for CDP compatible LLDP configuration Configuration procedure 1 Configure a voice VLAN on Switch A Create VLAN 2 SwitchA system view SwitchA vlan 2 SwitchA vlan2 quit Set the link type of GigabitEthernet 1 0 1 and GigabitEthe...

Page 132: ...thernet1 0 2 lldp enable SwitchA GigabitEthernet1 0 2 lldp admin status txrx SwitchA GigabitEthernet1 0 2 lldp compliance admin status cdp txrx SwitchA GigabitEthernet1 0 2 quit 3 Verify the configuration Display the neighbor information on Switch A SwitchA display lldp neighbor information CDP neighbor information of port 1 GigabitEthernet1 0 1 CDP neighbor index 1 Chassis ID SEP00141CBCDBFE Port...

Page 133: ...nfiguration 1 14 Introduction 1 14 Configuring an IP Subnet Based VLAN 1 14 Displaying and Maintaining VLAN 1 15 VLAN Configuration Example 1 16 2 Isolate User VLAN Configuration 2 1 Overview 2 1 Configuring Isolate User VLAN 2 1 Displaying and Maintaining Isolate User VLAN 2 3 Isolate User VLAN Configuration Example 2 3 3 Voice VLAN Configuration 3 1 Overview 3 1 OUI Addresses 3 1 Voice VLAN Assi...

Page 134: ... and excessive broadcasts cannot be avoided on an Ethernet To address the issue virtual LAN VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN VLANs are isolated from each other at Layer 2 A VLAN is a bridging domain and all broadcast traffic is contained within it as shown in...

Page 135: ...E 802 1Q inserts a four byte VLAN tag after the DA SA field as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority canonical format indicator CFI and VLAN ID z The 16 bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged z The 3 bit priority field indicates the 802 1p priority of the frame...

Page 136: ...at the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs protocol based VLANs and port based VLANs Configuring Basic VLAN Settings Follow these steps to configure basic VLAN settings To do Use the command Remarks Enter system view system view Create VLANs vlan vlan id1 t...

Page 137: ...an create one VLAN interface You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the VLAN Follow these steps to configure basic settings of a VLAN interface To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface vlan...

Page 138: ...a hybrid port can carry multiple VLANs to receive and send traffic for them Unlike a trunk port a hybrid port allows traffic of all VLANs to pass through VLAN untagged You can configure a port connected to a network device or user terminal as a hybrid port for access link connectivity or trunk connectivity Default VLAN By default VLAN 1 is the default VLAN for all ports You can configure the defau...

Page 139: ... the frame carries the default VLAN tag z Send the frame without removing the tag if its VLAN is carried on the port but is different from the default one Hybrid Check whether the default VLAN is permitted on the port z If yes tag the frame with the default VLAN tag z If not drop the frame z Receive the frame if its VLAN is carried on the port z Drop the frame if its VLAN is not carried on the por...

Page 140: ... interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command z In Ethernet interface view the subsequent configurations apply to the current port z In port group view the subsequent configurations apply to all ports in the port group ...

Page 141: ...Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command z In Ethernet interface view the subsequent configurations apply to the current port z In port group view the subsequen...

Page 142: ...e VLANs You can assign it to a VLAN in interface view or port group view Follow these steps to assign a hybrid port to one or multiple VLANs To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view En...

Page 143: ... z When receiving an untagged frame the device looks up the list of MAC to VLAN mappings based on the source MAC address of the frame for a match Two matching modes are available exact matching and fuzzy matching In exact matching mode the device searches the MAC to VLAN mappings whose masks are all Fs If the MAC address in a MAC to VLAN mapping matches the source MAC address of the untagged frame...

Page 144: ...To do Use the command Remarks Enter system view system view Associate MAC addresses with a VLAN mac vlan mac address mac address mask mac mask vlan vlan id priority priority Required Support for the mask keyword in this command depends on the device model Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view p...

Page 145: ...plate the packet will be tagged with the default VLAN ID of the port The port processes a tagged packet as it processes tagged packets of a port based VLAN z If the port permits the VLAN ID of the packet to pass through the port forwards the packet z If the port does not permit the VLAN ID of the packet to pass through the port drops the packet This feature is mainly used to assign packets of the ...

Page 146: ...nfiguring the user defined template for llc encapsulation Otherwise the encapsulation format of the matching packets will be the same as that of the ipx llc or ipx raw packets respectively z When you use the mode keyword to configure a user defined protocol template do not set etype id in ethernetii etype etype id to 0x0800 0x8137 0x809b or 0x86dd Otherwise the encapsulation format of the matching...

Page 147: ...k segment or IP address to be associated with a VLAN cannot be a multicast network segment or a multicast address Return to system view quit Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group name Requir...

Page 148: ...rface vlan interface id Available in any view Display hybrid ports or trunk ports on the device display port hybrid trunk Available in any view Display MAC address to VLAN entries display mac vlan all dynamic mac address mac address mask mac mask static vlan vlan id Available in any view Display all interfaces with MAC based VLAN enabled display mac vlan interface Available in any view Display pro...

Page 149: ... 100 to pass through Figure 1 4 Network diagram for port based VLAN configuration Configuration procedure 1 Configure Device A Create VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 DeviceA system view DeviceA vlan 2 DeviceA vlan2 quit DeviceA vlan 100 DeviceA vlan100 vlan 6 to 50 Please wait Done Enter GigabitEthernet 1 0 1 interface view DeviceA interface GigabitEthernet 1 0 1 Configure GigabitEthern...

Page 150: ...isted pair Port hardware type is 1000_BASE_T Unknown speed mode unknown duplex mode Link speed type is autonegotiation link duplex type is autonegotiation Flow control is not enabled The Maximum Frame Length is 9216 Broadcast MAX ratio 100 Unicast MAX ratio 100 Multicast MAX ratio 100 Allow jumbo frame to pass PVID 100 Mdi type auto Link delay is 0 sec Port link type trunk VLAN passing 2 6 50 100 ...

Page 151: ...nderruns buffer failures 0 aborts 0 deferred 0 collisions 0 late collisions 0 lost carrier no carrier The output above shows that z The port GigabitEthernet 1 0 1 is a trunk port z The default VLAN of the port is VLAN 100 z The port permits packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass through Therefore the configuration is successful ...

Page 152: ... of only the isolate user VLAN but not the secondary VLANs network configuration is simplified and VLAN resources are saved z You can isolate the Layer 2 traffic of different users by assigning the ports connected to them to different secondary VLANs To enable communication between secondary VLANs associated with the same isolate user VLAN you can enable local proxy ARP on the upstream device to r...

Page 153: ... least one port takes the isolate user VLAN as its default VLAN Hybrid port Refer to Assigning a Hybrid Port to a VLAN Use either approach Return to system view quit Create secondary VLANs vlan vlan id1 to vlan id2 all Required Quit to system view quit Access port Refer to Assigning an Access Port to a VLAN Assign ports to each secondary VLAN and ensure that at least one port in a secondary VLAN t...

Page 154: ...1 to VLAN 3 z Configure VLAN 6 on Device C as an isolate user VLAN assign the uplink port GigabitEthernet 1 0 5 to VLAN 6 and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4 Assign GigabitEthernet 1 0 3 to VLAN 3 and GigabitEthernet 1 0 4 to VLAN 4 z For Device A Device B only has VLAN 5 and Device C only has VLAN 6 Figure 2 2 Network diagram for isolate user VLAN configuration Configurati...

Page 155: ...an4 port gigabitethernet 1 0 4 Associate the isolate user VLAN with the secondary VLANs DeviceC vlan4 quit DeviceC isolate user vlan 6 secondary 3 to 4 Verification Display the isolate user VLAN configuration on Device B DeviceB display isolate user vlan Isolate user VLAN VLAN ID 5 Secondary VLAN ID 2 3 VLAN ID 5 VLAN Type static Isolate user VLAN type isolate user VLAN Route Interface not configu...

Page 156: ... gigabitethernet 1 0 5 VLAN ID 3 VLAN Type static Isolate user VLAN type secondary Route Interface not configured Description VLAN 0003 Name VLAN 0003 Tagged Ports none Untagged Ports gigabitethernet 1 0 1 gigabitethernet 1 0 5 ...

Page 157: ... OUI Addresses A device determines whether a received packet is a voice packet by checking its source MAC address A packet whose source MAC address complies with the voice device Organizationally Unique Identifier OUI address is regarded as voice traffic You can configure the OUI addresses in advance or use the default OUI addresses Table 3 1 lists the default OUI address for each vendor s devices...

Page 158: ...t from the voice VLAN if no packet is received from the port after the aging time expires Assigning removing ports to from a voice VLAN are automatically performed by the system z In manual mode you should assign an IP phone connecting port to a voice VLAN manually Then the system matches the source MAC addresses in the packets against the OUI addresses If a match is found the system issues ACL ru...

Page 159: ...ort untagged If an IP phone sends tagged voice traffic and its connecting port is configured with 802 1X authentication and Guest VLAN you should assign different VLAN IDs for the voice VLAN the default VLAN of the connecting port and the 802 1X Guest VLAN z The default VLANs for all ports are VLAN 1 You can configure the default VLAN of a port and configure a port to permit a certain VLAN to pass...

Page 160: ...h Configuring a Voice VLAN Configuration Prerequisites Before configuring a VLAN as a voice VLAN create the VLAN first Note that you cannot configure VLAN 1 the system default VLAN as a voice VLAN Setting a Port to Operate in Automatic Voice VLAN Assignment Mode Follow these steps to set a port to operate in automatic voice VLAN assignment mode To do Use the command Remarks Enter system view syste...

Page 161: ...rate in Manual Voice VLAN Assignment Mode Follow these steps to set a port to operate in manual voice VLAN assignment mode To do Use the command Remarks Enter system view system view Enable the voice VLAN security mode voice vlan security enable Optional Enabled by default Add a recognizable OUI address voice vlan mac address oui mask oui mask description text Optional By default each voice VLAN h...

Page 162: ...splaying and Maintaining Voice VLAN To do Use the command Remarks Display the voice VLAN state display voice vlan state Available in any view Display the OUI addresses currently supported by system display voice vlan oui Available in any view Voice VLAN Configuration Examples Automatic Voice VLAN Mode Configuration Example Network requirements As shown in Figure 3 1 z The MAC address of IP phone A...

Page 163: ...rity enable Configure the allowed OUI addresses as MAC addresses prefixed by 0011 1100 0000 or 0011 2200 0000 In this way Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets DeviceA voice vlan mac address 0011 1100 0001 mask ffff ff00 0000 description IP phone A DeviceA voice vlan mac address 0011 2200 0001 mask ffff ff00 0000 description IP p...

Page 164: ...fff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current states of voice VLANs DeviceA display voice vlan state Maximum of Voice VLANs 16 Current Voice VLANs 2 Voice VLAN security mode Security Voice VLAN aging time 1440 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthernet1 0 1 2 AUTO GigabitEthernet1 0 2 3 AUTO Manual Voice VLAN Assignment Mo...

Page 165: ... 1 undo voice vlan mode auto Configure GigabitEthernet 1 0 1 as a hybrid port DeviceA GigabitEthernet1 0 1 port link type access Please wait Done DeviceA GigabitEthernet1 0 1 port link type hybrid Configure the voice VLAN VLAN 2 as the default VLAN of GigabitEthernet 1 0 1 and configure GigabitEthernet 1 0 1 to permit the voice traffic of VLAN 2 to pass through untagged DeviceA GigabitEthernet1 0 ...

Page 166: ... 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current voice VLAN state DeviceA display voice vlan state Maximum of Voice VLANs 16 Current Voice VLANs 2 Voice VLAN security mode Security Voice VLAN aging time 100 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthernet1 0 1 2 MANUAL ...

Page 167: ...Protocols and Standards 1 4 GVRP Configuration Task List 1 4 Configuring GVRP Functions 1 4 Configuring GARP Timers 1 5 Displaying and Maintaining GVRP 1 6 GVRP Configuration Examples 1 7 GVRP Configuration Example I 1 7 GVRP Configuration Example II 1 8 GVRP Configuration Example III 1 9 ...

Page 168: ...rt is regarded as a GARP participant GARP messages and timers 1 GARP messages A GARP application entity exchanges information with other GARP application entities by z Sending Join messages to register with other entities its attributes the attributes received from other GARP application entities and the attributes manually configured on it z Sending Leave messages to have its attributes deregiste...

Page 169: ...timer starts again z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z On a GARP enabled network a device may send LeaveAll messages at the interval set by its LeaveAll timer or the LeaveAll timer on another device on the network whichever is smaller This is because each time a device on the network receives a LeaveAll message it resets its LeaveAll timer Operating...

Page 170: ...ute Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Number of octets occupied by an attribute inclusive of the attribute length field 2 to 255 in bytes Attribute Event Event described by the attribute z 0 LeaveAll event z 1 JoinEmpty event z 2 JoinIn event z 3 LeaveEmpty event z 4 LeaveIn event z 5 Empty event Attribute Value Attribute value VLAN ID for G...

Page 171: ...ynamically register and deregister VLANs and to propagate VLAN information except information about VLAN 1 A trunk port with forbidden registration type thus allows only VLAN 1 to pass through even though it is configured to carry all VLANs Protocols and Standards GVRP is described in IEEE 802 1Q GVRP Configuration Task List Complete these tasks to configure GVRP Task Remarks Configuring GVRP Func...

Page 172: ... remote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more information about port mirroring refer to Port Mirroring Configuration in the Access Volume z Enabling GVRP on a Layer 2 aggregate interface enables both the aggregate interface and all selected member ports in the corresponding link aggregation group to participate in dynamic VLAN ...

Page 173: ...or a timer you may change the value range by tuning the value of another related timer z If you want to restore the default settings of the timers restore the Hold timer first and then the Join Leave and LeaveAll timers Table 1 2 Dependencies of GARP timers Timer Lower limit Upper limit Hold 10 centiseconds No greater than half of the Join timer setting Join No less than two times the Hold timer s...

Page 174: ...onfiguration Examples GVRP Configuration Example I Network requirements Configure GVRP for dynamic VLAN information registration and update among devices adopting the normal registration mode on ports Figure 1 2 Network diagram for GVRP configuration Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view DeviceA gvrp Configure port GigabitEthernet 1 0 1 as a trunk po...

Page 175: ...ic Now the following dynamic VLAN exist s 2 GVRP Configuration Example II Network requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP registration on Device A and normal GVRP registration on Device B Figure 1 3 Network diagram for GVRP configuration Configuration procedure 1 Configure Device A Enable GVRP globally DeviceA system view De...

Page 176: ... a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B DeviceB display vlan dynamic Now the following dynamic VLAN exist s 2 GVRP Configuration Example III Network requirements To prevent dynamic VLAN information registration and update among devices set t...

Page 177: ...RP globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a trunk port allowing all VLANs to pass through DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 DeviceB GigabitEthernet1 0 1 gvrp DeviceB GigabitEthernet1 0 1 quit Create VLAN 3 a ...

Page 178: ... 1 5 Configuring Basic QinQ 1 5 Enabling Basic QinQ 1 5 Configuring Selective QinQ 1 5 Configuring Selective QinQ Based on Ports 1 6 Configuring Selective QinQ through QoS Policies 1 6 Configuring the TPID Value in VLAN Tags 1 7 QinQ Configuration Examples 1 8 Basic QinQ Configuration Example 1 8 Selective QinQ Configuration Example Port Based Configuration 1 10 Selective QinQ Configuration Exampl...

Page 179: ...can support a maximum of 4094 VLANs In actual applications however a large number of VLANs are required to isolate users especially in metropolitan area networks MANs and 4094 VLANs are far from satisfying such requirements QinQ Mechanism and Benefits The QinQ feature is a flexible easy to implement Layer 2 VPN technique It enables the edge device on the service provider network to encapsulate an ...

Page 180: ...vider network it is tagged with outer VLAN 4 In this way there is no overlap of VLAN IDs among customers and traffic from different customers does not become mixed By tagging tagged frames QinQ expands the available VLAN space from 4094 to 4094 4094 and thus satisfies the requirement for VLAN space in MAN It mainly addresses the following issues z Releases the stress on the SVLAN resource z Enable...

Page 181: ...ss of whether the frame is tagged or untagged If the received frame is already tagged it becomes a double tagged frame if it is untagged it becomes a frame tagged with the port s default VLAN tag 2 Selective QinQ Selective QinQ is a more flexible VLAN based implementation of QinQ In addition to all the functions of basic QinQ selective QinQ provides per CVLAN actions for frames received on the sam...

Page 182: ...tag In addition the systems of different vendors may set the TPID of the outer VLAN tag of QinQ frames to different values For compatibility with these systems you can modify the TPID value so that the QinQ frames when sent to the public network carry the TPID value identical to the value of a particular vendor to allow interoperability with the devices of that vendor The TPID in an Ethernet frame...

Page 183: ... all member ports in the current port group z Basic and selective QinQ should both be configured on the ports connecting customer networks z Do not configure QinQ on a reflector port For information about reflector ports refer to Port Mirroring Configuration in the Access Volume Configuring Basic QinQ Enabling Basic QinQ Follow these steps to enable basic QinQ To do Use the command Remarks Enter s...

Page 184: ...rt group name Required Use either command Enter QinQ view and configure the SVLAN tag for the port to add qinq vid vlan id Required By default the SVLAN tag to be added is the default VLAN tag of the receiving port Tag frames of the specified CVLANs with the current SVLAN raw vlan id inbound all vlan list Required z An inner VLAN tag corresponds to only one outer VLAN tag z If you want to change a...

Page 185: ... interface view interface interface type interface number Enter the Ethernet port view of the customer network side port Enter port group view port group manual port group name aggregation agg id Enter the Ethernet port view of the customer network side port Enable basic QinQ qing enable Required Apply the QoS policy in the inbound direction qos apply policy policy name inbound Required z For deta...

Page 186: ...ed through trunk ports They belong to SVLAN 10 and 50 z Customer A1 Customer A2 Customer B1 and Customer B2 are edge devices on the customer network z Third party devices with a TPID value of 0x8200 are deployed between Provider A and Provider B Make configuration to achieve the following z Frames of VLAN 200 through VLAN 299 can be exchanged between Customer A1 and Customer A2 through VLAN 10 of ...

Page 187: ... GigabitEthernet1 0 2 port hybrid vlan 50 untagged Enable basic QinQ on GigabitEthernet 1 0 2 ProviderA GigabitEthernet1 0 2 qinq enable ProviderA GigabitEthernet1 0 2 quit z Configure GigabitEthernet 1 0 3 Configure GigabitEthernet 1 0 3 as a trunk port to permit frames of VLAN 10 and 50 to pass through ProviderA interface gigabitethernet 1 0 3 ProviderA GigabitEthernet1 0 3 port link type trunk ...

Page 188: ...qinq ethernet type service tag 8200 3 Configuration on third party devices Configure the third party devices between Provider A and Provider B as follows configure the port connecting GigabitEthernet 1 0 3 of Provider A and that connecting GigabitEthernet 1 0 3 of Provider B to allow tagged frames of VLAN 10 and 50 to pass through Selective QinQ Configuration Example Port Based Configuration Netwo...

Page 189: ...ProviderA GigabitEthernet1 0 1 port link type hybrid ProviderA GigabitEthernet1 0 1 port hybrid vlan 1000 2000 untagged Tag CVLAN 10 frames with SVLAN 1000 ProviderA GigabitEthernet1 0 1 qinq vid 1000 ProviderA GigabitEthernet1 0 1 vid 1000 raw vlan id inbound 10 ProviderA GigabitEthernet1 0 1 vid 1000 quit Tag CVLAN 20 frames with SVLAN 2000 ProviderA GigabitEthernet1 0 1 qinq vid 2000 ProviderA ...

Page 190: ... and VLAN 2000 to pass through ProviderB system view ProviderB interface gigabitethernet 1 0 1 ProviderB GigabitEthernet1 0 1 port link type trunk ProviderB GigabitEthernet1 0 1 port trunk permit vlan 1000 2000 z Configure GigabitEthernet 1 0 2 Configure GigabitEthernet 1 0 2 as a hybrid port to permit frames of VLAN 2000 to pass through and configure GigabitEthernet 1 0 2 to send packets of VLAN ...

Page 191: ... B with a TPID value of 0x8200 The expected result of the configuration is as follows z VLAN 10 of Customer A and Customer B can intercommunicate across VLAN 1000 on the public network z VLAN 20 of Customer A and Customer C can intercommunicate across VLAN 2000 on the public network z Frames of the VLANs other than VLAN 10 and VLAN 20 of Customer A can be forwarded to Customer D across VLAN 3000 o...

Page 192: ...fic behavior P1000 ProviderA behavior P1000 nest top most vlan id 1000 ProviderA behavior P1000 quit Create a class A20 to match frames of VLAN 20 of Customer A ProviderA traffic classifier A20 ProviderA classifier A20 if match customer vlan id 20 ProviderA classifier A20 quit Create a traffic behavior P2000 and configure the action of tagging frames with the outer VLAN tag 2000 for the traffic be...

Page 193: ...000 To enable interoperability with the third party devices in the public network set the TPID of the service provider network VLAN tags to 0x8200 Therefore the port tags the received frames with the outer VLAN tag whose TPID is 0x8200 ProviderB GigabitEthernet1 0 1 qinq ethernet type service tag 8200 ProviderB GigabitEthernet1 0 1 quit z Configuration on GigabitEthernet 1 0 2 Configure VLAN 2000 ...

Page 194: ...1 16 so that their corresponding ports send tagged frames of VLAN 1000 VLAN 2000 and VLAN 3000 The configuration steps are omitted here ...

Page 195: ...DU Tunneling Configuration 1 1 Introduction to BPDU Tunneling 1 1 Configuring BPDU Transparent Transmission 1 3 Configuring Destination Multicast MAC Address for BPDU Tunnel Frames 1 3 BPDU Tunneling Configuration Example 1 3 ...

Page 196: ...was introduced BPDU tunneling delivers the following benefits z BPDUs can be transmitted transparently BPDUs of the same customer network can be broadcast in a specific VLAN across the service provider network so that the geographically dispersed networks of the same customer can implement consistent spanning tree calculation across the service provider network z BPDUs of different customer networ...

Page 197: ...er VLAN z At the output side of the service provider network the edge device recognizes the BPDU with the destination MAC address of 0x010F E200 0003 and restores its original destination MAC address 0x0180 C200 0000 Then the device removes the outer VLAN tag and sends the BPDU to the destination customer network Make sure through configuration that the VLAN tag of the BPDU is neither changed nor ...

Page 198: ...s bpdu tunnel dot1q stp Required By default BPDU tunneling for STP is disabled Configuring Destination Multicast MAC Address for BPDU Tunnel Frames By default the destination multicast MAC address for BPDU tunnel frames is 0x010F E200 0003 You can modify it to 0x0100 0CCD CDD0 0x0100 0CCD CDD1 or 0x0100 0CCD CDD2 through the following configuration Follow these steps to configure destination multi...

Page 199: ...tunnel frames as 0x0100 0CCD CDD0 ProviderA system view ProviderA bpdu tunnel tunnel dmac 0100 0ccd cdd0 Configure GigabitEthernet 1 0 1 to transmit packets through VLAN 2 ProviderA vlan 2 ProviderA vlan2 quit ProviderA interface GigabitEthernet 1 0 1 ProviderA GigabitEthernet1 0 1 port access vlan 2 Configure GigabitEthernet 1 0 1 to transmit BPDUs transparently ProviderA GigabitEthernet1 0 1 und...

Page 200: ...1 5 ProviderB GigabitEthernet1 0 2 undo stp enable ProviderB GigabitEthernet1 0 2 bpdu tunnel dot1q stp ...

Page 201: ...Is Implemented 1 4 VLAN Mapping Configuration Task List 1 5 Configuring One to One VLAN Mapping 1 6 Configuring One to One VLAN Mapping 1 6 Configuring Many to One VLAN Mapping 1 8 Configuring Many to One VLAN Mapping 1 8 Configuring Two to Two VLAN Mapping 1 10 VLAN Mapping Configuration Examples 1 13 One to One Many to One VLAN Mapping Configuration Example 1 13 Two to Two VLAN Mapping Configura...

Page 202: ...AN Mapping Overview VLAN mapping maps the customer VLANs CVLANs to service provider VLANs SVLANs Types of VLAN mapping include z One to one VLAN mapping that maps the CVLAN ID in the VLAN tag to the SVLAN ID z Many to one VLAN mapping that maps the CVLAN IDs in the VLAN tags of traffic of more than two VLANs to the same SVLAN ID z Two to two VLAN mapping that maps traffic with outer and inner VLAN...

Page 203: ...twork DHCP client DHCP server One to one VLAN mapping and many to one VLAN mapping are mainly applied in networking environments as shown in Figure 1 1 In such a network different VLANs are used for transmitting different services PC VoD and VoIP for example of a home user Furthermore to differentiate home users that are using the same service you need to perform one to one VLAN mapping to map the...

Page 204: ...becomes double tagged 2 When the double tagged packet enters the SP 2 network Device C replaces the outer VLAN tag VLAN 100 with VLAN 200 the VLAN ID assigned by SP 2 to the VPN 1 user For the packet to reach the VPN 1 user in VLAN 30 Device C replaces the inner tag VLAN 10 of the packet with VLAN 30 This double tag to double tag replacement is called two to two VLAN mapping For more information a...

Page 205: ...inal CVLAN Downlink policy in the outbound direction For information about QoS policies refer to QoS Configuration in the QoS Volume Many to one VLAN mapping On the downlink port On the uplink port For uplink traffic For downlink traffic Do Based on Do Based on Map all specified customer VLANs CVLANs to one service provider VLAN SVLAN Uplink policy in the inbound direction Replace the SVLAN with t...

Page 206: ... Task Remarks Configuring One to One VLAN Mapping Optional Perform this configuration on the corridor switches shown in Figure 1 1 Configuring Many to One VLAN Mapping Optional Perform this configuration on the campus switches shown in Figure 1 1 Configuring Two to Two VLAN Mapping Optional Perform this configuration on an edge device connecting two SP networks An example is Device C in the SP 2 n...

Page 207: ...default only the default VLAN VLAN 1 exists Repeat these steps for all CVLANs and SVLANs involved in VLAN mapping Configure an uplink policy to map the CVLAN to the SVLAN Refer to Table 1 1 Required Configure a downlink policy to map the SVLAN to the original CVLAN Refer to Table 1 2 Required Enter interface view of the downlink port interface interface type interface number Set the link type of t...

Page 208: ...he VLAN mapping remark service vlan id vlan id value Required Exit to system view quit Create a QoS policy and enter QoS policy view qos policy policy name Required Map the CVLAN to the SVLAN by associating the traffic class with the traffic behavior classifier tcl name behavior behavior name Required Exit to system view quit Table 1 2 Configure a downlink policy To do Use the command Remarks Ente...

Page 209: ...stem view system view Enable DHCP snooping dhcp snooping Required Disabled by default Create a VLAN and enter VLAN view vlan vlan id Enable ARP detection arp detection enable Enable ARP detection on the CVLANs and the SVLAN for the VLAN mapping Exit to system view quit Required Disabled by default Repeat these steps for all CVLANs and the SVLAN that the VLAN mapping involves Configure an uplink po...

Page 210: ...tion for each CVLAN z Before applying a QoS policy to the downlink port enable customer side QinQ on the port before disabling customer side QinQ on the downlink port remove the QoS policy z To change a VLAN mapping you must first use the reset dhcp snooping command to clear the corresponding DHCP snooping address binding entry refer to DHCP Commands in the IP Services Volume or disable the dynami...

Page 211: ...riginal SVLAN and CVLAN and the VLANs that the edge device substitutes for the original SVLAN and CVLAN are called the new SVLAN and CVLAN Perform two to two VLAN mapping on the edge device that connects two SP networks on Device C in Figure 1 2 for example Follow these steps to configure a two to two VLAN mapping To do Use the command Remarks Enter system view system view Configure an uplink poli...

Page 212: ...rt trunk permit vlan vlan id list all Required By default a trunk port permits only the packets of VLAN 1 to pass through Apply the uplink policy for the uplink port to the outbound direction of the uplink port qos apply policy policy name outbound Required Table 1 4 Configure an uplink policy for the uplink port To do Use the command Remarks Enter system view system view Create a class and enter ...

Page 213: ...replacing the original SVLAN remark service vlan id vlan id value Required Exit to system view quit Create a QoS policy and enter QoS policy view qos policy policy name Required Map the original SVLAN and CVLAN to the new SVLAN by associating the traffic class with the traffic behavior classifier tcl name behavior behavior name Required Exit to system view quit Table 1 6 Configure a downlink polic...

Page 214: ... traffic class with the traffic behavior classifier tcl name behavior behavior name Required Exit to system view quit VLAN Mapping Configuration Examples One to One Many to One VLAN Mapping Configuration Example Network requirements To save VLAN resources use one VLAN to carry a type of service traffic from Switch C at the campus network edge while isolating the traffic of a home user from the tra...

Page 215: ...111 210 VLAN 501 VLAN 211 310 VLAN 502 VLAN 311 410 VLAN 503 Home gateway GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 GE1 0 3 Switch D DHCP server Campus switch Corridor switch Corridor switch GE1 0 1 Configuration procedure 1 Configuration on Switch A Create the CVLANs and the SVLANs SwitchA system view SwitchA vlan 2 to 3 SwitchA vlan 101 to 102 SwitchA vlan 201 to 202 Switch...

Page 216: ...policy p2 quit Configure downlink policies to map the SVLANs to the original CVLANs SwitchA traffic classifier c11 SwitchA classifier c11 if match service vlan id 101 SwitchA classifier c11 traffic classifier c22 SwitchA classifier c22 if match service vlan id 201 SwitchA classifier c22 traffic classifier c33 SwitchA classifier c33 if match service vlan id 301 SwitchA classifier c33 traffic classi...

Page 217: ...Ethernet1 0 1 quit Configure GigabitEthernet 1 0 2 to permit frames of the specified CVLANs and SVLANs to pass through SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link type trunk SwitchA GigabitEthernet1 0 2 port trunk permit vlan 1 2 3 102 202 302 Enable basic QinQ on GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 qinq enable Apply the uplink policy p2 to the inb...

Page 218: ...itchB qos policy p1 SwitchB policy p1 classifier c1 behavior b1 SwitchB policy p1 classifier c2 behavior b2 SwitchB policy p1 classifier c3 behavior b3 SwitchB policy p1 quit SwitchB qos policy p2 SwitchB policy p2 classifier c1 behavior b4 SwitchB policy p2 classifier c2 behavior b5 SwitchB policy p2 classifier c3 behavior b6 SwitchB policy p2 quit Configure downlink policies to map the SVLANs to...

Page 219: ...direction of GigabitEthernet 1 0 1 SwitchB GigabitEthernet1 0 1 qos apply policy p1 inbound Apply the downlink policy p11 to the outbound direction of GigabitEthernet 1 0 1 SwitchB GigabitEthernet1 0 1 qos apply policy p11 outbound SwitchB GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 to permit frames of the specified CVLANs and SLVANs to pass through SwitchB interface gigabitethernet ...

Page 220: ...enable SwitchC vlan311 vlan 112 SwitchC vlan112 arp detection enable SwitchC vlan112 vlan 212 SwitchC vlan212 arp detection enable SwitchC vlan212 vlan 312 SwitchC vlan312 arp detection enable SwitchC vlan312 vlan 501 SwitchC vlan501 arp detection enable SwitchC vlan501 vlan 502 SwitchC vlan502 arp detection enable SwitchC vlan502 vlan 503 SwitchC vlan503 arp detection enable SwitchC vlan503 quit ...

Page 221: ...2 quit Configure GigabitEthernet 1 0 1 to permit frames of the specified CVLANs and SVLANs to pass through SwitchC interface gigabitethernet 1 0 1 SwitchC GigabitEthernet1 0 1 port link type trunk SwitchC GigabitEthernet1 0 1 port trunk permit vlan 101 201 301 102 202 302 501 502 503 Enable customer side QinQ on GigabitEthernet 1 0 1 SwitchC GigabitEthernet1 0 1 qinq enable downlink Apply the upli...

Page 222: ...tethernet 1 0 1 SwitchD GigabitEthernet1 0 1 port link type trunk SwitchD GigabitEthernet1 0 1 port trunk permit vlan 501 502 503 Configure GigabitEthernet 1 0 1 as a DHCP snooping trusted port and disable DHCP snooping to record the IP to MAC bindings for DHCP clients on it SwitchD GigabitEthernet1 0 1 dhcp snooping trust no user binding Two to Two VLAN Mapping Configuration Example Network requi...

Page 223: ...ernet 1 0 2 to permit frames of VLAN 100 to pass through DeviceB interface gigabitethernet 1 0 2 DeviceB GigabitEthernet1 0 2 port link type trunk DeviceB GigabitEthernet1 0 2 port trunk permit vlan 100 3 Configuration on Device C Specify the original CVLAN and SVLAN in the VLAN mapping for VPN 1 traffic received on GigabitEthernet 1 0 1 DeviceC system view DeviceC traffic classifier downlink_in D...

Page 224: ...y the new CVLAN used for replacing the original CVLAN for outgoing VPN 1 traffic on GigabitEthernet 1 0 2 DeviceC traffic behavior uplink_out DeviceC behavior uplink_out remark customer vlan id 30 DeviceC behavior uplink_out quit Configure an uplink policy to map the original CVLAN and the new SVLAN to the new CVLAN for outgoing VPN 1 traffic on GigabitEthernet 1 0 2 DeviceC qos policy uplink_out ...

Page 225: ...1 0 2 port access vlan 200 DeviceD GigabitEthernet1 0 2 qinq enable Configure GigabitEthernet 1 0 1 to permit frames of VLAN 200 to pass through DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 port link type trunk DeviceD GigabitEthernet1 0 1 port trunk permit vlan 200 ...

Page 226: ...onfiguring Remote Port Mirroring 1 4 Configuration Prerequisites 1 4 Configuring a Remote Source Mirroring Group on the Source Device 1 4 Configuring a Remote Destination Mirroring Group on the Destination Device 1 6 Displaying and Maintaining Port Mirroring 1 7 Port Mirroring Configuration Examples 1 7 Local Port Mirroring Configuration Example 1 7 Remote Port Mirroring Configuration Example 1 8 ...

Page 227: ...he mirroring port or ports and the monitor port can be located on the same device or different devices Currently remote port mirroring can be implemented only at Layer 2 As a monitor port can monitor multiple ports it may receive multiple duplicates of a packet in some cases Suppose that port P 1 is monitoring bidirectional traffic on ports P 2 and P 3 on the same device If a packet travels from P...

Page 228: ...vice The source device is the device where the mirroring ports are located On it you must create a remote source mirroring group to hold the mirroring ports The source device copies the packets passing through the mirroring ports broadcasts the packets in the remote probe VLAN for remote mirroring and transmits the packets to the next device which could be an intermediate device if any or the dest...

Page 229: ...ring local port mirroring is to configure local mirroring groups A local mirroring group comprises one or multiple mirroring ports and one monitor port These ports must not have been assigned to any other mirroring group Follow these steps to configure a local mirroring group To do Use the command Remarks Enter system view system view Create a local mirroring group mirroring group groupid local Re...

Page 230: ...is enabled GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates For information on GVRP refer to GVRP Configuration in the Access Volume Configuration Prerequisites Create a static VLAN for the probe VLAN on the source and destination device To ensure correct packet handling ensure that the VLANs you created on the two devices use the same ID and function o...

Page 231: ...itor egress monitor egress port id interface interface type interface number mirroring group groupid monitor egress Configure the egress port In interface view quit Required Use either approach Configure the probe VLAN mirroring group groupid remote probe vlan rprobe vlan id Required When configuring the mirroring ports note that z The mirroring ports and the egress port must be located on the sam...

Page 232: ...e probe vlan rprobe vlan id Required In system view mirroring group groupid monitor port monitor port id interface interface type interface number mirroring group groupid monitor port Configure the monitor port In interface view quit Required Use either approach Enter the interface view of the monitor port interface interface type interface number For an access port port access vlan rprobe vlan id...

Page 233: ...e Available in any view Port Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Ethernet switches z Research and Development R D department is connected to Switch C through GigabitEthernet 1 0 1 z Marketing department is connected to Switch C through GigabitEthernet 1 0 2 z Data monitoring devi...

Page 234: ...l the port mirroring groups SwitchC display mirroring group all mirroring group 1 type local status active mirroring port GigabitEthernet1 0 1 both GigabitEthernet1 0 2 both monitor port GigabitEthernet1 0 3 After finishing the configuration you can monitor all the packets received and sent by R D department and Marketing department on the Data monitoring device Remote Port Mirroring Configuration...

Page 235: ...ination mirroring group on Switch C Configure VLAN 2 as the remote port mirroring VLAN and port GigabitEthernet 1 0 2 to which the data monitoring device is connected as the destination port Figure 1 4 Network diagram for remote port mirroring configuration Configuration procedure 1 Configure Switch A the source device Create a remote source port mirroring group SwitchA system view SwitchA mirrori...

Page 236: ... port GigabitEthernet 1 0 1 as a trunk port and configure the port to permit the packets of VLAN 2 SwitchC system view SwitchC interface GigabitEthernet 1 0 1 SwitchC GigabitEthernet1 0 1 port link type trunk SwitchC GigabitEthernet1 0 1 port trunk permit vlan 2 SwitchC GigabitEthernet1 0 1 quit Create a remote destination port mirroring group SwitchC mirroring group 1 remote destination Create VL...

Page 237: ...hich the client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client This document describes z DHCP server configuration z DHCP relay agent configuration z DHCP Client configuration z DHCP Snooping configuration z BOOTP Client configuration DNS Used in the TCP IP application Domain Name System DNS is a distributed da...

Page 238: ...guration z IPv6 DNS Client configuration Dual Stack A network node that supports both IPv4 and IPv6 is called a dual stack node A dual stack node configured with an IPv4 address and an IPv6 address can have both IPv4 and IPv6 packets transmitted This document describes z Dual stack overview z Dual stack configuration Tunneling Tunneling is an encapsulation technique which utilizes one network tran...

Page 239: ... Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 IP Addressing Configuration Example 1 4 Displaying and Maintaining IP Addressing 1 5 ...

Page 240: ...example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net ID The first several bits of the IP address defining a network also known as class bits z Host id Identifies a host o...

Page 241: ...tes the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For example a packet with the destination address of 192 168 1 255 will be broadcasted to all the hosts on the network 192 168 1 0 Subnetting and Masking Subnetting was developed to address the risk of IP addr...

Page 242: ... IP address to the VLAN interface you may configure the VLAN interface to obtain one through BOOTP or DHCP as alternatives If you change the way an interface obtains an IP address from manual assignment to BOOTP for example the IP address obtained from BOOTP will overwrite the old one manually assigned This chapter only covers how to assign an IP address manually For the other two approaches refer...

Page 243: ...sts on the two network segments to communicate with the external network through the switch and the hosts on the LAN can communicate with each other do the following z Assign two IP addresses to VLAN interface 1 on the switch z Set the switch as the gateway on all PCs in the two networks Figure 1 3 Network diagram for IP addressing configuration Configuration procedure Assign a primary IP address ...

Page 244: ...tes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 5 ttl 255 time 26 ms 172 16 2 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 25 25 26 ...

Page 245: ... ARP Entry Check 1 5 ARP Configuration Example 1 5 Configuring Gratuitous ARP 1 6 Introduction to Gratuitous ARP 1 6 Configuring Gratuitous ARP 1 6 Displaying and Maintaining ARP 1 6 2 Proxy ARP Configuration 2 1 Proxy ARP Overview 2 1 Proxy ARP 2 1 Local Proxy ARP 2 2 Enabling Proxy ARP 2 2 Displaying and Maintaining Proxy ARP 2 3 Proxy ARP Configuration Examples 2 3 Proxy ARP Configuration Examp...

Page 246: ... datagrams must be encapsulated within Ethernet frames before they can be transmitted over physical networks the sending host or device also needs to know the physical address of the destination host or device Therefore a mapping between the IP address and the physical address is needed ARP is the protocol to implement the mapping function ARP Message Format Figure 1 1 ARP message format The follo...

Page 247: ...t A buffers the packet and broadcasts an ARP request in which the sender IP address and the sender MAC address are the IP address and the MAC address of Host A respectively and the target IP address and the target MAC address are the IP address of Host B and an all zero MAC address respectively Because the ARP request is a broadcast all hosts on this subnet can receive the request but only the req...

Page 248: ... IP to MAC mapping specified in the static ARP entry Thus communications between the protected device and the specified device are ensured Static ARP entries can be classified into permanent or non permanent z A permanent static ARP entry can be directly used to forward packets When configuring a permanent static ARP entry you must configure a VLAN and an outbound interface for the entry besides t...

Page 249: ... Ethernet interface following the argument must belong to that VLAN A VLAN interface must be created for the VLAN Configuring the Maximum Number of ARP Entries for an Interface Follow these steps to set the maximum number of dynamic ARP entries that an interface can learn To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number...

Page 250: ...nable the ARP entry check arp check enable Optional By default the device is disabled from learning multicast MAC addresses ARP Configuration Example Network requirements z Enable the ARP entry check z Set the aging time for dynamic ARP entries to 10 minutes z Set the maximum number of dynamic ARP entries that VLAN interface 10 can learn to 1 000 z Add a static ARP entry with the IP address being ...

Page 251: ...e the device to send gratuitous ARP packets when receiving ARP requests from another network segment gratuitous arp sending enable Required By default a device cannot send gratuitous ARP packets when receiving ARP requests from another network segment Enable the gratuitous ARP packet learning function gratuitous arp learning enable Optional Enabled by default Displaying and Maintaining ARP To do U...

Page 252: ...1 7 Clearing ARP entries from the ARP table may cause communication failures ...

Page 253: ...work Proxy ARP involves common proxy ARP and local proxy ARP which are described in the following sections The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless otherwise specified Proxy ARP A proxy ARP enabled device allows hosts that reside on different subnets to communicate As shown in Figure 2 1 Switch connects to two subnets through VLAN interface 1 a...

Page 254: ...o hosts Figure 2 2 Application environment of local proxy ARP VLAN 2 Vlan int2 192 168 10 100 16 Switch B GE1 0 3 GE1 0 1 GE1 0 2 Host A 192 168 10 99 16 Host B 192 168 10 200 16 VLAN 2 port isolate group Switch A In one of the following cases you need to enable local proxy ARP z Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3 z If an isolate us...

Page 255: ...w Proxy ARP Configuration Examples Proxy ARP Configuration Example Network requirements Host A and Host D have the same IP prefix and mask Host A belongs to VLAN 1 Host D belongs to VLAN 2 Configure proxy ARP on the switch to enable the communication between the two hosts Figure 2 3 Network diagram for proxy ARP Configuration procedure Configure Proxy ARP on Switch to enable the communication betw...

Page 256: ...nd Host B Figure 2 4 Network diagram for local proxy ARP between isolated ports Switch A Switch B GE1 0 2 GE1 0 3 GE1 0 1 Host A 192 168 10 99 24 Host B 192 168 10 200 24 GE1 0 2 VLAN 2 Vlan int2 192 168 10 100 24 Configuration procedure 1 Configure Switch B Add GigabitEthernet 1 0 3 GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to VLAN 2 Host A and Host B are isolated and unable to exchange Lay...

Page 257: ...user vlan which includes uplink port GigabitEthernet 1 0 1 and two secondary VLANs VLAN 2 and VLAN 3 GigabitEthernet 1 0 2 belongs to VLAN 2 and GigabitEthernet 1 0 3 belongs to VLAN 3 z Configure local proxy ARP on Switch A to implement Layer 3 communication between VLAN 2 and VLAN 3 Figure 2 5 Network diagram for local proxy ARP configuration in isolate user vlan Switch A Switch B Host A 192 168...

Page 258: ...dd GigabitEthernet 1 0 1 to it SwitchA system view SwitchA vlan 5 SwitchA vlan5 port gigabitethernet 1 0 1 SwitchA vlan5 interface vlan interface 5 SwitchA Vlan interface5 ip address 192 168 10 100 255 255 0 0 The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2 Configure local proxy ARP to implement communication between VLAN 2 and VLAN 3 SwitchA Vlan inte...

Page 259: ...onfiguring a Domain Name Suffix for the Client 2 8 Configuring DNS Servers for the Client 2 8 Configuring WINS Servers and NetBIOS Node Type for the Client 2 8 Configuring the BIMS Server Information for the Client 2 9 Configuring Gateways for the Client 2 9 Configuring Option 184 Parameters for the Client with Voice Service 2 10 Configuring the TFTP Server and Bootfile Name for the Client 2 10 Co...

Page 260: ...HCP Relay Agent Configuration 3 11 4 DHCP Client Configuration 4 1 Introduction to DHCP Client 4 1 Enabling the DHCP Client on an Interface 4 1 Displaying and Maintaining the DHCP Client 4 2 DHCP Client Configuration Example 4 2 5 DHCP Snooping Configuration 5 1 DHCP Snooping Overview 5 1 Function of DHCP Snooping 5 1 Application Environment of Trusted Ports 5 2 DHCP Snooping Support for Option 82...

Page 261: ...configurations on hosts become more complex The Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which a client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client A typical DHCP application as shown in Figure 1 1 includes a DHCP server and mul...

Page 262: ...P server via four steps 1 The client broadcasts a DHCP DISCOVER message to locate a DHCP server 2 A DHCP server offers configuration parameters including an IP address to the client in a DHCP OFFER message The sending mode of the DHCP OFFER message is determined by the flag field in the DHCP DISCOVER message Refer to DHCP Message Format for related information 3 If several DHCP servers send offers...

Page 263: ...cast to extend the lease duration Upon availability of the IP address the DHCP server returns a DHCP ACK unicast confirming that the client s lease duration has been extended or a DHCP NAK unicast denying the request If the client receives no reply it broadcasts another DHCP REQUEST message for lease extension after 7 8 lease duration elapses The DHCP server handles the request as above mentioned ...

Page 264: ...ormat as the Bootstrap Protocol BOOTP message for compatibility but differs from it in the option field which identifies new features for DHCP DHCP uses the option field in DHCP messages to carry control information and network configuration parameters implementing dynamic address allocation and providing more network configuration information for clients Figure 1 4 shows the DHCP option format Fi...

Page 265: ...iguration Server ACS parameters including the ACS URL username and password z Service provider identifier acquired by the customer premises equipment CPE from the DHCP server and sent to the ACS for selecting vender specific configurations and parameters z Preboot Execution Environment PXE server address for further obtaining the bootfile or other control information from the PXE server 1 Format o...

Page 266: ...ate the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients Option 82 involves at most 255 sub options At least one sub option is defined Currently the DHCP relay agent supports two sub options sub option 1 Circuit ID and sub option ...

Page 267: ...DHCP messages and the type number and VLAN ID of the interface that received the client s request Its format is shown in Figure 1 10 Figure 1 10 Sub option 1 in verbose padding format In Figure 1 10 except that the VLAN ID field has a fixed length of 2 bytes all the other padding contents of sub option 1 are length variable z Sub option 2 Padded with the MAC address of the DHCP relay agent interfa...

Page 268: ...or not z Sub option 4 Failover route that specifies the destination IP address and the called number SIP users use such IP addresses and numbers to communicate with each other that a SIP user uses to reach another SIP user when both the primary and backup calling processors are unreachable You must define the sub option 1 to make other sub options effective Protocols and Standards z RFC 2131 Dynam...

Page 269: ...nly on VLAN interfaces and loopback interfaces The secondary IP address pool configuration is not supported on loopback interfaces Introduction to DHCP Server Application Environment The DHCP server is well suited to the network where z It is hard to implement manual configuration and centralized management z The hosts are more than the assignable IP addresses and it is impossible to assign a fixe...

Page 270: ...ddress from this address pool If no IP address is available in the address pool the DHCP server will fail to assign an address to the client For the configuration of such an address pool refer to section Configuring Dynamic Address Allocation for an Extended Address Pool 2 If there is an address pool where an IP address is statically bound to the MAC address or ID of the client the DHCP server wil...

Page 271: ...ge 5 The first assignable IP address found in a proper common address pool 6 The IP address that was a conflict or passed its lease duration If no IP address is assignable the server does not respond Option 50 is the requested IP address field in DHCP DISCOVER messages It is padded by the client to specify the IP address that the client wants to obtain The contents to be padded depend on the clien...

Page 272: ... the Client Configuring the BIMS Server Information for the Client Configuring Gateways for the Client Configuring Option 184 Parameters for the Client with Voice Service Configuring the TFTP Server and Bootfile Name for the Client Configuring Self Defined DHCP Options Optional Creating a DHCP Address Pool When creating a DHCP address pool specify it as a common address pool or an extended address...

Page 273: ...an IP address the DHCP server will find the IP address from the binding for the client A DHCP address pool now supports only one static binding which can be a MAC to IP or ID to IP binding Follow these steps to configure a static binding in a common address pool To do Use the command Remarks Enter system view system view Enter common address pool view dhcp server ip pool pool name Specify the IP a...

Page 274: ...tic binding to identify the requesting interface otherwise the client may fail to obtain an IP address Configuring dynamic address allocation You need to specify one and only one address range using a mask for the dynamic address allocation To avoid address conflicts the DHCP server excludes IP addresses used by the gateway or FTP server from dynamic allocation You can specify the lease duration f...

Page 275: ...range and the mask are specified the address pool is valid Follow these steps to configure dynamic address allocation for an extended address pool To do Use the command Remarks Enter system view system view Enter extended address pool view dhcp server ip pool pool name extended Specify the IP address range network ip range min address max address Required Not specified by default Specify the IP ad...

Page 276: ...To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name extended Specify DNS servers for the client dns list ip address 1 8 Required Not specified by default Configuring WINS Servers and NetBIOS Node Type for the Client A Microsoft DHCP client using NetBIOS protocol contacts a Windows Internet Naming Service WINS server for name resolu...

Page 277: ... Client A DHCP client performs regular software update and backup using configuration files obtained from a branch intelligent management system BIMS server Therefore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure the BIMS server IP address port number and shared key in the DHCP address pool T...

Page 278: ... system view Enter DHCP address pool view dhcp server ip pool pool name extended Specify the IP address of the primary network calling processor voice config ncp ip ip address Required Not specified by default Specify the IP address of the backup network calling processor voice config as ip ip address Optional Not specified by default Configure the voice VLAN voice config voice vlan vlan id disabl...

Page 279: ...nd Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name extended Specify the TFTP server tftp server ip address ip address Specify the name of the TFTP server tftp server domain name domain name Required to use either command Not specified by default Specify the bootfile name bootfile name bootfile name Required Not specified by default Configuring Self ...

Page 280: ...netbios type hex 66 TFTP server name tftp server ascii 67 Bootfile name bootfile name ascii 43 Vendor Specific Information hex Be cautious when configuring self defined DHCP options because such configuration may affect the DHCP operation process Enabling DHCP Enable DHCP before performing other configurations Follow these steps to enable DHCP To do Use the command Remarks Enter system view system...

Page 281: ...has no secondary IP addresses the server is unable to assign an IP address to the client z Without the keyword subaddress specified the DHCP server will assign an IP address from the address pool containing the primary IP address of the server interface connected to the client Applying an Extended Address Pool on an Interface After you create an extended address pool and apply it on an interface t...

Page 282: ...HCP servers Follow these steps to enable unauthorized DHCP server detection To do Use the command Remarks Enter system view system view Enable unauthorized DHCP server detection dhcp server detect Required Disabled by default With the unauthorized DHCP server detection enabled the device puts a record once for each DHCP server The administrator needs to find unauthorized DHCP servers from the log ...

Page 283: ... requesting client If the server is configured to ignore Option 82 it will assign an IP address to the client without adding Option 82 in the response message Configuration prerequisites Before performing this configuration complete the following configuration on the DHCP server z Enable DHCP z Configure the DHCP address pool Configuring the handling mode for Option 82 Follow these steps to enable...

Page 284: ...ear information about IP address conflicts reset dhcp server conflict all ip ip address Clear information about dynamic bindings reset dhcp server ip in use all ip ip address pool pool name Clear information about DHCP server statistics reset dhcp server statistics Available in user view Using the save command does not save DHCP server lease information Therefore when the system boots up or the re...

Page 285: ...ess 10 1 1 5 SwitchA dhcp pool 0 static bind mac address 000f e200 0002 SwitchA dhcp pool 0 dns list 10 1 1 2 SwitchA dhcp pool 0 gateway list 10 1 1 126 SwitchA dhcp pool 0 quit Dynamic IP Address Assignment Configuration Example Network requirements z As shown in Figure 2 2 DHCP server Switch A assigns IP address to clients in subnet 10 1 1 0 24 which is subnetted into 10 1 1 0 25 and 10 1 1 128...

Page 286: ...faces omitted Configure the DHCP server Enable DHCP SwitchA system view SwitchA dhcp enable Exclude IP addresses addresses of the DNS server WINS server and gateways SwitchA dhcp server forbidden ip 10 1 1 2 SwitchA dhcp server forbidden ip 10 1 1 4 SwitchA dhcp server forbidden ip 10 1 1 126 SwitchA dhcp server forbidden ip 10 1 1 254 Configure DHCP address pool 0 address range client domain name...

Page 287: ...HCP clients through Option 43 a self defined option The format of Option 43 and that of the PXE server address list are shown in Figure 1 5 and Figure 1 7 respectively The value of Option 43 configured on the DHCP server in this example is 80 0B 00 00 02 01 02 03 04 02 02 02 02 The number 80 is the value of the sub option type The number 0B is the value of the sub option length The numbers 00 00 a...

Page 288: ...me to check whether there is a host using the same IP address 2 If a ping response is received the IP address has been manually configured on the host Execute the dhcp server forbidden ip command on the DHCP server to exclude the IP address from dynamic allocation 3 Connect the client s network cable Release the IP address and obtain another one on the client Take WINDOW XP as an example run cmd t...

Page 289: ...pported only on VLAN interfaces Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same subnet Therefore a DHCP server must be available on each subnet which is not practical DHCP relay agent solves the problem Via a relay agent DHCP clients communicate with a DHCP server on another subn...

Page 290: ...IP address and forwards the message to the designated DHCP server in unicast mode 2 Based on the giaddr field the DHCP server returns an IP address and other configuration parameters to the relay agent which conveys them to the client DHCP Relay Agent Support for Option 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implemen...

Page 291: ...e Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent Task Remarks Enabling DHCP Required Enabling the DHCP Relay Agent on an Interface Required Cor...

Page 292: ... an IP address via the DHCP relay agent the address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server Otherwise the DHCP client cannot obtain a correct IP address Correlating a DHCP Server Group with a Relay Agent Interface To improve reliability you can specify several DHCP servers as a group on the DHCP relay agent and correlate a re...

Page 293: ...mmand Configuring the DHCP Relay Agent Security Functions Creating static bindings and enable IP address check The DHCP relay agent can dynamically record clients IP to MAC bindings after clients get IP addresses It also supports static bindings which means you can manually configure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses For a...

Page 294: ... a specified interval The DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a DHCP REQUEST message to the DHCP server z If the server returns a DHCP ACK message or does not return any message within a specified interval which means the IP address is assignable now the DHCP relay agent will update its bindings by aging out the bind...

Page 295: ... After you configure this task the DHCP relay agent actively sends a DHCP RELEASE request that contains the client s IP address to be released Upon receiving the DHCP RELEASE request the DHCP server then releases the IP address for the client meanwhile the client s IP to MAC binding entry is removed from the DHCP relay agent Follow these steps to configure the DHCP relay agent in system view to se...

Page 296: ...b option dhcp relay information circuit id format type ascii hex Optional By default the code type depends on the padding format of Option 82 Each field has its own code type The code type configuration applies to non user defined Option 82 only Configure non user defined Option 82 Configure the code type for the remote ID sub option dhcp relay information remote id format type ascii hex Optional ...

Page 297: ...ce type interface number Display information about bindings of DHCP relay agents display dhcp relay security ip address dynamic static Display statistics information about bindings of DHCP relay agents display dhcp relay security statistics Display information about the refreshing interval for entries of dynamic IP to MAC bindings display dhcp relay security tracker Display information about the c...

Page 298: ...group 1 SwitchA Vlan interface1 dhcp relay server select 1 z Performing the configuration on the DHCP server is also required to guarantee the client server communication via the relay agent Refer to DHCP Server Configuration Examples for DHCP server configuration information z Because the DHCP relay agent and server are on different subnets you need to configure a static route or dynamic routing ...

Page 299: ...hA Vlan interface1 dhcp relay information strategy replace SwitchA Vlan interface1 dhcp relay information circuit id string company001 SwitchA Vlan interface1 dhcp relay information remote id string device001 You need to perform corresponding configurations on the DHCP server to make the Option 82 configurations function normally Troubleshooting DHCP Relay Agent Configuration Symptom DHCP clients ...

Page 300: ...3 12 z The relay agent interface connected to DHCP clients is correlated with correct DHCP server group and IP addresses for the group members are correct ...

Page 301: ...t recommended to enable both the DHCP client and the DHCP snooping on the same device Otherwise DHCP snooping entries may fail to be generated or the DHCP client may fail to obtain an IP address Introduction to DHCP Client With the DHCP client enabled on an interface the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server Enabling the DHCP Client o...

Page 302: ...enabled on the interface by executing the undo ip address dhcp alloc and ip address dhcp alloc commands in sequence Displaying and Maintaining the DHCP Client To do Use the command Remarks Display specified configuration information display dhcp client verbose interface interface type interface number Available in any view DHCP Client Configuration Example Network requirements As shown in Figure 2...

Page 303: ...ing can implement the following 1 Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers 2 Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers If there is an unauthorized DHCP server on a network the DHCP clients may obtain invalid IP addresses and network configuration parameters and cannot normally communicate ...

Page 304: ... customer VLANs CVLANs by searching corresponding DHCP snooping entries for DHCP client information including IP addresses MAC addresses and CVLANs when sending the packets to clients For details refer to VLAN Mapping Configuration in the Access Volume Application Environment of Trusted Ports Configuring a trusted port connected to a DHCP server Figure 5 1 Configure trusted and untrusted ports Tru...

Page 305: ...ecord binding entries Switch A GE1 0 1 GE1 0 3 GE1 0 2 Switch B GE1 0 3 and GE1 0 4 GE1 0 1 GE1 0 2 Switch C GE1 0 1 GE1 0 3 and Ethernet 1 4 GE1 0 2 DHCP Snooping Support for Option 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent option Optio...

Page 306: ...d the message after adding the Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 The handling strategy and padding format for Option 82 on the DHCP snooping device are the same as those on the relay agent Configuring DHCP Snooping Basic Functions Fol...

Page 307: ...ayer 2 Ethernet interface to an aggregation group z Configuring both the DHCP snooping and selective QinQ function on the switch is not recommended because it may result in malfunctioning of DHCP snooping Configuring DHCP Snooping to Support Option 82 Prerequisites You need to enable the DHCP snooping function before configuring DHCP snooping to support Option 82 Configuring DHCP Snooping to Suppo...

Page 308: ...ng circuit id Optional By default the padding content depends on the padding format of Option 82 Configure user defined Option 82 Configure the padding content for the remote ID sub option dhcp snooping information vlan vlan id remote id string remote id sysname Optional By default the padding content depends on the padding format of Option 82 z You can enable DHCP snooping to support Option 82 on...

Page 309: ... statistics slot slot number Available in user view DHCP Snooping Configuration Examples DHCP Snooping Configuration Example Network requirements z As shown in Figure 5 3 Switch B is connected to a DHCP server through GigabitEthernet 1 0 1 and to two DHCP clients through GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 z GigabitEthernet 1 0 1 forwards DHCP server responses while the other two do no...

Page 310: ...itEthernet 1 0 1 as trusted SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 to support Option 82 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 dhcp snooping information enable SwitchB GigabitEthernet1 0 2 dhcp snooping information strategy replace SwitchB GigabitEtherne...

Page 311: ... Introduction to BOOTP Client This section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards BOOTP Application After you specify an interface of a device as a BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to confi...

Page 312: ... the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP client 3 The BOOTP client obtains the IP address from the received response Protocols and Standards Some protocols and standards related to BOOTP include z RFC 951 Bootstrap Protocol BOOTP z RFC 2132 DHCP Options and BOOTP Vendor Extensions z RFC 1542 Clarifications and Extensions for the Bootstrap Protocol Configuring a...

Page 313: ...LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Configuration procedure The following describes only the configuration on Switch B serving as a client Configure VLAN interface 1 to dynamically obtain an IP address from the DHCP server SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address bootp alloc To make the BOOTP client obtain ...

Page 314: ...Configuring Static Domain Name Resolution 1 4 Configuring Dynamic Domain Name Resolution 1 4 Configuring the DNS Proxy 1 5 Displaying and Maintaining DNS 1 5 DNS Configuration Examples 1 5 Static Domain Name Resolution Configuration Example 1 5 Dynamic Domain Name Resolution Configuration Example 1 6 DNS Proxy Configuration Example 1 9 Troubleshooting DNS Configuration 1 10 ...

Page 315: ... checks the local static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution Therefore some frequently queried name to IP address mappings are stored in the local static name resolution table to improve efficiency Static Domain Name Resolution The static domain name resolution...

Page 316: ...is valid and the DNS client gets the aging information from DNS messages DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resolved is incomplete The resolver can supply the missing part For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com The...

Page 317: ... the DNS proxy instead of on each DNS client Figure 1 2 DNS proxy networking application Operation of a DNS proxy 1 A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy that is the destination address of the request is the IP address of the DNS proxy 2 The DNS proxy searches the local static domain name resolution table after receiving the request If the ...

Page 318: ...ous one if there is any You may create up to 50 static mappings between domain names and IP addresses Configuring Dynamic Domain Name Resolution Follow these steps to configure dynamic domain name resolution To do Use the command Remarks Enter system view system view Enable dynamic domain name resolution dns resolve Required Disabled by default Specify a DNS server dns server ip address Required N...

Page 319: ...lable in any view Clear the information of the dynamic domain name cache reset dns dynamic host Available in user view DNS Configuration Examples Static Domain Name Resolution Configuration Example Network requirements Switch uses the static domain name resolution to access Host with IP address 10 1 1 2 through domain name host com Figure 1 3 Network diagram for static domain name resolution Confi...

Page 320: ...x is com The mapping between domain name Host and IP address 3 1 1 1 16 is stored in the com domain z Switch serves as a DNS client and uses the dynamic domain name resolution and the suffix to access the host with the domain name host com and the IP address 3 1 1 1 16 Figure 1 4 Network diagram for dynamic domain name resolution Configuration procedure z Before performing the following configurat...

Page 321: ...ructions to create a new zone named com Figure 1 5 Create a zone Create a mapping between the host name and IP address Figure 1 6 Add a host In Figure 1 6 right click zone com and then select New Host to bring up a dialog box as shown in Figure 1 7 Enter host name host and IP address 3 1 1 1 ...

Page 322: ...ost is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes 56 Sequence 1 ttl 126 time 3 ms Reply from 3 1 1 1 bytes 56 Sequence 2 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 3 ttl 126 time 1 ms Reply from ...

Page 323: ...er and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 1 8 1 Configure the DNS server This configuration may vary with different DNS servers When a Windows server 2000 acts as the DNS server refer to Dynamic Domain Name Resolution Configuration Example for related configuration information 2 Configure the DNS proxy Specify the DNS serve...

Page 324: ...4 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 5 ttl 126 time 1 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 1 3 ms Troubleshooting DNS Configuration Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution z Use the display dns dynamic host command to verify that the ...

Page 325: ...a Directly Connected Network 1 1 Enabling Reception of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configuration Example 1 2 Configuring TCP Optional Parameters 1 3 Configuring ICMP to Send Error Packets 1 4 Displaying and Maintaining IP Performance Optimization 1 6 ...

Page 326: ...specific network In the destination IP address of a directed broadcast the network ID is a network ID identifies the target network and the host ID is all one If a device is allowed to forward directed broadcasts to a directly connected network hackers may mount attacks to the network Therefore the device is disabled from receiving and forwarding directed broadcasts to a directly connected network...

Page 327: ...mand executed last time does not include the acl acl number the ACL configured previously will be removed Configuration Example Network requirements As shown in Figure 1 1 the host s interface and VLAN interface 3 of Switch A are on the same network segment 1 1 1 0 24 VLAN interface 2 of Switch A and VLAN interface 2 of Switch B are on another network segment 2 2 2 0 24 The default gateway of the ...

Page 328: ...ers TCP optional parameters that can be configured include z synwait timer When sending a SYN packet TCP starts the synwait timer If no response packet is received within the synwait timer interval the TCP connection cannot be created z finwait timer When a TCP connection is changed into FIN_WAIT_2 state the finwait timer is started If no FIN packets is received within the timer interval the TCP c...

Page 329: ... route option in the packet ICMP redirect packets function simplifies host administration and enables a host to gradually establish a sound routing table to find out the best route 2 Sending ICMP timeout packets If the device received an IP packet with a timeout error it drops the packet and sends an ICMP timeout packet to the source The device will send an ICMP timeout packet under the following ...

Page 330: ...ng a lot of ICMP packets will increase network traffic z If a device receives a lot of malicious packets that cause it to send ICMP error packets its performance will be reduced z As the redirection function increases the routing table size of a host the host s performance will be reduced if its routing table becomes very large z If a host sends malicious ICMP destination unreachable packets end u...

Page 331: ...play ip socket socktype sock type task id socket id slot slot number Display FIB information display fib vpn instance vpn instance name begin include exclude regular expression acl acl number ip prefix ip prefix name Display FIB information matching the specified destination IP address display fib vpn instance vpn instance name ip address mask mask length Available in any view Clear statistics of ...

Page 332: ...ontents 1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 1 Displaying and Maintaining UDP Helper 1 2 UDP Helper Configuration Examples 1 2 UDP Helper Configuration Example 1 2 ...

Page 333: ... relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the packet matches the one pre configured on the device the device modifies the destinati...

Page 334: ...tion of all UDP ports is removed if you disable UDP Helper z You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port numbers z You can configure up to 20 destination servers on an interface Displaying and Maintaining UDP Helper To do Use the command Remarks Displays the information of forwarded UDP packets display udp helper server interface interface t...

Page 335: ... 0 16 is available Enable UDP Helper SwitchA system view SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port 55 SwitchA udp helper port 55 Specify the destination server 10 2 1 1 on VLAN interface 1 SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 110 1 1 16 SwitchA Vlan interface1 udp helper server 10 2 1 1 ...

Page 336: ... to RA Messages 1 12 Configuring the Maximum Number of Attempts to Send an NS Message for DAD 1 15 Configuring PMTU Discovery 1 15 Configuring a Static PMTU for a Specified IPv6 Address 1 15 Configuring the Aging Time for Dynamic PMTUs 1 15 Configuring IPv6 TCP Properties 1 16 Configuring ICMPv6 Packet Sending 1 16 Configuring the Maximum ICMPv6 Error Packets Sent in an Interval 1 16 Enable Sendin...

Page 337: ...ew Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits This section covers the following z IPv6 Features z Introduction to IPv6 Address z Introduction to IP...

Page 338: ...tateful and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from a server for example a DHCP server z Stateless address configuration means that a host automatically generates an IPv6 address and related information on the basis of its own link layer address and the prefix information advertised by a router In addi...

Page 339: ...can be represented in a shorter format as 2001 0 130F 0 0 9C0 876A 130B z If an IPv6 address contains two or more consecutive groups of zeros they can be replaced by a double colon For example the above mentioned address can be represented in the shortest format as 2001 0 130F 9C0 876A 130B A double colon can be used only once in an IPv6 address Otherwise the device is unable to determine how many...

Page 340: ...addresses including aggregatable global unicast address link local address and site local address z The aggregatable global unicast addresses equivalent to public IPv4 addresses are provided for network service providers This type of address allows efficient prefix aggregation to restrict the number of global routing entries z The link local addresses are used for communication between link local ...

Page 341: ...0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 unicast or anycast address Interface identifier in IEEE EUI 64 format An interface identifier is used to identify a unique interface on a link and is 64 bits long An interface identifier in IEEE EUI 64 format is derived from the link layer address MAC of an interface A MAC address is 48 bits long and theref...

Page 342: ...sed to respond to an RS message Router advertisement RA message 134 With the RA message suppression disabled the router regularly sends an RA message containing information such as prefix information options and flag bits Redirect message 137 When a certain condition is satisfied the default gateway sends a redirect message to the source host so that the host can reselect a correct next hop router...

Page 343: ...ion The DAD procedure is as follows 1 Node A sends an NS message whose source address is the unassigned address and destination address is the corresponding solicited node multicast address of the IPv6 address to be detected The NS message contains the IPv6 address 2 If node B uses this IPv6 address node B returns an NA message The NA message contains the IPv6 address of node B 3 Node A learns tha...

Page 344: ...the source host so that the host can select a better next hop to forward packets similar to the ICMP redirection function in IPv4 The gateway sends an IPv6 ICMP redirect message when the following conditions are satisfied z The receiving interface is the forwarding interface z The selected route itself is not created or modified by an IPv6 ICMP redirect message z The selected route is not the defa...

Page 345: ...dresses but also AAAA records IPv6 addresses The DNS server can convert domain names into IPv4 addresses or IPv6 addresses In this way the DNS server implements the functions of both IPv6 DNS and IPv4 DNS Protocols and Standards Protocols and standards related to IPv6 include z RFC 1881 IPv6 Address Allocation Management z RFC 1887 An Architecture for IPv6 Unicast Address Allocation z RFC 1981 Pat...

Page 346: ...IPv6 site local addresses or aggregatable global unicast addresses are configured manually IPv6 link local addresses can be configured in either of the following ways z Automatic generation The device automatically generates a link local address for an interface according to the link local address prefix FE80 10 and the link layer address of the interface z Manual assignment IPv6 link local addres...

Page 347: ...st adopt manual assignment and then automatic generation the automatically generated link local address will not take effect and the link local address of an interface is still the manually assigned one If you delete the manually assigned address the automatically generated link local address is validated z The undo ipv6 address auto link local command can only remove the link local addresses gene...

Page 348: ...cquire the link layer address of a neighbor node through NS and NA messages and add it into the neighbor table Too large a neighbor table may reduce the forwarding performance of the device You can restrict the size of the neighbor table by setting the maximum number of neighbors that an interface can dynamically learn When the number of dynamically learned neighbors reaches the threshold the inte...

Page 349: ... hosts use the stateless autoconfiguration to acquire information other than IPv6 addresses Router lifetime This field is used to set the lifetime of the router that sends RA messages to serve as the default router of hosts According to the router lifetime in the received RA messages hosts determine whether the router sending RA messages can serve as the default router Retrans timer If the device ...

Page 350: ... and the IPv6 address of the interface sending RA messages is used as the prefix information Set the M flag bit to 1 ipv6 nd autoconfig managed address flag Optional By default the M flag bit is set to 0 that is hosts acquire IPv6 addresses through stateless autoconfiguration Set the O flag bit to 1 ipv6 nd autoconfig other flag Optional By default the O flag bit is set to 0 that is hosts acquire ...

Page 351: ...message for DAD ipv6 nd dad attempts value Optional 1 by default When the value argument is set to 0 DAD is disabled Configuring PMTU Discovery Configuring a Static PMTU for a Specified IPv6 Address You can configure a static PMTU for a specified destination IPv6 address When a source host sends a packet through an interface it compares the interface MTU with the static PMTU of the specified desti...

Page 352: ...connection is terminated after the finwait timer expires z Size of the IPv6 TCP sending receiving buffer Follow these steps to configure IPv6 TCP properties To do Use the command Remarks Enter system view system view Set the finwait timer tcp ipv6 timer fin timeout wait time Optional 675 seconds by default Set the synwait timer tcp ipv6 timer syn timeout wait time Optional 75 seconds by default Se...

Page 353: ...t echo requests by default Follow these steps to enable sending of multicast echo replies To do Use the command Remarks Enter system view system view Enable sending of multicast echo replies ipv6 icmpv6 multicast echo reply enable Not enabled by default Enabling Sending of ICMPv6 Time Exceeded Packets A device sends an ICMPv6 time exceeded packet in the following cases z If a received IPv6 packet ...

Page 354: ...er for resolution The system can support at most six DNS servers You can configure a DNS suffix so that you only need to enter part of a domain name and the system can automatically add the preset suffix for address resolution The system can support at most 10 DNS suffixes Follow these steps to configure dynamic IPv6 domain name resolution To do Use the command Remarks Enter system view system vie...

Page 355: ...ace type interface number vlan vlan id count Display the PMTU information of an IPv6 address display ipv6 pathmtu ipv6 address all dynamic static Display socket information display ipv6 socket socktype socket type task id socket id slot slot number Display the statistics of IPv6 packets and ICMPv6 packets display ipv6 statistics slot slot number Display the IPv6 TCP connection statistics display t...

Page 356: ... is 3001 2 64 and a route to Host is available z IPv6 is enabled for Host to automatically get an IPv6 address through IPv6 NDP and a route to Switch B is available Figure 1 6 Network diagram for IPv6 address configuration The VLAN interfaces have been created on the switch Configuration procedure z Configure Switch A Enable IPv6 SwitchA system view SwitchA ipv6 Specify an aggregatable global unic...

Page 357: ...2001 15B E0EA 3524 E791 0015 e9a6 7d14 1 GE1 0 2 STALE D 1248 The above information shows that the IPv6 aggregatable global unicast address that Host obtained is 2001 15B E0EA 3524 E791 Verification Display the IPv6 interface settings on Switch A SwitchA Vlan interface1 display ipv6 interface vlan interface 2 verbose Vlan interface2 current state UP Line protocol current state UP IPv6 is enabled l...

Page 358: ...E80 20F E2FF FE00 1C0 Global unicast address es 2001 1 subnet is 2001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 1 FF02 1 FF00 1C0 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds N...

Page 359: ...erface2 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1234 Global unicast address es 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 2 FF02 1 FF00 1234 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hos...

Page 360: ...itchB Vlan interface2 ping ipv6 c 1 3001 1 PING 3001 1 56 data bytes press CTRL_C to break Reply from 3001 1 bytes 56 Sequence 1 hop limit 64 time 2 ms 3001 1 ping statistics 1 packet s transmitted 1 packet s received 0 00 packet loss round trip min avg max 2 2 2 ms SwitchB Vlan interface2 ping ipv6 c 1 2001 15B E0EA 3524 E791 PING 2001 15B E0EA 3524 E791 56 data bytes press CTRL_C to break Reply ...

Page 361: ...mmand in any view or the display this command in system view to verify that IPv6 is enabled z Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up z Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 packets to help locate the cause ...

Page 362: ...i Table of Contents 1 Dual Stack Configuration 1 1 Dual Stack Overview 1 1 Configuring Dual Stack 1 1 ...

Page 363: ... be selected at the transport layer while IPv6 stack is preferred at the network layer Figure 1 1 illustrates the IPv4 IPv6 dual stack in relation to the IPv4 stack Figure 1 1 IPv4 IPv6 dual stack in relation to IPv4 stack on Ethernet IPv4 application IPv4 IPv6 application TCP UDP TCP UDP IPv4 IPv4 IPv6 Ethernet Ethernet Protocol ID 0x0800 Protocol ID 0x0800 Protocol ID 0x86DD IPv4 stack Dual stac...

Page 364: ...an interface Automatically create an IPv6 link local address ipv6 address auto link local Configure an IPv6 address on the interface Configure an IPv6 link local address Manually specify an IPv6 link local address ipv6 address ipv6 address link local Optional By default after you configured an IPv6 site local address or global unicast address a link local address is automatically created z For inf...

Page 365: ...Prerequisites 1 5 Configuration Procedure 1 5 Configuration Example 1 6 Configuring 6to4 Tunnel 1 10 Configuration Prerequisites 1 10 Configuration Procedure 1 10 6to4 Tunnel Configuration Example 1 11 Configuring ISATAP Tunnel 1 14 Configuration Prerequisites 1 14 Configuration Procedure 1 14 Configuration Example 1 15 Displaying and Maintaining Tunneling Configuration 1 18 Troubleshooting Tunnel...

Page 366: ...m Since significant improvements have been made in address space security network management mobility and QoS IPv6 becomes one of the core standards for the next generation Internet protocol IPv6 is compatible with all protocols except IPv4 in the TCP IP suite Therefore IPv6 can completely take the place of IPv4 Before IPv6 becomes the dominant protocol networks using the IPv6 protocol stack are e...

Page 367: ...IPv6 over IPv4 tunneling mechanism encapsulates an IPv4 header in IPv6 data packets so that IPv6 packets can pass an IPv4 network through a tunnel to realize interworking between isolated IPv6 networks as shown in Figure 1 1 The devices at both ends of an IPv6 over IPv4 tunnel must support IPv4 IPv6 dual stack Figure 1 1 IPv6 over IPv4 tunnel The IPv6 over IPv4 tunnel processes packets in the foll...

Page 368: ... tunnel is called a configured tunnel z If the interface address of an IPv6 over IPv4 tunnel has an IPv4 address embedded into an IPv6 address the IPv4 address of the tunnel destination can be acquired automatically Such a tunnel is called an automatic tunnel Type According to the way an IPv6 packet is encapsulated IPv6 over IPv4 tunnels are divided into the following types Tunnel type Tunnel mode...

Page 369: ... permanent value and the IPv4 address of the tunnel source or destination it is possible that IPv6 packets can be forwarded by the tunnel 3 ISATAP tunnel With the application of the IPv6 technology there will be more and more IPv6 hosts in the existing IPv4 network The ISATAP tunneling technology provides a satisfactory solution for IPv6 application An ISATAP tunnel is a point to point automatic t...

Page 370: ...rding function is disabled Create a tunnel interface and enter tunnel interface view interface tunnel number Required By default there is no tunnel interface on the device ipv6 address ipv6 address prefix length ipv6 address prefix length Configure a global unicast IPv6 address or a site local address ipv6 address ipv6 address prefix length eui 64 Required Use either command By default no IPv6 glo...

Page 371: ... in the IP Routing Volume z When you configure a static route at one tunnel end you need to configure a route to the destination IPv6 address of the packet instead of the IPv4 address of the tunnel destination and set the outbound interface to the tunnel interface at the local end or set the next hop to the tunnel interface at the peer end The similar configuration needs to be performed at the oth...

Page 372: ...1 SwitchA interface vlan interface 101 SwitchA Vlan interface101 ipv6 address 3002 1 64 SwitchA Vlan interface101 quit Create a service loopback group Note that you need to disable STP on a port before adding it to a service loopback group SwitchA service loopback group 1 type tunnel SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 stp disable SwitchA GigabitEthernet1 0 1 port ...

Page 373: ...rvice loopback group 1 type tunnel SwitchB interface GigabitEthernet 1 0 1 SwitchB GigabitEthernet1 0 1 stp disable SwitchB GigabitEthernet1 0 1 port service loopback group 1 SwitchB GigabitEthernet1 0 1 quit Configure an IPv6 manual tunnel SwitchB interface tunnel 1 0 0 SwitchB Tunnel1 0 0 ipv6 address 3001 2 64 SwitchB Tunnel1 0 0 source vlan interface 100 SwitchB Tunnel1 0 0 destination 192 168...

Page 374: ...ess es 3001 2 subnet is 3001 64 Joined group address es FF02 1 FFA8 3201 FF02 1 FF00 1 FF02 1 FF00 0 FF02 2 FF02 1 MTU is 1480 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics InReceives 55 Ping the IPv6 address of VLAN interface 101 at the peer end from Switch A SwitchA ping ipv6 3003 1 PI...

Page 375: ...ce and enter tunnel interface view interface tunnel number Required By default there is no tunnel interface on the device ipv6 address ipv6 address prefix length ipv6 address prefix length Configure an IPv6 global unicast address or a site local address ipv6 address ipv6 address prefix length eui 64 Required Use either command By default no IPv6 global unicast address or site local address is conf...

Page 376: ...the tunnel destination and set the outbound interface to the tunnel interface at the local end or set the next hop to the tunnel interface at the peer end The similar configuration needs to be performed at the other tunnel end z To reference a service loopback group on the tunnel interface to receive and send packets you must have configured the service loopback group Otherwise the tunnel interfac...

Page 377: ...dress for VLAN interface 101 SwitchA interface vlan interface 101 SwitchA Vlan interface101 ipv6 address 2002 0201 0101 1 1 64 SwitchA Vlan interface101 quit Create a service loopback group Note that you need to disable STP on a port before adding it to a service loopback group SwitchA service loopback group 1 type tunnel SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 stp dis...

Page 378: ...roup Note that you need to disable STP on a port before adding it to a service loopback group SwitchB service loopback group 1 type tunnel SwitchB interface GigabitEthernet 1 0 1 SwitchB GigabitEthernet1 0 1 stp disable SwitchB GigabitEthernet1 0 1 port service loopback group 1 SwitchB GigabitEthernet1 0 1 quit Configure the 6to4 tunnel SwitchB interface tunnel 1 0 0 SwitchB Tunnel1 0 0 ipv6 addre...

Page 379: ...figuration Procedure Follow these steps to configure an ISATAP tunnel To do Use the command Remarks Enter system view system view Enable IPv6 ipv6 Required By default the IPv6 forwarding function is disabled Create a tunnel interface and enter tunnel interface view interface tunnel number Required By default there is no tunnel interface on the device ipv6 address ipv6 address prefix length ipv6 ad...

Page 380: ...onfiguration in the IP Routing Volume z The automatic tunnel interfaces using the same encapsulation protocol cannot share the same source IP address z When you configure a static route at one tunnel end you need to configure a route to the destination IPv6 address of the packet instead of the IPv4 address of the tunnel destination and set the outbound interface to the tunnel interface at the loca...

Page 381: ...tch Vlan interface101 ip address 1 1 1 1 255 0 0 0 Switch Vlan interface101 quit Create a service loopback group Note that you need to disable STP on a port before adding it to a service loopback group Switch service loopback group 1 type tunnel Switch interface GigabitEthernet 1 0 1 Switch GigabitEthernet1 0 1 stp disable Switch GigabitEthernet1 0 1 port service loopback group 1 Switch GigabitEth...

Page 382: ...routing preference 1 EUI 64 embedded IPv4 address 0 0 0 0 router link layer address 0 0 0 0 preferred link local fe80 5efe 2 1 1 2 life infinite link MTU 1280 true link MTU 65515 current hop limit 128 reachable time 42500ms base 30000ms retransmission interval 1000ms DAD transmits 0 default site prefix length 48 A link local address fe80 5efe 2 1 1 2 in the ISATAP format was automatically generate...

Page 383: ...taining Tunneling Configuration To do Use the command Remarks Display information about a specified tunnel interface display interface tunnel number Available in any view Display IPv6 information related to a specified tunnel interface display ipv6 interface tunnel number verbose Available in any view Troubleshooting Tunneling Configuration Symptom After the configuration of related parameters suc...

Page 384: ... Overview 1 1 Introduction to sFlow 1 1 Operation of sFlow 1 1 Configuring sFlow 1 2 Displaying and Maintaining sFlow 1 2 sFlow Configuration Example 1 3 Troubleshooting sFlow Configuration 1 4 The Remote sFlow Collector Cannot Receive sFlow Packets 1 4 ...

Page 385: ...the sFlow packets and displays the results sFlow has the following two sampling mechanisms z Packet based sampling An sFlow enabled port samples one packet out of a configurable number of packets passing through it z Time based sampling The sFlow agent samples the statistics of all sFlow enabled ports at a configurable interval As a traffic monitoring technology sFlow has the following advantages ...

Page 386: ...t collects the statistics of sFlow enabled ports sflow interval interval time Optional 20 seconds by default Enter Ethernet port view interface interface type interface number Enable sFlow in the inbound or outbound direction sflow enable inbound outbound Required Not enabled by default Specify the sFlow sampling mode sflow sampling mode determine random Optional random by default Currently the de...

Page 387: ...he results Network diagram Figure 1 1 Network diagram for sFlow configuration Configuration procedure Configure an IP address for the sFlow agent Switch system view Switch sflow agent ip 3 3 3 1 Specify the IP address and port number of the sFlow collector Switch sflow collector ip 3 3 3 2 Set the sFlow interval to 30 seconds Switch sflow interval 30 Enable sFlow in both the inbound and outbound d...

Page 388: ...f the sFlow collector specified on the sFlow agent is different from that of the remote sFlow collector z No IP address is configured for the Layer 3 interface on the device or the IP address is configured but the UDP packets with the IP address being the source cannot reach the sFlow collector z The physical link between the device and the sFlow collector fails Solution 1 Check whether sFlow is c...

Page 389: ...his document describes z Static route configuration z Detecting Reachability of the Static Route s Nexthop RIP Routing Information Protocol RIP is a simple Interior Gateway Protocol IGP mainly used in small sized networks This document describes z RIP basic functions configuration z RIP advanced functions configuration z RIP network optimization configuration OSPF Open Shortest Path First OSPF is ...

Page 390: ...Peer State Changes IPv6 Static Routing Static routes are special routes that are manually configured by network administrators Similar to IPv4 static routes IPv6 static routes work well in simple IPv6 network environments This document describes z IPv6 static route configuration RIPng RIP next generation RIPng is an extension of RIP 2 for IPv4 RIPng for IPv6 is IPv6 RIPng This document describes z...

Page 391: ...uration MCE Multi CE MCE enables a switch to function as the CEs of multiple VPN instances in a BGP MPLS VPN network thus reducing the investment on network equipment z Configuring a VPN Instance z Configuring Route Exchange between a MCE and a Site z Configuring Route Exchange between a MCE and a PE Policy Routing Policy routing is to make forwarding decisions based on user defined policies Diffe...

Page 392: ... Protocol Overview 1 3 Static Routing and Dynamic Routing 1 3 Classification of Dynamic Routing Protocols 1 3 Routing Protocols and Routing Priority 1 4 Load Balancing and Route Backup 1 4 Route Recursion 1 5 Sharing of Routing Information 1 5 Configuring a Router ID 1 5 Displaying and Maintaining a Routing Table 1 6 ...

Page 393: ...ertain destination should go out to reach the next hop the next router or the directly connected destination Routes in a routing table can be divided into three categories by origin z Direct routes Routes discovered by data link protocols also known as interface routes z Static routes Routes that are manually configured z Dynamic routes Routes that are discovered dynamically by routing protocols C...

Page 394: ... to the router z Indirect routes The destination is not directly connected to the router To prevent the routing table from getting too large you can configure a default route All packets without matching any entry in the routing table will be forwarded through the default route In Figure 1 1 the IP address on each cloud represents the address of the network Router G is connected to three networks ...

Page 395: ...d on the following standards Operational scope z Interior gateway protocols IGPs Work within an autonomous system including RIP OSPF and IS IS z Exterior gateway protocols EGPs Work between autonomous systems The most popular one is BGP An autonomous system refers to a group of routers that share the same routing policy and work under the same administration Routing algorithm z Distance vector pro...

Page 396: ... 255 UNKNOWN 256 z The smaller the priority value the higher the priority z The priority for a direct route is always 0 which you cannot change Any other type of routes can have their priorities manually configured z Each static route can be configured with a different priority z IPv4 and IPv6 routes have their own respective routing tables Load Balancing and Route Backup Load Balancing In multi r...

Page 397: ...nected To forward the packets the outgoing interface to reach the nexthop must be available Route recursion is used to find the outgoing interface based on the nexthop information of the route Link state routing protocols such as OSPF and IS IS do not need route recursion because they obtain nexthop information through route calculation Sharing of Routing Information As different routing protocols...

Page 398: ... the router ID display router id Available in any view Clear statistics for the routing table or a VPN routing table reset ip routing table statistics protocol vpn instance vpn instance name all protocol Available in user view Display brief IPv6 routing table information display ipv6 routing table Available in any view Display verbose IPv6 routing table information display ipv6 routing table verbo...

Page 399: ...ng a Static Route 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 3 Detecting Reachability of the Static Route s Nexthop 1 3 Detecting Nexthop Reachability Through BFD 1 3 Detecting Nexthop Reachability Through Track 1 4 Displaying and Maintaining Static Routes 1 5 Static Route Configuration Example 1 6 Basic Static Route Configuration Example 1 6 ...

Page 400: ...opological change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded After a default route is configured on a router any packet whose destination IP address matches no...

Page 401: ...ing on the specific occasion For a NULL0 or loopback interface if the output interface has already been configured there is no need to configure the next hop address In fact all the route entries must have a next hop address When forwarding a packet a router first searches the routing table for the route to the destination address of the packet The system can find the corresponding link layer addr...

Page 402: ...the IP address of a local interface z If you do not specify the preference when configuring a static route the default preference will be used Reconfiguring the default preference applies only to newly created static routes z You can flexibly control static routes by configuring tag values and using the tag values in the routing policy z If the destination IP address and mask are both configured a...

Page 403: ... echo packet preference preference value tag tag value description description text Required Not configured by default z To implement BFD in the control packet mode the remote end must create a BFD session otherwise the BFD function cannot work To implement BFD in the echo packet mode the BFD function can work without the remote end needing to create any BFD session z If a route flap occurs enabli...

Page 404: ...y For a non existent static route configure it and associate it with a Track entry z If the track module uses NQA to detect the reachability of the private network static route s nexthop the VPN instance number of the static route s nexthop must be identical to that configured in the NQA test group z If a static route needs route recursion the associated track entry must monitor the nexthop of the...

Page 405: ...ch A SwitchA system view SwitchA ip route static 0 0 0 0 0 0 0 0 1 1 4 2 Configure two static routes on Switch B SwitchB system view SwitchB ip route static 1 1 2 0 255 255 255 0 1 1 4 1 SwitchB ip route static 1 1 3 0 255 255 255 0 1 1 5 6 Configure a default route on Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the th...

Page 406: ... 1 5 5 Vlan600 1 1 5 5 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 1 1 6 0 24 Direct 0 0 192 168 1 47 Vlan100 1 1 6 1 32 Direct 0 0 127 0 0 1 InLoop0 Use the ping command on Host B to check reachability to Host A assuming Windows XP runs on the two hosts C Documents and Settings Administrator ping 1 1 2 2 Pinging 1 1 2 2 with 3...

Page 407: ...1 8 1 1 ms 1 ms 1 ms 1 1 6 1 2 1 ms 1 ms 1 ms 1 1 4 1 3 1 ms 1 ms 1 ms 1 1 2 2 Trace complete ...

Page 408: ...tion 1 11 Configuring RIP Network Optimization 1 11 Configuring RIP Timers 1 12 Configuring Split Horizon and Poison Reverse 1 12 Configuring the Maximum Number of Load Balanced Routes 1 13 Enabling Zero Field Check on Incoming RIPv1 Messages 1 13 Enabling Source IP Address Check on Incoming RIP Updates 1 13 Configuring RIPv2 Message Authentication 1 14 Specifying a RIP Neighbor 1 14 Configuring R...

Page 409: ...of RIP Introduction RIP is a distance vector routing protocol using UDP packets for exchanging information through port 520 RIP uses a hop count to measure the distance to a destination The hop count from a router to a directly connected network is 0 The hop count from a router to a directly connected router is 1 To limit convergence time the range of RIP metric value is from 0 to 15 A metric valu...

Page 410: ...e will be deleted from the routing table Routing loops prevention RIP is a distance vector D V routing protocol Since a RIP router advertises its own routing table to neighbors routing loops may occur RIP uses the following mechanisms to prevent routing loops z Counting to infinity The metric value of 16 is defined as unreachable When a routing loop occurs the metric value of the route will increm...

Page 411: ...broadcast and multicast Multicast is the default type using 224 0 0 9 as the multicast address The interface working in the RIPv2 broadcast mode can also receive RIPv1 messages RIP Message Format A RIPv1 message consists of a header and up to 25 route entries A RIPv2 authentication message uses the first route entry as the authentication entry so it has up to 24 route entries RIPv1 message format ...

Page 412: ...indicates that the originator of the route is the best next hop otherwise it indicates a next hop better than the originator of the route RIPv2 authentication RIPv2 sets the AFI field of the first route entry to 0xFFFF to identify authentication information See Figure 1 3 Figure 1 3 RIPv2 Authentication Message z Authentication Type A value of 2 represents plain text authentication while a value o...

Page 413: ...P Version 2 Protocol Applicability Statement z RFC 1724 RIP Version 2 MIB Extension z RFC 2082 RIPv2 MD5 Authentication z RFC2453 RIP Version 2 Configuring RIP Basic Functions Configuration Prerequisites Before configuring RIP basic functions complete the following tasks z Configure the link layer protocol z Configure an IP address on each interface and make sure all adjacent routers are reachable...

Page 414: ...erface interface type interface number Enable the interface to receive RIP messages rip input Optional Enabled by default Enable the interface to send RIP messages rip output Optional Enabled by default Configuring a RIP version You can configure a RIP version in RIP or interface view z If neither global nor interface RIP version is configured the interface sends RIPv1 broadcasts and can receive R...

Page 415: ...ng RIPv2 Route Summarization z Disabling Host Route Reception z Advertising a Default Route z Configuring Inbound Outbound Route Filtering z Configuring a Priority for RIP z Configuring RIP Route Redistribution Before configuring RIP routing feature complete the following tasks z Configure an IP address for each interface and make sure all neighboring routers are reachable to each other z Configur...

Page 416: ...automatic summarization if you want to advertise all subnet routes Follow these steps to enable RIPv2 route automatic summarization To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Enable RIPv2 automatic route summarization summary Optional Enabled by default Advertising a summary route You can configure RIPv2 to advertise a s...

Page 417: ... Advertising a Default Route You can configure RIP to advertise a default route with a specified metric to RIP neighbors z In RIP view you can configure all the interfaces of the RIP process to advertise a default route in interface view you can configure a RIP interface of the RIP process to advertise a default route The latter takes precedence over the former on the interface z If a RIP process ...

Page 418: ...routes from a specified neighbor Follow these steps to configure route filtering To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Configure the filtering of incoming routes filter policy acl number gateway ip prefix name ip prefix ip prefix name gateway ip prefix name import interface type interface number Required Not configu...

Page 419: ...s Follow these steps to configure RIP route redistribution To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Configure a default metric for redistributed routes default cost value Optional The default metric of a redistributed route is 0 by default Redistribute routes from another protocol import route protocol process id all p...

Page 420: ...rk performance you need to make RIP timers of RIP routers identical to each other to avoid unnecessary traffic or route oscillation Configuring Split Horizon and Poison Reverse If both split horizon and poison reverse are configured only the poison reverse function takes effect The split horizon and poison reverse functions can avoid routing loops Enabling split horizon The split horizon function ...

Page 421: ...name Configure the maximum number of load balanced routes maximum load balancing number Optional 4 by default Enabling Zero Field Check on Incoming RIPv1 Messages Some fields in the RIPv1 message must be zero These fields are called zero fields You can enable zero field check on received RIPv1 messages If such a field contains a non zero value the RIPv1 message will not be processed If you are sur...

Page 422: ...pports two authentication modes plain text and MD5 In plain text authentication the authentication information is sent with the RIP message which however cannot meet high security needs Follow these steps to configure RIPv2 message authentication To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure RIPv2 authentication...

Page 423: ...guring RIP to MIB Binding This task allows you to enable a specific RIP process to receive SNMP requests Follow these steps to bind RIP to MIB To do Use the command Remarks Enter system view system view Bind RIP to MIB rip mib binding process id Optional By default MIB is bound to RIP process 1 Configuring the RIP Packet Sending Rate RIP periodically sends routing information in RIP packets to RIP...

Page 424: ...ormation about a specified RIP process display rip process id route ip address mask mask length peer ip address statistics Available in any view Clear the statistics of a RIP process reset rip process id statistics Available in user view RIP Configuration Examples Configuring RIP Version Network requirements As shown in Figure 1 4 enable RIPv2 on all interfaces on Switch A and Switch B Figure 1 4 ...

Page 425: ...itch B SwitchB rip SwitchB rip 1 network 192 168 1 0 SwitchB rip 1 network 10 0 0 0 Display the RIP routing table of Switch A SwitchA display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 2 on Vlan interface100 Destination Mask Nexthop Cost Tag Flags Sec 10 0 0 0 8 192 168 1 2 1 0 RA 11 From the routing table you can find that RIPv1 uses a n...

Page 426: ...h A through RIP 100 and with Switch C through RIP 200 z Configure route redistribution on Switch B to make RIP 200 redistribute direct routes and routes from RIP 100 Thus Switch C can learn routes destined for 10 2 1 0 24 and 11 1 1 0 24 while Switch A cannot learn routes destined for 12 3 1 0 24 and 16 4 1 0 24 z Configure a filtering policy on Switch B to filter out the route 10 2 1 1 24 from RI...

Page 427: ...tchC display ip routing table Routing Tables Public Destinations 6 Routes 6 Destination Mask Proto Pre Cost NextHop Interface 12 3 1 0 24 Direct 0 0 12 3 1 2 Vlan200 12 3 1 2 32 Direct 0 0 127 0 0 1 InLoop0 16 4 1 0 24 Direct 0 0 16 4 1 1 Vlan400 16 4 1 1 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 3 Configure route redistribut...

Page 428: ...ng table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 11 1 1 0 24 RIP 100 1 12 3 1 1 Vlan200 12 3 1 0 24 Direct 0 0 12 3 1 2 Vlan200 12 3 1 2 32 Direct 0 0 127 0 0 1 InLoop0 16 4 1 0 24 Direct 0 0 16 4 1 1 Vlan400 16 4 1 1 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 Configuring...

Page 429: ...quit Configure Switch B SwitchB system view SwitchB rip 1 SwitchB rip 1 network 1 0 0 0 SwitchB rip 1 version 2 SwitchB rip 1 undo summary Configure Switch C SwitchC system view SwitchB rip 1 SwitchC rip 1 network 1 0 0 0 SwitchC rip 1 version 2 SwitchC rip 1 undo summary Configure Switch D SwitchD system view SwitchD rip 1 SwitchD rip 1 network 1 0 0 0 SwitchD rip 1 version 2 SwitchD rip 1 undo s...

Page 430: ...ce 200 SwitchA Vlan interface200 rip metricin 3 SwitchA Vlan interface200 display rip 1 database 1 0 0 0 8 cost 0 ClassfulSumm 1 1 1 0 24 cost 0 nexthop 1 1 1 1 Rip interface 1 1 2 0 24 cost 0 nexthop 1 1 2 1 Rip interface 1 1 3 0 24 cost 1 nexthop 1 1 1 2 1 1 4 0 24 cost 2 nexthop 1 1 1 2 1 1 5 0 24 cost 2 nexthop 1 1 1 2 The display shows that there is only one RIP route to network 1 1 5 0 24 wi...

Page 431: ...ch B SwitchB system view SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 network 10 6 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit Configure Switch C SwitchC system view SwitchC ospf SwitchC ospf 1 area 0 SwitchC ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 network 10 2 1 0 0 0 0 255 SwitchC ospf ...

Page 432: ... 1 2 Vlan300 11 3 1 2 32 Direct 0 0 127 0 0 1 InLoop0 11 4 1 0 24 Direct 0 0 11 4 1 2 Vlan400 11 4 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 Configure route summarization on Switch C and advertise only the summary route 10 0 0 0 8 SwitchC interface vlan interface 300 SwitchC Vlan interface300 rip summary address 10 0 0 ...

Page 433: ...n z Use the display rip command to check whether some interface is disabled Route Oscillation Occurred Symptom When all links work well route oscillation occurs on the RIP network After displaying the routing table you may find some routes appear and disappear in the routing table intermittently Analysis In the RIP network make sure all the same timers within the whole network are identical and re...

Page 434: ...nterface as NBMA 1 25 Configuring the OSPF Network Type for an Interface as P2MP 1 26 Configuring the OSPF Network Type for an Interface as P2P 1 26 Configuring OSPF Route Control 1 26 Prerequisites 1 26 Configuring OSPF Route Summarization 1 27 Configuring OSPF Inbound Route Filtering 1 28 Configuring ABR Type 3 LSA Filtering 1 28 Configuring an OSPF Cost for an Interface 1 29 Configuring the Max...

Page 435: ...tion Prerequisites 1 41 Configuring a Loopback Interface 1 41 Advertising Routes of a Loopback Interface 1 41 Creating a Sham Link 1 42 Configuring OSPF Graceful Restart 1 43 Configuring the OSPF GR Restarter 1 43 Configuring the OSPF GR Helper 1 44 Triggering OSPF Graceful Restart 1 45 Displaying and Maintaining OSPF 1 45 OSPF Configuration Examples 1 46 Configuring OSPF Basic Functions 1 46 Conf...

Page 436: ...ing OSPF Graceful Restart z Displaying and Maintaining OSPF z OSPF Configuration Examples z Troubleshooting OSPF Configuration The term router in this document refers to a router in a generic sense or an Ethernet switch running routing protocols Introduction to OSPF Unless otherwise noted OSPF refers to OSPFv2 throughout this document OSPF has the following features z Wide scope Supports networks ...

Page 437: ...ighted directed graph which actually reflects the topology architecture of the entire network All the routers have the same graph z Each router uses the SPF algorithm to compute a Shortest Path Tree that shows the routes to the nodes in the autonomous system The router itself is the root of the tree Router ID An OSPF process running on a router must have its own router ID which is a 32 bit unsigne...

Page 438: ...e Type 9 opaque LSA is flooded into the local subnet the Type 10 is flooded into the local area and the Type 11 is flooded throughout the whole AS Neighbor and Adjacency In OSPF the Neighbor and Adjacency are two different concepts Neighbor Two routers that have interfaces to a common network Neighbor relationships are maintained by and usually dynamically discovered by OSPF s hello packets When a...

Page 439: ...e to physical limitations the requirements may not be satisfied In this case configuring OSPF virtual links is a solution A virtual link is established between two area border routers via a non backbone area and is configured on both ABRs to take effect The area that provides the non backbone area internal route for the virtual link is a transit area In the following figure Area 2 has no direct ph...

Page 440: ...ring a totally stub area z The backbone area cannot be a totally stub area z To configure an area as a stub area the stub command must be configured on routers in the area z To configure an area as a totally stub area the stub command must be configured on routers in the area and the ABR of the area must be configured with the stub no summary command z A totally stub area cannot have an ASBR becau...

Page 441: ... Compared with a totally stub area a stub area can import inter area routes z Compared with a stub area an NSSA area can import external routes through Type 7 LSAs advertised by the ASBR to the area z Compared with an NSSA area a totally NSSA area does not import inter area routes Classification of Routers Router types The OSPF routers fall into four types according to the position in the AS 1 Int...

Page 442: ... of the AS while external routes describe routes to destinations outside the AS OSPF classifies external routes into two types Type 1 and Type 2 A Type 1 external route is an IGP route such as a RIP or static route which has high credibility and whose cost is comparable with the cost of an OSPF internal route The cost from a router to the destination of the Type 1 external route the cost from the ...

Page 443: ...on NBMA interfaces Since these interfaces cannot broadcast hello packets for neighbor location you need to specify neighbors manually and configure whether the neighbors have the DR election right An NBMA network is fully meshed which means any two routers in the NBMA network have a direct virtual link for communication If direct connections are not available between some routers the type of inter...

Page 444: ...etwork are elected by all routers rather than configured manually The DR priority of an interface determines its qualification for DR BDR election Interfaces attached to the network and having priorities higher than 0 are election candidates The election votes are hello packets Each router sends the DR elected by itself in a hello packet to all the other routers If two routers on the network decla...

Page 445: ...entication type from 0 to 2 corresponding with non authentication simple plaintext authentication and MD5 authentication respectively z Authentication Information determined by authentication type It is not defined for authentication type 0 It is defined as password information for authentication type 1 and defined as Key ID MD5 authentication data length and sequence number for authentication typ...

Page 446: ... z Rtr Pri Router priority A value of 0 means the router cannot become the DR BDR z RouterDeadInterval Time before declaring a silent router down If two routers have different time values they cannot become neighbors z Designated router IP address of the DR interface z Backup designated router IP address of the BDR interface z Neighbor Router ID of the neighbor router DD packet Two routers exchang...

Page 447: ...ackets are to follow z MS Master Slave The Master Slave bit When set to 1 it indicates that the router is the master during the database exchange process Otherwise the router is the slave z DD Sequence Number Used to sequence the collection of database description packets for ensuring reliability and intactness of DD packets between the master and slave The initial value is set by the master The D...

Page 448: ...tate Update packets are used to send the requested LSAs to peers and each packet carries a collection of LSAs The LSU packet format is shown below Figure 1 13 LSU packet format LSAck packet LSAack Link State Acknowledgment packets are used to acknowledge received LSU packets contents including LSA headers to describe the corresponding LSAs Multiple LSAs can be acknowledged in a single Link State A...

Page 449: ... LSA was originated A LSA ages in the LSDB added by 1 per second but does not in transmission z LS type Type of the LSA z Link State ID The contents of this field depend on the LSA s type z LS sequence number Used by other routers to judge new and old LSAs z LS checksum Checksum of the LSA except the LS age field z Length Length in bytes of the LSA including the LSA header Formats of LSAs 1 Router...

Page 450: ...SA is an ABR z Links Number of router links interfaces to the area described in the LSA z Link ID Determined by Link type z Link data Determined by Link type z Type Link type A value of 1 indicates a point to point link to a remote router a value of 2 indicates a link to a transit network a value of 3 indicates a link to a stub network a value of 4 indicates a virtual link z TOS Number of differen...

Page 451: ...ary LSAs Type 3 LSAs and ASBR summary LSAs Type 4 LSAs are originated by ABRs Other than the difference in the Link State ID field the format of type 3 and 4 summary LSAs is identical Figure 1 18 Summary LSA format Major fields z Link State ID For a Type 3 LSA it is an IP address outside the area for a type 4 LSA it is the router ID of an ASBR outside the area z Network mask The network mask for t...

Page 452: ... State ID is always set to Default Destination 0 0 0 0 and the Network Mask is set to 0 0 0 0 z Network mask The IP address mask for the advertised destination z E External Metric The type of the external metric value which is set to 1 for type 2 external routes and set to 0 for type 1 external routes Refer to Route types for description about external route types z Metric The metric to the destin...

Page 453: ...ea must be identical Authentication types include non authentication plaintext authentication and MD5 ciphertext authentication The authentication password for interfaces attached to a network segment must be identical OSPF Graceful Restart For GR information refer to GR Overview in the High Availability Volume After an OSPF GR Restarter restarts it needs to perform the following two tasks in orde...

Page 454: ...rity than a backbone route VPN traffic will always travel on the backdoor route rather than the backbone route To avoid this an unnumbered sham link can be configured between PE routers connecting the router to another PE router via an intraarea route with a lower cost Protocols and Standards z RFC 1765 OSPF Database Overflow z RFC 2328 OSPF Version 2 z RFC 3101 OSPF Not So Stubby Area NSSA Option...

Page 455: ...ring a Priority for OSPF Optional Configuring OSPF Route Control Configuring OSPF Route Redistribution Optional Configuring OSPF Packet Timers Optional Specifying an LSA Transmission Delay Optional Specifying SPF Calculation Interval Optional Specifying the LSA Minimum Repeat Arrival Interval Optional Specifying the LSA Generation Interval Optional Disabling Interfaces from Sending OSPF Packets Op...

Page 456: ...t have a Router ID which is the unique identifier of the router in the AS z You can specify a Router ID when creating the OSPF process Any two routers in an AS must have different Router IDs In practice the ID of a router is the IP address of one of its interfaces z If you specify no Router ID when creating the OSPF process the global Router ID will be used For details about global Router ID refer...

Page 457: ...he backbone itself cannot be achieved you can configure virtual links to solve it Prerequisites Before configuring an OSPF area you have configured z IP addresses for interfaces making neighboring nodes accessible with each other at the network layer z OSPF basic functions Configuring a Stub Area You can configure a non backbone area at the AS edge as a stub area by configuring the stub command on...

Page 458: ...ub area cannot have an ASBR because AS external routes cannot be distributed into the stub area z Virtual links cannot transit totally stub areas Configuring an NSSA Area A stub area cannot redistribute routes You can configure the area as an NSSA area to allow for route redistribution while keeping other characteristics of a stub area Follow these steps to configure an NSSA area To do Use the com...

Page 459: ...s command on both ends of a virtual link Note that hello and dead intervals must be identical on both ends of the virtual link Configuring OSPF Network Types OSPF classifies networks into four types broadcast NBMA P2MP and P2P upon the link layer protocol You can change the network type of an interface as needed For example z When an NBMA network becomes fully meshed through address mapping namely...

Page 460: ... the network type of an interface as NBMA you need to make some special configurations Because NBMA interfaces cannot find neighbors via broadcasting Hello packets you need to specify neighbors and neighbor DR priorities A DR priority of 0 means the router does not have the DR election right a DR priority greater than 0 means the router has the DR election right Follow these steps to configure the...

Page 461: ...k type for an interface as P2MP To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the OSPF network type for the interface as P2MP ospf network type p2mp Required By default the network type is broadcast Configuring the OSPF Network Type for an Interface as P2P Follow these steps to configure the OSPF network type fo...

Page 462: ... Follow these steps to configure route summarization on an ABR To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Enter OSPF area view area area id Configure ABR route summarization abr summary ip address mask mask length advertise not advertise cost cost Required The command is available on an ABR only Not con...

Page 463: ... address prefixes z Filtering routing information by next hop through the filtering criteria configured with the gateway keyword z Filtering routing information by destination address through ACLs and IP address prefixes and by next hop through the filtering criteria configured with the gateway keyword z Filtering routing information by route policies specified by the route policy keyword Follow t...

Page 464: ...5 is used if the calculated cost is less than 1 the value of 1 is used If no cost is configured for an interface OSPF computes the interface cost automatically Follow these steps to configure an OSPF cost for an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure an OSPF cost for the interface ospf cost valu...

Page 465: ...marks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Configure the maximum number of equivalent load balanced routes maximum load balancing maximum Optional The default number is 4 Configuring a Priority for OSPF A router may run multiple routing protocols and it sets a priority for each protocol When a route found by several routing pr...

Page 466: ...route policy name Required Not configured by default Configure OSPF to filter redistributed routes before advertisement filter policy acl number ip prefix ip prefix name export protocol process id Optional Not configured by default Only active routes can be redistributed You can use the display ip routing table protocol command to display route state information Configure OSPF to redistribute a de...

Page 467: ...ed routes cost route number tag and type default cost cost limit limit tag tag type type Optional By default the default cost is 1 default upper limit of routes redistributed per time is 1000 default tag is 1 and default type of redistributed routes is Type 2 Advertising a Host Route Follow these steps to advertise a host route To do Use the command Remarks Enter system view system view Enter OSPF...

Page 468: ...ives no hello packet from the neighbor it declares the neighbor is down z LSA retransmission timer Interval within which if the interface receives no acknowledgement packets after sending a LSA to the neighbor it will retransmit the LSA Follow these steps to configure timers for OSPF packets To do Use the command Remarks Enter system view system view Enter interface view interface interface type i...

Page 469: ...n an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify an LSA transmission delay ospf trans delay seconds Optional 1 second by default Specifying SPF Calculation Interval The LSDB changes lead to SPF calculations When an OSPF network changes frequently a large amount of network resources will be occupied red...

Page 470: ...nce name Configure the LSA minimum repeat arrival interval lsa arrival interval interval Optional Defaults to 1000 milliseconds The interval set with the lsa arrival interval command should be smaller or equal to the interval set with the lsa generation interval command Specifying the LSA Generation Interval With this feature configured you can protect network resources and routers from being over...

Page 471: ... associated with the current process rather than interfaces associated with other processes z After an OSPF interface is set to silent other interfaces on the router can still advertise direct routes of the interface in Router LSAs but no OSPF packet can be advertised for the interface to find a neighbor This configuration can enhance adaptability of OSPF networking and reduce resource consumption...

Page 472: ...on all the routers in the area In addition the authentication mode and password for all interfaces attached to the same area must be identical Follow these steps to configure OSPF authentication To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Enter area view area area id Configure the authentication mode aut...

Page 473: ...and Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Specify the maximum number of external LSAs in the LSDB lsdb overflow limit number Optional Not specified by default Making External Route Selection Rules Defined in RFC1583 Compatible The selection of an external route from multiple LSAs defined in RFC2328 is different from the...

Page 474: ... traps z Level 6 for notification traps The generated traps are sent to the Information Center of the device The output rules of the traps namely whether to output the traps and the output direction are determined according to the Information Center configuration For Information Center configuration refer to Information Center Configuration in the System Volume Follow these steps to configure OSPF...

Page 475: ...ure OSPF runs normally a router receives and processes Hello packets and other protocol packets at the same time When the router has established neighbor relationships with multiple neighboring routers and the routing table size is big the router will need to receive and process large numbers of packets Configuring OSPF to give priority to receiving and processing Hello packets helps ensure stable...

Page 476: ...interfaces must be bound to the VPN instances and be advertised through BGP Configuration Prerequisites Before configuring OSPF sham link be sure to configure OSPF in the LAN where CEs reside Configuring a Loopback Interface Follow these steps to configure a loopback interface To do Use the command Remarks Enter system view system view Create a loopback interface and enter loopback interface view ...

Page 477: ...link sham link source ip address destination ip address cost cost dead dead interval hello hello interval retransmit retrans interval trans delay delay simple cipher plain password md5 hmac md5 key id cipher plain password Required By default no sham link is configured z If you start OSPF but do not configure the router ID the system will automatically elect one However the same election rules pro...

Page 478: ... standard IETF OSPF GR Restarter To do Use the command Remarks Enter system view system view Enable OSPF and enter its view ospf process id router id router id vpn instance instance name Enable opaque LSA advertisement capability opaque capability enable Required Disabled by default Enable the IETF standard Graceful Restart capability for OSPF graceful restart ietf Required Disabled by default Con...

Page 479: ...ption and advertisement opaque capability enable Required Not enabled by default Configure the neighbors for which the router can serve as a GR Helper graceful restart help acl number prefix prefix list Optional The router can server as a GR Helper for any OSPF neighbor by default Configuring the non IETF standard OSPF GR Helper Follow these steps to configure the non IETF standard OSPF GR Helper ...

Page 480: ... id peer statistics Display next hop information display ospf process id nexthop Display routing table information display ospf process id routing interface interface type interface number nexthop nexthop address Display virtual link information display ospf process id vlink Display information about OSPF sham links display ospf process id sham link area area id Display OSPF request queue informat...

Page 481: ...s run OSPF The AS is split into three areas in which Switch A and Switch B act as ABRs to forward routing information between areas z After configuration all switches can learn routes to every network segment in the AS Figure 1 21 Network diagram for OSPF basic configuration Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF basic functions Configure Switch A ...

Page 482: ...rea 0 0 0 1 network 10 4 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 1 quit SwitchC ospf 1 quit Configure Switch D SwitchD system view SwitchD ospf SwitchD ospf 1 area 2 SwitchD ospf 1 area 0 0 0 2 network 10 3 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 2 network 10 5 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 2 quit SwitchD ospf 1 quit 3 Verify the configuration Display information about neighbors on Switc...

Page 483: ...4 13 Stub 10 2 1 2 10 4 1 1 0 0 0 1 10 5 1 0 24 14 Inter 10 1 1 2 10 3 1 1 0 0 0 0 10 1 1 0 24 2 Transit 10 1 1 1 10 2 1 1 0 0 0 0 Total Nets 5 Intra Area 3 Inter Area 2 ASE 0 NSSA 0 Display the Link State Database on Switch A SwitchA display ospf lsdb OSPF Process 1 with Router ID 10 2 1 1 Link State Database Area 0 0 0 0 Type LinkState ID AdvRouter Age Len Sequence Metric Router 10 2 1 1 10 2 1 ...

Page 484: ...nter Area 3 ASE 0 NSSA 0 On Switch D ping the IP address 10 4 1 1 to check connectivity SwitchD ping 10 4 1 1 PING 10 4 1 1 56 data bytes press CTRL_C to break Request time out Reply from 10 4 1 1 bytes 56 Sequence 2 ttl 253 time 2 ms Reply from 10 4 1 1 bytes 56 Sequence 3 ttl 253 time 1 ms Reply from 10 4 1 1 bytes 56 Sequence 4 ttl 253 time 1 ms Reply from 10 4 1 1 bytes 56 Sequence 5 ttl 253 t...

Page 485: ...1 import route static 4 Verify the configuration Display the ABR ASBR information of Switch D SwitchD display ospf abr asbr OSPF Process 1 with Router ID 10 5 1 1 Routing Table to ABR and ASBR Type Destination Area Cost Nexthop RtType Intra 10 3 1 1 0 0 0 2 10 10 3 1 1 ABR Inter 10 4 1 1 0 0 0 2 22 10 3 1 1 ASBR Display the OSPF routing table of Switch D SwitchD display ospf routing OSPF Process 1...

Page 486: ...BGP connection is established between Switch B and Switch C Switch C is configured to redistribute OSPF routes into BGP z Switch B is configured to redistribute BGP routes into OSPF Switch B is configured with route summarization and advertises only the summary route 10 0 0 0 8 to reduce Switch A s routing table size Figure 1 23 Network diagram for OSPF summary route advertisement on switches Conf...

Page 487: ...ea 0 SwitchD ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 network 10 3 1 0 0 0 0 255 SwitchD ospf 1 area 0 0 0 0 quit Configure Switch E SwitchE system view SwitchE ospf SwitchE ospf 1 area 0 SwitchE ospf 1 area 0 0 0 0 network 10 2 1 0 0 0 0 255 SwitchE ospf 1 area 0 0 0 0 network 10 4 1 0 0 0 0 255 SwitchE ospf 1 area 0 0 0 0 quit SwitchE ospf 1 quit 3 Configure BGP...

Page 488: ...e it SwitchB ospf 1 asbr summary 10 0 0 0 8 Display the OSPF routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 10 0 0 0 8 O_ASE 150 2 11 2 1 1 Vlan100 11 2 1 0 24 Direct 0 0 11 2 1 2 Vlan100 11 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 ...

Page 489: ...spf 1 import route static SwitchD ospf 1 quit Display ABR ASBR information on Switch C SwitchC display ospf abr asbr OSPF Process 1 with Router ID 10 4 1 1 Routing Table to ABR and ASBR Type Destination Area Cost Nexthop RtType Intra 10 2 1 1 0 0 0 1 3 10 2 1 1 ABR Inter 10 3 1 1 0 0 0 1 5 10 2 1 1 ABR Inter 10 5 1 1 0 0 0 1 7 10 2 1 1 ASBR Display OSPF routing table information on Switch C Switch...

Page 490: ...C SwitchC ospf SwitchC ospf 1 area 1 SwitchC ospf 1 area 0 0 0 1 stub SwitchC ospf 1 area 0 0 0 1 quit SwitchC ospf 1 quit Display OSPF routing information on Switch C SwitchC display ospf routing OSPF Process 1 with Router ID 10 4 1 1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 0 0 0 0 0 4 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 2 1 0 24 3 Transit 10 2 1 2 10 2 1 1 ...

Page 491: ... 0 4 Inter 10 2 1 1 10 2 1 1 0 0 0 1 10 2 1 0 24 3 Transit 10 2 1 2 10 4 1 1 0 0 0 1 10 4 1 0 24 3 Stub 10 4 1 1 10 4 1 1 0 0 0 1 Total Nets 3 Intra Area 2 Inter Area 1 ASE 0 NSSA 0 After this configuration routing entries on the stub router are further reduced containing only one default external route Configuring an OSPF NSSA Area Network requirements The following figure shows an AS is split in...

Page 492: ...rea 0 0 0 0 quit SwitchA ospf 1 quit Configure Switch C SwitchC ospf SwitchC ospf 1 area 1 SwitchC ospf 1 area 0 0 0 1 nssa SwitchC ospf 1 area 0 0 0 1 quit SwitchC ospf 1 quit It is recommended to configure the nssa command with the keyword default route advertise no summary on Switch A an ABR to reduce the routing table size on NSSA routers On other NSSA routers use the nssa command Display OSPF...

Page 493: ...Destination Cost Type NextHop AdvRouter Area 10 2 1 0 24 22 Inter 10 3 1 1 10 3 1 1 0 0 0 2 10 3 1 0 24 10 Transit 10 3 1 2 10 3 1 1 0 0 0 2 10 4 1 0 24 25 Inter 10 3 1 1 10 3 1 1 0 0 0 2 10 5 1 0 24 10 Stub 10 5 1 1 10 5 1 1 0 0 0 2 10 1 1 0 24 12 Inter 10 3 1 1 10 3 1 1 0 0 0 2 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 3 1 3 0 24 1 Type2 1 10 3 1 1 10 2 1 1 Total Nets 6 Intra ...

Page 494: ...it Configure Switch B SwitchB system view SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Configure Switch C SwitchC system view SwitchC router id 3 3 3 3 SwitchC ospf SwitchC ospf 1 area 0 SwitchC ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 ...

Page 495: ...68 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 01 28 Authentication Sequence 0 Router ID 4 4 4 4 Address 192 168 1 4 GR State Normal State Full Mode Nbr is Master Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighbor is up for 00 01 28 Authentication Sequence 0 Switch D becomes the DR and Switch C is the BDR 3 Configure router priorities on interfaces Confi...

Page 496: ...3 MTU 0 Dead timer due in 35 sec Neighbor is up for 00 11 19 Authentication Sequence 0 Router ID 3 3 3 3 Address 192 168 1 3 GR State Normal State Full Mode Nbr is Slave Priority 2 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 33 sec Neighbor is up for 00 11 15 Authentication Sequence 0 The DR and BDR have no change In the above output you can find the priority configuration does not take...

Page 497: ...168 1 1 BDR 192 168 1 3 MTU 0 Dead timer due in 39 sec Neighbor is up for 00 01 41 Authentication Sequence 0 Switch A becomes the DR and Switch C is the BDR If the neighbor state is full it means Switch D has established the adjacency with the neighbor If the neighbor state is 2 way it means the two switches are neither the DR nor the BDR and they do not exchange LSAs Display OSPF interface inform...

Page 498: ... Switch D Area 2 Vlan int300 10 1 1 2 24 Vlan int100 10 3 1 2 24 Vlan int100 10 3 1 1 24 Virtual link Vlan int200 10 2 1 1 24 Vlan int200 10 2 1 2 24 Area 1 Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF basic functions Configure Switch A SwitchA system view SwitchA ospf 1 router id 1 1 1 1 SwitchA ospf 1 area 0 SwitchA ospf 1 area 0 0 0 0 network 10 1 1 0...

Page 499: ...ting OSPF Process 1 with Router ID 2 2 2 2 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 10 2 1 0 24 2 Transit 10 2 1 1 3 3 3 3 0 0 0 1 10 1 1 0 24 2 Transit 10 1 1 2 2 2 2 2 0 0 0 0 Total Nets 2 Intra Area 2 Inter Area 0 ASE 0 NSSA 0 Since Area 0 has no direct connection to Area 2 the routing table of Switch B has no route to Area 2 3 Configure a virtual link Con...

Page 500: ...IETF standard GR Restarter whereas Switch B and Switch C are the GR Helpers and re synchronize their LSDB with Switch A through OOB communication of GR Figure 1 28 Network diagram for OSPF GR configuration Vlan int100 192 1 1 1 24 Vlan int100 192 1 1 3 24 Vlan int100 192 1 1 2 24 GR helper GR helper GR restarter Switch A Switch C Switch B Router ID 1 1 1 1 Router ID 2 2 2 2 Router ID 3 3 3 3 Confi...

Page 501: ...0 area 0 SwitchC ospf 100 area 0 0 0 0 network 192 1 1 0 0 0 0 255 4 Verify the configuration After the configurations on Switch A Switch B and Switch C are completed and the switches are running steadily enable OSPF Graceful Restart event debugging and then perform OSPF GR on Switch A SwitchA debugging ospf event graceful restart SwitchA terminal monitor SwitchA terminal debugging SwitchA reset o...

Page 502: ... NSSA LSAs Switch A completes GR with the help of Switch B Configuring Route Filtering Network requirements As shown in the following figure z All the switches in the network run OSPF The AS is divided into three areas z Switch A and Switch B work as ABRs z Configure Switch C as an ASBR to redistribute external routes static routes and configure a filter policy on Switch C to filter out redistribu...

Page 503: ...1 0 24 Direct 0 0 10 2 1 1 Vlan200 10 2 1 1 32 Direct 0 0 127 0 0 1 InLoop0 10 3 1 0 24 OSPF 10 4 10 1 1 2 Vlan100 10 4 1 0 24 OSPF 10 13 10 2 1 2 Vlan200 10 5 1 0 24 OSPF 10 14 10 1 1 2 Vlan100 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 On Switch C filter out route 3 1 3 0 24 Configure the IPv4 prefix list SwitchC ip ip prefix prefix1 index 1 deny 3 1 3 0...

Page 504: ...ilter route 10 5 1 0 24 SwitchA ospf 1 SwitchA ospf 1 filter policy 2000 import SwitchA ospf 1 quit Display the OSPF routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 10 Routes 10 Destination Mask Proto Pre Cost NextHop Interface 3 1 1 0 24 O_ASE 150 1 10 2 1 2 Vlan200 3 1 2 0 24 O_ASE 150 1 10 2 1 2 Vlan200 10 1 1 0 24 Direct 0 0 10 1 1 1 Vlan100 10 1 1...

Page 505: ...s to other areas Analysis The backbone area must maintain connectivity to all other areas If a router connects to more than one area at least one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cannot receive external routes and all interfaces connected to the Stub area must belong to the Stub area Solution 1 Use the display ospf p...

Page 506: ... Redistribution 1 21 Configuring IS IS Route Filtering 1 21 Configuring IS IS Route Leaking 1 22 Tuning and Optimizing IS IS Networks 1 23 Configuration Prerequisites 1 23 Specifying Intervals for Sending IS IS Hello and CSNP Packets 1 23 Specifying the IS IS Hello Multiplier 1 23 Configuring a DIS Priority for an Interface 1 24 Disabling an Interface from Sending Receiving IS IS Packets 1 24 Enab...

Page 507: ...Process with MIBs 1 33 Displaying and Maintaining IS IS 1 34 IS IS Configuration Example 1 35 IS IS Basic Configuration 1 35 DIS Election Configuration 1 39 Configuring IS IS Route Redistribution 1 44 IS IS based Graceful Restart Configuration Example 1 47 IS IS Authentication Configuration Example 1 49 ...

Page 508: ...mic routing protocol designed by the International Organization for Standardization ISO to operate on the connectionless network protocol CLNP The IS IS routing protocol was modified and extended in RFC 1195 by the International Engineer Task Force IETF for application in both TCP IP and OSI reference models and the new one is called Integrated IS IS or Dual IS IS IS IS is an Interior Gateway Prot...

Page 509: ...The IDP is equal to the network ID of an IP address and the DSP is equal to the subnet and host ID The IDP includes the Authority and Format Identifier AFI and the Initial Domain Identifier IDI The DSP includes the High Order Part of DSP HO DSP System ID and SEL where the HO DSP identifies the area the System ID identifies the host and the SEL identifies the type of service The IDP and DSP are var...

Page 510: ...reas Typically a Level 1 router is deployed within an area a Level 2 router is deployed between areas and a Level 1 2 router is deployed between Level 1 and Level 2 routers Level 1 and Level 2 1 Level 1 router A Level 1 router establishes neighbor relationships with Level 1 and Level 1 2 routers in the same area The LSDB maintained by the Level 1 router contains the local area routing information ...

Page 511: ...ne The other four areas are non backbone areas connected to the backbone through Level 1 2 routers Figure 1 2 IS IS topology Figure 1 3 shows another IS IS topology The Level 1 2 routers connect to the Level 1 and Level 2 routers and form the IS IS backbone together with the Level 2 routers There is no area defined as the backbone in this topology The backbone comprises all contiguous Level 2 and ...

Page 512: ...e the information of other Level 1 areas and the Level 2 area with the Level 1 area by default Since a Level 1 router simply sends packets destined for other areas to the nearest Level 1 2 router this may cause that the best paths cannot be selected To solve this problem route leaking was introduced A Level 2 router can advertise Level 2 routing information to a specified Level 1 area By having th...

Page 513: ...th each other Figure 1 4 DIS in the IS IS broadcast network The DIS creates and updates pseudonodes as well as generates their LSPs to describe all routers on the network A pseudonode represents a virtual node on the broadcast network It is not a real router In IS IS it is identified by the system ID of the DIS and a one byte Circuit ID a non zero value Using pseudonodes can reduce the resources c...

Page 514: ...sion Protocol ID Extension Set to 1 0x01 z ID Length Length of the NSAP address and NET ID z R Reserved Set to 0 z PDU Type For details refer to Table 1 1 z Version Set to 1 0x01 z Maximum Area Address Maximum number of area addresses supported Table 1 1 PDU type Type PDU Type Acronym 15 Level 1 LAN IS IS hello PDU L1 LAN IIH 16 Level 2 LAN IS IS hello PDU L2 LAN IIH 17 Point to Point IS IS hello ...

Page 515: ...mmon header Figure 1 7 L1 L2 LAN IIH format z Reserved Circuit Type The first 6 bits are reserved with a value of 0 The last 2 bits indicate the router type 00 means reserved 01 indicates L1 10 indicates L2 and 11 indicates L1 2 z Source ID System ID of the router advertising the hello packet z Holding Time If no hello packets are received from the neighbor within the holding time the neighbor is ...

Page 516: ...The Link State PDUs LSP carry link state information LSP involves two types Level 1 LSP and Level 2 LSP The Level 2 LSPs are sent by the Level 2 routers and the Level 1 LSPs are sent by the Level 1 routers The level 1 2 router can send both types of LSPs The two types of LSPs have the same format as shown in Figure 1 9 Figure 1 9 L1 L2 LSP format ...

Page 517: ...xample in Figure 1 10 Router A forwards packets to Router C through Router B Once other routers know the OL field of LSPs from Router B is set to 1 Router A will send packets to Router C via Router D and Router E but still send to Router B packets destined to the network directly connected to Router B Figure 1 10 LSDB overload z IS Type Type of the router generating the LSP SNP format A sequence n...

Page 518: ...neighbors Figure 1 12 shows the PSNP packet format Figure 1 12 L1 L2 PSNP format Intradomain routing protocol discriminator Reserved Version R ID length Version Protocol ID extension Length indicator Maximum area address R R PDU type No of Octets 1 1 1 1 1 1 1 1 PDU length Source ID Variable length fields 2 ID length 1 CLV The variable fields of PDU comprise multiple Code Length Value CLV triplets...

Page 519: ...nformation L2 LSP 131 Inter Domain Routing Protocol Information L2 LSP 132 IP Interface Address IIH LSP Code 1 to 10 of CLV are defined in ISO 10589 code 3 and 5 are not shown in the table and others are defined in RFC 1195 Supported IS IS Features Multiple instances and processes IS IS supports multiple instances and processes Multiple processes allow a IS IS process to work in concert with a gro...

Page 520: ...information by flooding LSPs One LSP carries a limited amount of link state information therefore IS IS fragments LSPs Each LSP fragment is uniquely identified by a combination of the System ID Pseudonode ID 0 for a common LSP or a non zero value for a Pseudonode LSP and LSP Number LSP fragment number of the node or pseudo node that generated the LSP The one byte LSP Number field allowing a maximu...

Page 521: ...irtual systems z Mode 2 Applicable to a network where all the routers support LSP fragment extension In this mode all the IS IS routers know which virtual system belongs to which originating system therefore no limitation is imposed on the link state information of the extended LSP fragments advertised by the virtual systems The operation mode of LSP fragment extension is configured based on area ...

Page 522: ...riority for IS IS Required Configuring the Maximum Number of Equal Cost Routes Optional Configuring IS IS Route Summarization Optional Advertising a Default Route Optional Configuring IS IS Route Redistribution Optional Configuring IS IS Route Filtering Optional Configuring IS IS Routing Information Control Configuring IS IS Route Leaking Optional Specifying Intervals for Sending IS IS Hello and C...

Page 523: ...fault Return to system view quit Enter interface view interface interface type interface number Enable an IS IS process on the interface isis enable process id Required Disabled by default Configuring the IS Level and Circuit Level If only one area is available it is recommended that z Configure the IS level of all routers as Level 1 or Level 2 and don t configure different levels in this case bec...

Page 524: ...zation mechanism If there are only two routers on a broadcast network you can configure the network type of attached interfaces as P2P to avoid DIS election and CSNP flooding saving network bandwidth and speeding up network convergence Follow these steps to configure the network type of an interface To do Use the command Remarks Enter system view system view Enter interface view interface interfac...

Page 525: ... Mbps the interface cost equals 10 z If none of the above costs is used a default cost of 10 applies Configuring an IS IS cost for an interface Follow these steps to configure a cost for an interface To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Specify an IS IS cost style cost style narrow wide wide compatible compatibl...

Page 526: ...ins You can reference a routing policy to specify a priority for specific routes For information about routing policy refer to Routing Policy Configuration in the IP Routing Volume Follow these steps to configure the priority of IS IS To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Specify a priority for IS IS preference r...

Page 527: ...z The cost of the summary route is the lowest one among the costs of summarized routes z The router summarizes only the routes in the locally generated LSPs Advertising a Default Route A router running IS IS cannot redistribute any default route and thus cannot advertise a default route to other neighbors You can use the following commands to advertise a default route of 0 0 0 0 0 to the same leve...

Page 528: ...1 Level 2 IPv4 routes import route limit number Optional By default the maximum number of redistributed Level 1 Level 2 IPv4 routes is 12288 Only active routes can be redistributed You can use the display ip routing table protocol command to display route state information Configuring IS IS Route Filtering You can reference a configured ACL IP prefix list or routing policy to filter routes calcula...

Page 529: ...ing protocol or IS IS process filter policy acl number ip prefix ip prefix name route policy route policy name export protocol process id Required Not configured by default Configuring IS IS Route Leaking With IS IS route leaking enabled the Level 1 2 router can advertise the routing information of other Level 1 areas and Level 2 area routing information to Level 1 routers Follow these steps to co...

Page 530: ...e interval for sending CSNP packets on the DIS of a broadcast network isis timer csnp seconds level 1 level 2 Optional 10 seconds by default The interval between hello packets sent by the DIS is 1 3 the hello interval set with the isis timer hello command Specifying the IS IS Hello Multiplier If a neighbor receives no hello packets from the router within the advertised hold time it considers the r...

Page 531: ...vel 2 Optional 64 by default Disabling an Interface from Sending Receiving IS IS Packets After disabled from sending and receiving hello packets an interface cannot form any neighbor relationship but can advertise directly connected networks in LSPs through other interfaces By doing so you can save bandwidth and CPU resources while ensuring other routers know networks directly connected to the int...

Page 532: ...needs to refresh LSPs generated by itself at a configurable interval and send them to other routers to prevent valid routes from being aged out A smaller refresh interval speeds up network convergence but consumes more bandwidth When the network topology changes for example a neighbor is down up or the interface metric system ID or area ID is changed the router generates an LSP after a configurabl...

Page 533: ...5 seconds by default Configure a proper LSP retransmission interval to avoid unnecessary retransmissions Specifying LSP lengths IS IS messages cannot be fragmented at the IP layer because they are directly encapsulated in frames Therefore IS IS routers in an area need to send LSPs smaller than the smallest interface MTU in this area If the IS IS routers have different interface MTUs it is recommen...

Page 534: ... level 1 level 2 level 1 2 mode 1 mode 2 Required Not enabled by default Configure a virtual system ID virtual system virtual system id Required Not configured by default z After LSP fragment extension is enabled for an IS IS process the MTUs of all the interfaces running the IS IS process must not be less than 512 otherwise LSP fragment extension will not take effect z At least one virtual system...

Page 535: ...ce into a mesh group and block an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Add the interface to a mesh group isis mesh group mesh group number Block the interface isis mesh group mesh blocked Required to choose either By default the interface neither belongs to any mesh group nor is blocked The mesh group f...

Page 536: ...eps to set the LSDB overload bit To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Set the overload bit set overload on startup start from nbr system id timeout1 nbr timeout timeout2 allow interlevel external Required Not set by default Configuring IS IS Authentication Configuration Prerequisites Complete the following tasks...

Page 537: ...ord in received Level 1 packets Routers in a common area must have the same authentication mode and password Follow these steps to configure area authentication To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Specify the area authentication mode and password area authentication mode simple md5 password ip osi Required No a...

Page 538: ... host name for dynamic system ID to host name mapping applies Configuring a Static System ID to Host Name Mapping Follow these steps to configure a static system ID to host name mapping To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Configure a system ID to host name mapping for a remote IS is name map sys id map sys name...

Page 539: ... the event to its GR capable neighbors which known as the GR helpers will keep their adjacencies with the router within a configurable GR interval After the restart the router contacts its neighbors to retrieve its routing table During the whole process the network keeps stable You can enable the GR Restarter to suppress the Suppress Advertisement SA bit in the hello PDUs In this way its neighbors...

Page 540: ...s to the terminal for display Enabling IS IS SNMP Trap Follow these steps to enable IS IS SNMP trap To do Use the command Remarks Enter system view system view Enter IS IS view isis process id vpn instance vpn instance name Enable SNMP trap is snmp traps enable Required Enabled by default Binding an IS IS Process with MIBs Follow these steps to bind an IS IS process with MIBs To do Use the command...

Page 541: ...Available in any view Display IS IS mesh group information display isis mesh group process id vpn instance vpn instance name Available in any view Display the host name to system ID mapping table display isis name table process id vpn instance vpn instance name Available in any view Display IS IS neighbor information display isis peer verbose statistics process id vpn instance vpn instance name Av...

Page 542: ...esses for interfaces omitted 2 Configure IS IS Configure Switch A SwitchA system view SwitchA isis 1 SwitchA isis 1 is level level 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA isis 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 isis enable 1 SwitchA Vlan interface100 quit Configure Switch B SwitchB system view SwitchB isis 1 SwitchB isis 1 is level level 1 Sw...

Page 543: ...face 100 SwitchD Vlan interface100 isis enable 1 SwitchD Vlan interface100 quit SwitchD interface vlan interface 300 SwitchD Vlan interface300 isis enable 1 SwitchD Vlan interface300 quit 3 Verify the configuration Display the IS IS LSDB of each switch to check the LSP integrity SwitchA display isis lsdb Database information for ISIS 1 Level 1 Link State Database LSPID Seq Num Checksum Holdtime Le...

Page 544: ...cksum Holdtime Length ATT P OL 0000 0000 0001 00 00 0x00000006 0xdb60 847 68 0 0 0 0000 0000 0002 00 00 0x00000008 0xe651 1053 68 0 0 0 0000 0000 0002 01 00 0x00000005 0xd2b3 1052 55 0 0 0 0000 0000 0003 00 00 0x00000014 0x194a 1051 111 1 0 0 0000 0000 0003 01 00 0x00000002 0xabdb 854 55 0 0 0 Self LSP Self LSP Extended ATT Attached P Partition OL Overload Level 2 Link State Database LSPID Seq Num...

Page 545: ...l 2 SwitchA display isis route Route information for ISIS 1 ISIS 1 IPv4 Level 1 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 10 1 1 0 24 10 NULL Vlan100 Direct D L 10 1 2 0 24 20 NULL Vlan100 10 1 1 1 R 192 168 0 0 24 20 NULL Vlan100 10 1 1 1 R 0 0 0 0 0 10 NULL Vlan100 10 1 1 1 R Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set SwitchC display i...

Page 546: ...Destination IntCost ExtCost ExitInterface NextHop Flags 192 168 0 0 24 10 NULL Vlan300 Direct D L 10 1 1 0 24 20 NULL Vlan300 192 168 0 1 R 10 1 2 0 24 20 NULL Vlan300 192 168 0 1 R 172 16 0 0 16 10 NULL Vlan100 Direct D L Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set DIS Election Configuration Network requirements As shown in Figure 1 16 Switch A B C and Switch D reside in I...

Page 547: ...face100 quit Configure Switch B SwitchB system view SwitchB isis 1 SwitchB isis 1 network entity 10 0000 0000 0002 00 SwitchB isis 1 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 isis enable 1 SwitchB Vlan interface100 quit Configure Switch C SwitchC system view SwitchC isis 1 SwitchC isis 1 network entity 10 0000 0000 0003 00 SwitchC isis 1 is level level 1 SwitchC isis 1 qu...

Page 548: ...RI 64 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0004 01 State Up HoldTime 28s Type L2 L1L2 PRI 64 System Id 0000 0000 0004 Interface Vlan interface100 Circuit Id 0000 0000 0004 01 State Up HoldTime 30s Type L2 PRI 64 Display information about IS IS interfaces of Switch A SwitchA display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id I...

Page 549: ...tchA display isis peer Peer information for ISIS 1 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 21s Type L1 L1L2 PRI 64 System Id 0000 0000 0003 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 27s Type L1 PRI 64 System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 28s Ty...

Page 550: ...0000 0001 01 State Up HoldTime 7s Type L1 PRI 100 SwitchC display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No No Display information about IS IS neighbors and interfaces of Switch D SwitchD display isis peer Peer information for ISIS 1 System Id 0000 0000 0001 Interface Vlan interface100 Circuit Id 0000...

Page 551: ...e redistribution Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure IS IS basic functions Configure Switch A SwitchA system view SwitchA isis 1 SwitchA isis 1 is level level 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA isis 1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 isis enable 1 SwitchA Vlan interface100 quit Configure Sw...

Page 552: ...s level level 2 SwitchD isis 1 network entity 20 0000 0000 0004 00 SwitchD isis 1 quit SwitchD interface interface vlan interface 300 SwitchD Vlan interface300 isis enable 1 SwitchD Vlan interface300 quit Display IS IS routing information on each switch SwitchA display isis route Route information for ISIS 1 ISIS 1 IPv4 Level 1 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHo...

Page 553: ...to RM L Advertised in LSPs U Up Down Bit Set SwitchD display isis route Route information for ISIS 1 ISIS 1 IPv4 Level 2 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 192 168 0 0 24 10 NULL VLAN300 Direct D L 10 1 1 0 24 20 NULL VLAN300 192 168 0 1 R 10 1 2 0 24 20 NULL VLAN300 192 168 0 1 R Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set 3 Confi...

Page 554: ...0 NULL VLAN300 Direct D L Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set ISIS 1 IPv4 Level 2 Forwarding Table IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags 10 1 1 0 24 10 NULL VLAN100 Direct D L 10 1 2 0 24 10 NULL VLAN200 Direct D L 192 168 0 0 24 10 NULL VLAN300 Direct D L 10 1 4 0 24 10 NULL VLAN300 192 168 0 2 R L 10 1 5 0 24 20 NULL VLAN300 192 168 0 2 R L ...

Page 555: ... view SwitchA isis 1 SwitchA isis 1 graceful restart SwitchA isis 1 graceful restart interval 150 SwitchA isis 1 return Configurations for Switch B and Switch C are similar and therefore are omitted here 3 Verify the configuration After Router A establishes adjacencies with Router B and Router C they begin to exchange routing information Restart IS IS on Router A which enters into the restart stat...

Page 556: ... IS IS routing domain Switch A Switch B and Switch C belong to Area 10 and Switch D belongs to Area 20 Configure neighbor relationship authentication between neighbors Configure area authentication in Area 10 to prevent untrusted routes from entering into the area Configure routing domain authentication on Switch C and Switch D to prevent untrusted routes from entering the routing domain Figure 1 ...

Page 557: ...itchC interface vlan interface 300 SwitchC Vlan interface300 isis enable 1 SwitchC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 network entity 20 0000 0000 0001 00 SwitchD isis 1 quit SwitchD interface vlan interface 300 SwitchD Vlan interface300 isis enable 1 SwitchD Vlan interface300 quit 3 Configure neighbor relationship authentication between neig...

Page 558: ...00 SwitchD Vlan interface300 isis authentication mode md5 hSec SwitchD Vlan interface300 quit 4 Configure area authentication Specify the MD5 authentication mode and password 10Sec on Switch A Switch B and Switch C SwitchA isis 1 SwitchA isis 1 area authentication mode md5 10Sec SwitchA isis 1 quit SwitchB isis 1 SwitchB isis 1 area authentication mode md5 10Sec SwitchB isis 1 quit SwitchC isis 1 ...

Page 559: ...20 Controlling Route Distribution and Reception 1 21 Prerequisites 1 21 Configuring BGP Route Summarization 1 21 Advertising a Default Route to a Peer or Peer Group 1 22 Configuring BGP Route Distribution Reception Filtering Policies 1 22 Enabling BGP and IGP Route Synchronization 1 24 Limiting Prefixes Received from a Peer Peer Group 1 24 Configuring BGP Route Dampening 1 24 Configuring a Shortcu...

Page 560: ...ing a BGP Confederation 1 38 Configuring BGP GR 1 39 Enabling Trap 1 40 Enabling Logging of Peer State Changes 1 40 Displaying and Maintaining BGP 1 42 Displaying BGP 1 42 Resetting BGP Connections 1 43 Clearing BGP Information 1 43 BGP Configuration Examples 1 43 BGP Basic Configuration 1 43 BGP and IGP Synchronization Configuration 1 47 BGP Load Balancing Configuration 1 49 BGP Community Configu...

Page 561: ...ocument BGP Overview There are three early BGP versions BGP 1 RFC1105 BGP 2 RFC1163 and BGP 3 RFC1267 The current version in use is BGP 4 RFC 4271 which is the defacto Internet exterior gateway protocol used between ISPs The characteristics of BGP are as follows z Focusing on the control of route propagation and the selection of optimal routes rather than the route discovery and calculation which ...

Page 562: ...een ASs Formats of BGP Messages Header BGP has five types of messages z Open z Update z Notification z Keep alive z Route refresh They have the same header as shown below Figure 1 1 BGP message header z Marker The 16 byte field is used to delimit BGP messages The Marker must be all ones z Length The 2 byte unsigned integer indicates the total length of the message z Type This 1 byte unsigned integ...

Page 563: ...awn routes Path attributes NLRI Unfeasible routes length 2 Octets N Octets 2 Octets N Octets N Octets Each update message can advertise a group of feasible routes with identical attributes and the routes are contained in the network layer reachable information NLRI field The Path Attributes field carries attributes of these routes Each update message can also carry multiple withdrawn routes in the...

Page 564: ... Its format contains only the message header Route refresh A route refresh message is sent to a peer to request the resending of the specified address family routing information Its format is shown below Figure 1 5 BGP Route refresh message format z AFI Address family identifier z Res Reserved Set to 0 z SAFI Subsequent Address Family Identifier BGP Path Attributes Classification of path attribute...

Page 565: ...ion that is how a route became a BGP route It involves three types z IGP Has the highest priority Routes added to the BGP routing table using the network command have the IGP attribute z EGP Has the second highest priority Routes obtained via EGP have the EGP attribute z incomplete Has the lowest priority The source of routes with this attribute is unknown which does not mean such routes are unrea...

Page 566: ...cations you can apply a routing policy to control BGP route selection by modifying the AS_PATH length By configuring an AS path filtering list you can filter routes based on AS numbers contained in the AS_PATH attribute 3 NEXT_HOP Different from IGP the NEXT_HOP attribute may not be the IP address of a directly connected router It involves three types of values as shown in Figure 1 7 z When advert...

Page 567: ...e smallest MED value the best route if other conditions are the same As shown below traffic from AS10 to AS20 travels through Router B that is selected according to MED Figure 1 8 MED attribute D 9 0 0 0 Next_hop 2 1 1 1 MED 0 D 9 0 0 0 Next_hop 3 1 1 1 MED 100 MED 0 Router B Router A Router C Router D 2 1 1 1 3 1 1 1 MED 100 AS 20 AS 10 9 0 0 0 EBGP EBGP IBGP IBGP IBGP In general BGP compares MED...

Page 568: ...o do with the local AS Well known community attributes involve z Internet By default all routes belong to the Internet community Routes with this attribute can be advertised to all BGP peers z No_Export After received routes with this attribute cannot be advertised out the local AS or out the local confederation but can be advertised to other sub ASs in the confederation for confederation informat...

Page 569: ...P load balancing based on route recursion namely if multiple recursive routes to the same destination are load balanced suppose three direct next hop addresses BGP generates the same number of next hops to forward packets Note that BGP load balancing based on route recursion is always enabled by the system rather than configured using commands BGP differs from IGP in the implementation of load bal...

Page 570: ...cluding both eBGP and iBGP peers z A BGP speaker does not advertise routes from an iBGP peer to other iBGP peers z A BGP speaker advertises routes learned through iBGP to eBGP peers Note that if BGP and IGP synchronization is disabled those routes are advertised to eBGP peers directly If the feature is enabled only after IGP advertises those routes can BGP advertise the routes to eBGP peers z A BG...

Page 571: ... that is a route comes up and disappears in the routing table frequently When a route flap occurs the routing protocol sends an update to its neighbor and then the neighbor needs to recalculate routes and modify the routing table Therefore frequent route flaps consume large bandwidth and CPU resources and even affect network normal operation In most cases BGP is used in complex networks where rout...

Page 572: ...of BGP routers in several ASs enjoy the same policy Community is a path attribute and advertised between BGP peers without being limited by AS A BGP router can modify the community attribute for a route before sending it to other peers Besides using well known community attributes you can define extended community attributes by using a community list to define a routing policy Route reflector iBGP...

Page 573: ...single point failure as shown in the following figure The configured route reflectors must have the same Cluster_ID to avoid routing loops Figure 1 14 Network diagram for route reflectors Route reflector1 Route reflector2 Client Client Client IBGP IBGP IBGP Cluster IBGP AS 65000 When the BGP routers in an AS are fully meshed route reflection is unnecessary because it consumes more bandwidth resour...

Page 574: ...he topology will be changed In large scale BGP networks both route reflector and confederation can be used BGP GR z For GR Graceful Restart information refer to GR Overview in the High Availability Volume z The 4800G series switches are centralized devices that support IRF They can act as a GR Helper before forming an IRF they can form a distributed chassis switch in a logical sense and act as a G...

Page 575: ...rotocol Extensions for BGP 4 MP BGP in RFC 4760 Routers supporting MP BGP can communicate with routers not supporting MP BGP MP BGP extended attributes In BGP 4 the three types of attributes for IPv4 address format namely NLRI NEXT_HOP and AGGREGATOR AGGREGATOR contains the IP address of the speaker generating the summary route are all carried in updates To support multiple network layer protocols...

Page 576: ...tem Confederations for BGP z draft ietf idr restart 08 Graceful Restart Mechanism for BGP BGP Configuration Task List Complete the following tasks to configure BGP Task Remarks Creating a BGP Connection Required Specifying the Source Interface for TCP Connections Optional Configuring BGP Basic Functions Allowing Establishment of eBGP Connection to a Non Directly Connected Peer Peer Group Optional ...

Page 577: ...eset Optional Enabling Quick eBGP Session Reestablishment Optional Enabling MD5 Authentication for TCP Connections Optional Configuring BGP Load Balancing Optional Tuning and Optimizing BGP Networks Forbiding Session Establishment with a Peer or Peer Group Optional Configuring BGP Peer Groups Optional Configuring BGP Community Optional Configuring a BGP Route Reflector Optional Configuring a Large...

Page 578: ...r group name ip address as number as number Required Not specified by default Enable the default use of IPv4 unicast address family for the peers that are established using the peer as number command default ipv4 unicast Optional Enabled by default Enable a peer peer ip address enable Optional Enabled by default Configure a description for a peer peer group peer group name ip address description d...

Page 579: ...he best route to the peer as the source interface Allowing Establishment of eBGP Connection to a Non Directly Connected Peer Peer Group In general direct physical links should be available between eBGP peers If not you can use the peer ebgp max hop command to establish a TCP connection over multiple hops between two peers Follow these steps to allow establishment of eBGP connection to a non direct...

Page 580: ...ed by default Configuring BGP Route Redistribution BGP does not find routes by itself Rather it redistributes routing information in the local AS from other routing protocols During route redistribution you can configure BGP to filter routing information from specific routing protocols The origin attribute of routes redistributed using the import route command is Incomplete Follow these steps to c...

Page 581: ... summarizes redistributed IGP subnets to advertise only natural networks Routes injected with the network command can not be summarized Follow these steps to configure automatic route summarization To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure automatic route summarization summary automatic Required Not configured by default Configure manual rou...

Page 582: ...ddress default route advertise route policy route policy name Required Not advertised by default Configuring BGP Route Distribution Reception Filtering Policies Prerequisites You need to configure following filters as needed z ACL z IP prefix list z Route policy z AS path ACL For how to configure an ACL refer to ACL Configuration in the Security Volume For how to configure an IP prefix list route ...

Page 583: ...the configured filtering policies can be installed into the local BGP routing table Members of a peer group can have different route reception filtering policies from the peer group Follow these steps to configure BGP route reception filtering policies To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Filter incoming routes with an ACL or IP prefix list filte...

Page 584: ... the number is reached the router breaks down the BGP connection to the peer peer group name ip address route limit prefix number percentage value Specify the maximum number of prefixes that can be received from a peer peer group If the number is reached the router outputs alert information but does not break down the BGP connection to the peer peer group name ip address route limit prefix number ...

Page 585: ... Specifying a Preferred Value for Routes Received By default routes received from a peer have a preferred value of 0 Among multiple routes that have the same destination mask and are learned from different peers the one with the greatest preferred value is selected as the route to the destination Follow these steps to specify a preferred value for routes from a peer or peer group To do Use the com...

Page 586: ...local preference for routes sent to iBGP peers Follow these steps to specify the default local preference To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure the default local preference default local preference value Optional 100 by default Configuring the MED Attribute MED is used to determine the best route for traffic going into an AS When a BGP r...

Page 587: ...C becomes optimal as shown below Network NextHop MED LocPrf PrefVal Path Ogn i 10 0 0 0 1 1 1 1 60 0 200e i 10 0 0 0 2 2 2 2 50 0 300e i 3 3 3 3 50 0 200e However Router C and Router B reside in the same AS and therefore BGP will compare the MEDs of them Since Router C has a greater MED network 10 0 0 0 learned from it is not optimal In this case you can configure the bestroute compare med command...

Page 588: ...ir AS path attributes contain AS numbers that don t belong to the confederation For example there are three routes AS path attributes of them are 65006 65009 65007 65009 and 65008 65009 and MED values of them are 2 3 and 1 Because the third route contains an AS number that does not belong to the confederation the first route becomes the optimal route Configuring the Next Hop Attribute By default w...

Page 589: ...r will set it as the next hop for routes sent to an iBGP peer peer group regardless of whether the peer next hop local command is configured Follow these steps to configure the next hop attribute To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Specify the router as the next hop of routes sent to a peer peer group peer group name ip address next hop local Op...

Page 590: ...n configure Router A to specify a fake AS number of 2 for created connections to eBGP peers peer groups In this way these eBGP peers still think Router A is in AS 2 and thus need not change their configurations This feature ensures uninterrupted BGP services Follow these steps to specify a fake AS number for a peer peer group To do Use the command Remarks Enter system view system view Enter BGP vi...

Page 591: ...ystem view system view Enter BGP view bgp as number Replace the AS number of a peer peer group in the AS_PATH attribute as the local AS number peer group name ip address substitute as Optional Not configured by default Improper AS number substitution configuration may cause route loops use this command with caution Remove private AS numbers from updates to a peer peer group Follow these steps to r...

Page 592: ...econds z The maximum keepalive interval should be one third of the holdtime and no less than 1 second The holdtime is no less than 3 seconds unless it is set to 0 z The intervals set with the peer timer command are preferred to those set with the timer command z If the router has established a neighbor relationship with a peer you need to reset the BGP connection to validate the new set timers Con...

Page 593: ...esh for a peer peer group peer group name ip address capability advertise route refresh Optional Enabled by default Configure manual soft reset If a BGP peer does not support route refresh you need to save updates from the peer on the local router by using the peer keep all routes command When a route selection policy is modified you can use the refresh bgp command to refresh the BGP routing table...

Page 594: ...TCP connections BGP MD5 authentication is not for BGP packets but for TCP connections If the authentication fails no TCP connection can be established Follow these steps to enable MD5 authentication for TCP connections To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable MD5 authentication when establishing a TCP connection to the peer peer group peer gro...

Page 595: ...etwork many peers may use the same route selection policy You can configure a peer group and add these peers into this group In this way peers can share the same policy as the peer group When the policy of the group is modified the modification also applies to peers in it thus simplifying configuration A peer group is an iBGP peer group if peers in it belong to the same AS and is an eBGP peer grou...

Page 596: ...bgp as number Create an eBGP peer group group group name external Required Specify the AS number for the group peer group name as number as number Required Add a peer into the group peer ip address group group name Required All the added peers have the same AS number as that of the peer group Follow these steps to configure an eBGP peer group using the second approach To do Use the command Remarks...

Page 597: ...eers Configuring route reflectors or confederation can solve it In a large scale AS both of them can be used Configuring BGP Community A BGP community is a group of destinations with the same characteristics It has no geographical boundaries and is independent of ASs You can configure a route policy to define which destinations belong to a BGP community and then advertise the community attribute t...

Page 598: ...mber Configure the router as a route reflector and specify a peer peer group as its client peer group name ip address reflect client Required Not configured by default Enable route reflection between clients reflect between clients Optional Enabled by default Configure the cluster ID of the route reflector reflector cluster id cluster id Optional By default a route reflector uses its router ID as ...

Page 599: ...t The AS number of a sub AS is effective only in the confederation Follow these steps to configure a BGP confederation To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Configure a confederation ID confederation id as number Required Not configured by default Specify peering sub ASs in the confederation confederation peer as as number list Required Not config...

Page 600: ...n Base indicates the end of route updates Enabling Trap After Trap is enabled for BGP BGP generates Level 4 traps to report important events of it The generated traps are sent to the Information Center of the device The output rules of the traps namely whether to output the traps and the output direction are determined according to the Information Center configuration For Information Center config...

Page 601: ...1 41 To do Use the command Remarks peer state changes for a peer or peer group peer group name ip address log change Optional Enabled by default ...

Page 602: ...mation matching a BGP community list display bgp routing table community list basic community list number whole match adv community list number 1 16 Display BGP dampened routing information display bgp routing table dampened Display BGP dampening parameter information display bgp routing table dampening parameter Display BGP routing information originating from different ASs display bgp routing ta...

Page 603: ...ask length Clear route flap information reset bgp flap info ip address mask length mask as path acl as path acl number regexp as path regular expression Available in user view BGP Configuration Examples BGP Basic Configuration Network requirements In the following figure are all BGP switches Between Switch A and Switch B is an eBGP connection iBGP speakers Switch B Switch C and Switch D are fully ...

Page 604: ...p peer 9 1 2 1 as number 65009 SwitchD bgp quit 3 Configure the eBGP connection Configure Switch A SwitchA system view SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 200 1 1 1 as number 65009 Inject network 8 0 0 0 8 to the BGP routing table SwitchA bgp network 8 0 0 0 SwitchA bgp quit Configure Switch B SwitchB bgp 65009 SwitchB bgp peer 200 1 1 2 as number 65008 SwitchB bgp qui...

Page 605: ...es 1 BGP Local router ID is 2 2 2 2 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 8 0 0 0 200 1 1 2 0 0 65008i Display the BGP routing table on Switch C SwitchC display bgp routing table Total Number of Routes 1 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i internal ...

Page 606: ...n on Switch C SwitchC display bgp routing table Total Number of Routes 7 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 8 0 0 0 200 1 1 2 0 100 0 65008i i 9 1 1 0 24 9 1 3 1 0 100 0 i 9 1 1 2 32 9 1 3 1 0 100 0 i 9 1 3 0 24 9 1 3 1 0 100 0 i 9 1 3 2 32 9 1 3 1 0 10...

Page 607: ...n Figure 1 21 Network diagram for BGP and IGP synchronization Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF omitted 3 Configure the eBGP connection Configure Switch A SwitchA system view SwitchA bgp 65008 SwitchA bgp router id 1 1 1 1 SwitchA bgp peer 3 1 1 1 as number 65009 Inject network 8 1 1 0 24 to the BGP routing table SwitchA bgp network 8 1 1 0 24...

Page 608: ... SwitchC display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 8 1 1 0 24 O_ASE 150 1 9 1 1 1 Vlan300 9 1 1 0 24 Direct 0 0 9 1 1 2 Vlan300 9 1 1 2 32 Direct 0 0 127 0 0 1 InLoop0 9 1 2 0 24 Direct 0 0 9 1 2 1 Vlan400 9 1 2 1 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 ...

Page 609: ...ms BGP Load Balancing Configuration Network requirements As shown in the following figure all the switches run BGP Switch A resides in AS 65008 Switch B and Switch C in AS 65009 Between Switch A and Switch B Switch A and Switch C are eBGP connections and between Switch B and Switch C is an iBGP connection Two routes are configured on Switch A for load balancing Figure 1 22 Network diagram for BGP ...

Page 610: ...255 255 0 SwitchC bgp quit Display the routing table on Switch A SwitchA display bgp routing table Total Number of Routes 3 BGP Local router ID is 1 1 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 8 0 0 0 0 0 0 0 0 0 i 9 1 1 0 24 200 1 1 1 0 0 65009i 200 1 2 1 0 0 65009i From the above output...

Page 611: ...er than sign indicating they are the best routes BGP Community Configuration Network requirements As shown in the following figure Switch B establishes eBGP connections with Switch A and C Configure No_Export community attribute on Switch A to make routes from AS 10 not advertised by AS 20 to any other AS Figure 1 23 Network diagram for BGP community configuration Configuration procedure 1 Configu...

Page 612: ...ion of 9 1 1 0 24 From 200 1 2 1 1 1 1 1 Original nexthop 200 1 2 1 AS path 10 Origin igp Attribute value MED 0 pref val 0 pre 255 State valid external best Advertised to such 1 peers 200 1 3 2 Switch B advertised routes to Switch C in AS30 Display the routing table on Switch C SwitchC display bgp routing table Total Number of Routes 1 BGP Local router ID is 3 3 3 3 Status codes valid best d dampe...

Page 613: ...iginal nexthop 200 1 2 1 Community No Export AS path 10 Origin igp Attribute value MED 0 pref val 0 pre 255 State valid external best Not advertised to any peers yet The route 9 1 1 0 24 is not available in the routing table of Switch C BGP Route Reflector Configuration Network requirements In the following figure all switches run BGP z Between Switch A and Switch B is an eBGP connection between S...

Page 614: ...200 SwitchB bgp peer 193 1 1 1 next hop local SwitchB bgp quit Configure Switch C SwitchC system view SwitchC bgp 200 SwitchC bgp router id 3 3 3 3 SwitchC bgp peer 193 1 1 2 as number 200 SwitchC bgp peer 194 1 1 2 as number 200 SwitchC bgp quit Configure Switch D SwitchD system view SwitchD bgp 200 SwitchD bgp router id 4 4 4 4 SwitchD bgp peer 194 1 1 1 as number 200 SwitchD bgp quit 3 Configur...

Page 615: ... to reduce iBGP connections in AS 200 split it into three sub ASs AS65001 AS65002 and AS65003 Switches in AS65001 are fully meshed Figure 1 25 Network diagram for BGP confederation configuration Switch F Switch A Switch D Switch E AS 200 AS 100 Vlan int600 Switch B Switch C AS 65002 AS 65003 Vlan int100 Vlan int100 AS 65001 V l a n i n t 3 0 0 Vlan int400 Vlan int500 Vlan int400 Vlan int500 Vlan i...

Page 616: ...bgp confederation peer as 65001 65003 SwitchB bgp peer 10 1 1 1 as number 65001 SwitchB bgp quit Configure Switch C SwitchC system view SwitchC bgp 65003 SwitchC bgp router id 3 3 3 3 SwitchC bgp confederation id 200 SwitchC bgp confederation peer as 65001 65002 SwitchC bgp peer 10 1 2 1 as number 65001 SwitchC bgp quit 3 Configure iBGP connections in AS65001 Configure Switch A SwitchA bgp 65001 S...

Page 617: ... 200 1 1 1 as number 200 SwitchF bgp network 9 1 1 0 255 255 255 0 SwitchF bgp quit 5 Verify above configuration Display the routing table on Switch B SwitchB display bgp routing table Total Number of Routes 1 BGP Local router ID is 2 2 2 2 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 9 1 1 0 ...

Page 618: ...100 pref val 0 pre 255 State valid internal best Not advertised to any peers yet The output information shows that z Switch F can send route information to Switch B and Switch C through the confederation by establishing only an eBGP connection with Switch A z Switch B and Switch D are in the same confederation but belong to different sub ASs They obtain external route information from Switch A and...

Page 619: ...em view SwitchB ospf SwitchB ospf area 0 SwitchB ospf 1 area 0 0 0 0 network 192 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 network 194 1 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Configure Switch C SwitchC system view SwitchC ospf SwitchC ospf area 0 SwitchC ospf 1 area 0 0 0 0 network 193 1 1 0 0 0 0 255 SwitchC ospf 1 area 0 0 0 0 network 195 1 1 0 0 0 0 255 SwitchC os...

Page 620: ...or the route 1 0 0 0 8 advertised from Switch A to peer 192 1 1 2 Define an ACL numbered 2000 to permit route 1 0 0 0 8 SwitchA acl number 2000 SwitchA acl basic 2000 rule permit source 1 0 0 0 0 255 255 255 SwitchA acl basic 2000 quit Define two routing policies apply_med_50 which sets the MED for route 1 0 0 0 8 to 50 and apply_med_100 which sets the MED for route 1 0 0 0 8 to 100 SwitchA route ...

Page 621: ...0 255 255 255 SwitchC acl basic 2000 quit Configure a routing policy named localpref on Switch C setting the local preference of route 1 0 0 0 8 to 200 the default is 100 SwitchC route policy localpref permit node 10 SwitchC route policy if match acl 2000 SwitchC route policy apply local preference 200 SwitchC route policy quit Apply routing policy localpref to routes from peer 193 1 1 1 SwitchC b...

Page 622: ...rent configuration command to verify the peer s AS number 2 Use the display bgp peer command to verify the peer s IP address 3 If the loopback interface is used check whether the peer connect interface command is configured 4 If the peer is a non direct eBGP peer check whether the peer ebgp max hop command is configured 5 Check whether a route to the peer is available in the routing table 6 Use th...

Page 623: ...6 Static Routing 1 1 Features of IPv6 Static Routes 1 1 Default IPv6 Route 1 1 Configuring an IPv6 Static Route 1 1 Configuration prerequisites 1 2 Configuring an IPv6 Static Route 1 2 Displaying and Maintaining IPv6 Static Routes 1 2 IPv6 Static Routing Configuration Example 1 2 ...

Page 624: ...tcomings any topology changes could result in unavailable routes requiring the network administrator to manually configure and modify the static routes Features of IPv6 Static Routes Similar to IPv4 static routes IPv6 static routes work well in simple IPv6 network environments Their major difference lies in the destination and next hop addresses IPv6 static routes use IPv6 addresses whereas IPv4 s...

Page 625: ...preference preference value Required The default preference of IPv6 static routes is 60 Displaying and Maintaining IPv6 Static Routes To do Use the command Remarks Display IPv6 static route information display ipv6 routing table protocol static inactive verbose Available in any view Remove all IPv6 static routes delete ipv6 static routes all Available in system view Using the undo ipv6 route stati...

Page 626: ...ic route on SwitchC SwitchC system view SwitchC ipv6 route static 0 5 2 3 Configure the IPv6 addresses of hosts and gateways Configure the IPv6 addresses of all the hosts based upon the network diagram configure the default gateway of Host A as 1 1 that of Host B as 2 1 and that of Host C as 3 1 4 Display configuration information Display the IPv6 routing table of SwitchA SwitchA display ipv6 rout...

Page 627: ... ping command SwitchA ping ipv6 3 1 PING 3 1 56 data bytes press CTRL_C to break Reply from 3 1 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 5 hop limit 254 time 63 ms 3 1 ping statistics...

Page 628: ...tric 1 4 Configuring RIPng Route Summarization 1 5 Advertising a Default Route 1 5 Configuring a RIPng Route Filtering Policy 1 6 Configuring a Priority for RIPng 1 6 Configuring RIPng Route Redistribution 1 6 Tuning and Optimizing the RIPng Network 1 7 Configuring RIPng Timers 1 7 Configuring Split Horizon and Poison Reverse 1 8 Configuring Zero Field Check on RIPng Packets 1 8 Configuring the Ma...

Page 629: ...Next hop 128 bit IPv6 address z Source address RIPng uses FE80 10 as the link local source address RIPng Working Mechanism RIPng is a routing protocol based on the distance vector D V algorithm RIPng uses UDP packets to exchange routing information through port 521 RIPng uses a hop count to measure the distance to a destination The hop count is referred to as metric or cost The hop count from a ro...

Page 630: ...figuration in the IP Routing Volume RIPng Packet Format Basic format A RIPng packet consists of a header and multiple route table entries RTEs The maximum number of RTEs in a packet depends on the IPv6 MTU of the sending interface Figure 1 1 shows the packet format of RIPng Figure 1 1 RIPng basic packet format z Command Type of message 0x01 indicates Request 0x02 indicates Response z Version Versi...

Page 631: ...uested routing information to the requesting router in the response packet Response packet The response packet containing the local routing table information is generated as z A response to a request z An update periodically z A trigged update caused by route change After receiving a response a router checks the validity of the response before adding the route to its routing table such as whether ...

Page 632: ...g a Default Route z Configuring a RIPng Route Filtering Policy z Configuring a Priority for RIPng z Configuring RIPng Route Redistribution Before the configuration accomplish the following tasks first z Configure an IPv6 address on each interface and make sure all nodes are reachable to one another z Configure RIPng basic functions z Define an IPv6 ACL before using it for route filtering Refer to ...

Page 633: ... Summarization Follow these steps to configure RIPng route summarization To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Advertise a summary IPv6 prefix ripng summary address ipv6 address prefix length Required Advertising a Default Route Follow these steps to advertise a default route To do Use the command Remarks Enter sy...

Page 634: ...uting information Configuring a Priority for RIPng Any routing protocol has its own protocol priority used for optimal route selection You can set a priority for RIPng manually The smaller the value is the higher the priority is Follow these steps to configure a RIPng priority To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure a RIPng priority p...

Page 635: ...lancing Configuring RIPng Timers You can adjust RIPng timers to optimize the performance of the RIPng network Follow these steps to configure RIPng timers To do Use the command Remarks Enter system view system view Enter RIPng view ripng process id Configure RIPng timers timers garbage collect garbage collect value suppress suppress value timeout timeout value update update value Optional The RIPn...

Page 636: ...ops Configuring the poison reverse function The poison reverse function enables a route learned from an interface to be advertised through the interface However the metric of the route is set to 16 That is to say the route is unreachable Follow these steps to configure poison reverse To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface...

Page 637: ...lt Displaying and Maintaining RIPng To do Use the command Remarks Display configuration information of a RIPng process display ripng process id Available in any view Display routes in the RIPng database display ripng process id database Available in any view Display the routing information of a specified RIPng process display ripng process id route Available in any view Display RIPng interface inf...

Page 638: ...view SwitchB ripng 1 SwitchB ripng 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 ripng 1 enable SwitchB Vlan interface200 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 ripng 1 enable SwitchB Vlan interface100 quit Configure Switch C SwitchC system view SwitchC ripng 1 SwitchC ripng 1 quit SwitchC interface vlan interface 200 SwitchC Vlan interface200 r...

Page 639: ...rbage collect Peer FE80 200 2FF FE64 8904 on Vlan interface100 Dest 1 64 via FE80 200 2FF FE64 8904 cost 1 tag 0 A 31 Sec Dest 4 64 via FE80 200 2FF FE64 8904 cost 2 tag 0 A 31 Sec Dest 5 64 via FE80 200 2FF FE64 8904 cost 2 tag 0 A 31 Sec Dest 3 64 via FE80 200 2FF FE64 8904 cost 1 tag 0 A 31 Sec 3 Configure Switch B to filter incoming and outgoing routes SwitchB acl ipv6 number 2000 SwitchB acl6...

Page 640: ...00 100 cost 1 tag 0 A 5 Sec Dest 5 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 5 Sec SwitchA display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE00 1235 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE00 1235 cost 1 tag 0 A 2 Sec Dest 4 64 via FE80 20F E2FF FE00 1235 cost 2 tag 0 A 2 Sec Dest 5 64 via FE80 20F E2FF FE00 1235 cost 2 tag 0 A 2 Sec ...

Page 641: ...l 1 7 Prerequisites 1 7 Configuring OSPFv3 Route Summarization 1 7 Configuring OSPFv3 Inbound Route Filtering 1 8 Configuring an OSPFv3 Cost for an Interface 1 8 Configuring the Maximum Number of OSPFv3 Load balanced Routes 1 9 Configuring a Priority for OSPFv3 1 9 Configuring OSPFv3 Route Redistribution 1 10 Tuning and Optimizing OSPFv3 Networks 1 10 Prerequisites 1 11 Configuring OSPFv3 Timers 1...

Page 642: ...ii Troubleshooting OSPFv3 Configuration 1 24 No OSPFv3 Neighbor Relationship Established 1 24 Incorrect Routing Information 1 24 ...

Page 643: ...outer ID and area ID z Packets Hello DD Data Description LSR Link State Request LSU Link State Update LSAck Link State Acknowledgment z Mechanism for finding neighbors and establishing adjacencies z Mechanism for LSA flooding and aging Differences between OSPFv3 and OSPFv2 z OSPFv3 runs on a per link basis instead of on a per IP subnet basis z OSPFv3 supports multiple instances per link z OSPFv3 i...

Page 644: ...r Area Router LSA Similar to Type 4 LSA of OSPFv2 originated by ABRs and flooded throughout the LSA s associated area Each Inter Area Router LSA describes a route to ASBR Autonomous System Boundary Router z AS external LSA Originated by ASBRs and flooded throughout the AS except Stub and NSSA areas Each AS external LSA describes a route to another Autonomous System A default route can be described...

Page 645: ...p time of the LSA LSA delay time Each LSA has an age in the local LSDB incremented by 1 per second but an LSA does not age on transmission You need to add an LSA delay time into the age time before transmission which is important for low speed networks SPF timer Whenever the LSDB changes an SPF calculation happens If recalculations become so frequent a large amount of resources will be occupied Yo...

Page 646: ...oute Redistribution Optional Configuring OSPFv3 Timers Optional Configuring a DR Priority for an Interface Optional Ignoring MTU Check for DD Packets Optional Disable Interfaces from Sending OSPFv3 Packets Optional Tuning and Optimizing OSPFv3 Networks Enable the Logging of Neighbor State Changes Optional Configuring GR Restarter Optional Configuring OSPFv3 GR Configuring GR Helper Optional Enabli...

Page 647: ...n configure them as stub areas to further reduce the size of routing tables and the number of LSAs Non backbone areas exchange routing information via the backbone area Therefore the backbone and non backbone areas including the backbone itself must be contiguous In practice necessary physical links may not be available for such connectivity You can configure virtual links to address the problem P...

Page 648: ... Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Enter OSPFv3 area view area area id Configure a virtual link vlink peer router id hello seconds retransmit seconds trans delay seconds dead seconds instance instance id Required z Both ends of a virtual link are ABRs that must be configured with the vlink peer command z Do not configure virtual links in the ...

Page 649: ...an also specify DR priorities for neighbors Follow these steps to configure an NBMA or P2MP unicast neighbor and its DR priority To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify an NBMA or P2MP unicast neighbor and its DR priority ospfv3 peer ipv6 address dr priority dr priority instance instance id Required Configur...

Page 650: ...ss id Configure inbound route filtering filter policy acl number ipv6 prefix ipv6 prefix name import Required Not configured by default Use of the filter policy import command can only filter routes computed by OSPFv3 Only routes not filtered out can be added into the local routing table Configuring an OSPFv3 Cost for an Interface You can configure an OSPFv3 cost for an interface with one of the f...

Page 651: ...al 100 Mbps by default Configuring the Maximum Number of OSPFv3 Load balanced Routes If multiple equal cost routes to a destination are available enabling load balancing among these routes can improve link utilization Follow these steps to configure the maximum number of load balanced routes To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Specify the...

Page 652: ...t injected by default Filter redistributed routes filter policy acl6 number ipv6 prefix ipv6 prefix name export isisv6 process id ospfv3 process id ripng process id bgp4 direct static Optional Not configured by default z Executing the import route or default route advertise command on a router makes it become an ASBR z You can only inject and advertise a default route using the default route adver...

Page 653: ...rface view interface interface type interface number Configure the hello interval ospfv3 timer hello seconds instance instance id Optional Defaults to 10 seconds on P2P broadcast interfaces Specify the poll interval ospfv3 timer poll seconds instance instance id Optional The poll interval defaults to 120 seconds Configure the dead interval ospfv3 timer dead seconds instance instance id Optional De...

Page 654: ... a DR priority ospfv3 dr priority priority instance instance id Optional Defaults to 1 The DR priority of an interface determines the interface s qualification in DR election Interfaces having the priority 0 cannot become a DR or BDR Ignoring MTU Check for DD Packets When LSAs are few in DD packets it is unnecessary to check the MTU in DD packets in order to improve efficiency Follow these steps t...

Page 655: ...e Logging of Neighbor State Changes Follow these steps to enable the logging of neighbor state changes To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Enable the logging of neighbor state changes log peer change Required Enabled by default Configuring OSPFv3 GR z You cannot configure OSPFv3 GR after configuring OSPFv3 virtual links becase they are no...

Page 656: ...ter capability on a GR Restarter Follow these steps to configure GR Restarter To do Use the command Remarks Enter system view system view Enter OSPFv3 view ospfv3 process id Enable the GR capability graceful restart enable Required Disabled by default Configure the GR interval graceful restart interval interval value Optional 120 seconds by default Configuring GR Helper You can configure the GR He...

Page 657: ...formation display ospfv3 process id routing ipv6 address prefix length ipv6 address prefix length abr routes asbr routes all statistics Display OSPFv3 area topology information display ospfv3 process id topology area area id Display OSPFv3 virtual link information display ospfv3 process id vlink Display OSPFv3 next hop information display ospfv3 process id next hop Display OSPFv3 link state reques...

Page 658: ...igure IPv6 addresses for interfaces omitted 2 Configure OSPFv3 basic functions Configure Switch A SwitchA system view SwitchA ipv6 SwitchA ospfv3 SwitchA ospfv3 1 router id 1 1 1 1 SwitchA ospfv3 1 quit SwitchA interface vlan interface 300 SwitchA Vlan interface300 ospfv3 1 area 1 SwitchA Vlan interface300 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 ospfv3 1 area 1 SwitchA ...

Page 659: ...4 4 4 SwitchD ospfv3 1 quit SwitchD interface Vlan interface 400 SwitchD Vlan interface400 ospfv3 1 area 2 SwitchD Vlan interface400 quit Display OSPFv3 neighbor information on Switch B SwitchB display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 3 3 3 3 1 Full DR 00 00 39 Vlan100 0 OSPFv3 Area ID 0 0 0 1 Process 1 Neighbor ID Pri State Dead Ti...

Page 660: ... 93D0 1 Interface Vlan400 3 Configure Area 2 as a stub area Configure Switch D SwitchD ospfv3 SwitchD ospfv3 1 area 2 SwitchD ospfv3 1 area 0 0 0 2 stub Configure Switch C and specify the cost of the default route sent to the stub area as 10 SwitchC ospfv3 SwitchC ospfv3 1 area 2 SwitchC ospfv3 1 area 0 0 0 2 stub SwitchC ospfv3 1 area 0 0 0 2 default cost 10 Display OSPFv3 routing table informati...

Page 661: ...educed All non direct routes are removed except the default route SwitchD display ospfv3 routing E1 Type 1 external route IA Inter area route I Intra area route E2 Type 2 external route Seleted route OSPFv3 Router with ID 4 4 4 4 Process 1 Destination 0 Type IA Cost 11 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 2 64 Type I Cost 1 NextHop directly connected Interface Vlan400 Conf...

Page 662: ...lan interface100 ospfv3 1 area 0 SwitchA Vlan interface100 quit Configure Switch B SwitchB system view SwitchB ipv6 SwitchB ospfv3 SwitchB ospfv3 1 router id 2 2 2 2 SwitchB ospfv3 1 quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 ospfv3 1 area 0 SwitchB Vlan interface200 quit Configure Switch C SwitchC system view SwitchC ipv6 SwitchC ospfv3 SwitchC ospfv3 1 router id 3 3 3 3 ...

Page 663: ... 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 1 1 1 1 1 Full DROther 00 00 30 Vlan100 0 2 2 2 2 1 Full DROther 00 00 37 Vlan200 0 3 3 3 3 1 Full Backup 00 00 31 Vlan100 0 3 Configure DR priorities for interfaces Configure the DR priority of VLAN interface 100 as 100 on Switch A SwitchA interface Vlan interface 100 SwitchA Vlan interface100 ospfv3 dr priority 100 SwitchA Vl...

Page 664: ...eer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Instance ID 2 2 2 2 0 Full DROther 00 00 31 Vlan200 0 3 3 3 3 2 Full Backup 00 00 39 Vlan100 0 4 4 4 4 1 Full DROther 00 00 37 Vlan200 0 Display neighbor information on Switch D You can find Switch A becomes the DR SwitchD display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri State Dead Time Interface Ins...

Page 665: ...n interface100 quit Enable OSPFv3 on Switch B and set the router ID to 2 2 2 2 By default GR helpler is enabled on Switch B SwitchB system view SwitchB ipv6 SwitchB ospfv3 1 SwitchB ospfv3 1 router id 2 2 2 2 SwitchB ospfv3 1 quit SwitchB interface vlan interface 100 SwitchB Vlan interface100 ospfv3 1 area 1 SwitchB Vlan interface100 quit Enable OSPFv3 on Switch C and set the router ID to 3 3 3 3 ...

Page 666: ...ast network at least one interface must have a DR priority higher than 0 Incorrect Routing Information Symptom OSPFv3 cannot find routes to other areas Analysis The backbone area must maintain connectivity to all other areas If a router connects to more than one area at least one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cann...

Page 667: ...uring IPv6 IS IS Basic Functions 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Configuring IPv6 IS IS Routing Information Control 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 3 Displaying and Maintaining IPv6 IS IS 1 4 IPv6 IS IS Configuration Example 1 5 ...

Page 668: ... multiple network protocols including IPv6 IS IS with IPv6 support is called IPv6 IS IS dynamic routing protocol The international engineer task force IETF defines two type length values TLVs and a new network layer protocol identifier NLPID to enable IPv6 support for IS IS TLV is a variable length field in the link state PDU or link state packet LSP The two TLVs are z IPv6 Reachability Defines th...

Page 669: ... Enter system view system view Enable an IS IS process and enter IS IS view isis process id Required Not enabled by default Configure the network entity title for the IS IS process network entity net Required Not configured by default Enable IPv6 for the IS IS process ipv6 enable Required Disabled by default Return to system view quit Enter interface view interface interface type interface number ...

Page 670: ...ame route policy route policy name import Optional No filtering policy is defined by default Configure IPv6 IS IS to redistribute routes from another routing protocol ipv6 import route protocol process id allow ibgp cost cost level 1 level 2 level 1 2 route policy route policy name tag tag Optional Not configured by default Configure the maximum number of redistributed Level 1 Level 2 IPv6 routes ...

Page 671: ...ce name Available in any view Display IS IS license information display isis license Available in any view Display LSDB information display isis lsdb l1 l2 level 1 level 2 lsp id lsp id lsp name lspname local verbose process id vpn instance vpn instance name Available in any view Display IS IS mesh group information display isis mesh group process id vpn instance vpn instance name Available in any...

Page 672: ...nd Switch C are in area 10 while Switch D is in area 20 Figure 1 1 Network diagram for IPv6 IS IS basic configuration Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure IPv6 IS IS Configure Switch A SwitchA system view SwitchA isis 1 SwitchA isis 1 is level level 1 SwitchA isis 1 network entity 10 0000 0000 0001 00 SwitchA isis 1 ipv6 enable SwitchA isis 1 quit S...

Page 673: ...e vlan interface 200 SwitchC Vlan interface200 isis ipv6 enable 1 SwitchC Vlan interface200 quit SwitchC interface vlan interface 300 SwitchC Vlan interface300 isis ipv6 enable 1 SwitchC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 is level level 2 SwitchD isis 1 network entity 20 0000 0000 0004 00 SwitchD isis 1 ipv6 enable SwitchD isis 1 quit Switch...

Page 674: ...Peer Peer Group 1 7 Configuring Outbound Route Filtering 1 8 Configuring Inbound Route Filtering 1 9 Configuring IPv6 BGP and IGP Route Synchronization 1 9 Configuring Route Dampening 1 10 Configuring IPv6 BGP Route Attributes 1 10 Prerequisites 1 10 Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP Attributes 1 10 Configuring the MED Attribute 1 11 Configuring the AS_PATH Attrib...

Page 675: ...ii IPv6 BGP Route Reflector Configuration 1 22 Troubleshooting IPv6 BGP Configuration 1 24 No IPv6 BGP Peer Relationship Established 1 24 ...

Page 676: ...esigned to carry only IPv4 routing information and thus other network layer protocols such as IPv6 are not supported To support multiple network layer protocols IETF extended BGP 4 by introducing Multiprotocol BGP MP BGP which is defined in RFC 2858 multiprotocol extensions for BGP 4 MP BGP for IPv6 is referred to as IPv6 BGP for short IPv6 BGP puts IPv6 network layer information into the attribut...

Page 677: ...Summarization Optional Advertising a Default Route to an IPv6 Peer Peer Group Optional Configuring Outbound Route Filtering Optional Configuring Inbound Route Filtering Optional Configuring IPv6 BGP and IGP Route Synchronization Optional Controlling Route Distribution and Reception Configuring Route Dampening Optional Configuring IPv6 BGP Preference and Default LOCAL_PREF and NEXT_HOP Attributes O...

Page 678: ...igured for any interfaces Enter IPv6 address family view ipv6 family Specify an IPv6 peer and its AS number peer ipv6 address as number as number Required Not configured by default Injecting a Local IPv6 Route Follow these steps to configure advertise a local route into the routing table To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address fam...

Page 679: ...and For information about using a routing policy to set a preferred value refer to the command peer group name ipv4 address ipv6 address route policy route policy name import export in this document and the command apply preferred value preferred value in Routing Policy Commands of the IP Routing Volume Specifying the Source Interface for Establishing TCP Connections Follow these steps to specify ...

Page 680: ...er group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Allow the establishment of eBGP connection to a non directly connected peer peer group peer ipv6 group name ipv6 address ebgp max hop hop count Required Not configured by default In general direct links should be available between eBGP peers If not you can us...

Page 681: ...teps to configure to log on the session and event information of an IPv6 peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable logging of peer changes globally log peer change Optional Enabled by default Enter IPv6 address family view ipv6 family Enable the state change logging for an IPv6 peer or peer group peer ipv6 group name ipv6 addres...

Page 682: ...ing the import route command cannot redistribute any IGP default route Configuring IPv6 BGP Route Summarization To reduce the routing table size on medium and large BGP networks you need to configure route summarization on BGP routers BGP supports only manual summarization of IPv6 routes Follow these steps to configure IPv6 BGP route summarization To do Use the command Remarks Enter system view sy...

Page 683: ... number Enter IPv6 address family view ipv6 family Configure the filtering of outgoing routes filter policy acl6 number ipv6 prefix ipv6 prefix name export protocol process id Required Not configured by default Apply a routing policy to routes advertised to an IPv6 peer peer group peer ipv6 group name ipv6 address route policy route policy name export Required Not applied by default Specify an IPv...

Page 684: ...e ipv6 address filter policy acl6 number import Required Not specified by default Specify an AS path ACL to filter routing information imported from an IPv6 peer peer group peer ipv6 group name ipv6 address as path acl as path acl number import Required Not specified by default Specify an IPv6 prefix list to filter routing information imported from an IPv6 peer peer group peer ipv6 group name ipv6...

Page 685: ... dampening To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Configure IPv6 BGP route dampening parameters dampening half life reachable half life unreachable reuse suppress ceiling route policy route policy name Optional Not configured by default Configuring IPv6 BGP Route Attributes This section describes how to us...

Page 686: ... can configure routes advertised to the IPv6 iBGP peer peer group to use the local router as the next hop If BGP load balancing is configured the local router specifies itself as the next hop of routes sent to an IPv6 iBGP peer peer group regardless of whether the peer next hop local command is configured z In a third party next hop network that is the two IPv6 eBGP peers reside in a common broadc...

Page 687: ...6 address public as only Optional By default IPv6 BGP updates carry private AS number Substitute the local AS number for the AS number of an IPv6 peer peer group identified in the AS_PATH attribute peer ipv6 group name ipv6 address substitute as Optional Not substituted by default Tuning and Optimizing IPv6 BGP Networks This section describes configurations of IPv6 BGP timers IPv6 BGP connection s...

Page 688: ...Configure IPv6 BGP basic functions Configuring IPv6 BGP Timers Follow these steps to configure IPv6 BGP timers To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Specify keepalive interval and holdtime timer keepalive keepalive hold holdtime Configure IPv6 BGP timers Configure keepalive interval and holdtime for an IP...

Page 689: ...peer group not letting them go through the inbound policy peer ipv6 group name ipv6 address keep all routes Optional Not saved by default Return to user view return Soft reset BGP connections manually refresh bgp ipv6 all ipv6 address group ipv6 group name external internal export import Required If the peer keep all routes command is used all routes from the peer peer group will be saved regardle...

Page 690: ... not limited by AS To guarantee connectivity between iBGP peers you need to make them fully meshed but it becomes unpractical when there are too many iBGP peers Using route reflectors or confederation can solve it In a large scale AS both of them can be used Confederation configuration of IPv6 BGP is identical to that of BGP4 so it is not mentioned here The following describes z Configuring IPv6 B...

Page 691: ...z If a peer was added into an eBGP peer group you cannot specify any AS number for the peer group Creating a mixed eBGP peer group Follow these steps to create a mixed eBGP peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Create an eBGP peer group group ipv6 group name external Required Specify the AS num...

Page 692: ...w these steps to apply a routing policy to routes advertised to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv6 address family view ipv6 family Apply a routing policy to routes advertised to an IPv6 peer peer group peer ipv6 group name ipv6 address route policy route policy name export Required Not applied by default z When conf...

Page 693: ... the route reflector reflector cluster id cluster id Optional By default a route reflector uses its router ID as the cluster ID z In general since the route reflector forwards routing information between clients it is not required to make clients of a route reflector fully meshed If clients are fully meshed it is recommended to disable route reflection between clients to reduce routing costs z If ...

Page 694: ...formation matching an IPv6 BGP community list display bgp ipv6 routing table community list basic community list number whole match adv community list number 1 16 Display dampened IPv6 BGP routing information display bgp ipv6 routing table dampened Display IPv6 BGP dampening parameter information display bgp ipv6 routing table dampening parameter Display IPv6 BGP routing information originated fro...

Page 695: ...ation and release suppressed routes reset bgp ipv6 dampening ipv6 address prefix length Clear IPv6 BGP route flap information reset bgp ipv6 flap info ipv6 address prefix length as path acl as path acl number regexp as path regexp Available in user view IPv6 BGP Configuration Examples Some examples for IPv6 BGP configuration are similar to those of BGP4 so refer to BGP Configuration in the IP Rout...

Page 696: ...hB bgp af ipv6 quit SwitchB bgp quit Configure Switch C SwitchC system view SwitchC ipv6 SwitchC bgp 65009 SwitchC bgp router id 3 3 3 3 SwitchC bgp ipv6 family SwitchC bgp af ipv6 peer 9 3 1 as number 65009 SwitchC bgp af ipv6 peer 9 2 2 as number 65009 SwitchC bgp af ipv6 quit SwitchC bgp quit Configure Switch D SwitchD system view SwitchD ipv6 SwitchD bgp 65009 SwitchD bgp router id 4 4 4 4 Swi...

Page 697: ...0 Established 9 1 2 4 65009 2 4 0 0 00 00 19 Established Display IPv6 peer information on Switch C SwitchC display bgp ipv6 peer BGP local router ID 3 3 3 3 Local AS number 65009 Total number of peers 2 Peers in established state 2 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 9 3 1 4 65009 4 4 0 0 00 02 18 Established 9 2 2 4 65009 4 5 0 0 00 01 52 Established Switch A and B has establishe...

Page 698: ... id 1 1 1 1 SwitchA bgp ipv6 family SwitchA bgp af ipv6 peer 100 2 as number 200 SwitchA bgp af ipv6 network 1 64 Configure Switch B SwitchB system view SwitchB ipv6 SwitchB bgp 200 SwitchB bgp router id 2 2 2 2 SwitchB bgp ipv6 family SwitchB bgp af ipv6 peer 100 1 as number 100 SwitchB bgp af ipv6 peer 101 1 as number 200 SwitchB bgp af ipv6 peer 101 1 next hop local Configure Switch C SwitchC s...

Page 699: ...tion to the peer cannot become established Analysis To become IPv6 BGP peers any two routers need to establish a TCP session using port 179 and exchange open messages successfully Processing steps 1 Use the display current configuration command to verify the peer s AS number 2 Use the display bgp ipv6 peer command to verify the peer s IPv6 address 3 If the loopback interface is used check whether ...

Page 700: ...List 1 5 Configuring a Route Policy 1 5 Prerequisites 1 5 Creating a Route Policy 1 6 Defining if match Clauses 1 6 Defining apply Clauses 1 7 Displaying and Maintaining the Route Policy 1 9 Route Policy Configuration Example 1 9 Applying a Route Policy to IPv4 Route Redistribution 1 9 Applying a Route Policy to IPv6 Route Redistribution 1 12 Applying a Route Policy to Filter Received BGP Routes 1...

Page 701: ...ion to Route Policy Route Policy A route policy is used on a router for route filtering and attributes modification when routes are received advertised or redistributed To configure a route policy you need to define some filters based on the attributes of routing information such as destination address advertising router s address and so on The filters can be set beforehand and then applied to the...

Page 702: ...d to match routing information and modify the attributes of permitted routes It can reference the above mentioned filters to define its own match criteria A route policy can comprise multiple nodes which are in logic OR relationship Each route policy node is a match unit and a node with a smaller number is matched first Once a node is matched the route policy is passed and the packet will not go t...

Page 703: ...n IPv4 prefix list To do Use the command Remarks Enter system view system view Define an IPv4 prefix list ip ip prefix ip prefix name index index number permit deny ip address mask length greater equal min mask length less equal max mask length Required Not defined by default If all the items are set to the deny mode no routes can pass the IPv4 prefix list Therefore you need to define the permit 0...

Page 704: ...ing information to pass For example the following configuration filters routes 2000 1 48 2000 2 48 and 2000 3 48 but allows other routes to pass Sysname system view Sysname ip ipv6 prefix abc index 10 deny 2000 1 48 Sysname ip ipv6 prefix abc index 20 deny 2000 2 48 Sysname ip ipv6 prefix abc index 30 deny 2000 3 16 Sysname ip ipv6 prefix abc index 40 permit 0 less equal 128 Defining an AS Path Li...

Page 705: ...nd Remarks Enter system view system view Define an extended community list ip extcommunity list ext comm list number deny permit rt route target 1 16 Required Not defined by default Configuring a Route Policy A route policy is used to filter routing information and modify attributes of matching routing information The match criteria of a route policy can be configured by referencing filters above ...

Page 706: ...t will go to the next node for a match z When a route policy has more than one node at least one node should be configured with the permit keyword If the route policy is used to filter routing information routing information that does not meet any node cannot pass the route policy If all nodes of the route policy are set with the deny keyword no routing information can pass it Defining if match Cl...

Page 707: ...h interface interface type interface number 1 16 Optional Not configured by default Match routing information having the specified route type if match route type internal external type1 external type2 external type1or2 is is level 1 is is level 2 nssa external type1 nssa external type2 nssa external type1or2 Optional Not configured by default Match RIP OSPF and IS IS routing information having the...

Page 708: ...on apply cost type external internal type 1 type 2 Optional Not set by default Set the extended community attribute for BGP routing apply extcommunity rt as number nn ip address nn 1 16 additive Optional Not set by default for IPv4 routes apply ip address next hop ip address Optional Not set by default The setting does not apply to redistributed routing information Set the next hop for IPv6 routes...

Page 709: ...dv community list number Display BGP extended community list information display ip extcommunity list ext comm list number Display IPv4 prefix list statistics display ip ip prefix ip prefix name Display IPv6 prefix list statistics display ip ipv6 prefix ipv6 prefix name Display route policy information display route policy route policy name Available in any view Clear IPv4 prefix list statistics r...

Page 710: ...C interface vlan interface 201 SwitchC Vlan interface201 isis enable SwitchC Vlan interface201 quit SwitchC interface vlan interface 202 SwitchC Vlan interface202 isis enable SwitchC Vlan interface202 quit SwitchC interface vlan interface 203 SwitchC Vlan interface203 isis enable SwitchC Vlan interface203 quit Configure Switch B SwitchB system view SwitchB isis SwitchB isis 1 is level level 2 Swit...

Page 711: ...8 1 1 192 168 1 1 0 0 0 0 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 172 17 1 0 24 1 Type2 1 192 168 1 2 192 168 2 2 172 17 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 172 17 3 0 24 1 Type2 1 192 168 1 2 192 168 2 2 192 168 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 Total Nets 5 Intra Area 1 Inter Area 0 ASE 4 NSSA 0 4 Configure filtering lists Configure ACL 2002 to permit route 172 1...

Page 712: ...rk Destination Cost Type NextHop AdvRouter Area 192 168 1 0 24 1 Transit 192 168 1 1 192 168 1 1 0 0 0 0 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 172 17 1 0 24 100 Type2 1 192 168 1 2 192 168 2 2 172 17 2 0 24 1 Type2 20 192 168 1 2 192 168 2 2 172 17 3 0 24 1 Type2 1 192 168 1 2 192 168 2 2 192 168 2 0 24 1 Type2 1 192 168 1 2 192 168 2 2 Total Nets 5 Intra Area 1 Inter Area 0...

Page 713: ...lan interface100 quit Configure three static routes SwitchA ipv6 route static 20 32 11 2 SwitchA ipv6 route static 30 32 11 2 SwitchA ipv6 route static 40 32 11 2 Configure a route policy SwitchA ip ipv6 prefix a index 10 permit 30 32 SwitchA route policy static2ripng deny node 0 SwitchA route policy if match ipv6 address prefix list a SwitchA route policy quit SwitchA route policy static2ripng pe...

Page 714: ...cy to Filter Received BGP Routes Network requirements As shown in the following figure z All the switches run BGP Switch C establishes eBGP connections with other switches z Configure a route policy on Switch D to reject routes from AS 200 Figure 1 3 Route policy configuration to filter received BGP routes on switches Swtich B AS 200 Vlan int200 1 1 2 1 24 Swtich D Swtich C AS 400 Swtich A AS 100 ...

Page 715: ...ect routes 4 4 4 4 24 5 5 5 5 24 and 6 6 6 6 24 to BGP SwitchA bgp network 4 4 4 4 24 SwitchA bgp network 5 5 5 5 24 SwitchA bgp network 6 6 6 6 24 On Switch B inject routes 7 7 7 7 24 8 8 8 8 24 and 9 9 9 9 24 to BGP SwitchB bgp network 7 7 7 7 24 SwitchB bgp network 8 8 8 8 24 SwitchB bgp network 9 9 9 9 24 Display the BGP routing table information of Switch D SwitchD bgp display bgp routing tab...

Page 716: ...al Number of Routes 3 BGP Local router ID is 4 4 4 4 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 4 4 4 0 24 1 1 3 1 0 300 100i 5 5 5 0 24 1 1 3 1 0 300 100i 6 6 6 0 24 1 1 3 1 0 300 100i The display above shows that Switch D has learned only routes 4 4 4 0 24 5 5 5 0 24 and 6 6 6 0 24 from AS 1...

Page 717: ...lly Analysis At least one item of the IPv6 prefix list should be configured as permit mode and at least one node of the Route policy should be configured as permit mode Solution 1 Use the display ip ipv6 prefix command to display IP prefix list information 2 Use the display route policy command to display route policy information ...

Page 718: ...nge between a MCE and a Site 2 3 Configuring to Use Static Routes between a MCE and a Site 2 3 Configuring to Use RIP between a MCE and a Site 2 4 Configuring to Use OSPF between a MCE and a Site 2 4 Configuring to Use IS IS between a MCE and a Site 2 5 Configuring to Use EBGP between a MCE and a Site 2 6 Configuring Route Exchange between a MCE and a PE 2 8 Configuring Route Exchange between a MC...

Page 719: ...y and convenient support for MPLS QoS and MPLS TE Hence it is widely used The BGP MPLS VPN model consists of three kinds of devices z Customer edge device CE A CE resides on a customer network and has one or more interfaces directly connected with service provider networks It can be a router a switch or a host It neither can sense the existence of any VPN nor needs to support MPLS z Provider edge ...

Page 720: ...as the ingress LSR the egress PE functions as the egress LSR while P routers function as the transit LSRs You can use Switch 4800G series as the CEs in a BGP MPLS VPN implementation BGP MPLS VPN Concepts Site Site is often mentioned in the VPN whose meanings are described as follows z A site is a group of IP systems with IP connectivity that does not rely on any service provider network to impleme...

Page 721: ...des the route distinguisher RD route filtering policy and member interface list LFIBs of VPN instances exist on only PEs supporting MPLS No LFIBs of VPN instances exist on MCE capable devices VPN IPv4 address Traditional BGP cannot process VPN routes which have overlapping address spaces If for example both VPN 1 and VPN 2 use addresses in the segment 10 110 10 0 24 and advertise a route to the se...

Page 722: ...ent of VPN routing information A VPN instance on a PE supports two types of VPN target attributes z Export target attribute A local PE sets this type of VPN target attribute for VPN IPv4 routes learnt from directly connected sites before advertising them to other PEs z Import target attribute A PE checks the export target attribute of VPN IPv4 routes advertised by other PEs If the export target at...

Page 723: ...LAN interface 2 can be bound to VPN 1 and VLAN interface 3 can be bound to VPN 2 When receiving a piece of routing information MCE determines the source of the routing information according to the number of the interface receiving the information and then maintains the corresponding routing table accordingly You need to also to bind the interfaces to the VPNs on PE 1 in the same way as those on th...

Page 724: ... the same binding configured on CE and site private network routes of different VPNs can be exchanged between CEs and sites through different RIP processes thus isolating and securing VPN routes OSPF An Switch 4800G can bind OSPF processes to VPN instances and isolate the routes of different VPNs Note that For an OSPF process bound to a VPN instance the router ID of the public network configured i...

Page 725: ...To use EBGP to exchange private routes between a CE and a site you need to configure BGP peers for VPN instances on CEs and import IGP routing information from corresponding VPNs Normally sites reside in different ASs so EBGP is used for route exchange In this case the following configurations are needed 1 Configuring to use EBGP to import IGP routes from each site To advertise private network rou...

Page 726: ...1 8 z RIP z OSPF z IS IS z EBGP For information on how to configure the routing protocols and how to import routes refer to the IPv4 Routing module of this manual ...

Page 727: ... instance is an integration of the VPN membership and routing rules of its corresponding site A VPN instance takes effect only after a route distinguisher RD is configured for it For a VPN instance with the RD not configured all the other settings except the description information are inaccessible The description information of a VPN instance can be used to record the relationship between the VPN...

Page 728: ... associated with a VPN instance Executing the ip binding vpn instance command invalidates the IP address configured for the current interface so you need to configure an IP address for an interface again after associating the interface with a VPN instance Configuring the Route related Attributes for a VPN Instance The process of advertising VPN routes is as follows z When the switch learns a VPN r...

Page 729: ...routes matching the VPN target attribute are permitted z This attribute can be advertised with a route only when BGP runs between the MCE and the PE Otherwise this attribute is of no sense z The VPN target specified for a VPN instance on the MCE device must be same as that specified for the VPN instance on the PE device Configuring Route Exchange between a MCE and a Site Configuring Route Exchange...

Page 730: ...igure RIP between a MCE and a site To do Use the command Remarks Enter system view system view Enable RIP for a VPN instance This operation also leads you to RIP view rip process id vpn instance vpn instance name Required This operation is performed on the MCE device As for the corresponding configuration on the site you can just enable RIP as usual Redistribute routes from the remote site adverti...

Page 731: ...on on the site you can just enable OSPF as usual Configure the type codes of OSPF extended community attributes ext community type domain id type code1 router id type code2 route type type code3 Optional The defaults are as follows 0x0005 for Domain ID 0x0107 for Router ID and 0x0306 for Route Type z Router IDs of the public network configured in system view do not applies to OSPF processes bound ...

Page 732: ...ter enabling IS IS for a VPN instance you need also to configure to use IS IS for routing information exchange Configuring to Use EBGP between a MCE and a Site 1 Configuration on the MCE device Follow these steps to configure an MCE device To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter BGP VPN instance view ipv4 family vpn instance vpn instance name ...

Page 733: ...e local AS number So do the routes advertised by the site In this case you need to configure to permit the routes with their AS numbers contained in their AS_PATH attributes being the local AS number on MCE devices for the routes advertised by the site to be received and processed by the MCE device 2 Configuration on the site The site configuration procedures vary with device model The following t...

Page 734: ...r a VPN instance To do Use the command Remarks Enter system view system view ip route static dest address mask mask length gateway address interface type interface number gateway address vpn instance d vpn instance name gateway address preference preference value tag tag value description description text Define a static route for a VPN instance ip route static vpn instance s vpn instance name 1 6...

Page 735: ...y the MCE device to the routing table of the PE Follow these steps to enable RIP for a VPN instance To do Use the command Remarks Enter system view system view Enable RIP for a VPN instance and enter RIP view rip process id vpn instance vpn instance name Required Set the default cost for imported routes default cost value Optional By default the cost for an imported route is 0 Import the VPN route...

Page 736: ...te maintained by the MCE device to the routing table of the PE In IS IS routes discovered by other routing protocols are external routes While importing routes of other protocols you can specify the default cost value for the imported routes as well You can also apply filter policies for imported routes Follow these steps to configure IS IS to import external routes To do Use the command Remarks E...

Page 737: ... filter policy acl number ip prefix ip prefix name export direct isis process id ospf process id rip process id static Optional By default no filter policy is applied Apply a filter policy for received routes filter policy acl number ip prefix ip prefix name import Optional By default no filter policy is applied Displaying and Maintaining MCE To do Use the command Remarks Display the IP routing ta...

Page 738: ...c Available in any view Perform a soft reset of the BGP connections in a specified VPN instance refresh bgp vpn instance vpn instance name ip address all external group group name export import Available in user view Reset the BGP connections of a VPN instance reset bgp vpn instance vpn instance name as number ip address all external group group name Available in user view Clear the route flap dam...

Page 739: ...and advertises all the VPN routes to the PE device using OSPF Network diagram Figure 2 1 Network diagram for MCE configuration A CE Site 1 VPN2 PE PE PE VPN 2 VR2 VPN1 VR1 MCE GE1 0 18 GE1 0 10 Vlan int10 10 214 10 3 192 168 0 0 GE1 0 20 Vlan int20 10 214 20 3 RIP 192 168 10 0 CE VPN 1 Site2 GE1 0 3 Vlan int30 10 214 30 1 Vlan int40 10 214 40 1 Configuration procedure For distinguish devices assum...

Page 740: ...rresponding VLAN interfaces Then bind VLAN 30 to VPN 1 and VLAN 40 to VPN 2 and configure IP addresses of the VLAN interfaces MCE vlan 30 MCE vlan30 quit MCE interface Vlan interface 30 MCE Vlan interface30 ip binding vpn instance vpn1 MCE Vlan interface30 ip address 10 214 30 1 30 MCE Vlan interface30 quit MCE vlan 40 MCE vlan40 quit MCE interface Vlan interface 40 MCE Vlan interface40 ip binding...

Page 741: ...nd advertise the network segments 192 168 10 0 and 10 214 20 0 VR2 system view VR2 rip 20 VR2 rip 20 network 192 168 10 0 VR2 rip 20 network 10 0 0 0 RIP is running within VPN2 so you can configure RIP on MCE and involve the RIP on MCE in the routing computation in the site to update the routing information automatically Create RIP process 20 disable automatic route summarization redistribute rout...

Page 742: ...re omitted here Configure Loopback0 of MCE and CE to specify the router ID for MCE and PE respectively The IP addresses for Loopback0 of MCE and CE are 101 101 10 1 and 100 100 10 1 respectively Configuration procedures are omitted here Create OSPF process 10 on MCE bind the process to VPN1 and set the OSPF domain ID to 10 and enable OSPF multi instance MCE GigabitGigabitEthernet1 0 3 quit MCE osp...

Page 743: ...The information displayed below verifies the configuration PE display ip routing table vpn instance vpn2 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 6 Routes 6 Destination Mask Proto Pre Cost NextHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 214 40 0 24 Direct 0 0 10 214 40 1 Vlan40 10 214 40 2 32 Direct 0 0 127 ...

Page 744: ... 10 1 and 20 1 for both the import and export extended community attribute list MCE system view MCE ip vpn instance vpn1 MCE vpn instance vpn1 route distinguisher 10 1 MCE vpn instance vpn1 vpn target 10 1 both MCE vpn instance vpn1 quit MCE ip vpn instance vpn2 MCE vpn instance vpn2 route distinguisher 20 1 MCE vpn instance vpn2 vpn target 20 1 both Create VLAN 2 add GigabitEthernet 1 0 10 to VLA...

Page 745: ...ng vpn instance vpn2 MCE Vlan interface40 ip address 10 214 40 1 30 MCE Vlan interface40 quit z Configure the routing protocol running between MCE and a site The procedure of enabling OSPF in the two VPN instances and advertising the network segments is the same as that in normal OSPF and is omitted Create OSPF process 10 for MCE whose router ID is 10 10 10 1 bind the process to VPN1 Redistribute ...

Page 746: ...0 0 127 0 0 1 InLoop0 172 16 20 0 24 OSPF 10 1 10 100 20 2 Vlan3 z Configure the routing protocol running between MCE and PE The procedure of connecting MCE to PE through trunk ports is similar to that in MCE Configuration Example A and is omitted here Create BGP process 10 for MCE MCE bgp 100 MCE bgp Enter IPv4 address family view in VPN1 MCE bgp ipv4 family vpn instance vpn1 MCE bgp vpn1 Configu...

Page 747: ...ation procedures are omitted here Followed is the result of the above configurations PE display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 5 Routes 5 Destination Mask Proto Pre Cost NextHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 100 40 0 24 Direct 0 0 10 100 20 3 Vlan3 10 100 40 3 32 Direct 0 0 127 0 0 1 InLoop0 172 ...

Page 748: ...ew 1 1 Configuring Traffic Redirecting 1 1 Configuring a QoS Policy 1 1 Applying the QoS Policy 1 2 Displaying and Maintaining QoS Policies 1 3 Policy Routing Configuration Examples 1 3 IPv4 Policy Routing Configuration Example 1 3 IPv6 Policy Routing Configuration Example 1 4 ...

Page 749: ...ia will be forwarded along the specified path thus to implement flexible routing Policy routing takes precedence over destination based routing That is if a packet meets the match criteria policy routing applies otherwise destination based routing applies For details about QoS policies refer to QoS configuration in the QoS Volume Configuring Traffic Redirecting Before configuring policy routing yo...

Page 750: ...nterface If you fail to do that the matching traffic will be dropped Applying the QoS Policy When configuring policy routing you can apply a QoS policy to different occasions z Applied globally the policy takes effect on the traffic sent or received on all ports z Applied to an interface the policy takes effect on the traffic sent or received on the interface z Applied to a VLAN the policy takes e...

Page 751: ... inbound Required QoS policies cannot be applied to dynamic VLANs for example VLANs created by GVRP Displaying and Maintaining QoS Policies To do Use the command Remarks Display user defined QoS policy configuration information display qos policy user defined policy name classifier tcl name Display QoS policy configuration on the specified or all interfaces display qos policy interface interface t...

Page 752: ...edirect next hop 202 1 1 2 SwitchA behavior a quit Associate class a with behavior a in QoS policy a SwitchA qos policy a SwitchA qospolicy a classifier a behavior a SwitchA qospolicy a quit Apply QoS policy a to the incoming traffic of GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 qos apply policy a inbound Verification After completing the configurati...

Page 753: ...irecting traffic to the next hop 202 2 for behavior a SwitchA traffic behavior a SwitchA behavior a redirect next hop 202 2 SwitchA behavior a quit Associate class a with behavior a in QoS policy a SwitchA qos policy a SwitchA qospolicy a classifier a behavior a SwitchA qospolicy a quit Apply QoS policy a to the incoming traffic of GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 Swit...

Page 754: ...gement Protocol IGMP is a protocol in the TCP IP suite responsible for management of IP multicast members This document describes z IGMP overview z Configuring basic functions of IGMP z Configuring IGMP performance parameters z Configuring IGMP SSM Mapping z Configuring IGMP Proxying PIM PIM leverages the unicast routing table created by any unicast routing protocol to provide routing information ...

Page 755: ... router or a Ethernet Switch to discover the presence of multicast listeners on directly attached subnets This document describes z MLD overview z Configuring Basic Functions of MLD z Adjusting MLD Performance z Configuring MLD SSM Mapping z Configuring MLD Proxying IPv6 PIM IPv6 PIM discovers multicast source and delivers information to the receivers This document describes z Configuring IPv6 PIM...

Page 756: ...of Information Transmission Techniques 1 1 Features of Multicast 1 4 Common Notations in Multicast 1 5 Advantages and Applications of Multicast 1 5 Multicast Models 1 6 Multicast Architecture 1 6 Multicast Addresses 1 7 Multicast Protocols 1 11 Multicast Packet Forwarding Mechanism 1 13 ...

Page 757: ...ultipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added services such as live Webcasting Web TV distance learning telemedicine Web radio real time videoconferencing and other bandwidth and time critical information services Comparison of Information Transmission...

Page 758: ...d over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information to each of these users This means a tremendous pressure on the information source and the network bandwidth As we can see from the information transmission process unicast is not suitable for batch tr...

Page 759: ...ificant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multicast can well solve this problem When some hosts on the network need multicast information the information sender or multicast source sends only one copy of the information Multicast distribution tree...

Page 760: ...of Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast address Hosts join a multicast group to become members of the multicast group before they can receive the multicast data addressed to that multicast group Typically a multicast source does not need to join a multicast group z An information sender is referred to as a mult...

Page 761: ...et that any multicast source sends to multicast group G Here represents any multicast source while G represents a specific multicast group z S G Indicates a shortest path tree SPT or a multicast packet that multicast source S sends to multicast group G Here S represents a specific multicast source while G represents a specific multicast group For details about the concepts RPT and SPT see PIM Conf...

Page 762: ...certain multicast sources The SSM model provides a transmission service that allows users to specify the multicast sources they are interested in at the client side The radical difference between the SSM model and the ASM model is that in the SSM model receivers already know the locations of the multicast sources by some other means In addition the SSM model uses a multicast address range that is ...

Page 763: ...on permanent group addresses are listed in Table 1 3 A packet destined for an address in this block will not be forwarded beyond the local subnet regardless of the Time to Live TTL value in the IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8 Glop group addresses 23...

Page 764: ...r Redundancy Protocol VRRP 2 IPv6 multicast addresses Figure 1 4 IPv6 multicast format Group ID 112 bits 0xFF Flags Scope 0 7 11 15 31 Referring to Figure 1 4 the meanings of the fields of an IPv6 multicast address are as follows z 0xFF The most significant 8 bits are 11111111 indicating that this address is an IPv6 multicast address Figure 1 5 Format of the Flags field z Flags Referring to Figure...

Page 765: ...cal scope 2 Link local scope 4 Admin local scope 5 Site local scope 6 7 9 through D Unassigned 8 Organization local scope E Global scope z Group ID 112 bits IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group in the scope defined by the Scope field Ethernet multicast MAC addresses When a unicast IP packet is transmitted over Ethernet the destination MAC address is the ...

Page 766: ...same MAC address Therefore in Layer 2 multicast forwarding a device may receive some multicast data addressed for other IPv4 multicast groups and such redundant data needs to be filtered by the upper layer 2 IPv6 multicast MAC addresses The high order 16 bits of an IPv6 multicast MAC address are 0x3333 and the low order 32 bits are the low order 32 bits of a multicast IPv6 address Figure 1 7 shows...

Page 767: ...eneral descriptions about applications and functions of the Layer 2 and Layer 3 multicast protocols in a network For details of these protocols refer to the related configuration manuals in the IP Multicast Volume Layer 3 multicast protocols Layer 3 multicast protocols include multicast group management protocols and multicast routing protocols Figure 1 8 describes where these multicast protocols ...

Page 768: ... Border Gateway Protocol MP BGP is used for exchanging multicast routing information among different ASs For the SSM model multicast routes are not divided into inter domain routes and intra domain routes Since receivers know the position of the multicast source channels established through PIM SM are sufficient for multicast information transport Layer 2 multicast protocols Layer 2 multicast prot...

Page 769: ...incoming interface to multiple outgoing interfaces Compared with a unicast model a multicast model is more complex in the following aspects z To ensure multicast packet transmission in the network unicast routing tables or multicast routing tables for example the MBGP routing table specially provided for multicast must be used as guidance for multicast forwarding z To process the same multicast in...

Page 770: ... and Forwarding 1 7 Configuration Prerequisites 1 7 Configuring Multicast Static Routes 1 7 Configuring a Multicast Routing Policy 1 8 Configuring a Multicast Forwarding Range 1 8 Configuring the Multicast Forwarding Table Size 1 9 Tracing a Multicast Path 1 9 Displaying and Maintaining Multicast Routing and Forwarding 1 10 Configuration Examples 1 10 Changing an RPF Route 1 10 Creating an RPF Rou...

Page 771: ...irectly used to control the forwarding of multicast packets A multicast forwarding table consists of a set of S G entries each indicating the routing information for delivering multicast data from a multicast source to a multicast group If a router supports multiple multicast protocols its multicast routing table will include routes generated by multiple protocols The router chooses the optimal ro...

Page 772: ...corresponding routing entry explicitly defines the RPF interface and the RPF neighbor 2 Then the router selects one from these three optimal routes as the RPF route The selection process is as follows z If configured to use the longest match principle the router selects the longest match route from the three if these three routes have the same mask the router selects the route with the highest pri...

Page 773: ...ng table the multicast packet is subject to an RPF check z If the RPF interface is the incoming interface of the S G entry this means the S G entry is correct but the packet arrived from a wrong path The packet is to be discarded z If the RPF interface is not the incoming interface this means the S G entry has expired and router replaces the incoming interface with the RPF interface If the interfa...

Page 774: ...lticast traffic different from that for unicast traffic Figure 1 2 Changing an RPF route As shown in Figure 1 2 when no multicast static route is configured Router C s RPF neighbor on the path back to Source is Router A and the multicast information from Source travels along the path from Router A to Router C which is the unicast route between the two routers with a static route configured on Rout...

Page 775: ...ng Therefore a multicast static route is also called an RPF static route z A multicast static route is effective only on the multicast router on which it is configured and will not be advertised throughout the network or redistributed to other routers Multicast Traceroute The multicast traceroute utility is used to trace the path that a multicast stream flows down from the first hop router to the ...

Page 776: ...he end of the request packet and unicasts it to the previous hop 4 When the first hop router receives the request packet it changes the packet type to indicate a response packet and then sends the completed packet via unicast to the multicast traceroute querier Configuration Task List Complete these tasks to configure multicast routing and forwarding Task Remarks Enabling IP Multicast Routing Requ...

Page 777: ...ticast forwarding table Configuring Multicast Static Routes By configuring a multicast static route for a given multicast source you can specify an RPF interface or an RPF neighbor for multicast traffic from that source Follow these steps to configure a multicast static route To do Use the command Remarks Enter system view system view Configure a multicast static route ip rpf route static source a...

Page 778: ... data corresponding to each multicast group must be transmitted within a definite scope Presently you can define a multicast forwarding range by z Specifying boundary interfaces which form a closed multicast forwarding area or z Setting the minimum time to live TTL value required for a multicast packet to be forwarded Setting the minimum TTL is not supported on 3Com Switch 4800G You can configure ...

Page 779: ...ution tree You can configure the maximum number of downstream nodes namely the maximum number of outgoing interfaces for a single entry in the multicast forwarding table to lessen burden on the router for replicating multicast traffic If the configured maximum number of downstream nodes for a single multicast forwarding entry is smaller than the current number the downstream nodes in excess will n...

Page 780: ...le in any view View the RPF route information of the specified multicast source display multicast rpf info source address group address Available in any view Clear forwarding entries from the multicast forwarding table reset multicast forwarding table source address mask mask mask length group address mask mask mask length incoming interface interface type interface number register all Available i...

Page 781: ...onfiguration steps are omitted here Enable OSPF on the switches in the PIM DM domain Ensure the network layer interoperation among the switches in the PIM DM domain Ensure that the switches can dynamically update their routing information by leveraging the unicast routing protocol The specific configuration steps are omitted here 2 Enable IP multicast routing and enable PIM DM and IGMP Enable IP m...

Page 782: ...Vlan interface102 RPF neighbor 30 1 1 2 Referenced route mask 50 1 1 0 24 Referenced route type igp Route selection rule preference preferred Load splitting rule disable As shown above the current RPF route on Switch B is contributed by a unicast routing protocol and the RPF neighbor is Switch A 3 Configure a multicast static route Configure a multicast static route on Switch B specifying Switch C...

Page 783: ... int300 50 1 1 1 24 Configuration procedure 1 Configure IP addresses and unicast routing Configure the IP address and subnet mask for each interface as per Figure 1 5 The detailed configuration steps are omitted here Enable OSPF on Switch B and Switch C Ensure the network layer interoperation among Switch B and Switch C Ensure that the switches can dynamically update their routing information by l...

Page 784: ... neighbor on the route to Source 2 SwitchB ip rpf route static 50 1 1 100 24 30 1 1 2 Configure a multicast static route on Switch C specifying Switch B as its RPF neighbor on the route to Source 2 SwitchC ip rpf route static 50 1 1 100 24 20 1 1 2 4 Verify the configuration Use the display multicast rpf info command to view the RPF routes to Source 2 on Switch B and Switch C SwitchB display multi...

Page 785: ...tic route If the interface is not a point to point interface be sure to specify the next hop address to configure the outgoing interface when you configure the multicast static route 4 Check that the multicast static route matches the specified routing protocol If a protocol was specified in multicast static route configuration enter the display ip routing table command to check if an identical ro...

Page 786: ...1 16 3 In the case of PIM SM use the display current configuration command to check the BSR and RP information ...

Page 787: ... Prerequisites 1 12 Configuring IGMP Message Options 1 12 Configuring IGMP Query and Response Parameters 1 13 Configuring IGMP Fast Leave Processing 1 15 Configuring IGMP SSM Mapping 1 15 Configuration Prerequisites 1 15 Enabling SSM Mapping 1 16 Configuring SSM Mappings 1 16 Configuring IGMP Proxying 1 17 Configuration Prerequisites 1 17 Enabling IGMP Proxying 1 17 Configuring Multicast Forwardin...

Page 788: ...eir multicast group memberships to immediately neighboring multicast routers IGMP Versions So far there are three IGMP versions z IGMPv1 documented in RFC 1112 z IGMPv2 documented in RFC 2236 z IGMPv3 documented in RFC 3376 All IGMP versions support the Any Source Multicast ASM model In addition to support of the ASM model IGMPv3 can be directly deployed to implement the Source Specific Multicast ...

Page 789: ... as shown in Figure 1 1 The following describes how the hosts join the multicast groups and the IGMP querier Router B in the figure maintains the multicast group memberships 1 The hosts send unsolicited IGMP reports to the addresses of the multicast groups that they want to join without having to wait for the IGMP queries from the IGMP querier 2 The IGMP querier periodically multicasts IGMP querie...

Page 790: ...oduced The querier election process is as follows 1 Initially every IGMPv2 router assumes itself as the querier and sends IGMP general query messages often referred to as general queries to all hosts and routers on the local subnet the destination address is 224 0 0 1 2 Upon hearing a general query every IGMPv2 router compares the source IP address of the query message with its own interface addre...

Page 791: ...ecific sources like S1 S2 it sends a report with the Filter Mode denoted as Exclude Sources S1 S2 As shown in Figure 1 2 the network comprises two multicast sources Source 1 S1 and Source 2 S2 both of which can send multicast data to multicast group G Host B is interested only in the multicast data that Source 1 sends to G but not in the data from Source 2 Figure 1 2 Flow paths of source and group...

Page 792: ... list of the additional sources that the system wishes to hear from for packets sent to the specified multicast address If the change was to an Include source list these are the addresses that were added to the list if the change was to an Exclude source list these are the addresses that were deleted from the list z BLOCK indicates that the Source Address fields in this Group Record contain a list...

Page 793: ...gured on Router A Router A cannot provide SSM service and drops the message z If G is in the SSM group range and the IGMP SSM mappings have been configured on Router A for multicast group G Router A translates the G information in the IGMP report into G INCLUDE S1 S2 information based on the configured IGMP SSM mappings and provides SSM service accordingly z The IGMP SSM mapping feature does not p...

Page 794: ...tains a group membership database which storesthe group memberships on all the downstream interfaces Each entry comprises the multicast address filter mode and source list Such an entry is a collection of members in the same multicast group on each downstream interface A proxy device performs host functions on the upstream interface based on the database It responds to queries according to the inf...

Page 795: ...configurations performed in interface view are effective on the current interface only z If a feature is not configured for an interface in interface view the global configuration performed in IGMP view will apply to that interface If a feature is configured in both IGMP view and interface view the configuration performed in interface view will be given priority Configuring Basic Functions of IGMP...

Page 796: ...mmands in the IP Multicast Volume Configuring IGMP Versions Because the protocol packets of different IGMP versions vary in structure and type the same IGMP version should be configured for all routers on the same subnet before IGMP can work properly Configuring an IGMP version globally Follow these steps to configure an IGMP version globally To do Use the command Remarks Enter system view system ...

Page 797: ...st group or multicast source and group by default z Before you can configure an interface of a PIM SM device as a static member of a multicast group or a multicast source and group if the interface is PIM SM enabled it must be a PIM SM DR if this interface is IGMP enabled but not PIM SM enabled it must be an IGMP querier For more information about PIM SM and a DR refer to PIM Configuration in the ...

Page 798: ...the maximum number of multicast groups an interface can join To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the maximum number of multicast groups that can be joined on the current interface igmp group limit limit Required 1024 by default This configuration takes effect for dynamically joined multicast groups but...

Page 799: ... for processing For details about the Router Alert option refer to RFC 2113 An IGMP message is processed differently depending on whether it carries the Router Alert option in the IP header z By default for the consideration of compatibility the device does not check the Router Alert option namely it processes all the IGMP messages it received In this case IGMP messages are directly passed to the ...

Page 800: ...cast group timeout time Upon receiving an IGMP query general query or group specific query a host starts a delay timer for each multicast group it has joined This timer is initialized to a random value in the range of 0 to the maximum response time which is derived from the Max Response Time field in the IGMP query When the timer value comes down to 0 the host sends an IGMP report to the correspon...

Page 801: ...nt interval Optional For the system default see Note below Configuring IGMP query and response parameters on an interface Follow these steps to configure IGMP query and response parameters on an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the startup query interval igmp startup query interval interva...

Page 802: ...nterval take the configured values z Make sure that the other querier present interval is greater than the IGMP query interval otherwise the IGMP querier may change frequently on the network z Make sure that the IGMP query interval is greater than the maximum response time for IGMP general queries otherwise multicast group members may be wrongly removed z The configurations of the maximum response...

Page 803: ...ticast sources Follow these steps to configure an IGMP SSM mapping To do Use the command Remarks Enter system view system view Enter IGMP view igmp Configure an IGMP SSM mapping ssm mapping group address mask mask length source address Required No IGMP mappings are configured by default If IGMPv3 is enabled on a VLAN interface of a switch that supports both IGMP Snooping and IGMP and if a port in ...

Page 804: ...t igmp send router alert and igmp version commands can take effect on such interfaces z You cannot enable other multicast routing protocols such as PIM DM or PIM SM on interfaces with IGMP proxying enabled or vice versa However the source lifetime source policy and ssm policy commands configured in PIM view can still take effect In addition in IGMPv1 the designated router DR is elected by the work...

Page 805: ...vlan vlan id slot slot number verbose Available in any view View IGMP configuration and operation information display igmp interface interface type interface number verbose Available in any view View the information of IGMP proxying groups display igmp proxying group group address verbose Available in any view View information in the IGMP routing table display igmp routing table source address mas...

Page 806: ...Configuration Example Network requirements z Receivers receive VOD information through multicast Receivers of different organizations form stub networks N1 and N2 and Host A and Host C are receivers in N1 and N2 respectively z Switch A in the PIM network connects to N1 and both Switch B and Switch C connect to N2 z Switch A connects to N1 through VLAN interface 100 and to other devices in the PIM ...

Page 807: ... configuration steps are omitted here 2 Enable IP multicast routing and enable PIM DM and IGMP Enable IP multicast routing on Switch A enable PIM DM on each interface and enable IGMP on VLAN interface 100 SwitchA system view SwitchA multicast routing enable SwitchA interface vlan interface 100 SwitchA Vlan interface100 igmp enable SwitchA Vlan interface100 pim dm SwitchA Vlan interface100 quit Swi...

Page 808: ...ce vlan interface 200 Vlan interface200 10 110 2 1 IGMP is enabled Current IGMP version is 2 Value of query interval for IGMP in seconds 60 Value of other querier present interval for IGMP in seconds 125 Value of maximum query response time for IGMP in seconds 10 Querier for IGMP 10 110 2 1 this router Total 1 IGMP Group reported SSM Mapping Configuration Example Network requirements z The PIM SM ...

Page 809: ...n steps are omitted here Configure OSPF for interoperability among the switches Ensure the network layer interoperation on the PIM SSM network and dynamic update of routing information among the switches through a unicast routing protocol The detailed configuration steps are omitted here 2 Enable IP multicast routing enable PIM SM on each interface and enable IGMP and IGMP SSM mapping on the host ...

Page 810: ...ace 104 SwitchD pim c rp vlan interface 104 SwitchD pim quit 4 Configure the SSM group range Configure the SSM group range 232 1 1 0 24 on Switch D SwitchD acl number 2000 SwitchD acl basic 2000 rule permit source 232 1 1 0 0 0 0 255 SwitchD acl basic 2000 quit SwitchD pim SwitchD pim ssm policy 2000 SwitchD pim quit The configuration on Switch A Switch B and Switch C is similar to that on Switch ...

Page 811: ...1 1 232 1 1 1 Protocol pim ssm Flag UpTime 00 13 25 Upstream interface Vlan interface104 Upstream neighbor 192 168 4 2 RPF prime neighbor 192 168 4 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface400 Protocol igmp UpTime 00 13 25 Expires never 133 133 3 1 232 1 1 1 Protocol pim ssm Flag UpTime 00 13 25 Upstream interface Vlan interface103 Upstream neighbor 192 16...

Page 812: ...1 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 igmp enable SwitchA Vlan interface100 pim dm SwitchA Vlan interface100 quit Enable IP multicast routing on Switch B IGMP Proxying on VLAN interface 100 and IGMP on VLAN interface 200 SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 100 SwitchB Vlan interface100 igmp proxying enable SwitchB Vl...

Page 813: ...her the protocol layer of the interface is up directly affect the generation of group membership information z Multicast routing must be enabled on the router and IGMP must be enabled on the interface connecting to the host z If the IGMP version on the router interface is lower than that on the host the router will not be able to recognize the IGMP report from the host z If the igmp group policy c...

Page 814: ...face and these parameters influence one another forming very complicated relationships Inconsistent IGMP interface parameter configurations for routers on the same subnet will surely result in inconsistency of memberships z In addition although an IGMP router is compatible with a host that is running a different IGMP version all routers on the same subnet must run the same version of IGMP Inconsis...

Page 815: ... Configuring an RP 1 19 Configuring a BSR 1 21 Configuring Administrative Scoping 1 24 Configuring Multicast Source Registration 1 26 Disabling SPT Switchover 1 27 Configuring PIM SSM 1 28 PIM SSM Configuration Task List 1 28 Configuration Prerequisites 1 28 Enabling PIM SM 1 29 Configuring the SSM Group Range 1 29 Configuring PIM Common Features 1 30 PIM Common Feature Configuration Task List 1 3...

Page 816: ...onfiguration 1 54 Failure of Building a Multicast Distribution Tree Correctly 1 54 Multicast Data Abnormally Terminated on an Intermediate Router 1 55 RPs Unable to Join SPT in PIM SM 1 55 RPT Establishment Failure or Source Registration Failure in PIM SM 1 56 ...

Page 817: ...eway protocol BGP Independent of the unicast routing protocols running on the device multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes PIM uses the reverse path forwarding RPF mechanism to implement multicast forwarding When a multicast packet arrives on an interface of the device it is subject to an RPF check If the RPF ...

Page 818: ... source tree is the shortest path from the multicast source to the receivers it is also called shortest path tree SPT How PIM DM Works The working mechanism of PIM DM is summarized as follows z Neighbor discovery z SPT building z Graft z Assert Neighbor discovery In a PIM domain a PIM router discovers PIM neighbors maintains PIM neighboring relationships with other routers and builds and maintains...

Page 819: ...re 1 1 a router without any receiver attached to it the router connected with Host A for example sends a prune message and this prune process goes on until only necessary branches are left in the PIM DM domain These branches constitute the SPT Figure 1 1 SPT establishment The flood and prune process takes place periodically A pruned state timeout mechanism is provided A pruned branch restarts mult...

Page 820: ...ulticast packets and both Router A and Router B on their own local interface receive a duplicate packet forwarded by the other Upon detecting this condition both routers send an assert message to all PIM routers 224 0 0 13 through the interface on which the packet was received The assert message contains the following information the multicast source address S the multicast group address G and the...

Page 821: ... the RPT z When a multicast source sends multicast streams to a multicast group the source side designated router DR first registers the multicast source with the RP by sending register messages to the RP by unicast until it receives a register stop message from the RP The arrival of a register message at the RP triggers the establishment of an SPT Then the multicast source sends subsequent multic...

Page 822: ...sage Ethernet Ethernet RP DR DR Hello message Register message Source Receiver Receiver As shown in Figure 1 3 the DR election process is as follows 1 Routers on the multi access network send hello messages to one another The hello messages contain the router priority for DR election The router with the highest DR priority will become the DR 2 In the case of a tie in the router priority or if any ...

Page 823: ...ns the address of the advertising C RP and the multicast group range it serves The BSR collects these advertisement messages and chooses the appropriate C RP information for each multicast group to form an RP set which is a database of mappings between multicast groups and RPs The BSR then encapsulates the RP set in the bootstrap messages it periodically originates and floods the bootstrap message...

Page 824: ...The routers along the path from the DR to the RP form an RPT branch Each router on this branch generates a G entry in its forwarding table The means any multicast source The RP is the root while the DRs are the leaves of the RPT The multicast data addressed to the multicast group G flows through the RP reaches the corresponding DR along the established RPT and finally is delivered to the receiver ...

Page 825: ...age hop by hop toward the multicast source Thus the routers along the path from the RP to the multicast source constitute an SPT branch Each router on this branch generates an S G entry in its forwarding table The DR at the multicast source side is the root while the RP is the leaf of the SPT 3 The subsequent multicast data from the multicast source travels along the established SPT to the RP and ...

Page 826: ...blish an SPT between the DR at the source side and the RP The subsequent multicast data from the multicast source travel along the established SPT to the RP For details about the SPT switchover initiated by the RP refer to Multicast source registration 2 The receiver side DR initiates an SPT switchover process Upon receiving the first multicast packet the receiver side DR initiates an SPT switchov...

Page 827: ...packets such as assert messages and bootstrap messages for a specific group range cannot cross the admin scope zone boundary Multicast group ranges served by different admin scope zones can be overlapped A multicast group is valid only within its local admin scope zone functioning as a private group address The global scope zone maintains a BSR which serves the multicast groups that do not belong ...

Page 828: ...es have no intersections however they may overlap one another Figure 1 8 Relationship between admin scope zones and the global scope zone in group address ranges In Figure 1 8 the group address ranges of admin scope 1 and 2 have no intersection whereas the group address range of admin scope 3 is a subset of the address range of admin scope 1 The group address range of the global scope zone covers ...

Page 829: ...PT is required there is no source registration process and there is no need of using the multicast source discovery protocol MSDP for discovering sources in other PIM domains Compared with the ASM model the SSM model only needs the support of IGMPv3 and some subsets of PIM SM The operation mechanism of PIM SSM can be summarized as follows z Neighbor discovery z DR election z SPT building Neighbor ...

Page 830: ... RP and a multicast source registration process is needed In PIM SSM the channel concept is used to refer to a multicast group and the channel subscription concept is used to refer to a join message Protocols and Standards PIM related specifications are as follows z RFC 4601 Protocol Independent Multicast Sparse Mode PIM SM Protocol Specification Revised z RFC 3973 Protocol Independent Multicast D...

Page 831: ...o enable PIM DM on all non border interfaces of the routers Enabling PIM DM globally Follow these steps to enable PIM DM globally To do Use the command Remarks Enter system view system view Enable IP multicast routing multicast routing enable Required Disable by default Enter interface view interface interface type interface number Enable PIM DM pim dm Required Disabled by default z All the interf...

Page 832: ... value comes down to 0 In a small network a state refresh message may cycle in the network To effectively control the propagation scope of state refresh messages you need to configure an appropriate TTL value based on the network size It is recommended to perform the following configurations on all routers in the PIM domain Follow these steps to configure state refresh parameters To do Use the com...

Page 833: ... RP Configuring C RP timers globally Optional Configuring a C BSR Optional Configuring a PIM domain border Optional Configuring global C BSR parameters Optional Configuring a BSR Configuring C BSR timers Optional Enabling administrative scoping Optional Configuring an admin scope zone boundary Optional Configuring Administrative Scoping Configuring C BSRs for each admin scope zone and the global s...

Page 834: ... Register suppression time z Register probe time z The ACL rule and sequencing rule for disabling an SPT switchover Enabling PIM SM With PIM SM enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from the PIM neighbors When deploying a PIM SM domain you are recommended to enable PIM SM on all non border interfaces of the routers Enabling PIM SM globa...

Page 835: ...pim Configure a static RP static rp rp address acl number preferred Required No static RP by default To enable a static RP to work normally you must perform this configuration on all the routers in the PIM SM domain and specify the same RP address Configuring a C RP In a PIM SM domain you can configure routers that intend to become the RP as C RPs The BSR collects the C RP information by receiving...

Page 836: ...device the device can receive these two types of messages and record the RP information carried in such messages Follow these steps to enable auto RP To do Use the command Remarks Enter system view system view Enter PIM view pim Enable auto RP auto rp enable Required Disabled by default Configuring C RP timers globally To enable the BSR to distribute the RP set information within the PIM SM domain...

Page 837: ...s If there is a tie in the priority the C BSR with a higher IP address wins The loser uses the winner s BSR address to replace its own BSR address and no longer assumes itself to be the BSR while the winner retains its own BSR address and continues assuming itself to be the BSR Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the address range thus to pre...

Page 838: ...ices in the PIM SM domain a relatively large bandwidth should be provided between the C BSRs and the other devices in the PIM SM domain z For C BSRs interconnected via a Generic Routing Encapsulation GRE tunnel multicast static routes need to be configured to ensure that the next hop to a C BSR is a GRE interface For more information about multicast static routes refer to Multicast Routing and For...

Page 839: ...an configure these parameters at three levels global configuration level global scope zone level and admin scope zone level z The value of these parameters configured at the global scope zone level or admin scope zone level have preference over the global values z If you do not configure these parameters at the global scope zone level or admin scope zone level the corresponding global values will ...

Page 840: ...S timeout 60 2 10 130 seconds z If this parameter is manually configured the system will use the configured value In configuration make sure that the BS period value is smaller than the BS timeout value Configuring Administrative Scoping With administrative scoping disabled a PIM SM domain has only one BSR The BSR manages the whole network To manage your network more effectively and specifically y...

Page 841: ...er of the multicast boundary command can be used to specify the multicast groups an admin scope zone serves in the range of 239 0 0 0 8 For details about the multicast boundary command see Multicast Routing and Forwarding Commands in the IP Multicast Volume Configuring C BSRs for each admin scope zone and the global scope zone In a network with administrative scoping enabled group range specific B...

Page 842: ...sk length and C BSR priority z You can configure these parameters at three levels global configuration level global scope zone level and admin scope zone level z The value of these parameters configured at the global scope zone level or admin scope zone level have preference over the global values z If you do not configure these parameters at the global scope zone level or admin scope zone level t...

Page 843: ...from the interval 0 5 times register_suppression_time 1 5 times register_suppression_time minus register_probe_time Configure a filtering rule for register messages on all C RP routers and configure them to calculate the checksum based on the entire register messages Configure the register suppression time and the register probe time on all routers that may become source side DRs Follow these step...

Page 844: ... not use spt switch threshold infinity command on a switch that may become an RP namely a static RP or a C RP Configuring PIM SSM The PIM SSM model needs the support of IGMPv3 Therefore be sure to enable IGMPv3 on PIM routers with multicast receivers PIM SSM Configuration Task List Complete these tasks to configure PIM SSM Task Remarks Enabling PIM SM Required Configuring the SSM Group Range Optio...

Page 845: ...mode For details about the multicast routing enable command see Multicast Routing and Forwarding Commands in the IP Multicast Volume Configuring the SSM Group Range As for whether the information from a multicast source is delivered to the receivers based on the PIM SSM model or the PIM SM model this depends on whether the group address in the S G channel subscribed by the receivers falls in the S...

Page 846: ...e in interface view has preference over the configuration made in PIM view regardless of the configuration sequence PIM Common Feature Configuration Task List Complete these tasks to configure PIM common features Task Remarks Configuring a Multicast Data Filter Optional Configuring a Hello Message Filter Optional Configuring PIM Hello Options Optional Configuring PIM Common Timers Optional Configu...

Page 847: ...rol on one hand and control the information available to receivers downstream to enhance data security on the other hand Follow these steps to configure a multicast data filter To do Use the command Remarks Enter system view system view Enter PIM view pim Configure a multicast group filter source policy acl number Required No multicast data filter by default z Generally a smaller distance from the...

Page 848: ...you want to enable neighbor tracking the neighbor tracking feature should be enabled on all PIM routers on a multi access subnet The LAN delay setting will cause the upstream routers to delay processing received prune messages If the LAN delay setting is too small it may cause the upstream router to stop forwarding multicast packets before a downstream router sends a prune override message Therefo...

Page 849: ...lt Configure the prune override interval hello option override interval interval Optional 2 500 milliseconds by default Disable join suppression hello option neighbor tracking Required Enabled by default Configuring hello options on an interface Follow these steps to configure hello options on an interface To do Use the command Remarks Enter system view system view Enter interface view interface i...

Page 850: ...source S the router does not immediately delete the corresponding S G entry instead it maintains the S G entry for a period of time namely the multicast source lifetime before deleting the S G entry Configuring PIM common timers globally Follow these steps to configure PIM common timers globally To do Use the command Remarks Enter system view system view Enter PIM view pim Configure the hello inte...

Page 851: ...n message size the loss of a single message will bring relatively minor impact By controlling the maximum number of S G entries in a join prune message you can effectively reduce the number of S G entries sent per unit of time Follow these steps to configure join prune message sizes To do Use the command Remarks Enter system view system view Enter PIM view pim Configure the maximum size of a join ...

Page 852: ...ace interface type interface number register outgoing interface include exclude match interface type interface number register mode mode type flags flag value fsm Available in any view View the RP information display pim rp info group address Available in any view Reset PIM control message counters reset pim control message counters interface interface type interface number Available in user view ...

Page 853: ...face as per Figure 1 10 Detailed configuration steps are omitted here Configure the OSPF protocol for interoperation among the switches in the PIM DM domain Ensure the network layer interoperation in the PIM DM domain and enable dynamic update of routing information among the switches through a unicast routing protocol Detailed configuration steps are omitted here 2 Enable IP multicast routing and...

Page 854: ... 1 30 1 192 168 1 2 local Vlan101 1 30 1 192 168 2 2 local Vlan102 1 30 1 192 168 3 2 local Carry out the display pim neighbor command to view the PIM neighboring relationships among the switches For example View the PIM neighboring relationships on Switch D SwitchD display pim neighbor Total Number of Neighbors 3 Neighbor Interface Uptime Expires Dr Priority 192 168 1 1 Vlan103 00 02 22 00 01 27 ...

Page 855: ...treams 1 1 Vlan interface100 Protocol pim dm UpTime 00 04 25 Expires never The information on Switch B and Switch C is similar to that on Switch A View the PIM routing table information on Switch D SwitchD display pim routing table Total 0 G entry 1 S G entry 10 110 5 100 225 1 1 1 Protocol pim dm Flag LOC ACT UpTime 00 03 27 Upstream interface Vlan interface300 Upstream neighbor NULL RPF prime ne...

Page 856: ...ace 105 on Switch D and Vlan interface 102 on Switch E act as C BSRs and C RPs the C BSR on Switch E has a higher priority the multicast group range served by the C RP is 225 1 1 0 24 modify the hash mask length to map a certain number of consecutive group addresses within the range to the two C RPs z IGMPv2 is to run between Switch A and N1 and between Switch B Switch C and N2 Network diagram Fig...

Page 857: ...quit SwitchA interface vlan interface 102 SwitchA Vlan interface102 pim sm SwitchA Vlan interface102 quit The configuration on Switch B and Switch C is similar to that on Switch A The configuration on Switch D and Switch E is also similar to that on Switch A except that it is not necessary to enable IGMP on the corresponding interfaces on these two switches 3 Configure a C BSR and a C RP On Switch...

Page 858: ...h A SwitchA display pim bsr info Elected BSR Address 192 168 9 2 Priority 20 Hash mask length 32 State Accept Preferred Scope Not scoped Uptime 00 40 40 Expires 00 01 42 View the BSR information and the locally configured C RP information in effect on Switch D SwitchD display pim bsr info Elected BSR Address 192 168 9 2 Priority 20 Hash mask length 32 State Accept Preferred Scope Not scoped Uptime...

Page 859: ...oldTime 150 Uptime 00 51 45 Expires 00 02 22 Assume that Host A needs to receive information addressed to the multicast group G 225 1 1 0 The RP corresponding to the multicast group G is Switch E as a result of hash calculation so an RPT will be built between Switch A and Switch E When the multicast source S 10 110 5 100 24 registers with the RP an SPT will be built between Switch D and Switch E U...

Page 860: ...100 Protocol pim sm UpTime 00 00 42 Expires 00 03 06 The information on Switch B and Switch C is similar to that on Switch A View the PIM routing table information on Switch D SwitchD display pim routing table Total 0 G entry 1 S G entry 10 110 5 100 225 1 1 0 RP 192 168 9 2 Protocol pim sm Flag SPT LOC ACT UpTime 00 00 42 Upstream interface Vlan interface300 Upstream neighbor NULL RPF prime neigh...

Page 861: ...ulticast information from only Source 1 while Host B receives the multicast information from only Source 2 Source 3 sends multicast information to multicast group 224 1 1 1 Host C is a multicast receiver for this multicast group z VLAN interface 101 of Switch B acts as a C BSR and C RP of admin scope zone 1 which serve the multicast group range 239 0 0 0 8 VLAN interface 104 of Switch D acts as a ...

Page 862: ...24 Switch E Vlan int400 192 168 4 1 24 Vlan int103 10 110 2 1 24 Vlan int105 10 110 5 2 24 Vlan int102 10 110 3 1 24 Vlan int108 10 110 7 2 24 Switch C Vlan int300 192 168 3 1 24 Switch F Vlan int109 10 110 9 1 24 Vlan int104 10 110 4 1 24 Vlan int107 10 110 8 2 24 Vlan int105 10 110 5 1 24 Vlan int102 10 110 3 2 24 Vlan int103 10 110 2 2 24 Switch G Vlan int500 192 168 5 1 24 Vlan int106 10 110 6...

Page 863: ...ting enable SwitchB pim SwitchB pim c bsr admin scope SwitchB pim quit SwitchB interface vlan interface 200 SwitchB Vlan interface200 pim sm SwitchB Vlan interface200 quit SwitchB interface vlan interface 101 SwitchB Vlan interface101 pim sm SwitchB Vlan interface101 quit SwitchB interface vlan interface 102 SwitchB Vlan interface102 pim sm SwitchB Vlan interface102 quit SwitchB interface vlan int...

Page 864: ... rule permit source 239 0 0 0 0 255 255 255 SwitchB acl basic 2001 quit SwitchB pim SwitchB pim c bsr group 239 0 0 0 8 SwitchB pim c bsr vlan interface 101 SwitchB pim c rp vlan interface 101 group policy 2001 SwitchB pim quit On Switch D configure the service scope of RP advertisements and configure VLAN interface 104 as a C BSR and C RP of admin scope zone 2 SwitchD acl number 2001 SwitchD acl ...

Page 865: ...ask length 30 State Elected Scope 239 0 0 0 8 Candidate RP 10 110 1 2 Vlan interface101 Priority 0 HoldTime 150 Advertisement Interval 60 Next advertisement scheduled at 00 00 15 View the BSR information and the locally configured C RP information on Switch D SwitchD display pim bsr info Elected BSR Address 10 110 9 1 Priority 0 Hash mask length 30 State Accept Preferred Scope Global Uptime 00 01 ...

Page 866: ... 1 Priority 0 Hash mask length 30 State Elected Scope Global Candidate RP 10 110 9 1 Vlan interface109 Priority 0 HoldTime 150 Advertisement Interval 60 Next advertisement scheduled at 00 00 55 To view the RP information learned on a switch use the display pim rp info command For example View the RP information on Switch B SwitchB display pim rp info PIM SM BSR RP information Group MaskLen 224 0 0...

Page 867: ...orks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the SSM mode z Host A and Host C are multicast receivers in two stub networks z Switch D connects to the network that comprises the multicast source Source through VLAN interface 300 z Switch A connects to stub network N1 through VLAN interface 100 and to Switch D and Switch E through VLAN interface 10...

Page 868: ...addresses and unicast routing Configure the IP address and subnet mask for each interface as per Figure 1 13 Detailed configuration steps are omitted here Configure the OSPF protocol for interoperation among the switches in the PIM SM domain Ensure the network layer interoperation in the PIM SM domain and enable dynamic update of routing information among the switches through a unicast routing pro...

Page 869: ...terface command to view the PIM configuration and running status on each interface For example View the PIM configuration information on Switch A SwitchA display pim interface Interface NbrCnt HelloInt DR Pri DR Address Vlan100 0 30 1 10 110 1 1 local Vlan101 1 30 1 192 168 1 2 Vlan102 1 30 1 192 168 9 2 Assume that Host A needs to receive the information a specific multicast source S 10 110 5 100...

Page 870: ...it has a route to the multicast source If the router does not have a route to the multicast source or if PIM DM is not enabled on the router s RPF interface to the multicast source the router cannot create S G entries z When PIM SM runs on the entire network and when a router is to join the SPT the router creates S G entries only if it has a route to the multicast source If the router does not hav...

Page 871: ... PIM mode is enabled on all the routers PIM SM on all routers or PIM DM on all routers In the case of PIM SM also check that the BSR and RP configurations are correct Multicast Data Abnormally Terminated on an Intermediate Router Symptom An intermediate router can receive multicast data successfully but the data cannot reach the last hop router An interface on the intermediate router receives data...

Page 872: ... C RP Adv messages to the BSR by unicast If a C RP has no unicast route to the BSR the BSR cannot receive C RP Adv messages from that C RP and the bootstrap message of the BSR will not contain the information of that C RP z In addition if the BSR does not have a unicast router to a C RP it will discard the C RP Adv messages from that C RP and therefore the bootstrap messages of the BSR will not co...

Page 873: ...er Connection Control 1 11 Configuring SA Messages Related Parameters 1 11 Configuration Prerequisites 1 11 Configuring SA Message Content 1 11 Configuring SA Request Messages 1 12 Configuring SA Message Filtering Rules 1 13 Configuring the SA Cache Mechanism 1 13 Displaying and Maintaining MSDP 1 14 MSDP Configuration Examples 1 14 Inter AS Multicast Configuration Leveraging BGP Routes 1 14 Inter...

Page 874: ...d to discover multicast source information in other PIM SM domains In the basic PIM SM mode a multicast source registers only with the RP in the local PIM SM domain and the multicast source information of a domain is isolated from that of another domain As a result the RP is aware of the source information only within the local domain and a multicast distribution tree is built only within the loca...

Page 875: ...d sends the messages to its remote MSDP peer to notify the MSDP peer of the locally registered multicast source information A source side MSDP peer must be created on the source side RP otherwise it will not be able to advertise the multicast source information out of the PIM SM domain z Receiver side MSDP peer the MSDP peer nearest to the receivers typically the receiver side RP like RP 3 Upon re...

Page 876: ...to know the specific location of Source so that receiver hosts can receive multicast traffic originated from it MSDP peering relationships should be established between RP 1 and RP 3 and between RP 3 and RP 2 respectively Figure 1 2 MSDP peering relationships RP 1 DR 1 Source PIM SM 1 PIM SM 3 PIM SM 2 PIM SM 4 RP 3 RP 2 DR 2 MSDP peers SA message Join message Multicast packets Register message Re...

Page 877: ...ss z If no receivers for the group exist in the domain RP 2 does not create an S G entry and does join the SPT rooted at the source z An MSDP mesh group refers to a group of MSDP peers that have MSDP peering relationships among one another and share the same group name z When using MSDP for inter domain multicasting once an RP receives information form a multicast source it no longer relies on RPs...

Page 878: ...RP 3 Because the SA message is from an MSDP peer RP 3 in the same mesh group RP 4 and RP 5 both accept the SA message but they do not forward the message to other members in the mesh group instead they forward it to other MSDP peers RP 6 in this example out of the mesh group 4 When RP 6 receives the SA messages from RP 4 and RP 5 suppose RP 5 has a higher IP address Although RP 4 and RP 5 are in t...

Page 879: ... Typical network diagram of Anycast RP SA message Source Receiver Router A Router B RP 1 RP 2 PIM SM MSDP peers The work process of Anycast RP is as follows 1 The multicast source registers with the nearest RP In this example Source registers with RP 1 with its multicast data encapsulated in the register message When the register message arrives at RP 1 RP 1 decapsulates the message 2 Receivers se...

Page 880: ...ss into a host address z An MSDP peer address must be different from the Anycast RP address Protocols and Standards MSDP is documented in the following specifications z RFC 3618 Multicast Source Discovery Protocol MSDP z RFC 3446 Anycast Rendezvous Point RP mechanism using Protocol Independent Multicast PIM and Multicast Source Discovery Protocol MSDP MSDP Configuration Task List Complete these ta...

Page 881: ...ess prefix list for an RP address filtering policy Enabling MSDP Follow these steps to enable MSDP globally To do Use the command Remarks Enter system view system view Enable IP multicast routing multicast routing enable Required Disabled by default Enable MSDP and enter MSDP view msdp Required Disabled by default For details about the multicast routing table command see Multicast Routing and Forw...

Page 882: ...r To do Use the command Remarks Enter system view system view Enter MSDP view msdp Configure a static RPF peer static rpf peer peer address rp policy ip prefix name Required No static RPF peer configured by default If only one MSDP peer is configured on a router this MSDP will be registered as a static RPF peer Configuring an MSDP Peer Connection Configuration Prerequisites Before configuring MSDP...

Page 883: ...esh group on the other hand a mesh group member accepts SA messages from inside the group without performing an RPF check and does not forward the message within the mesh group either This mechanism not only avoids SA flooding but also simplifies the RPF check mechanism because BGP or MBGP is not needed to run between these MSDP peers By configuring the same mesh group name for multiple MSDP peers...

Page 884: ...te the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring SA message delivery prepare the following data z ACL rules for filtering SA request messages z ACL rules as SA message creation rules z ACL rules for filtering SA messages to be received and forwarded z TTL...

Page 885: ...lt Configure the interface address as the RP address in SA messages originating rp interface type interface number Optional PIM RP address by default Configuring SA Request Messages By default upon receiving a new Join message a router does not send an SA request message to any MSDP peer instead it waits for the next SA message from its MSDP peer This will cause the receiver to delay obtaining mul...

Page 886: ... the TTL value is less than the threshold the router does not forward the SA message to the designated MSDP peer if the TTL value is greater than or equal to the threshold the router re encapsulates the multicast data in an SA message and sends the SA message out Follow these steps to configure a filtering rule for receiving or forwarding SA messages To do Use the command Remarks Enter system view...

Page 887: ... SA cache display msdp sa cache group address source address as number Available in any view View the number of S G entries in the SA cache display msdp sa count as number Available in any view Reset the TCP connection with an MSDP peer reset msdp peer peer address Available in user view Clear S G entries in the SA cache reset msdp sa cache group address Available in user view Clear all statistics...

Page 888: ... 110 6 2 24 Switch C Vlan int104 10 110 4 1 24 Vlan int400 10 110 7 1 24 Vlan int102 192 168 3 1 24 Source 1 10 110 2 100 24 Vlan int101 192 168 1 2 24 Source 2 10 110 5 100 24 Loop0 2 2 2 2 32 Configuration procedure 1 Configure IP addresses and unicast routing Configure the IP address and subnet mask for each interface as per Figure 1 5 Detailed configuration steps are omitted here Configure OSP...

Page 889: ...Configure Loopback 0 as a C BSR and a C RP on Switch B SwitchB pim SwitchB pim c bsr loopback 0 SwitchB pim c rp loopback 0 SwitchB pim quit The configuration on Switch C and Switch E is similar to the configuration on Switch B 4 Configure BGP for mutual route redistribution between BGP and OSPF Configure EBGP on Switch B and redistribute OSPF routes SwitchB bgp 100 SwitchB bgp router id 1 1 1 1 S...

Page 890: ...erface 102 SwitchE msdp quit 6 Verify the configuration Carry out the display bgp peer command to view the BGP peering relationships between the switches For example View the information about BGP peering relationships on Switch B SwitchB display bgp peer BGP local router ID 1 1 1 1 Local AS number 100 Total number of peers 1 Peers in established state 1 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up D...

Page 891: ...0 100 i 2 2 2 2 32 192 168 3 2 0 100 0 3 3 3 3 32 0 0 0 0 0 0 192 168 1 0 0 0 0 0 0 0 192 168 1 1 0 0 100 192 168 1 1 32 0 0 0 0 0 0 192 168 1 2 32 0 0 0 0 0 0 192 168 1 1 0 0 100 192 168 3 0 0 0 0 0 0 0 i 192 168 3 2 0 100 0 192 168 3 1 32 0 0 0 0 0 0 192 168 3 2 32 0 0 0 0 0 0 i 192 168 3 2 0 100 0 When the multicast source in PIM SM 1 Source 1 and the multicast source in PIM SM 2 Source 2 send ...

Page 892: ...splay msdp peer status MSDP Peer 192 168 1 2 AS 200 Description Information about connection status State Up Up down time 00 15 47 Resets 0 Connection interface Vlan interface101 192 168 1 1 Number of sent received messages 16 16 Number of discarded output messages 0 Elapsed time since last connection or counters clear 00 17 51 Information about Source Group based SA filtering policy Import policy...

Page 893: ... Switch B and Switch B be configured as the only static RPF peer of Switch C and Switch E so that any switch can receive SA messages only from its static RPF peer s and permitted by the corresponding filtering policy Network diagram Figure 1 6 Network diagram for inter AS multicast configuration leveraging static RPF peers V l a n i n t 1 0 2 V l a n i n t 1 0 3 V l a n i n t 1 0 3 V l a n i n t 2...

Page 894: ...ce100 pim sm SwitchA Vlan interface100 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 igmp enable SwitchA Vlan interface200 pim sm SwitchA Vlan interface200 quit The configuration on Switch B Switch C Switch D Switch E and Switch F is similar to the configuration on Switch A Configure PIM domain borders on Switch B SwitchB interface vlan interface 102 SwitchB Vlan interface102...

Page 895: ... to view the BGP peering relationships between the switches If the command gives no output information a BGP peering relationship has not been established between the switches When the multicast source in PIM SM 1 Source 1 and the multicast source in PIM SM 2 Source 2 send multicast information receivers in PIM SM 1 and PIM SM 3 can receive the multicast data You can use the display msdp brief com...

Page 896: ...an MSDP peering relationship between Switch B and Switch D Network diagram Figure 1 7 Network diagram for anycast RP configuration L o o p 0 L o o p 2 0 L o o p 2 0 L o o p 0 V l a n i n t 1 0 1 V l a n i n t 1 0 1 V l a n i n t 1 0 2 V l a n i n t 1 0 2 V l a n i n t 1 0 3 V l a n i n t 1 0 3 V l a n i n t 1 0 4 V l a n i n t 1 0 4 Device Interface IP address Device Interface IP address Source 1 ...

Page 897: ...itchB Vlan interface100 pim sm SwitchB Vlan interface100 quit SwitchB interface vlan interface 103 SwitchB Vlan interface103 pim sm SwitchB Vlan interface103 quit SwitchB interface Vlan interface 101 SwitchB Vlan interface101 pim sm SwitchB Vlan interface101 quit SwitchB interface loopback 0 SwitchB LoopBack0 pim sm SwitchB LoopBack0 quit SwitchB interface loopback 10 SwitchB LoopBack10 pim sm Swi...

Page 898: ...witchD display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 1 1 0 0 0 0 Peer s Address State Up Down time AS SA Count Reset Count 1 1 1 1 Up 00 10 18 0 0 To view the PIM routing information on the switches use the display pim routing table command When Source 1 10 110 5 100 24 sends multicast data to multicast group G 225 1 1 1 Host A joins multicast group G By...

Page 899: ...By comparing the PIM routing information displayed on Switch B with that displayed on Switch D you can see that Switch D acts now as the RP for Source 2 and Host B View the PIM routing information on Switch B SwitchB display pim routing table No information is output on Switch B View the PIM routing information on Switch D SwitchD display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 RP ...

Page 900: ...ltering rules so that receivers Host A and Host B can receive only the multicast data addressed to multicast groups 225 1 1 0 30 and 226 1 1 0 30 while Host can receive only the multicast data addressed to multicast groups 226 1 1 0 30 and 227 1 1 0 30 Network diagram Figure 1 8 Network diagram for SA message filtering configuration Loop0 Vlan int102 Vlan int102 Device Interface IP address Device ...

Page 901: ...hA interface vlan interface 101 SwitchA Vlan interface101 pim sm SwitchA Vlan interface101 quit SwitchA interface vlan interface 102 SwitchA Vlan interface102 pim sm SwitchA Vlan interface102 quit SwitchA interface loopback 0 SwitchA LoopBack0 pim sm SwitchA LoopBack0 quit The configuration on Switch B Switch C and Switch D is similar to the configuration on Switch A The specific configuration ste...

Page 902: ... not forward SA messages for Source 1 225 1 1 0 30 to Switch D SwitchC acl number 3001 SwitchC acl adv 3001 rule deny ip source 10 110 3 100 0 destination 225 1 1 0 0 0 0 3 SwitchC acl adv 3001 rule permit ip source any destination any SwitchC acl adv 3001 quit SwitchC msdp SwitchC msdp peer 10 110 5 2 sa policy export acl 3001 SwitchC msdp quit Configure an SA message rule on Switch D so that Swi...

Page 903: ...226 1 1 3 1 1 1 1 00 32 53 00 05 07 Troubleshooting MSDP MSDP Peers Stay in Down State Symptom The configured MSDP peers stay in the down state Analysis z A TCP connection based MSDP peering relationship is established between the local interface address and the MSDP peer after the configuration z The TCP connection setup will fail if there is a consistency between the local interface address and ...

Page 904: ...xchange their locally registered S G entries with one another in the Anycast RP application Analysis z In the Anycast RP application RPs in the same PIM SM domain are configured to be MSDP peers to achieve load balancing among the RPs z An MSDP peer address must be different from the anycast RP address and the C BSR and C RP must be configured on different devices or interfaces z If the originatin...

Page 905: ...iguring MBGP Route Dampening 1 7 Configuring MBGP Route Attributes 1 7 Prerequisites 1 8 Configuring MBGP Route Preferences 1 8 Configuring the Default Local Preference 1 8 Configuring the MED Attribute 1 8 Configuring the Next Hop Attribute 1 9 Configuring the AS PATH Attribute 1 9 Tuning and Optimizing MBGP Networks 1 10 Prerequisites 1 10 Configuring MBGP Soft Reset 1 10 Configuring the Maximum...

Page 906: ...ast topology may be different from the unicast topology To meet the requirement the multiprotocol BGP extensions enable BGP to carry the unicast Network Layer Reachability Information NLRI and multicast NLRI separately and the multicast NLRI is used to perform reverse path forwarding RPF exclusively In this way route selection for a destination through the unicast routing table and through the mul...

Page 907: ...tering Optional Configuring Inbound MBGP Route Filtering Optional Controlling Route Advertisement and Reception Configuring MBGP Route Dampening Configuring MBGP Route Preferences Configuring the Default Local Preference Configuring the MED Attribute Configuring the Next Hop Attribute Configuring MBGP Route Attributes Configuring the AS PATH Attribute Optional Configuring MBGP Soft Reset Optional ...

Page 908: ...and Reception Prerequisites You need to configure MBGP basic functions before configuring this task Configuring MBGP Route Redistribution MBGP can advertise routing information in the local AS to neighboring ASs It redistributes such routing information from IGP into its routing table rather than learns the information by itself Follow these steps to configure MBGP route redistribution To do Use t...

Page 909: ...otocol process id med med value route policy route policy name Required No route redistribution is configured by default Enable default route redistribution into the MBGP routing table default route imported Required Not enabled by default Configuring MBGP Route Summarization To reduce the routing table size on medium and large MBGP networks you need to configure route summarization on peers MBGP ...

Page 910: ...ystem view system view Enter BGP view bgp as number Enter IPv4 MBGP address family view ipv4 family multicast Advertise a default route to an MBGP peer or peer group peer group name ip address default route advertise route policy route policy name Required Not advertised by default With the peer default route advertise command executed the router sends a default route with the next hop being itsel...

Page 911: ...ddress as path acl as path acl number export Reference an IP prefix list to filer route advertisements to an IPv4 MBGP peer peer group peer group name ip address ip prefix ip prefix name export At least one of these approaches is required No outbound route filtering is configured by default Configuring Inbound MBGP Route Filtering By configuring MBGP route reception filtering policies you can filt...

Page 912: ...filtering is configured by default Specify the maximum number of routes that can be received from an IPv4 MBGP peer peer group peer group name ip address route limit limit percentage Optional The number is unlimited by default Members of a peer group can have different route reception filtering policies from the peer group Configuring MBGP Route Dampening By configuring MBGP route dampening you ca...

Page 913: ...icy name Optional The default preferences of multicast MBGP eBGP MBGP iBGP and local MBGP routes are 255 255 and 130 respectively Configuring the Default Local Preference Follow these steps to configure the default local preference To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enter IPv4 MBGP address family view ipv4 family multicast Configure the default...

Page 914: ...er the peer next hop local command is configured In a third party next hop network that is the local router has two multicast eBGP peers in a broadcast network the router does not specify itself as the next hop of routing information sent to the eBGP peers unless the peer next hop local command is configured Follow these steps to specify the router as the next hop of routes sent to a peer peer gro...

Page 915: ...to configure BGP basic functions before configuring this task Configuring MBGP Soft Reset After modifying a route selection policy you have to reset MBGP connections to make it take effect causing short time disconnections After the route refresh capability is enabled on all MBGP routers in a network when a route selection policy is modified on a router the local router can perform dynamic route u...

Page 916: ... multi protocol extensions for a peer peer group peer group name ip address capability advertise conventional Optional Enabled by default Enter IPv4 MBGP address family view ipv4 family multicast Keep all original routes from a peer peer group regardless of whether they pass the inbound filtering policies peer group name ip address keep all routes Required Not kept by default Return to user view r...

Page 917: ...mber as number Required No peer is added by default Enter IPv4 MBGP address family view ipv4 family multicast Enable the IPv4 unicast peer group peer group name enable Required Add an IPv4 MBGP peer to the peer group peer ip address group group name Required Not configured by default z To configure an MBGP peer group you need to enable the corresponding IPv4 BGP unicast peer group in IPv4 MBGP add...

Page 918: ...dvertisement z For route policy configuration refer to Route Policy Configuration in the IP Routing Volume Configuring an MBGP Route Reflector To guarantee the connectivity between multicast iBGP peers in an AS you need to make them fully meshed But this becomes unpractical when there are large numbers of multicast iBGP peers Configuring route reflectors can solve this problem Follow these steps t...

Page 919: ...e in any view Display the advertised networks display bgp multicast network Available in any view Display AS path information display bgp multicast paths as regular expression Available in any view Display MBGP peer peer group information display bgp multicast peer ip address verbose Available in any view Display MBGP routing information display bgp multicast routing table ip address mask mask len...

Page 920: ...regular expression as regular expression Available in any view Display IPv4 MBGP routing statistics display bgp multicast routing table statistic Available in any view Resetting MBGP Connections To do Use the command Remarks Reset specified MBGP connections reset bgp ipv4 multicast all as number ip address group group name external internal Available in user view Clearing MBGP Information To do Us...

Page 921: ...lan int104 192 168 4 2 24 Vlan int103 192 168 3 1 24 Loop0 4 4 4 4 32 Loop0 2 2 2 2 32 Configuration procedure 1 Configure IP addresses for interfaces as shown in the above figure omitted 2 Configure OSPF omitted 3 Enable IP multicast routing PIM SM and IGMP and configure a PIM SM domain border Enable IP multicast routing on Switch A and enable PIM SM on each interface SwitchA system view SwitchA ...

Page 922: ...re it as the C BSR and C RP on Switch A SwitchA interface loopback 0 SwitchA LoopBack0 ip address 1 1 1 1 32 SwitchA LoopBack0 pim sm SwitchA LoopBack0 quit SwitchA pim SwitchA pim c bsr loopback 0 SwitchA pim c rp loopback 0 SwitchA pim quit Configure Loopback 0 and configure it as the C BSR and C RP on Switch B SwitchB interface loopback 0 SwitchB LoopBack0 ip address 2 2 2 2 32 SwitchB LoopBack...

Page 923: ...msdp peer 192 168 1 1 connect interface vlan interface 101 SwitchB msdp quit 7 Verify the configuration You can use the display bgp multicast peer command to display MBGP peers on a switch For example display MBGP peers on Switch B SwitchB display bgp multicast peer BGP local router ID 2 2 2 2 Local AS number 200 Total number of peers 3 Peers in established state 3 Peer V AS MsgRcvd MsgSent OutQ P...

Page 924: ...iguration Prerequisites 1 12 Enabling IGMP Snooping Querier 1 12 Configuring IGMP Queries and Responses 1 12 Configuring Source IP Address of IGMP Queries 1 14 Configuring an IGMP Snooping Policy 1 14 Configuration Prerequisites 1 14 Configuring a Multicast Group Filter 1 14 Configuring Multicast Source Port Filtering 1 15 Configuring the Function of Dropping Unknown Multicast Data 1 16 Configurin...

Page 925: ... and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 1 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 Figure 1 1 Before and af...

Page 926: ...Ethernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its router port list z Member port A member port is a port on an Ethernet switch that leads the switch towards multicast group members In the figure GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 of Switch A and GigabitEthernet 1 0 2 of Switch B are member ports The...

Page 927: ...r age out How IGMP Snooping Works A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows The description about adding or deleting a port in this section is only for a dynamic port Static ports can be added or deleted only through the corresponding configurations For details see Configuring Static Ports When receiving a general query The IGMP q...

Page 928: ...l the attached hosts listening to the reported multicast address will suppress their own reports upon receiving this report and this will prevent the switch from knowing whether the reported multicast group still has active members attached to that port For the description of IGMP report suppression mechanism refer to IGMP Configuration in the IP Multicast Volume When receiving a leave message Whe...

Page 929: ...outgoing port list of the forwarding table entry for that multicast group when the aging timer expires Processing of Multicast Protocol Messages With Layer 3 multicast routing enabled an IGMP Snooping switch processes multicast protocol messages differently under different conditions specifically as follows 1 If only IGMP is enabled or both IGMP and PIM are enabled on the switch the switch handles...

Page 930: ...t Optional Configuring an IGMP Snooping Policy Configuring Multicast Group Replacement Optional z Configurations made in IGMP Snooping view are effective for all VLANs while configurations made in VLAN view are effective only for ports belonging to the current VLAN For a given VLAN a configuration made in IGMP Snooping view is effective only if the same configuration is not made in VLAN view z Con...

Page 931: ...nable Required Disabled by default z IGMP Snooping must be enabled globally before it can be enabled in a VLAN z After enabling IGMP Snooping in a VLAN you cannot enable IGMP and or PIM on the corresponding VLAN interface z When you enable IGMP Snooping in a specified VLAN this function takes effect for the ports in this VLAN only Configuring the Version of IGMP Snooping By configuring an IGMP Sno...

Page 932: ...ic router ports z Aging time of dynamic member ports and z Multicast group and multicast source addresses Configuring Aging Timers for Dynamic Ports If the switch receives no IGMP general queries or PIM hello messages on a dynamic router port the switch removes the port from the router port list when the aging timer of the port expires If the switch receives no IGMP reports for a multicast group o...

Page 933: ...ata that a particular multicast source sends to a particular group you can configure static G or S G joining on that port namely configure the port as a group specific or source and group specific static member port You can configure a port of a switch to be a static router port through which the switch can forward all the multicast traffic it received Follow these steps to configure static ports ...

Page 934: ...d due to some reasons the multicast router may deem that no member of this multicast group exists on the network segment and therefore will remove the corresponding forwarding path To avoid this situation from happening you can enable simulated joining on a port of the switch namely configure the port as a simulated member host for a multicast group When receiving an IGMP query the simulated host ...

Page 935: ...hich more than one host is attached when one host leaves a multicast group the other hosts attached to the port and interested in the same multicast group will fail to receive multicast data for that group Therefore if the function of dropping unknown multicast traffic is already enabled on the switch or in the VLANs the fast leave processing function should not be enabled Configuring fast leave p...

Page 936: ... VLAN where multicast traffic needs to be Layer 2 switched only and no multicast routers are present the Layer 2 switch will act as the IGMP Snooping querier to send IGMP queries thus allowing multicast forwarding entries to be established and maintained at the data link layer Follow these steps to enable IGMP Snooping querier To do Use the command Remarks Enter system view system view Enter VLAN ...

Page 937: ...configure IGMP queries and responses globally To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Configure the maximum response time to IGMP general queries max response time interval Optional 10 seconds by default Configure the IGMP last member query interval last member query interval interval Optional 1 second by default Configuring IGMP queries a...

Page 938: ... of IGMP query messages may affect IGMP querier selection within the segment Configuring an IGMP Snooping Policy Configuration Prerequisites Before configuring an IGMP Snooping policy complete the following task z Enable IGMP Snooping in the VLAN Before configuring an IGMP Snooping policy prepare the following data z ACL rule for multicast group filtering z The maximum number of multicast groups t...

Page 939: ...her approach Configure a multicast group filter igmp snooping group policy acl number vlan vlan list Required By default no group filter is configured on the current port that is hosts on this port can join any valid multicast group Configuring Multicast Source Port Filtering With the multicast source port filtering feature enabled on a port the port can be connected with multicast receivers only ...

Page 940: ...cast data enabled the switch forwards unknown multicast data to its router ports instead of flooding it in the VLAN If no router ports exist the switch drops the unknown multicast data Follow these steps to configure the function of dropping unknown multicast data in a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Enable the function of dropping unkn...

Page 941: ...owed on the port s is 1024 z When the number of multicast groups a port has joined reaches the maximum number configured the system deletes all the forwarding entries persistent to that port from the IGMP Snooping forwarding table and the hosts on this port need to join the multicast groups again z If you have configured static or simulated joins on a port however when the number of multicast grou...

Page 942: ... group of ports Follow these steps to configure multicast group replacement on a port or a group of ports To do Use the command Remarks Enter system view system view interface interface type interface number Enter Ethernet port Layer 2 aggregate port view or port group view port group manual port group name Required Use either approach Enable multicast group replacement igmp snooping overflow repl...

Page 943: ...ins IGMP Snooping Configuration Examples Configuring Group Policy and Simulated Joining Network requirements z As shown in Figure 1 3 Router A connects to the multicast source through GigabitEthernet 1 0 2 and to Switch A through GigabitEthernet 1 0 1 z IGMPv2 is required on Router A IGMP Snooping version 2 is required on Switch A and Router A will act as the IGMP querier on the subnet z It is req...

Page 944: ...abitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 100 assign GigabitEthernet 1 0 1 through GigabitEthernet 1...

Page 945: ...24 1 1 1 vlan 100 SwitchA GigabitEthernet1 0 4 quit 4 Verify the configuration View the detailed IGMP Snooping multicast groups information in VLAN 100 on Switch A SwitchA display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Tot...

Page 946: ... Switch A Switch B Switch C z It is required to configure GigabitEthernet 1 0 3 that connects Switch A to Switch C as a static router port so that multicast traffic can flow to the receivers nearly uninterruptedly along the path of Switch A Switch C in the case that the path of Switch A Switch B Switch C gets blocked If no static router port is configured when the path of Switch A Switch B Switch ...

Page 947: ... snooping quit Create VLAN 100 assign GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to this VLAN and enable IGMP Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 3 SwitchA vlan100 igmp snooping enable SwitchA vlan100 quit Configure GigabitEthernet 1 0 3 to be a static router port SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEth...

Page 948: ...igabitEthernet1 0 5 quit 6 Verify the configuration View the detailed IGMP Snooping multicast group information in VLAN 100 on Switch A SwitchA display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC...

Page 949: ... shown in Figure 1 5 in a Layer 2 only network environment two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224 1 1 1 and 225 1 1 1 respectively Host A and Host C are receivers of multicast group 224 1 1 1 while Host B and Host D are receivers of multicast group 225 1 1 1 z All the receivers are running IGMPv2 and all the switches need to run IGMP Snooping versio...

Page 950: ...SwitchA vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 3 Enable IGMP Snooping and the function of dropping unknown multicast traffic in VLAN 100 SwitchA vlan100 igmp snooping enable SwitchA vlan100 igmp snooping drop unknown Enable the IGMP Snooping querier function in VLAN 100 SwitchA vlan100 igmp snooping querier Set the source IP address of IGMP general queries and group specific que...

Page 951: ... IGMPv2 reports 12 Received IGMP leaves 0 Received IGMPv2 specific queries 0 Sent IGMPv2 specific queries 0 Received IGMPv3 reports 0 Received IGMPv3 reports with right and wrong records 0 Received IGMPv3 specific queries 0 Received IGMPv3 specific sg queries 0 Sent IGMPv3 specific queries 0 Sent IGMPv3 specific sg queries 0 Received error IGMP messages 0 Troubleshooting IGMP Snooping Configuratio...

Page 952: ...d Solution 1 Use the display acl command to check the configured ACL rule Make sure that the ACL rule conforms to the multicast group policy to be implemented 2 Use the display this command in IGMP Snooping view or in the corresponding port view to check whether the correct multicast group policy has been applied If not use the group policy or igmp snooping group policy command to apply the correc...

Page 953: ...n Prerequisites 1 3 Configuring Sub VLAN Based Multicast VLAN 1 3 Configuring Port Based Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 4 Configuring Multicast VLAN Ports 1 5 Displaying and Maintaining Multicast VLAN 1 6 Multicast VLAN Configuration Examples 1 6 Sub VLAN Based Multicast VLAN Configuration 1 6 Port Based Multicast VLAN Configuration 1 9 ...

Page 954: ...Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without multicast VLAN The multicast VLAN feature configured on the Layer 2 device is the solution to this issue With the multicast VLAN feature the Layer 3 device needs to replicate the multicast traffic only in the multicast VLAN instead of mak...

Page 955: ...st A Host B and Host C are in three different user VLANs All the user ports ports with attached hosts on Switch A are hybrid ports On Switch A configure VLAN 10 as a multicast VLAN assign all the user ports to this multicast VLAN and enable IGMP Snooping in the multicast VLAN and all the user VLANs Figure 1 3 Port based multicast VLAN After the configuration upon receiving an IGMP message on a use...

Page 956: ...on is given preference Configuring Sub VLAN Based Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based multicast VLAN complete the following tasks z Create VLANs as required z Enable IGMP Snooping in the VLAN to be configured as a multicast VLAN Configuring Sub VLAN Based Multicast VLAN In this approach you need to configure a VLAN as a multicast VLAN and then configure use...

Page 957: ...port configurations made in Layer 2 aggregate port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port based multicast VLAN complete the following tasks z Create VLANs as required z Enable IGMP Snooping in the VLAN to be configured as a multicast VLAN z Enab...

Page 958: ...d pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring Multicast VLAN Ports In this approach you need to configure a VLAN as a multicast VLAN and then assign user ports to this multicast VLAN by either adding the user ports in the multicast VLAN or specifying the multicast VLAN on the user ports These two configuration methods give the same result Configu...

Page 959: ... multicast VLAN display multicast vlan vlan id Available in any view Multicast VLAN Configuration Examples Sub VLAN Based Multicast VLAN Configuration Network requirements z Router A connects to a multicast source through GigabitEthernet1 0 1 and to Switch A through GigabitEthernet 1 0 2 z IGMPv2 is required on Router A and IGMPv2 Snooping is required on Switch A Router A is the IGMP querier z Swi...

Page 960: ...nable PIM DM on each interface and enable IGMP on the host side interface GigabitEthernet 1 0 2 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 igmp enable 3 Configure Switch A Ena...

Page 961: ...icast vlan s Multicast vlan 10 subvlan list vlan 2 4 port list no port View the IGMP Snooping multicast group information on Switch A SwitchA display igmp snooping group Total 4 IP Group s Total 4 IP Source s Total 4 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 2 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port ...

Page 962: ... 0100 5e01 0101 Host port s total 1 port GE1 0 4 Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 0 port MAC group s MAC group address 0100 5e01 0101 Host port s total 0 port As shown above IGMP Snooping is maintaining t...

Page 963: ...different user VLANs Network diagram Figure 1 5 Network diagram for port based multicast VLAN configuration Source Receiver Host A VLAN 2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A IGMP querier Router A GE1 0 1 1 1 1 2 24 GE1 0 2 10 110 1 1 24 1 1 1 1 24 Receiver Host B VLAN 3 Receiver Host C VLAN 4 GE1 0 1 Configuration procedure 1 Configure IP addresses Configure the IP address and subnet mask for each in...

Page 964: ... 2 SwitchA GigabitEthernet1 0 2 port link type hybrid SwitchA GigabitEthernet1 0 2 port hybrid pvid vlan 2 SwitchA GigabitEthernet1 0 2 port hybrid vlan 2 untagged SwitchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration steps are omitted Configure VLAN 10 ...

Page 965: ...AN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 3 port GE1 0 2 GE1 0 3 GE1 0 4 As shown above IGMP Snooping is maint...

Page 966: ...ing IPv6 Multicast Routing 1 4 Configuring IPv6 Multicast Routing and Forwarding 1 4 Configuration Prerequisites 1 4 Configuring an IPv6 Multicast Routing Policy 1 4 Configuring an IPv6 Multicast Forwarding Range 1 5 Configuring the IPv6 Multicast Forwarding Table Size 1 5 Displaying and Maintaining IPv6 Multicast Routing and Forwarding 1 6 Troubleshooting IPv6 Multicast Policy Configuration 1 7 A...

Page 967: ...ticast routing protocols forms a general IPv6 multicast routing table z The IPv6 multicast forwarding table is directly used to control the forwarding of IPv6 multicast packets This is the table that guides IPv6 multicast forwarding An IPv6 multicast forwarding table consists of a set of S G entries each indicating the routing information for delivering multicast data from a multicast source to a ...

Page 968: ...routing table using the IPv6 address of the packet source as the destination address The outgoing interface in the corresponding routing entry is the RPF interface and the next hop is the RPF neighbor 2 Then the router selects one from these two optimal routes as the RPF route The selection process is as follows z If configured to use the longest match principle the router selects the longest matc...

Page 969: ...g S G entry exists and the interface on which the packet actually arrived is the incoming interface the router forwards the packet to all the outgoing interfaces 3 If the corresponding S G entry exists but the interface on which the packet actually arrived is not the incoming interface in the IPv6 multicast forwarding table the IPv6 multicast packet is subject to an RPF check z If the RPF interfac...

Page 970: ...cast routing Follow these steps to enable IPv6 multicast routing To do Use the Command Remarks Enter system view system view Enable IPv6 multicast routing multicast ipv6 routing enable Required Disabled by default Configuring IPv6 Multicast Routing and Forwarding Configuration Prerequisites Before configuring IPv6 multicast routing and forwarding complete the following tasks z Configure an IPv6 un...

Page 971: ...fic IPv6 multicast group on all interfaces that support IPv6 multicast forwarding A multicast forwarding boundary sets the boundary condition for the IPv6 multicast groups in the specified range If the destination address of an IPv6 multicast packet matches the set boundary condition the packet will not be forwarded Once an IPv6 multicast boundary is configured on an interface this interface can n...

Page 972: ...dded downstream nodes until the number of existing downstream nodes comes down below the configured value Follow these steps to configure the IPv6 multicast forwarding table size To do Use the command Remarks Enter system view system view Configure the maximum number of entries in the IPv6 multicast forwarding table multicast ipv6 forwarding table route limit limit Optional 512 by default Configur...

Page 973: ...multicast forwarding table the corresponding routing entry will also be deleted from the IPv6 multicast routing table Troubleshooting IPv6 Multicast Policy Configuration Abnormal Termination of IPv6 Multicast Data Symptom z A host sends an MLD report announcing its joining an IPv6 multicast group G However there is no member information about the IPv6 multicast group G on the immediate router The ...

Page 974: ...z Check the configuration of the multicast filter Use the display current configuration command to view the configuration of the IPv6 multicast filter and change the IPv6 ACL rule used in the source policy command so that the source address of the IPv6 multicast packets and the IPv6 multicast group address can both match the IPv6 ACL rule ...

Page 975: ... 13 Configuring MLD Message Options 1 13 Configuring MLD Query and Response Parameters 1 14 Configuring MLD Fast Leave Processing 1 17 Configuring MLD SSM Mapping 1 17 Configuration Prerequisites 1 17 Enabling MLD SSM Mapping 1 17 Configuring MLD SSM Mappings 1 18 Configuring MLD Proxying 1 18 Configuration Prerequisites 1 18 Enabling MLD Proxying 1 18 Configuring IPv6 Multicast Forwarding on a Do...

Page 976: ...rn whether there are any IPv6 multicast listeners on the directly connected subnets put corresponding records in the database and maintain timers related to IPv6 multicast addresses Routers running MLD use an IPv6 unicast link local address as the source address to send MLD messages MLD messages are Internet Control Message Protocol for IPv6 ICMPv6 messages All MLD messages are confined to the loc...

Page 977: ...uters on the local subnet the destination address is FF02 1 2 Upon hearing a general query every MLD router compares the source IPv6 address of the query message with its own interface address After comparison the router with the lowest IPv6 address wins the querier election and all other routers become non queriers 3 All the non queriers start a timer known as other querier present timer If a rou...

Page 978: ...equent IPv6 multicast forwarding where represents any IPv6 multicast source 6 When the IPv6 multicast data addressed to G1 or G2 reaches an MLD router because the G1 and G2 multicast forwarding entries exist on the MLD router the router forwards the IPv6 multicast data to the local subnet and then the receivers on the subnet receive the data Leaving an IPv6 multicast group When a host leaves a mul...

Page 979: ...2 will flow to Host B whether it needs them or not When MLDv2 is running on the hosts and routers Host B can explicitly express its interest in the IPv6 multicast data Source 1 sends to G denoted as S1 G rather than the IPv6 multicast data Source 2 sends to G denoted as S2 G Thus only IPv6 multicast data from Source 1 will be delivered to Host B MLD state A multicast router running MLDv2 maintains...

Page 980: ...s in Figure 1 3 Table 1 1 Description on fields in an MLDv2 query message Field Description Type 130 Message type For a query message this field is set to 130 Code Initialized to zero Checksum Standard IPv6 checksum Maximum Response Delay Maximum response delay allowed before a host sends a report message Reserved Reserved field and initialized to zero Multicast Address z This field is set to 0 in...

Page 981: ...resses MLD report message A host sends an MLD report message to report the current multicast listening state Figure 1 4 shows the format of an MLD report message Figure 1 4 Format of MLDv2 report message Table 1 2 describes the fields in Figure 1 4 Table 1 2 Description on fields in an MLDv2 report message Field Description Type 143 Message type For a report message this field is set to 143 Reserv...

Page 982: ...is case you need to configure the MLD SSM mapping feature to translate the G information in the MLDv1 report into G INCLUDE S1 S2 information Figure 1 5 Network diagram for MLD SSM mapping As shown in Figure 1 5 on an IPv6 SSM network Host A and Host B are running MLDv1 and Host C is running MLDv2 To provide SSM service for all the hosts while it is infeasible to run MLDv2 on Host A and Host B you...

Page 983: ...he MLD proxy device is a host but no longer an IPv6 PIM neighbor to the upstream device Figure 1 6 Network diagram for MLD proxying As shown in Figure 1 6 two types of interfaces are defined on a MLD proxy device z Upstream interface Also referred to as the proxy interface A proxy interface is an interface on which MLD proxying is configured It is in the direction toward the root of the multicast ...

Page 984: ...MLD Proxying Configuration Task List Task Remarks Enabling MLD Required Configuring the MLD Version Option Configuring Static Joining Optional Configuring an IPv6 Multicast Group Filter Optional Configuring Basic Functions of MLD Configuring the Maximum Number of IPv6 Multicast Groups on an Interface Optional Configuring MLD Message Options Optional Configuring MLD Query and Response Parameters Op...

Page 985: ...joined on an interface Enabling MLD Enable MLD on the interface on which IPv6 multicast group memberships are to be created and maintained Follow these steps to enable MLD To do Use the command Remarks Enter system view system view Enable IPv6 multicast routing multicast ipv6 routing enable Required Disable by default Enter interface view interface interface type interface number Enable MLD mld en...

Page 986: ...fter an interface is configured as a static member of an IPv6 multicast group or an IPv6 multicast source and group it will act as a virtual member of the IPv6 multicast group to receive IPv6 multicast data addressed to that IPv6 multicast group for the purpose of testing IPv6 multicast data forwarding Follow these steps to configure a static member of an IPv6 multicast group or an IPv6 multicast ...

Page 987: ...ticast groups you can set an IPv6 ACL rule on the interface as a packet filter to limit the range of multicast groups that the interface serves Follow these steps to configure an IPv6 multicast group filter To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure an IPv6 multicast group filter mld group policy acl6 number ...

Page 988: ... the following data z Startup query interval z Startup query count z MLD query interval z MLD querier robustness variable z Maximum response delay of MLD general query messages z MLD last listener query interval z MLD other querier present interval Configuring MLD Message Options MLD queries include multicast address specific queries and multicast address and source specific queries and IPv6 multi...

Page 989: ...ry the Router Alert option Configuring the Router Alert option on an interface Follow these steps to configure the Router Alert option on an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the interface to discard any MLD message without the Router Alert option mld require router alert Optional By defaul...

Page 990: ...e maximum response time of MLD general query messages equals the last listener query interval When multiple multicast routers exist on the same subnet the MLD querier is responsible for sending MLD query messages If a non querier router receives no MLD query from the querier within the other querier present interval it will assume that the querier has failed and a new querier election process is l...

Page 991: ...terval interval Optional 1 second by default Configure the MLD other querier present interval mld timer other querier present interval Optional For the system default see Note below z If not statically configured the startup query interval is 1 4 of the MLD query interval By default the MLD query interval is 125 seconds so the startup query interval 125 4 31 25 seconds z If not statically configur...

Page 992: ...r these receiver hosts you need to configure the MLD SSM mapping feature on the last hop router Configuration Prerequisites Before configuring the MLD SSM mapping feature complete the following tasks z Configure any IPv6 unicast routing protocol so that all devices in the domain can be interoperable at the network layer z Configure MLD basic functions Enabling MLD SSM Mapping Follow these steps to...

Page 993: ...nd In this case the corresponding IPv6 multicast group will not be created based on the configured MLD SSM mappings For details about the mld snooping host join command refer to MLD Snooping Commands in the IP Multicast Volume Configuring MLD Proxying Configuration Prerequisites Before configuring the MLD proxying feature complete the following tasks z Configure any IPv6 unicast routing protocol s...

Page 994: ... However when a downstream interface of a proxy device fails to win the querier election you need to enable IPv6 multicast forwarding on this interface Follow these steps to enable IPv6 multicast forwarding on a downstream interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable IPv6 multicast forwarding on a non qu...

Page 995: ...ddress interface interface type interface number verbose Available in any view Clear MLD multicast group information reset mld group all interface interface type interface number all ipv6 group address prefix length ipv6 source address prefix length Available in user view Clear Layer 2 port information about MLD multicast groups reset mld group port info all ipv6 group address vlan vlan id Availab...

Page 996: ...witch A and N1 MLDv1 is also required between the other two switches Switch B and Switch C and N2 Switch B serves as the MLD querier in N2 because its IP address is lower Network diagram Figure 1 7 Network diagram for basic MLD functions configuration Ethernet Ethernet Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses and IPv6 unicast routing Enable IPv6 forwarding on e...

Page 997: ...terface201 quit Enable IPv6 multicast routing on Switch C enable IPv6 PIM DM on each interface and enable MLD on VLAN interface 200 SwitchC system view SwitchC multicast ipv6 routing enable SwitchC interface vlan interface 200 SwitchC Vlan interface200 mld enable SwitchC Vlan interface200 pim ipv6 dm SwitchC Vlan interface200 quit SwitchC interface vlan interface 202 SwitchC Vlan interface202 pim ...

Page 998: ...urce 1 1001 1 64 Source 3 3001 1 64 Source 2 2001 1 64 Receiver 4001 1 64 Switch A Vlan int100 1001 2 64 Switch C Vlan int300 3001 2 64 Vlan int101 1002 1 64 Vlan int103 3002 1 64 Vlan int104 1003 1 64 Vlan int102 2002 2 64 Switch B Vlan int200 2001 2 64 Switch D Vlan int400 4001 2 64 Vlan int101 1002 2 64 Vlan int103 3002 2 64 Vlan int102 2002 1 64 Vlan int104 1003 2 64 Configuration procedure 1 ...

Page 999: ... multicast ipv6 routing enable SwitchA interface vlan interface 100 SwitchA Vlan interface100 pim ipv6 sm SwitchA Vlan interface100 quit SwitchA interface vlan interface 101 SwitchA Vlan interface101 pim ipv6 sm SwitchA Vlan interface101 quit SwitchA interface vlan interface 104 SwitchA Vlan interface104 pim ipv6 sm SwitchA Vlan interface104 quit The configuration on Switch B and Switch C is simil...

Page 1000: ...ed on the configured MLD SSM mappings on Switch D SwitchD display mld ssm mapping group Total 1 MLD SSM mapping Group s Interface group report information Vlan interface400 4001 2 Total 1 MLD SSM mapping Group reported Group Address FF3E 101 Last Reporter 4001 1 Uptime 00 02 04 Expires off Use the display pim ipv6 routing table command to view the IPv6 PIM routing table information on each switch ...

Page 1001: ... traffic without running IPv6 PIM DM Network diagram Figure 1 9 Network diagram for MLD proxying configuration Configuration procedure 1 Enable IPv6 forwarding and configure the IPv6 addresses Enable IPv6 forwarding on each switch and configure the IPv6 address and prefix length of each interface as per Figure 1 9 The detailed configuration steps are omitted here 2 Enable IPv6 multicast routing IP...

Page 1002: ...led Current MLD version is 1 Multicast routing on this interface enabled Require router alert disabled Use the display mld group command to view MLD multicast group information For example View the MLD multicast group information on Switch A SwitchA display mld group Total 1 MLD Group s Interface group report information Vlan interface100 2001 1 Total 1 MLD Groups reported Group Address Last Repor...

Page 1003: ...that on the host 4 Check that no ACL rule has been configured to restrict the host from joining IPv6 multicast group G Carry out the display current configuration interface command to check whether the mld group policy command has been executed If an IPv6 ACL is configured to restrict the host from joining IPv6 multicast group G the ACL must be modified to allow IPv6 multicast group G to receive r...

Page 1004: ...nfiguring IPv6 Multicast Source Registration 1 23 Disabling SPT Switchover 1 24 Configuring IPv6 PIM SSM 1 25 IPv6 PIM SSM Configuration Task List 1 25 Configuration Prerequisites 1 25 Enabling IPv6 PIM SM 1 26 Configuring the IPv6 SSM Group Range 1 26 Configuring IPv6 PIM Common Features 1 27 IPv6 PIM Common Feature Configuration Task List 1 27 Configuration Prerequisites 1 27 Configuring an IPv6...

Page 1005: ...ii IPv6 Multicast Data Abnormally Terminated on an Intermediate Router 1 46 RPs Unable to Join SPT in IPv6 PIM SM 1 46 RPT Establishment Failure or Source Registration Failure in IPv6 PIM SM 1 47 ...

Page 1006: ... perform reverse path forwarding RPF check to implement IPv6 multicast forwarding Independent of the IPv6 unicast routing protocols running on the device IPv6 multicast routing can be implemented as long as the corresponding IPv6 multicast routing entries are created through IPv6 unicast routes IPv6 PIM uses the reverse path forwarding RPF mechanism to implement IPv6 multicast forwarding When an I...

Page 1007: ...uned again z When a new receiver on a previously pruned branch joins an IPv6 multicast group to reduce the join latency IPv6 PIM DM uses the graft mechanism to resume IPv6 multicast data forwarding to that branch Generally speaking the IPv6 multicast forwarding path is a source tree namely a forwarding tree with the IPv6 multicast source as its root and IPv6 multicast group members as its leaves B...

Page 1008: ...corresponding interface from the outgoing interface list in the S G entry and stop forwarding subsequent packets addressed to that IPv6 multicast group down to this node z An S G entry contains the multicast source address S IPv6 multicast group address G outgoing interface list and incoming interface z For a given IPv6 multicast stream the interface that receives the IPv6 multicast stream is refe...

Page 1009: ...ode that sent a graft message does not receive a graft ack message from its upstream node it will keep sending graft messages at a configurable interval until it receives an acknowledgment from its upstream node Assert The assert mechanism is used to shutoff duplicate IPv6 multicast flows onto the same multi access network where more than one multicast routers exists by electing a unique IPv6 mult...

Page 1010: ...ally request a particular IPv6 multicast stream before the data is forwarded to them The core task for IPv6 PIM SM to implement IPv6 multicast forwarding is to build and maintain rendezvous point trees RPTs An RPT is rooted at a router in the IPv6 PIM domain as the common node or rendezvous point RP through which the IPv6 multicast data travels along the RPT and reaches the receivers z When a rece...

Page 1011: ...s network connects to IPv6 multicast sources or to receivers The DR at the receiver side sends join messages to the RP the DR at the IPv6 multicast source side sends register messages to the RP z A DR is elected on a multi access subnet by means of comparison of the priorities and IPv6 link local addresses carried in hello messages z MLD must be enabled on a device that acts as a receiver side DR ...

Page 1012: ...be configured in an IPv6 PIM SM domain among which an RP is dynamically elected through the bootstrap mechanism Each elected RP serves a different multicast group range For this purpose a bootstrap router BSR must be configured The BSR serves as the administrative core of the IPv6 PIM SM domain An IPv6 PIM SM domain can have only one BSR but can have multiple candidate BSRs C BSRs Once the BSR fai...

Page 1013: ...this algorithm Table 1 1 Values in the hashing algorithm Value Description Value Hash value G The digest from the exclusive or XOR operation between the 32 bit segments of the IPv6 multicast group address For example if the IPv6 multicast address is FF0E C20 1A3 63 101 G 0xFF0E0C20 XOR 0x01A30063 XOR 0x00000000 XOR 0x00000101 M Hash mask length Ci The digest from the exclusive or XOR operation bet...

Page 1014: ...form the directly connected DR 2 Upon getting the IPv6 multicast group G s receiver information the DR sends a join message which is hop by hop forwarded to the RP corresponding to the multicast group 3 The routers along the path from the DR to the RP form an RPT branch Each router on this branch generates a G entry in its forwarding table The means any IPv6 multicast source The RP is the root whi...

Page 1015: ...in message hop by hop toward the IPv6 multicast source Thus the routers along the path from the RP to the IPv6 multicast source form an SPT branch Each router on this branch generates an S G entry in its forwarding table The DR at the IPv6 multicast source side is the root while the RP is the leaf of the SPT 3 The subsequent IPv6 multicast data from the IPv6 multicast source travels along the esta...

Page 1016: ... source to establish an SPT between the DR at the source side and the RP The subsequent IPv6 multicast data from the multicast source travel along the established SPT to the RP For details about the SPT switchover initiated by the RP refer to Multicast source registration 2 The receiver side DR initiates an SPT switchover process Upon receiving the first IPv6 multicast packet the receiver side DR ...

Page 1017: ...l receivers know exactly where an IPv6 multicast source is located by means of advertisements consultancy and so on Therefore no RP is needed no RPT is required and is no source registration process is needed for the purpose of discovering IPv6 multicast sources in other IPv6 PIM domains Compared with the ASM model the SSM model only needs the support of MLDv2 and some subsets of IPv6 PIM SM The o...

Page 1018: ...ot and receivers as its leaves This SPT is the transmission channel in IPv6 PIM SSM z If not the IPv6 PIM SM process is followed the DR needs to send a G join message to the RP and an IPv6 multicast source registration process is needed In IPv6 PIM SSM the channel concept is used to refer to an IPv6 multicast group and the channel subscription concept is used to refer to a join message Protocols a...

Page 1019: ... following data z The interval between state refresh messages z Minimum time to wait before receiving a new refresh message z Hop limit value of state refresh messages z Graft retry period Enabling IPv6 PIM DM With IPv6 PIM DM enabled a router sends hello messages periodically to discover IPv6 PIM neighbors and processes messages from the IPv6 PIM neighbors When deploying an IPv6 PIM DM domain you...

Page 1020: ...bility pim ipv6 state refresh capable Optional Enabled by default Configuring State Refresh Parameters The router directly connected with the multicast source periodically sends state refresh messages You can configure the interval for sending such messages A router may receive multiple state refresh messages within a short time of which some may be duplicated messages To keep a router from receiv...

Page 1021: ...t receive a graft ack message from the upstream router within the specified time after it sends a graft message the router keeps sending new graft messages at a configurable interval namely graft retry period until it receives a graft ack from the upstream router Follow these steps to configure IPv6 PIM DM graft retry period To do Use the command Remarks Enter system view system view Enter interfa...

Page 1022: ...e served by the static RP z C RP priority and an ACL rule defining the range of IPv6 multicast groups to be served by each C RP z A legal C RP address range and an ACL rule defining the range of IPv6 multicast groups to be served z C RP Adv interval z C RP timeout z C BSR priority z Hash mask length z An IPv6 ACL rule defining a legal BSR address range z BS period z BS timeout z An IPv6 ACL rule f...

Page 1023: ...v6 PIM network static RP configuration is a tedious job Generally static RP configuration is just a backup means for the dynamic RP election mechanism to enhance the robustness and operation manageability of a multicast network Configuring a static RP If there is only one dynamic RP in a network manually configuring a static RP can avoid communication interruption due to single point failures and ...

Page 1024: ...BSRs in the IPv6 PIM SM domain Follow these steps to configure a C RP To do Use the command Remarks Enter system view system view Enter IPv6 PIM view pim ipv6 Configure an interface to be a C RP c rp ipv6 address group policy acl6 number priority priority holdtime hold interval advertisement interval adv interval Required No C RPs are configured by default Configure a legal C RP address range and ...

Page 1025: ...address together with the RP Set information in its bootstrap messages The BSR then floods the bootstrap messages to all IPv6 routers in the network Each C RP encapsulates a timeout value in its C RP Adv messages Upon receiving a C RP Adv message the BSR obtains this timeout value and starts a C RP timeout timer If the BSR fails to hear a subsequent C RP Adv message from the C RP when the timer ti...

Page 1026: ...ponding preventive measures 1 Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP mappings Such attacks often occur on border routers Because a BSR is inside the network whereas hosts are outside the network you can protect a BSR against attacks from external hosts by enabling the border routers to perform neighbor checks and RPF checks on bootstrap message...

Page 1027: ...an IPv6 PIM border domain To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configuring an IPv6 PIM domain border pim ipv6 bsr boundary Required No IPv6 PIM domain border is configured by default Configuring C BSR parameters globally In each IPv6 PIM SM domain a unique BSR is elected from C BSRs The C RPs in the IPv6 PIM SM d...

Page 1028: ...period is determined by this formula BS period BS timeout 10 2 The default BS timeout is 130 seconds so the default BS period 130 10 2 60 seconds z If this parameter is manually configured the system will use the configured value About the BS timeout z By default the BS timeout value is determined by this formula BS timeout BS period 2 10 The default BS period is 60 seconds so the default BS timeo...

Page 1029: ...iformly from the interval 0 5 times register_suppression_time 1 5 times register_suppression_time minus register_probe_time Configure a filtering rule for register messages on all C RP routers and configure them to calculate the checksum based on the entire register messages Configure the register suppression time and the register probe time on all routers that may become source side DRs Follow th...

Page 1030: ...ld infinity command on a switch that may become an RP namely a static RP or a C RP Configuring IPv6 PIM SSM The IPv6 PIM SSM model needs the support of MLDv2 Therefore be sure to enable MLDv2 on IPv6 PIM routers with receivers attached to them IPv6 PIM SSM Configuration Task List Complete these tasks to configure IPv6 PIM SSM Task Remarks Enabling IPv6 PIM SM Required Configuring the IPv6 SSM Grou...

Page 1031: ...e multicast ipv6 routing enable command see IPv6 Multicast Routing and Forwarding Commands in the IP Multicast Volume Configuring the IPv6 SSM Group Range As for whether the information from an IPv6 multicast source is delivered to the receivers based on the IPv6 PIM SSM model or the IPv6 PIM SM model this depends on whether the group address in the S G channel subscribed by the receivers falls in...

Page 1032: ...as preference over the configuration made in PIM view regardless of the configuration sequence IPv6 PIM Common Feature Configuration Task List Complete these tasks to configure IPv6 PIM common features Task Remarks Configuring an IPv6 Multicast Data Filter Optional Configuring a Hello Message Filter Optional Configuring IPv6 PIM Hello Options Optional Configuring IPv6 PIM Common Timers Optional Co...

Page 1033: ...e hand and control the information available to downstream receivers to enhance data security on the other hand Follow these steps to configure an IPv6 multicast data filter To do Use the command Remarks Enter system view system view Enter IPv6 PIM view pim ipv6 Configure an IPv6 multicast group filter source policy acl6 number Required No IPv6 multicast data filter by default z Generally a smalle...

Page 1034: ...nable neighbor tracking the neighbor tracking feature should be enabled on all IPv6 PIM routers on a multi access subnet The LAN delay setting will cause the upstream routers to delay processing received prune messages If the LAN delay setting is too small it may cause the upstream router to stop forwarding IPv6 multicast packets before a downstream router sends a prune override message Therefore ...

Page 1035: ...erval Optional 500 milliseconds by default Configure the prune override interval hello option override interval interval Optional 2 500 milliseconds by default Disable join suppression hello option neighbor tracking Required Enabled by default Configuring hello options on an interface Follow these steps to configure hello options on an interface To do Use the command Remarks Enter system view syst...

Page 1036: ...t election will prune its downstream interface and maintain the assert state for a period of time When the assert state times out the assert loser will resume IPv6 multicast forwarding When a router fails to receive subsequent IPv6 multicast data from the IPv6 multicast source S the router does not immediately delete the corresponding S G entry instead it maintains the S G entry for a period of ti...

Page 1037: ...dtime assert interval Optional 180 seconds by default If there are no special networking requirements we recommend that you use the default settings Configuring Join Prune Message Sizes A larger join prune message size will result in loss of a larger amount of information when a message is lost with a reduced join message size the loss of a single message will bring relatively minor impact By cont...

Page 1038: ...e interface number neighbor ipv6 neighbor address verbose Available in any view View IPv6 PIM neighboring information display pim ipv6 neighbor interface interface type interface number ipv6 neighbor address verbose Available in any view View the content of the IPv6 PIM routing table display pim ipv6 routing table ipv6 group address prefix length ipv6 source address prefix length incoming interfac...

Page 1039: ...witch B Vlan int200 2001 1 64 Vlan int101 2002 2 64 Vlan int101 2002 1 64 Vlan int102 3001 2 64 Switch C Vlan int200 2001 2 64 Vlan int102 3001 1 64 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses and IPv6 unicast routing Enable IPv6 forwarding on each switch and configure the IPv6 address and prefix length for each interface as per Figure 1 8 Detailed configuration s...

Page 1040: ...hD Vlan interface101 pim ipv6 dm SwitchD Vlan interface101 quit SwitchD interface vlan interface 102 SwitchD Vlan interface102 pim ipv6 dm SwitchD Vlan interface102 quit 3 Verify the configuration Use the display pim ipv6 interface command to view the IPv6 PIM configuration and running status on each interface For example View the IPv6 PIM configuration information on Switch D SwitchD display pim ...

Page 1041: ... pim dm Flag WC UpTime 00 01 24 Upstream interface NULL Upstream neighbor NULL RPF prime neighbor NULL Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol mld UpTime 00 01 20 Expires never 4001 100 FF0E 101 Protocol pim dm Flag ACT UpTime 00 01 20 Upstream interface Vlan interface103 Upstream neighbor 1002 2 RPF prime neighbor 1002 2 Downstream interface s...

Page 1042: ...that comprises the IPv6 multicast source Source through VLAN interface 300 z Switch A connects to N1 through VLAN interface 100 and to Switch D and Switch E through VLAN interface 101 and VLAN interface 102 respectively z Switch B and Switch C connect to N2 through their respective VLAN interface 200 and to Switch E through VLAN interface 103 and VLAN interface 104 respectively z Vlan interface 10...

Page 1043: ...guration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses and IPv6 unicast routing Enable IPv6 forwarding on each switch and configure the IPv6 address and prefix length for each interface as per Figure 1 9 Detailed configuration steps are omitted here Configure OSPFv3 for interoperation among the switches in the IPv6 PIM SM domain Ensure the network layer interoperation in the IPv6...

Page 1044: ...E configure the service scope of RP advertisements specify a C BSR and a C RP and set the hash mask length to 128 and the priority of the C BSR to 20 SwitchE system view SwitchE acl ipv6 number 2005 SwitchE acl6 basic 2005 rule permit source ff0e 101 64 SwitchE acl6 basic 2005 quit SwitchE pim ipv6 SwitchE pim6 c bsr 1003 2 128 20 SwitchE pim6 c rp 1003 2 group policy 2005 SwitchE pim6 quit 4 Veri...

Page 1045: ...at 00 00 48 View the BSR information and the locally configured C RP information in effect on Switch E SwitchE display pim ipv6 bsr info Elected BSR Address 1003 2 Priority 20 Hash mask length 128 State Elected Uptime 00 01 10 Next BSR message scheduled at 00 01 48 Candidate BSR Address 1003 2 Priority 20 Hash mask length 128 State Elected Candidate RP 1003 2 Vlan interface102 Priority 0 HoldTime ...

Page 1046: ...ipv6 routing table command to view the PIM routing table information on the switches For example View the IPv6 PIM multicast routing table information on Switch A SwitchA display pim ipv6 routing table Total 1 G entry 1 S G entry FF0E 100 RP 1003 2 Protocol pim sm Flag WC UpTime 00 03 45 Upstream interface Vlan interface102 Upstream neighbor 1003 2 RPF prime neighbor 1003 2 Downstream interface s ...

Page 1047: ...res 00 02 34 IPv6 PIM SSM Configuration Example Network requirements z Receivers receive VOD information through multicast The receiver groups of different organizations form stub networks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the SSM mode z Host A and Host C are IPv6 multicast receivers in two stub networks N1 and N2 z Switch D connects to the...

Page 1048: ...guration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses and IPv6 unicast routing Enable IPv6 forwarding on each switch and configure the IPv6 address and prefix length for each interface as per Figure 1 10 Detailed configuration steps are omitted here Configure OSPFv3 for interoperation among the switches in the IPv6 PIM SM domain Ensure the network layer interoperation in the IPv...

Page 1049: ...ommand to view the IPv6 PIM configuration and running status on each interface For example View the IPv6 PIM configuration information on Switch A SwitchA display pim ipv6 interface Interface NbrCnt HelloInt DR Pri DR Address Vlan100 0 30 1 1001 1 local Vlan101 1 30 1 1002 2 Vlan102 1 30 1 1003 2 Assume that Host A needs to receive the information a specific IPv6 multicast source S 4001 100 64 sen...

Page 1050: ...6 PIM routing entry is created based on an IPv6 unicast route whichever IPv6 PIM mode is running Multicast works only when unicast does z IPv6 PIM must be enabled on the RPF interface An RPF neighbor must be an IPv6 PIM neighbor as well If IPv6 PIM is not enabled on the RPF interface or the RPF neighbor the establishment of a multicast distribution tree will surely fail resulting in abnormal multi...

Page 1051: ... in the IPv6 PIM routing table z In addition the source policy command is used to filter received IPv6 multicast packets If the IPv6 multicast data fails to pass the ACL rule defined in this command IPv6 PIM cannot create the route entry either Solution 1 Check the IPv6 multicast forwarding boundary configuration Use the display current configuration command to check the IPv6 multicast forwarding ...

Page 1052: ... will be unable to receive the advertisements from the C RP and therefore the bootstrap messages of the BSR will not contain the information about that C RP z The RP is the core of an IPv6 PIM SM domain Make sure that the RP information on all routers is exactly the same a specific group is mapped to the same RP and a unicast route is available to the RP Solution 1 Check whether routes to C RPs th...

Page 1053: ...GP Route Dampening 1 7 Configuring IPv6 MBGP Route Attributes 1 7 Configuration Prerequisites 1 8 Configuring IPv6 MBGP Route Preferences 1 8 Configuring the Default Local Preference 1 8 Configuring the MED Attribute 1 8 Configuring the NEXT_HOP Attribute 1 9 Configuring the AS_PATH Attribute 1 9 Tuning and Optimizing IPv6 MBGP Networks 1 10 Configuration Prerequisites 1 10 Configuring IPv6 MBGP S...

Page 1054: ...gy To meet the requirement the multi protocol BGP extensions enable IPv6 BGP to carry the IPv6 unicast Network Layer Reachability Information NLRI and IPv6 multicast NLRI separately and the multicast NLRI is used to perform reverse path forwarding RPF exclusively In this way route selection for a destination through the IPv6 unicast routing table and through the IPv6 multicast routing table will h...

Page 1055: ...tribute Optional Configuring IPv6 MBGP Route Attributes Configuring the AS_PATH Attribute Optional Configuring IPv6 MBGP Soft Reset Optional Tuning and Optimizing IPv6 MBGP Networks Configuring the Maximum Number of Equal Cost Routes for Load Balancing Optional Configuring an IPv6 MBGP Peer Group Optional Configuring IPv6 MBGP Community Optional Configuring a Large Scale IPv6 MBGP Network Configur...

Page 1056: ... address preferred value value Optional The preferred value defaults to 0 If you both reference a route policy and use the command peer ipv6 group name ipv6 address preferred value value to set a preferred value for routes from a peer peer group the route policy sets a non zero preferred value for routes matching it Other routes not matching the route policy uses the value set with the command If ...

Page 1057: ...P view bgp as number Enter the MBGP multicast address family view ipv6 family multicast Enable default route redistribution into the IPv6 MBGP routing table default route imported Optional By default default route redistribution is not allowed Enable route redistribution from another routing protocol import route protocol process id med med value route policy route policy name Required Not enabled...

Page 1058: ...rks Enter system view system view Enter BGP view bgp as number Enter IPv6 MBGP address family view ipv6 family multicast Advertise a default route to an IPv6 MBGP peer or peer group peer ipv6 group name ipv6 address default route advertise route policy route policy name Required Not advertised by default With the peer default route advertise command executed the router sends a default route with t...

Page 1059: ... Use any of the commands No filtering is configured by default You can configure filter policies as needed If you configure multiple filter policies they will be applied in the following order z filter policy export z peer filter policy export z peer as path acl export z peer ipv6 prefix export z peer route policy export A filter policy can be applied only after the previous one is passed routing ...

Page 1060: ...ix import z peer route policy import A filter policy can be applied only after the previous one is passed routing information can be received only after passing all the filter policies configured Specify the upper limit of prefixes that can be imported from a peer peer group peer ipv6 group name ipv6 address route limit limit percentage Optional The number is unlimited by default A peer can has an...

Page 1061: ...IPv6 MBGP routes preference external preference internal preference local preference route policy route policy name Optional The default preference values of external internal and local routes are 255 255 and 130 respectively Configuring the Default Local Preference Follow these steps to configure the default local preference To do Use the command Remarks Enter system view system view Enter BGP vi...

Page 1062: ... IPv6 multicast iBGP peer peer group regardless of whether the peer next hop local command is configured In a third party next hop network that is the local router has two IPv6 multicast eBGP peers in a broadcast network the router does not specify itself as the next hop of routes sent to the EBGP peers by default Follow these steps to specify the router as the next hop of routes sent to a peer pe...

Page 1063: ...election policy you have to reset IPv6 MBGP connections to make it take effect causing short time disconnections After the route refresh capability is enabled on all IPv6 MBGP routers in a network when a route selection policy is modified on a router the local router can perform dynamic route updates without tearing down IPv6 MBGP connections If the peer does not support route refresh you can save...

Page 1064: ...m view Enter BGP view bgp as number Enter IPv6 MBGP address family view ipv6 family multicast Keep all routes from a peer peer group regardless of whether they pass the inbound filtering policy peer ipv6 group name ipv6 address keep all routes Required Not kept by default Exit to user view return Soft reset IPv6 MBGP connections manually refresh bgp ipv6 multicast all ipv6 address group ipv6 group...

Page 1065: ...ame as number as number Required By default no peer is added Exit to BGP view quit Enter IPv6 MBGP address family view ipv6 family multicast Enable the configured IPv6 unicast BGP peer group to create the IPv6 MBGP peer group peer ipv6 group name enable Required Add the IPv6 MBGP peer into the peer group peer ipv6 address group ipv6 group name Required By default no peer is added z To create an IP...

Page 1066: ...BGP peer peer group peer ipv6 group name ipv6 address route policy route policy name export Required Not configured by default z You need to configure a route policy to define the community attribute and apply the policy to outgoing routes z For route policy configuration refer to Route Policy Configuration in the IP Routing Volume Configuring an IPv6 MBGP Route Reflector To guarantee connectivity...

Page 1067: ...lay bgp ipv6 multicast paths as regular expression Available in any view Display IPv6 MBGP peer peer group information display bgp ipv6 multicast peer ipv6 address verbose Available in any view Display IPv6 MBGP routing table information display bgp ipv6 multicast routing table ipv6 address prefix length Available in any view Display IPv6 MBGP routing information matching a AS path ACL display bgp...

Page 1068: ...v6 multicast routing table statistic Available in any view Display the IPv6 MBGP routing table information display ipv6 multicast routing table verbose Available in any view Display the multicast routing information of the specified destination address display ipv6 multicast routing table ipv6 address prefix length longer match verbose Available in any view Resetting IPv6 MBGP Connections When an ...

Page 1069: ...6 PIM SM 1 IPv6 PIM SM 2 Device Interface IP address Device Interface IP address Source 1002 100 64 Switch C Vlan int200 3002 1 64 Switch A Vlan int100 1002 1 64 Vlan int102 2001 2 64 Vlan int101 1001 1 64 Vlan int104 3001 1 64 Switch B Vlan int101 1001 2 64 Switch D Vlan int103 2002 2 64 Vlan int102 2001 1 64 Vlan int104 3001 2 64 Vlan int103 2002 1 64 Configuration procedure 1 Configure IPv6 add...

Page 1070: ...IM domain border on Switch B SwitchB interface vlan interface 101 SwitchB Vlan interface101 pim ipv6 bsr boundary SwitchB Vlan interface101 quit 4 Configure the position of C BSR and C RP Configure the position of C BSR and C RP on Switch A SwitchA pim ipv6 SwitchA pim6 c bsr 1001 1 SwitchA pim6 c rp 1001 1 SwitchA pim6 quit Configure the position of C BSR and C RP on Switch B SwitchB pim ipv6 Swi...

Page 1071: ...icast SwitchB bgp af ipv6 mul peer 1001 1 enable SwitchB bgp af ipv6 mul import route ospfv3 1 SwitchB bgp af ipv6 mul quit SwitchB bgp quit 6 Verify the configuration You can use the display bgp ipv6 multicast peer command to display IPv6 MBGP peers on a switch For example display IPv6 MBGP peers on Switch B SwitchB display bgp ipv6 multicast peer BGP local router ID 2 2 2 2 Local AS number 200 T...

Page 1072: ...iguration Prerequisites 1 12 Enabling MLD Snooping Querier 1 12 Configuring MLD Queries and Responses 1 13 Configuring Source IPv6 Addresses of MLD Queries 1 14 Configuring an MLD Snooping Policy 1 14 Configuration Prerequisites 1 14 Configuring an IPv6 Multicast Group Filter 1 15 Configuring IPv6 Multicast Source Port Filtering 1 15 Configuring Dropping Unknown IPv6 Multicast Data 1 16 Configurin...

Page 1073: ...ween ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As shown in Figure 1 1 when MLD Snooping is not running IPv6 multicast packets are broadcast to all devices at Layer 2 When MLD Snooping runs multicast packets for known IPv6 multicast groups are multicast to the receivers at Layer 2 Figure 1 1 Before and after MLD Snooping is enabled on the Layer 2 dev...

Page 1074: ...ts Router port Member port Ports involved in MLD Snooping as shown in Figure 1 2 are described as follows z Router port A router port is a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or MLD querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its ro...

Page 1075: ...h dynamic router port the switch sets a timer initialized to the dynamic router port aging time MLD general query of which the source address is not 0 0 or IPv6 PIM hello The switch removes this port from its router port list Dynamic member port aging timer When a port dynamically joins an IPv6 multicast group the switch sets a timer for the port which is initialized to the dynamic member port agi...

Page 1076: ...entry adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exists for the reported IPv6 multicast group but the port is not included in the outgoing port list for that group the switch adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a...

Page 1077: ...ticast group The switch resets the aging timer for the port z If no MLD report in response to the MLD multicast address specific query is received on the port before its aging timer expires this means that no hosts attached to the port are still listening to that IPv6 multicast group address The switch removes the port from the outgoing port list of the forwarding table entry for that IPv6 multica...

Page 1078: ...ynamic Ports Optional Configuring Static Ports Optional Configuring Simulated Joining Optional Configuring MLD Snooping Port Functions Configuring Fast Leave Processing Optional Enabling MLD Snooping Querier Optional Configuring MLD Queries and Responses Optional Configuring MLD Snooping Querier Configuring Source IPv6 Addresses of MLD Queries Optional Configuring an IPv6 Multicast Group Filter Op...

Page 1079: ...egate port view or port group view z For MLD Snooping configurations made on a Layer 2 aggregate port do not interfere with configurations made on its member ports nor do they take part in aggregation calculations configurations made on a member port of the aggregate group will not take effect until it leaves the aggregate group Configuring Basic Functions of MLD Snooping Configuration Prerequisit...

Page 1080: ...mand Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of MLD Snooping mld snooping version version number Optional Version 1 by default If you switch MLD Snooping from version 2 to version 1 the system will clear all MLD Snooping forwarding entries from dynamic joining and will z Keep forwarding entries from version 2 static G joining z Clear forwarding entr...

Page 1081: ...em view Enter MLD Snooping view mld snooping Configure dynamic router port aging time router aging time interval Optional 260 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow these steps to configure aging timers for dynamic ports in a VLAN To do Use the command Remarks E...

Page 1082: ...urce and group in addition to configuring the port as a static member port you need to use the mld static group command to configure the VLAN interface to be a static member of the IPv6 multicast group or source and group For details of the mld static group command refer to MLD Commands in the IP Multicast Volume z Static member ports and static router ports never age out To remove such a port you...

Page 1083: ...essing feature enabled when receiving an MLD done message on a port the switch immediately removes that port from the outgoing port list of the forwarding table entry for the indicated IPv6 multicast group Then when receiving MLD done multicast address specific queries for that IPv6 multicast group the switch will not forward them to that port In VLANs where only one host is attached to each port ...

Page 1084: ...D multicast address specific queries Enabling MLD Snooping Querier In an IPv6 multicast network running MLD a multicast router or Layer 3 multicast switch is responsible for sending periodic MLD general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch ...

Page 1085: ...lows hosts to respond to queries quickly and avoids bursts of MLD traffic on the network caused by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For MLD general queries you can configure the maximum response time to fill their Max Response time field z For MLD multicast address specific queries you can configure the MLD last member que...

Page 1086: ...ess of MLD queries Follow these steps to configure source IPv6 addresses of MLD queries To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the source IPv6 address of MLD general queries mld snooping general query source ip current interface ipv6 address Optional FE80 02FF FFFF FE00 0001 by default Configure the source IPv6 address of MLD multicast ad...

Page 1087: ...Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Configure an IPv6 multicast group filter group policy acl6 number vlan vlan list Required By default no group filter is globally configured that is hosts in VLANs can join any valid IPv6 multicast group Configuring an IPv6 multicast group filter on a port or a group of ports Follow these steps to configure a...

Page 1088: ... name Required Use either approach Enable IPv6 multicast source port filtering mld snooping source deny Required Disabled by default Some models of devices when enabled to filter IPv6 multicast data based on the source ports are automatically enabled to filter IPv4 multicast data based on the source ports Configuring Dropping Unknown IPv6 Multicast Data Unknown IPv6 multicast data refers to IPv6 m...

Page 1089: ...ansmitted over the network Follow these steps to configure MLD report suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default Configuring Maximum Multicast Groups that Can Be Joined on a Port By configuring the maximum number of IPv6 multicast groups that can be joined ...

Page 1090: ... in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joining the new multicast group a user automatically switches from the current IPv6 multicast group to the new one To address this situation you can enable the IPv6 multicast group replacement function on ...

Page 1091: ...erwise the IPv6 multicast group replacement functionality will not take effect Displaying and Maintaining MLD Snooping To do Use the command Remarks View MLD Snooping multicast group information display mld snooping group vlan vlan id slot slot number verbose Available in any view View the statistics information of MLD messages learned by MLD Snooping display mld snooping statistics Available in a...

Page 1092: ...even if Host A and Host B accidentally temporarily stop receiving IPv6 multicast data Network diagram Figure 1 3 Network diagram for IPv6 group policy simulated joining configuration Source Router A Switch A Receiver Receiver Host B Host A Host C GE1 0 1 GE1 0 4 GE1 0 2 GE1 0 3 MLD querier 1 1 64 GE1 0 1 2001 1 64 GE1 0 2 1 2 64 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 a...

Page 1093: ...e 101 128 SwitchA acl6 basic 2001 quit SwitchA mld snooping SwitchA mld snooping group policy 2001 vlan 100 SwitchA mld snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts for IPv6 multicast group FF1E 101 SwitchA interface gigabitethernet 1 0 3 SwitchA GigabitEthernet1 0 3 mld snooping host join ff1e 101 vlan 100 SwitchA GigabitEthernet1 0 3 quit SwitchA int...

Page 1094: ...d as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forwarding path from Switch A to Switch C is blocked under normal conditions and IPv6 multicast traffic flows to the receivers attached to Switch C only along the path of Switch A Switch B Switch C z It is required to configur...

Page 1095: ...PIM DM on each interface and enable MLD on GigabitEthernet 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 mld enable RouterA GigabitEthernet1 0 1 pim ipv6 dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim ipv6 dm RouterA GigabitEthernet1 0 2 quit 3 Confi...

Page 1096: ...thernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable MLD Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 mld snooping enable SwitchC vlan100 quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 5 as static member ports for IPv6 multicast group FF1E 101 SwitchC interface GigabitEthernet 1 0 3 SwitchC Gi...

Page 1097: ...00 on Switch C SwitchC display mld snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 100 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 2 D 00 01 23 IP group s the following ip group s match to one mac group IP group...

Page 1098: ...n multicast traffic within the VLAN it is required to configure all the switches to drop unknown multicast data packets Network diagram Figure 1 5 Network diagram for MLD Snooping querier configuration Configuration procedure 1 Configure Switch A Enable IPv6 forwarding and enable MLD Snooping globally SwitchA system view SwitchA ipv6 SwitchA mld snooping SwitchA mld snooping quit Create VLAN 100 a...

Page 1099: ...y the configuration When the MLD Snooping querier starts to work all the switches but the querier receive MLD general queries Use the display mld snooping statistics command to view the statistics information of these MLD messages received View the MLD message statistics on Switch B SwitchB vlan100 display mld snooping statistics Received MLD general queries 3 Received MLDv1 specific queries 0 Rec...

Page 1100: ...s z The IPv6 ACL rule is incorrectly configured z The IPv6 multicast group policy is not correctly applied z The function of dropping unknown IPv6 multicast data is not enabled so unknown IPv6 multicast data is flooded Solution 1 Use the display acl ipv6 command to check the configured IPv6 ACL rule Make sure that the IPv6 ACL rule conforms to the IPv6 multicast group policy to be implemented 2 Us...

Page 1101: ...uisites 1 3 Configuring Sub VLAN Based IPv6 Multicast VLAN 1 3 Configuring Port Based IPv6 Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 4 Configuring IPv6 Multicast VLAN Ports 1 5 Displaying and Maintaining IPv6 Multicast VLAN 1 6 IPv6 Multicast VLAN Configuration Examples 1 6 Sub VLAN Based Multicast VLAN Configuration Example 1 6 Port Based Multicast VLAN...

Page 1102: ... to the Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without IPv6 multicast VLAN The IPv6 multicast VLAN feature configured on the Layer 2 device is the solution to this issue With the IPv6 multicast VLAN feature the Layer 3 device needs to replicate the multicast traffic only in the IPv6 m...

Page 1103: ... in Figure 1 3 Host A Host B and Host C are in three different user VLANs All the user ports are hybrid ports On Switch A configure VLAN 10 as an IPv6 multicast VLAN assign all the user ports to this IPv6 multicast VLAN and enable MLD Snooping in the IPv6 multicast VLAN and all the user VLANs Figure 1 3 Port based IPv6 multicast VLAN After the configuration upon receiving an MLD message on a user ...

Page 1104: ...icast VLAN on a device the port based IPv6 multicast VLAN configuration is given preference Configuring IPv6 Sub VLAN Based IPv6 Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based IPv6 multicast VLAN complete the following tasks z Create VLANs as required z Enable MLD Snooping in the VLAN to be configured as an IPv6 multicast VLAN Configuring Sub VLAN Based IPv6 Multicast...

Page 1105: ... Configurations made in Ethernet port view are effective only for the current port configurations made in Layer 2 aggregate port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port based IPv6 multicast VLAN complete the following tasks z Create VLANs as requ...

Page 1106: ...rt hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring IPv6 Multicast VLAN Ports In this approach you need to configure a VLAN as an IPv6 multicast VLAN and then assign user ports to this IPv6 multicast VLAN by either adding the user ports in the IPv6 multicast VLAN or specifying the IPv6 multicast VLAN on the user ports These two methods give the...

Page 1107: ... on a device with multicast routing enabled z The VLAN to be configured as an IPv6 multicast VLAN must exist z A port can belong to only one IPv6 multicast VLAN Displaying and Maintaining IPv6 Multicast VLAN To do Use the command Remarks Display information about an IPv6 multicast VLAN display multicast vlan ipv6 vlan id Available in any view IPv6 Multicast VLAN Configuration Examples Sub VLAN Bas...

Page 1108: ...rocedure 1 Enable IPv6 forwarding and configure IPv6 addresses Enable IPv6 forwarding on each device and configure an IPv6 address and address prefix for each interface as per Figure 1 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IPv6 multicast routing enable IPv6 PIM DM on each interface and enable MLD on the host side interface GigabitEthernet 1 0 2 RouterA sys...

Page 1109: ...lay information about the IPv6 multicast VLAN SwitchA display multicast vlan ipv6 Total 1 IPv6 multicast vlan s IPv6 Multicast vlan 10 subvlan list vlan 2 4 port list no port View the MLD Snooping IPv6 multicast group information on Switch A SwitchA display mld snooping group Total 4 IP Group s Total 4 IP Source s Total 4 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flag...

Page 1110: ... 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 0 port MAC group s MAC group address 3333 0000 0101 Host port s total 0 port As shown above MLD Snooping is maintaining the router port in the IPv6 multicast VLAN VLAN 10 and the member po...

Page 1111: ... 2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A MLD querier Router A GE1 0 1 1 2 64 GE1 0 2 2001 1 64 1 1 64 Receiver Host B VLAN 3 Receiver Host C VLAN 4 GE1 0 1 Configuration procedure 1 Enable IPv6 forwarding and configure IPv6 addresses Enable IPv6 forwarding on each device and configure the IPv6 address and address prefix for each interface as per Figure 1 5 The detailed configuration steps are omitted h...

Page 1112: ...SwitchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration steps are omitted Configure VLAN 10 as an IPv6 multicast VLAN SwitchA multicast vlan ipv6 10 Assign GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to IPv6 multicast VLAN 10 SwitchA ipv6 mvlan 10 port...

Page 1113: ...MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC group s MAC group address 3333 0000 0101 Host port s total 3 port GE1 0 2 GE1 0 3 GE1 0 4 As shown above MLD Snooping is maintaining router ports and member ports in VLAN 10 ...

Page 1114: ...ment describes z QoS overview z QoS policy configuration z Priority mapping configuration z Traffic policing Configuration z Traffic shaping Configuration z Line rate configuration z Congestion management z Congestion avoidance configuration z Traffic filtering configuration z Priority marking configuration z Traffic redirecting configuration z Traffic mirroring configuration z Class based account...

Page 1115: ...view 3 1 Introduction to Priority Mapping 3 1 Priority Mapping Tables 3 1 Priority Trust Mode on a Port 3 2 Priority Mapping Procedure 3 2 Priority Mapping Configuration Tasks 3 3 Configuring Priority Mapping 3 4 Configuring a Priority Mapping Table 3 4 Configuring the Priority Trust Mode on a Port 3 4 Configuring the Port Priority of a Port 3 5 Displaying and Maintaining Priority Mapping 3 5 Prio...

Page 1116: ...ring WRED 6 2 Configuration Prerequisites 6 2 Configuration Procedure 6 2 Configuration Example 6 2 Displaying and Maintaining WRED 6 3 7 Traffic Filtering Configuration 7 1 Traffic Filtering Overview 7 1 Configuring Traffic Filtering 7 1 Traffic Filtering Configuration Example 7 2 Traffic Filtering Configuration Example 7 2 8 Priority Marking Configuration 8 1 Priority Marking Overview 8 1 Config...

Page 1117: ...nting 11 1 Displaying and Maintaining Traffic Accounting 11 2 Class Based Accounting Configuration Example 11 2 Class Based Accounting Configuration Example 11 2 12 Appendix 12 1 Appendix A Acronym 12 1 Appendix B Default Priority Mapping Tables 12 2 Uncolored Priority Mapping Tables 12 2 Appendix C Introduction to Packet Precedences 12 3 IP Precedence and DSCP Values 12 3 802 1p Priority 12 5 ...

Page 1118: ...e QoS techniques used most widely Using these techniques reasonably in the specific environments you can improve the QoS effectively Introduction to QoS Service Models This section covers three typical QoS service models z Best effort service z Integrated service IntServ z Differentiated service DiffServ Best Effort Service Model Best effort is a single service model and also the simplest service ...

Page 1119: ...ns of the QoS techniques in a network As shown in Figure 1 1 traffic classification traffic shaping traffic policing congestion management and congestion avoidance mainly implement the following functions z Traffic classification uses certain match criteria to organize packets with different characteristics into different classes Traffic classification is the basis for providing differentiated ser...

Page 1120: ...gestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port As congestion becomes worse it actively reduces the amount of traffic by dropping packets ...

Page 1121: ...uring QoS policies A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these concepts class traffic behavior and policy Class Classes are used to identify traffic A class is identified by a class name and contains some match criteria for traffic identification The relationsh...

Page 1122: ...er tcl name operator and or Required By default the relationship between match criteria is AND Configure match criteria if match match criteria Required match criteria Match criterion Table 2 1 shows the available criteria Table 2 1 The keyword and argument combinations for the match criteria argument Form Description acl access list number name acl name Specifies to match an IPv4 ACL specified by...

Page 1123: ...for this argument at a time VLAN ID is in the range 1 to 4094 In a class configured with the operator and the logical relationship between the customer VLAN IDs specified for the customer vlan id keyword is or destination mac mac address Specifies to match the packets with a specified destination MAC address dscp dscp list Specifies to match packets by DSCP precedence The dscp list argument is a l...

Page 1124: ...with a specified source MAC address Suppose the logical relationship between classification rules is and Note the following when using the if match command to define matching rules z If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class the actual logical relationship between these rules is or when the policy is applied z If multiple matching rules with the c...

Page 1125: ...mit z In a QoS policy with multiple class to traffic behavior associations if the action of creating an outer VLAN tag the action of setting customer network VLAN ID or the action of setting service provider network VLAN ID is configured in a traffic behavior we recommend you not to configure any other action in this traffic behavior Otherwise the QoS policy may not function as expected after it i...

Page 1126: ...ce only one policy can be applied Follow these steps to apply the QoS policy to an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Use either command Settings in interface view take effect on the current interface setti...

Page 1127: ... the user profile user profile profile name enable Required Inactive by default z If a user profile is active the QoS policy except ACLs referenced in the QoS policy applied to it cannot be configured or removed If the user profile is being used by online users the referenced ACLs cannot be modified either z The QoS policies applied in user profile view support only the remark car and filter actio...

Page 1128: ...globally Displaying and Maintaining QoS Policies To do Use the command Remarks Display information about a class and the corresponding actions associated by a policy display qos policy user defined policy name classifier classifier name Available in any view Display information about the policies applied on a port display qos policy interface interface type interface number inbound outbound Availa...

Page 1129: ...Clear the statistics of a global QoS policy reset qos policy global inbound outbound Available in user view Clear the statistics of QoS policies applied to VLANs reset qos vlan policy vlan vlan id inbound outbound Available in user view ...

Page 1130: ...lly scheduled z Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a port the device assigns a set of QoS priority parameters to the packet based on a certain priority and sometimes may modify its priority according to certain rules depending on device status This process is called priori...

Page 1131: ...elds carried in packets There are three priority trust modes on Switch 4800G series z dot1p Uses the 802 1p priority carried in packets for priority mapping z dscp Uses the DSCP carried in packets for priority mapping z undo qos trust Uses the port priority as the 802 1p priority for priority mapping The port priority is user configurable The priority mapping procedure varies with the priority mod...

Page 1132: ...e port priority as the 802 1p priority for priority mapping Look up the dot1p dp and dot1p lp mapping tables Mark the packet with local precedence and drop precedence Port priority The priority mapping procedure presented above applies in the absence of priority marking If priority marking is configured the device performs priority marking before priority mapping and then uses the re marked packet...

Page 1133: ...ping table display qos map table dot1p dp dot1p lp dscp dot1p dscp dp dscp dscp Optional Available in any view You cannot configure mapping any DSCP value to drop precedence 1 Configuring the Priority Trust Mode on a Port Follow these steps to configure the trusted packet priority type on an interface port group To do Use the command Remarks Enter system view system view Enter interface view inter...

Page 1134: ...er port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure the port priority qos priority priority value Required The default port priority is 0 Displaying and Maintaining Priority Mapping To do Use the command Remarks Display priority mappin...

Page 1135: ... to GigabitEthernet 1 0 3 of Device which sets the 802 1p priority of traffic from the management department to 5 Configure port priority 802 1p to local priority mapping table and priority marking to implement the plan as described in Table 3 1 Table 3 1 Configuration plan Queuing plan Traffic destination Traffic Priority order Traffic source Output queue Queue priority R D department 6 High Mana...

Page 1136: ...igabitethernet 1 0 2 Device GigabitEthernet1 0 2 qos priority 4 Device GigabitEthernet1 0 2 quit Set the port priority of GigabitEthernet 1 0 3 to 5 Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 3 qos priority 5 Device GigabitEthernet1 3 quit 2 Configure the priority mapping table Configure the 802 1p to local priority mapping table to map 802 1p priority values 3 4 and 5 to local...

Page 1137: ...avior admin quit Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 0 3 qos apply policy admin inbound Configure a priority marking policy for the marketing department and apply the policy to the incoming traffic of GigabitEthernet 1 0 1 Device traffic behavior market Device behavi...

Page 1138: ...o it it is shaped or policed to ensure that it is under the specifications Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Buckets Token bucket features A token bucket is analogous to a container holding a certain number of tokens The system puts tokens into the bucket at a set rate When the token bucket is full the extra tokens overflows Evaluating...

Page 1139: ...te allowed by the E bucket z Excess burst size EBS Size of the E bucket that is transient burst of traffic that the E bucket can forward CBS and EBS are carried by two different token buckets In each evaluation packets are measured against the buckets z If the C bucket has enough tokens packets are colored green z If the C bucket does not have enough tokens but the E bucket has enough tokens packe...

Page 1140: ...new DSCP precedence value and forwarding the packet Traffic Shaping Traffic shaping supports shaping traffic to the outgoing traffic Traffic shaping provides measures to adjust the rate of outbound traffic actively A typical traffic shaping application is to limit the local traffic output rate according to the downstream traffic policing parameters The difference between traffic policing and GTS i...

Page 1141: ...this way all the traffic sent to Switch B conforms to the traffic specification defined in Switch B Line Rate Line rate supports rate limiting traffic in the inbound direction The line rate of a physical interface specifies the maximum rate for forwarding packets including critical packets Line rate also uses token buckets for traffic control With line rate configured on an interface all packets t...

Page 1142: ...ort using line rate is easier Configuring Traffic Policing Configuration Procedure Follow these steps to configure traffic policing To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic beha...

Page 1143: ...and reference ACL 3000 in the class to match HTTP traffic Sysname traffic classifier http Sysname classifier http if match acl 3000 Sysname classifier http quit Configure a traffic policing QoS policy and apply the QoS policy to the incoming packets of GigabitEthernet 1 0 1 Sysname traffic behavior http Sysname behavior http car cir 512 Sysname behavior http quit Sysname qos policy http Sysname qo...

Page 1144: ...e gigabitethernet 1 0 1 Configure GTS parameters Sysname GigabitEthernet1 0 1 qos gts queue 1 cir 512 Configuring the Line Rate Configuration Procedure Follow these steps to configure the line rate To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual...

Page 1145: ...es you can configure traffic policing in policy based approach For related displaying and maintaining commands refer to Displaying and Maintaining QoS Policies To do Use the command Remarks Display interface GTS configuration information display qos gts interface interface type interface number Available in any view Display interface line rate configuration information display qos lr interface int...

Page 1146: ...wo common cases Figure 5 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100M 100M 100M 50M 10M 10M 1 2 Congestion may bring these negative results z Increased delay and jitter during packet transmission z Decreased network throughput and resource use efficiency z Network resource memory in particular exhaustion and even system breakdown Congestion is unavoidable in switched networks and mu...

Page 1147: ...ueuing As shown in Figure 5 2 SP queuing classifies eight queues on a port into eight classes numbered 7 to 0 in descending priority order SP queuing schedules the eight queues strictly according to the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest priority is empty it sends packets in the queue with the second highest pr...

Page 1148: ... advantage of WRR queuing is that while the queues are scheduled in turn the service time for each queue is not fixed that is if a queue is empty the next queue will be scheduled immediately This improves bandwidth resource use efficiency WFQ queuing Figure 5 4 Schematic diagram for WFQ queuing Queue 1 Band width 1 Queue2 Band width 2 Queue N 1 Band width N 1 Queue N Band width N Packets to be sen...

Page 1149: ...e port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z The assignable bandwidth 10 Mbps 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps 9 5 Mbps z The total assignable bandwidth quota is the sum of all the precedence value 1 s that is 1 2 3 4 5 15 z The bandwidth percentage assigned to each fl...

Page 1150: ...ce settings in port group view take effect on all ports in the port group Configure SP queuing qos sp Required By default all the ports adopt the WRR queue scheduling algorithm with the weight values assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration example 1 Network requirements Configure GigabitEthernet 1 0 1 to use SP queuing 2 Configuration procedure Enter system vi...

Page 1151: ... group with their weights being 1 2 4 6 8 10 12 and 14 2 Configuration procedure Enter system view Sysname system view Configure the WRR queues on port GigabitEthernet1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos wrr Sysname GigabitEthernet1 0 1 qos wrr 0 group 1 weight 1 Sysname GigabitEthernet1 0 1 qos wrr 1 group 1 weight 2 Sysname GigabitEthernet1 0 1 qos wrr 2...

Page 1152: ...2 4 6 8 10 12 and 14 respectively z Set the minimum guaranteed bandwidth of queue 0 to 128 kbps 2 Configuration procedure Enter system view Sysname system view Configure WFQ queues on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos wfq Sysname GigabitEthernet1 0 1 qos wfq 0 weight 1 Sysname GigabitEthernet1 0 1 qos wfq 1 weight 2 Sysname GigabitEthern...

Page 1153: ...assigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration Example Network requirements z Configure to adopt SP WRR queue scheduling algorithm on GigabitEthernet1 0 1 z Configure queue 0 queue 1 queue 2 and queue 3 on GigabitEthernet1 0 1 to be in SP queue scheduling group z Configure queue 4 queue 5 queue 6 and queue 7 on GigabitEthernet1 0 1 to be in WRR queue scheduling group...

Page 1154: ...nfiguration information display qos wrr interface interface type interface number Display SP queue configuration information display qos sp interface interface type interface number Display WFQ queue configuration information display qos wfq interface interface type interface number Available in any view ...

Page 1155: ...elay Traditional packet drop policy The traditional packet drop policy is tail drop When the length of a queue reaches the maximum threshold all the subsequent packets are dropped Such a policy results in global TCP synchronization That is if packets from multiple TCP connections are dropped these TCP connections go into the state of congestion avoidance and slow start to reduce traffic but traffi...

Page 1156: ...t argument is 10 and the discard prob argument is 10 Enter port view interface interface type interface number Enter port view or port group view Enter port group view port group manual port group name Use either command The configuration performed in Ethernet interface view applies to the current port only The configuration performed in port group view applies to all the ports in the port group A...

Page 1157: ... WRED configuration information on the interface or all interfaces display qos wred interface interface type interface number Available in any view Display configuration information about a WRED table or all WRED tables display qos wred table table name Available in any view ...

Page 1158: ...s to configure traffic filtering To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic behavior behavior name Configure the traffic filtering action filter deny permit Required z deny Drops ...

Page 1159: ... filtering configuration Configuration procedure Create advanced ACL 3000 and configure a rule to match packets whose source port number is 21 DeviceA system view DeviceA acl number 3000 DeviceA acl basic 3000 rule 0 permit tcp source port eq 21 DeviceA acl basic 3000 quit Create a class named classifier_1 and reference ACL 3000 in the class DeviceA traffic classifier classifier_1 DeviceA classifi...

Page 1160: ...viceA qospolicy policy quit Apply the policy named policy to the incoming traffic of GigabitEthernet 1 0 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 qos apply policy policy inbound ...

Page 1161: ...cedence or DSCP for a class of IP traffic to change its transmission priority in the network To configure priority marking you can associate a class with a behavior configured with the priority marking action to set the priority fields or flag bits of the class of packets Configuring Priority Marking Follow these steps to configure priority marking To do Use the command Remarks Enter system view s...

Page 1162: ...guration display traffic behavior user defined behavior name Optional Available in any view Table 8 1 shows the support for priority marking actions in the inbound and outbound directions Table 8 1 Support for priority marking actions in the inbound and outbound directions Action Inbound Outbound Marking 802 1p priority Supported Supported Marking drop precedence Supported Not Supported Marking DS...

Page 1163: ...e to match packets with destination IP address 192 168 0 2 Device acl number 3001 Device acl adv 3001 rule permit ip destination 192 168 0 2 0 Device acl adv 3001 quit Create advanced ACL 3002 and configure a rule to match packets with destination IP address 192 168 0 3 Device acl number 3002 Device acl adv 3002 rule permit ip destination 192 168 0 3 0 Device acl adv 3002 quit Create a class named...

Page 1164: ...or behavior_mserver quit Create a behavior named behavior_fserver and configure the action of setting the local precedence value to 2 for the behavior Device traffic behavior behavior_fserver Device behavior behavior_fserver remark local precedence 2 Device behavior behavior_fserver quit Create a policy named policy_server and associate classes with behaviors in the policy Device qos policy policy...

Page 1165: ...ayer 2 interface z Redirecting traffic to the next hop redirects packets which require processing by an interface to the interface This action is applicable to only Layer 3 packets Configuring Traffic Redirecting Follow these steps to configure traffic redirecting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator an...

Page 1166: ...enerally the action of redirecting traffic to the CPU the action of redirecting traffic to an interface and the action of redirecting traffic to the next hop are mutually exclusive with each other in the same traffic behavior z You can use the display traffic behavior command to view the traffic redirecting configuration z A QoS policy that contains a traffic redirecting action can be applied only...

Page 1167: ...interface z Mirroring traffic to the CPU copies the matching packets on an interface to a CPU the CPU of the device where the traffic mirroring enabled interface resides Configuring Traffic Mirroring To configure traffic mirroring you must enter the view of an existing traffic behavior In a traffic behavior the action of mirroring traffic to an interface and the action of mirroring traffic to a CP...

Page 1168: ...e outbound direction do not configure any other action in the behavior Mirroring Traffic to the CPU Follow these steps to mirror traffic to the CPU To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior v...

Page 1169: ...y QoS policy configuration information display qos policy user defined policy name classifier tcl name Available in any view Traffic Mirroring Configuration Examples Example for Mirroring Traffic to an Interface Network requirements On the network as shown in Figure 10 1 Host A with the IP address 192 168 0 1 and Host B are connected to GigabitEthernet1 0 1 of the switch a data monitoring device i...

Page 1170: ...e the action of mirroring traffic to GigabitEthernet1 0 2 in the traffic behavior Sysname traffic behavior 1 Sysname behavior 1 mirror to interface GigabitEthernet 1 0 2 Sysname behavior 1 quit Create QoS policy 1 and associate traffic behavior 1 with class 1 in the QoS policy Sysname qos policy 1 Sysname policy 1 classifier 1 behavior 1 Sysname policy 1 quit Apply the QoS policy to the incoming t...

Page 1171: ... steps to configure class based accounting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view traffic behavior behavior name Required Configure the accounting action accounting Optional The class...

Page 1172: ...ts with source IP address 1 1 1 1 DeviceA system view DeviceA acl number 2000 DeviceA acl basic 2000 rule permit source 1 1 1 1 0 DeviceA acl basic 2000 quit Create a class named classifier_1 and reference ACL 2000 in the class DeviceA traffic classifier classifier_1 DeviceA classifier classifier_1 if match acl 2000 DeviceA classifier classifier_1 quit Create behavior behavior_1 and configure an a...

Page 1173: ...s to verify the configuration DeviceA display qos policy interface gigabitethernet 1 0 1 Interface GigabitEthernet1 0 1 Direction Inbound Policy policy Classifier classifier_1 Operator AND Rule s If match acl 2000 Behavior behavior_1 Accounting Enable 28529 Packets ...

Page 1174: ...Class Based Weighted Fair Queuing CE Customer Edge CIR Committed Information Rate CQ Custom Queuing DAR Deeper Application Recognition DiffServ Differentiated Service DSCP Differentiated Services Codepoint EACL Enhanced ACL EBS Excess Burst Size EF Expedited Forwarding FEC Forwarding Equivalence Class FIFO First in First out GTS Generic Traffic Shaping IntServ Integrated Service ISP Internet Servi...

Page 1175: ...c Shaping VoIP Voice over IP VPN Virtual Private Network WFQ Weighted Fair Queuing WRED Weighted Random Early Detection Appendix B Default Priority Mapping Tables Uncolored Priority Mapping Tables For the default dscp dscp priority mapping table an input value yields a target value that is equal to it Table 12 2 The default dot1p lp dot1p dp dot1p dscp and dot1p rpr priority mapping tables Input p...

Page 1176: ...to 39 0 4 40 to 47 0 5 48 to 55 0 6 56 to 63 0 7 Appendix C Introduction to Packet Precedences IP Precedence and DSCP Values Figure 12 1 ToS and DS fields As shown in Figure 12 1 the ToS field of the IP header contains eight bits and the first three bits 0 to 2 represent IP precedence from 0 to 7 According to RFC 2474 the ToS field of the IP header is redefined as the differentiated services DS fi...

Page 1177: ...7 111 network Table 12 5 Description on DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000000 ...

Page 1178: ...f the 802 1Q tag header The Priority field in the 802 1Q tag header is called the 802 1p priority because its use is defined in IEEE 802 1p Table 12 6 presents the values for 802 1p priority Figure 12 3 802 1Q tag header 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 Priority VLAN ID TPID Tag protocol identifier TCI Tag control information Byte 1 Byte 2 0 Byte 3 Byte 4 CFI 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 7 5 4 3 2...

Page 1179: ...ion 1 1 User Profile Overview 1 1 User Profile Configuration 1 1 User Profile Configuration Task List 1 1 Creating a User Profile 1 2 Applying a QoS Policy to User Profile 1 2 Enabling a User Profile 1 3 Displaying and Maintaining User Profile 1 3 ...

Page 1180: ... access no users pass the authentication or users have logged out user profile does not take effect as it is a predefined configuration With user profile you can z Make use of system resources more granularly For example without user profile you can apply a QoS policy based on interface VLAN globally and so on This QoS policy is applicable to a group of users With user profile however you can appl...

Page 1181: ...ot1x Create a user profile and enter the corresponding user profile view Create a user profile and enter user profile portal view user profile profile name portal Use one of the two approaches If the specified user profile already exists you will directly enter the corresponding user profile view The two user profile views respectively correspond to the three upper layer authentication types 802 1...

Page 1182: ...actions z Do not apply an empty QoS policy in user profile view because even if you can do that the user profile cannot be activated Enabling a User Profile A created user profile takes effect only after being enabled Follow these steps to enable a user profile To do Use the command Remarks Enter system view system view Enable a user profile user profile profile name enable Required A user profile...

Page 1183: ...is used as the standard for LAN user access authentication This document describes z 802 1X overview z 802 1X configuration z 802 1X Guest VLAN configuration HABP On an HABP capable switch HABP packets can bypass 802 1X authentication and MAC authentication allowing communication among switches in a cluster This document describes z Introduction to HABP z HABP configuration MAC Authentication MAC ...

Page 1184: ...ent z Configuring an SFTP Server z Configuring an SFTP Client PKI The Public Key Infrastructure PKI is a hierarchical framework designed for providing information security through public key technologies and digital certificates and verifying the identities of the digital certificate owners This document describes PKI related configuration SSL Secure Sockets Layer SSL is a security protocol provid...

Page 1185: ...Features Description URPF Unicast Reverse Path Forwarding URPF protects a network against source address spoofing attacks This document describes z URPF Overview z URPF configuration ...

Page 1186: ...Domain 1 15 Configuring AAA Accounting Methods for an ISP Domain 1 17 Configuring Local User Attributes 1 19 Configuring User Group Attributes 1 20 Tearing down User Connections Forcibly 1 21 Displaying and Maintaining AAA 1 21 Configuring RADIUS 1 22 Creating a RADIUS Scheme 1 22 Specifying the RADIUS Authentication Authorization Servers 1 23 Specifying the RADIUS Accounting Servers and Relevant ...

Page 1187: ...ed to the Data Sent to HWTACACS Server 1 33 Setting Timers Regarding HWTACACS Servers 1 34 Displaying and Maintaining HWTACACS 1 35 AAA Configuration Examples 1 35 AAA for Telnet Users by a HWTACACS Server 1 35 AAA for Telnet Users by Separate Servers 1 37 AAA for SSH Users by a RADIUS Server 1 38 Troubleshooting AAA 1 42 Troubleshooting RADIUS 1 42 Troubleshooting HWTACACS 1 43 ...

Page 1188: ...he network access server NAS and the server maintains user information centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA networking diagram When a user tries to establish a connection to the NAS and to obtain the rights to access other networks or some network resources the NAS authenticates the user or the corresponding ...

Page 1189: ...ls Currently the device supports using RADIUS HWTACACS for AAA and RADIUS is often used in practice Introduction to RADIUS Remote Authentication Dial In User Service RADIUS is a distributed information interaction protocol in a client server model RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are re...

Page 1190: ...intercepted in non secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods for example the Password Authentication Protocol PAP and Challenge Handshake Authentication Protocol CHAP Moreover a RADIUS server can act as the client of another AAA server to provide authentication proxy services Basic Message Exchange Process of RA...

Page 1191: ... host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 8 The RADIUS server returns a stop accounting response Accounting Response and stops accounting for the user 9 The user stops access to network resources RADIUS Packet Format RADIUS uses UDP to transmit messages It ensures the smooth message exc...

Page 1192: ...or and Attribute fields The value of the field is in the range 20 to 4096 Bytes beyond the length are considered the padding and are neglected upon reception If the length of a received packet is less than that indicated by the Length field the packet is dropped 5 The Authenticator field 16 byte long is used to authenticate replies from the RADIUS server and is also used in the password hiding alg...

Page 1193: ...70 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Timeout 74 ARAP Security Data 28 Idle Timeout 75 Password Retry 29 Termination Action 76 Prompt 30 Called Station Id 77 Connect Info 31 Calling Station Id 78 Configuration Token 32 NAS Identifier 79 EAP Message 33 Proxy State 80 Message Authenticator 34 Login LAT Service 81 Tunnel...

Page 1194: ... a code complying with RFC 1700 z Vendor Type Indicates the type of the sub attribute z Vendor Length Indicates the length of the sub attribute z Vendor Data Indicates the contents of the sub attribute Figure 1 5 Segment of a RADIUS packet containing an extended attribute Introduction to HWTACACS HW Terminal Access Controller Access Control System HWTACACS is an enhanced security protocol based on...

Page 1195: ...ts only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authentication Authentication and authorization can be deployed on different HWTACACS servers Protocol packets are simple and authorization is combined with authentication Supports authorized use of configuration commands For example an authenticated login user can be au...

Page 1196: ... continuance packet with the login password 1 A Telnet user sends an access request to the NAS 2 Upon receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS server 3 The HWTACACS server sends back an authentication response requesting the username 4 Upon receiving the response the HWTACACS client asks the user for the username 5 The user inputs the username 6...

Page 1197: ...odifications for Tunnel Protocol Support z RFC 2868 RADIUS Attributes for Tunnel Protocol Support z RFC 2869 RADIUS Extensions z RFC 1492 An Access Control Protocol Sometimes Called TACACS AAA Configuration Task List The basic procedure to configure AAA is as follows 1 Configure the required AAA schemes z Local authentication Configure local users and related attributes including usernames and pas...

Page 1198: ...n User Connections Forcibly Optional Displaying and Maintaining AAA Optional RADIUS Configuration Task List Task Remarks Creating a RADIUS Scheme Required Specifying the RADIUS Authentication Authorization Servers Required Specifying the RADIUS Accounting Servers and Relevant Parameters Optional Setting the Shared Key for RADIUS Packets Required Setting the Upper Limit of RADIUS Request Retransmis...

Page 1199: ...ate authentication authorization accounting policies for all the other types of users For a user who has logged in to the device AAA can provide the command authorization service to enhance device security Allows the authorization server to check each command executed by the login user and only authorized commands can be successfully executed Configuration Prerequisites For remote authentication a...

Page 1200: ... an ISP domain name the device uses the authentication method configured for the default ISP domain to authenticate the user Configuring ISP Domain Attributes Follow these steps to configure ISP domain attributes To do Use the command Remarks Enter system view system view Create an ISP domain and enter ISP domain view domain isp name Required Place the ISP domain to the state of active or blocked ...

Page 1201: ...or HWTACACS server to authenticate users As for RADIUS the device can use the standard RADIUS protocol or extended RADIUS protocol in collaboration with systems like iMC to implement user authentication Remote authentication features centralized information management high capacity high reliability and support for centralized authentication for multiple devices You can configure local authenticati...

Page 1202: ...ept message from the RADIUS server does include the authorization information but the authentication process ignores the information z With the radius scheme radius scheme name local or hwtacacs scheme hwtacacs scheme name local keyword and argument combination configured local authentication is the backup method and is used only when the remote server is not available z If the primary authenticat...

Page 1203: ...e or service type to be configured With AAA you can configure an authorization scheme specifically for each access mode and service type limiting the authorization protocols that can be used for access 3 Determine whether to configure an authorization method for all access modes or service types Follow these steps to configure AAA authorization methods for an ISP domain To do Use the command Remar...

Page 1204: ... ISP Domain In AAA accounting is a separate process at the same level as authentication and authorization Its responsibility is to send accounting start update end requests to the specified accounting server Accounting is not required and therefore accounting method configuration is optional AAA supports the following accounting methods z No accounting The system does not perform accounting for th...

Page 1205: ... used by default z With the accounting optional command configured a user to be disconnected can still use the network resources even when there is no available accounting server or communication with the current accounting server fails z The local accounting is not used for accounting implementation but together with the attribute access limit command for limiting the number of local user connect...

Page 1206: ...authorization attribute configured in local user view takes precedence over the same attribute configured in user group view Follow these steps to configure the attributes for a local user To do Use the command Remarks Enter system view system view Set the password display mode for all local users local user password display mode auto cipher force Optional auto by default indicating to display the...

Page 1207: ...local user takes effect only when local accounting is used z Local authentication checks the service types of a local user If the service types are not available the user cannot pass authentication z In the authentication method that requires the username and password including local authentication RADIUS authentication and HWTACACS authentication the commands that a login user can use after loggi...

Page 1208: ...By default no authorization attribute is configured for a user group Tearing down User Connections Forcibly Follow these steps to tear down user connections forcibly To do Use the command Remarks Enter system view system view Tear down AAA user connections forcibly cut connection access type dot1x mac authentication portal all domain isp name interface interface type interface number ip ip address...

Page 1209: ...ADIUS scheme mainly include IP addresses of primary and secondary servers shared key and RADIUS server type Actually the RADIUS protocol configurations only set the parameters necessary for the information interaction between a NAS and a RADIUS server For these settings to take effect you must reference the RADIUS scheme containing those settings in ISP domain view For information about the comman...

Page 1210: ...ion servers respectively At one time a server can be the primary authentication authorization server for a scheme and the secondary authentication authorization servers for another scheme z The IP addresses of the primary and secondary authentication authorization servers for a scheme cannot be the same Otherwise the configuration fails Specifying the RADIUS Accounting Servers and Relevant Paramet...

Page 1211: ...limit In the latter case the device discards the packet z You can set the maximum number of accounting request transmission attempts on the device allowing the device to disconnect a user when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request z The IP addresses of the primary and secondary accounting se...

Page 1212: ... scheme radius scheme name Required Not defined by default Set the number of retransmission attempts of RADIUS packets retry retry times Optional 3 by default z The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75 z Refer to the timer response timeout command in the command manual for configuring RADIUS se...

Page 1213: ... server remains the same z If the secondary server fails the device restores the status of the primary server to active immediately If the primary server has resumed the device turns to use the primary server and stops communicating with the secondary server After accounting starts the communication between the client and the secondary server remains unchanged Follow these steps to set the status ...

Page 1214: ...e the command Remarks Enter system view system view Enable the RADIUS trap function radius trap accounting server down authentication server down Optional Disabled by default Create a RADIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Specify the format of the username to be sent to a RADIUS server user name format keep original with domain ...

Page 1215: ...ting request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval z Primary server quiet timer timer quiet If the primary server is not reachable its state changes to blocked and the device will turn to the specified secondary server If the secondary server is reach...

Page 1216: ...ission attempts of RADIUS packets refer to the command retry in the command manual Specifying a Security Policy Server The core of the EAD solution is integration and cooperation and the security policy server system is the management and control center As a collection of software the security policy server system can run on Windows and Linux to provide functions such as user management security p...

Page 1217: ...ics slot slot number Available in any view Display information about buffered stop accounting requests that get no responses display stop accounting buffer radius scheme radius server name session id session id time range start time stop time user name user name slot slot number Available in any view Clear RADIUS statistics reset radius statistics slot slot number Available in user view Clear buff...

Page 1218: ...HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the primary HWTACACS authentication server primary authentication ip address port number Specify the secondary HWTACACS authentication server secondary authentication ip address port number Required Configure at least one of the commands No authentication server by default z ...

Page 1219: ... secondary authorization servers cannot be the same Otherwise the configuration fails z You can remove an authorization server only when no active TCP connection for sending authorization packets is using it Specifying the HWTACACS Accounting Servers Follow these steps to specify the HWTACACS accounting servers and perform related configurations To do Use the command Remarks Enter system view syst...

Page 1220: ...packets Only when the same key is used can they properly receive the packets and make responses Follow these steps to set the shared key for HWTACACS packets To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Set the shared keys for HWTACACS authentication authoriza...

Page 1221: ...re sending the username to the server z The nas ip command in HWTACACS scheme view is only for the current HWTACACS scheme while the hwtacacs nas ip command in system view is for all HWTACACS schemes However the nas ip command in HWTACACS scheme view overwrites the configuration of the hwtacacs nas ip command Setting Timers Regarding HWTACACS Servers Follow these steps to set timers regarding HWTA...

Page 1222: ...buffer hwtacacs scheme hwtacacs scheme name slot slot number Available in any view Clear HWTACACS statistics reset hwtacacs statistics accounting all authentication authorization slot slot number Available in user view Clear buffered stop accounting requests that get no responses reset stop accounting buffer hwtacacs scheme hwtacacs scheme name slot slot number Available in user view AAA Configura...

Page 1223: ...g 10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the AAA methods for the domain Switch domain bbb Switch isp bbb authentication login hwtacacs scheme hwtac Switch isp bbb authorization login hwtacacs schem...

Page 1224: ...nting Its IP address is 10 1 1 1 On the switch set the shared keys for packets exchanged with the RADIUS server to expert Configuration of separate AAA for other types of users is similar to that given in this example The only difference lies in the access type Figure 1 8 Configure AAA by separate servers for Telnet users Configuration procedure Configure the IP addresses of various interfaces omi...

Page 1225: ...ods for all types of users Switch domain bbb Switch isp bbb authentication default local Switch isp bbb authorization default hwtacacs scheme hwtac Switch isp bbb accounting default radius scheme imc When telneting into the switch a user enters username telnet bbb for authentication using domain bbb AAA for SSH Users by a RADIUS Server Network requirements As shown in Figure 1 9 configure the swit...

Page 1226: ...t Access Service Access Device from the navigation tree to enter the Access Device page Then click Add to enter the Add Access Device window and perform the following configurations z Set both the shared keys for authentication and accounting packets to expert z Specify the ports for authentication and accounting as 1812 and 1813 respectively z Select Device Management Service as the service type ...

Page 1227: ... the navigation tree to enter the Device Management User page Then click Add to enter the Add Device Management User window and perform the following configurations z Add a user named hello bbb and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed as 192 168 1 0 to 192 168 1 255 and click Add to finish the operation ...

Page 1228: ... switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure the switch to use AAA for SSH users Switch user interface vty 0 4 Switch ui vty0 4 authentica...

Page 1229: ...AA Troubleshooting RADIUS Symptom 1 User authentication authorization always fails Analysis 1 A communication failure exists between the NAS and the RADIUS server 2 The username is not in the format of userid isp name or no default ISP domain is specified for the NAS 3 The user is not configured on the RADIUS server 4 The password of the user is incorrect 5 The RADIUS server and the NAS are config...

Page 1230: ...tion and accounting are available Symptom 3 A user is authenticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization server and the accounting server are not correct on the NAS For example one server is configured on the NAS to provide all the services of authentication authorization an...

Page 1231: ...g 802 1X for a Port 1 13 Configuring an 802 1X Port based Guest VLAN 1 14 Displaying and Maintaining 802 1X 1 15 802 1X Configuration Example 1 15 Guest VLAN and VLAN Assignment Configuration Example 1 18 ACL Assignment Configuration Example 1 20 2 802 1X based EAD Fast Deployment Configuration 2 1 EAD Fast Deployment Overview 2 1 Overview 2 1 EAD Fast Deployment Implementation 2 1 Configuring EAD...

Page 1232: ...ss control device can access the resources on the LAN only after passing authentication The port security feature provides rich security modes that combine or extend 802 1X and MAC address authentication In a networking environment that requires flexible use of 802 1X and MAC address authentication you are recommended to configure the port security feature In a network environment that requires on...

Page 1233: ... on the LAN z Between the device and the RADIUS server EAP protocol packets can be handled in two modes EAP relay and EAP termination In EAP relay mode EAP protocol packets are encapsulated by using the EAP over RADIUS EAPOR and then relayed to the RADIUS server In EAP termination mode EAP protocol packets are terminated at the device repackaged in the Password Authentication Protocol PAP or Chall...

Page 1234: ... to access the network without authentication z unauthorized force Places the port in the unauthorized state denying any access requests from users of the ports z auto Places the port in the unauthorized state initially to allow only EAPOL frames to pass and turns the ports into the authorized state to allow access to the network after the users pass authentication This is the most common choice C...

Page 1235: ...h Length of the data that is length of the Packet body field in bytes If the value of this field is 0 no subsequent data field is present z Packet body Content of the packet The format of this field varies with the value of the Type field EAP Packet Format An EAPOL frame of the type of EAP Packet carries an EAP packet in its Packet body field The format of the EAP packet is shown in Figure 1 4 Fig...

Page 1236: ...ws its encapsulation format The value of the Type field is 79 The String field can be up to 253 bytes If the EAP packet is longer than 253 bytes it can be fragmented and encapsulated into multiple EAP Message attributes Figure 1 6 Encapsulation format of the EAP Message attribute 0 15 Type String 7 Length N EAP packets Message Authenticator Figure 1 7 shows the encapsulation format of the Message ...

Page 1237: ... 30 seconds by default This method can be used to authenticate clients which cannot send EAPOL Start frames and therefore cannot trigger authentication for example the 802 1X client provided by Windows XP Authentication Process of 802 1X An 802 1X device communicates with a remotely located RADIUS server in two modes EAP relay and EAP termination The following description takes the EAP relay as an...

Page 1238: ... packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the device 4 Upon receiving the EAP Response Identity packet the device relays the packet in a RADIUS Access Request packet to the authentication server 5 When receiving the RADIUS Access Request packet the RADIUS server compares the identify information against its user information table to obtain the ...

Page 1239: ...has gone offline and performs the necessary operations guaranteeing that the device always knows when a client goes offline 11 The client can also send an EAPOL Logoff frame to the device to go offline unsolicitedly In this case the device changes the status of the port from authorized to unauthorized and sends an EAP Failure frame to the client In EAP relay mode a client must use the same authent...

Page 1240: ...is section describes the timers used on an 802 1X device to guarantee that the client the device and the RADIUS server can interact with each other in a reasonable manner z Username request timeout timer tx period The device starts this timer when it sends an EAP Request Identity frame to a client If it receives no response before this timer expires the device retransmits the request When cooperat...

Page 1241: ...n contains VLAN authorization information the device adds the port connecting the client to the assigned VLAN This neither changes nor affects the configurations of the port The only result is that the assigned VLAN takes precedence over the manually configured one that is the assigned VLAN takes effect After the client goes offline the configured one takes effect Features Working Together with 80...

Page 1242: ...t into the guest VLAN according to the port s link type in the similar way as described in VLAN assignment When a user of a port in the guest VLAN initiates an authentication if the authentication is not successful the port stays in the guest VLAN if the authentication is successful the port leaves the guest VLAN and z If the authentication server assigns a VLAN the port joins the assigned VLAN Af...

Page 1243: ...on or RADIUS z For remote RADIUS authentication the username and password information must be configured on the RADIUS server z For local authentication the username and password information must be configured on the device and the service type must be set to lan access For detailed configuration of the RADIUS client refer to AAA Configuration in the Security Volume Configuring 802 1X Globally Fol...

Page 1244: ... port in Ethernet interface view For detailed configuration refer to Configuring 802 1X for a Port The only difference between configuring 802 1X globally and configuring 802 1X for a port lies in the applicable scope If both a global setting and a local setting exist for an argument of a port the last configured one is in effect z 802 1X timers only need to be changed in special or extreme networ...

Page 1245: ... 802 1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication In this case you can configure the user name format command but it does not take effect For information about the user name format command refer to AAA Commands in the Security Volume z If the username of a client contains the version number or one or more blank spaces you...

Page 1246: ...t VLAN function and the free IP function in EAD fast deployment If the data flows from a user side device carry VLAN tags and 802 1X and guest VLAN are enabled on the access port you are recommended to configure different VLAN IDs for the voice VLAN the default port VLAN and the guest VLAN of 802 1X Displaying and Maintaining 802 1X To do Use the command Remarks Display 802 1X session information ...

Page 1247: ...esponse from the server and to send real time accounting packets to the accounting server every 15 minutes z Specify the device to remove the domain name from the username before passing the username to the RADIUS server z Set the username of the 802 1X user as localuser and the password as localpass and specify to use clear text mode Enable the idle cut function to get the user offline whenever t...

Page 1248: ... radius1 timer response timeout 5 Device radius radius1 retry 5 Set the interval for the device to send real time accounting packets to the RADIUS server Device radius radius1 timer realtime accounting 15 Specify the device to remove the domain name of any username before passing the username to the RADIUS server Device radius radius1 user name format without domain Device radius radius1 quit Crea...

Page 1249: ...ort GigabitEthernet 1 0 3 of the device which is in VLAN 5 is for accessing the Internet As shown in Figure 1 12 z On port GigabitEthernet 1 0 2 enable 802 1X and set VLAN 10 as the guest VLAN of the port If the device sends an EAP Request Identity packet from the port for the maximum number of times but still receives no response the device adds the port to its guest VLAN In this case the host an...

Page 1250: ...he following configuration procedure uses many AAA RADIUS commands For detailed configuration of these commands refer to AAA Configuration in the Security Volume z Configurations on the 802 1X client and RADIUS server are omitted Configure RADIUS scheme 2000 Device system view Device radius scheme 2000 Device radius 2000 primary authentication 10 11 1 1 1812 ...

Page 1251: ... GigabitEthernet1 0 2 dot1x port control auto Device GigabitEthernet1 0 2 quit Create VLAN 10 Device vlan 10 Device vlan10 quit Specify port GigabitEthernet 1 0 2 to use VLAN 10 as its guest VLAN Device dot1x guest vlan 10 interface GigabitEthernet 1 0 2 You can use the display current configuration or display interface GigabitEthernet 1 0 2 command to view your configuration You can also use the ...

Page 1252: ... radius 2000 key authentication abc Device radius 2000 key accounting abc Device radius 2000 user name format without domain Device radius 2000 quit Create an ISP domain and specify the AAA schemes Device domain 2000 Device isp 2000 authentication default radius scheme 2000 Device isp 2000 authorization default radius scheme 2000 Device isp 2000 accounting default radius scheme 2000 Device isp 200...

Page 1253: ... 22 C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Request timed out Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss C ...

Page 1254: ...device which tends to be time consuming and inefficient To address the issue quick EAD deployment was developed In conjunction with 802 1X it can have an access switch to force all attached devices to download and install the EAD client before permitting them to access the network EAD Fast Deployment Implementation To support the fast deployment of EAD schemes 802 1X provides the following two mec...

Page 1255: ...s before passing 802 1X authentication Once a free IP is configured the fast deployment of EAD is enabled Follow these steps to configure a freely accessible network segment To do Use the command Remarks Enter system view system view Configure a freely accessible network segment dot1x free ip ip address mask address mask length Required No freely accessible network segment is configured by default...

Page 1256: ...ork segment but fail the authentication ACLs will soon be used up and new users will be rejected An EAD rule timeout timer is designed to solve this problem When a user accesses the network this timer is started If the user neither downloads client software nor performs authentication before the timer expires the occupied ACL will be released so that other users can use it When there are a large n...

Page 1257: ... 192 168 2 0 24 GE1 0 1 Configuration procedure 1 Configure the WEB server Before using the EAD fast deployment function you need to configure the WEB server to provide the download service of 802 1X client software 2 Configure the device to support EAD fast deployment Configure the IP addresses of the interfaces omitted Configure the free IP Device system view Device dot1x free ip 192 168 2 0 24 ...

Page 1258: ...ecified URL Analysis z The address is in the string format In this case the operating system of the host regards the string a website name and tries to have it resolved If the resolution fails the operating system sends an ARP request with the address in the format other than X X X X The redirection function does redirect this kind of ARP request z The address is within the freely accessible netwo...

Page 1259: ...f Contents 1 HABP Configuration 1 1 Introduction to HABP 1 1 Configuring HABP 1 2 Configuring the HABP Server 1 2 Configuring an HABP Client 1 3 Displaying and Maintaining HABP 1 3 HABP Configuration Example 1 3 ...

Page 1260: ... devices of the cluster to bypass 802 1X authentication because network devices usually do not support 802 1 client Otherwise the management device will fail to perform centralized management of the cluster member devices For more information about the cluster function refer to Cluster Configuration in the System Volume As shown in Figure 1 1 802 1X authenticator Switch A has two switches attached...

Page 1261: ...en link layer frames exchanged between the clients can bypass the 802 1X authentication on ports of the server without affecting the normal operation of the whole network All HABP packets must travel in a VLAN which is called the management VLAN Communication between the HABP server and the HABP clients is implemented through the management VLAN Configuring HABP Complete the following tasks to con...

Page 1262: ...by default Configure HABP to work in client mode undo habp server Optional HABP works in client mode by default Displaying and Maintaining HABP To do Use the command Remarks Display HABP configuration information display habp Available in any view Display HABP MAC address table entries display habp table Available in any view Display HABP packet statistics display habp traffic Available in any vie...

Page 1263: ...onfigure Switch B and Switch C Configure Switch B and Switch C to work in HABP client mode This configuration is usually unnecessary because HABP is enabled and works in client mode by default 3 Verify your configuration Display HABP configuration information SwitchA display habp Global HABP information HABP Mode Server Sending HABP request packets every 50 seconds Bypass VLAN 2 Display HABP MAC a...

Page 1264: ... 1 2 Quiet MAC Address 1 2 VLAN Assigning 1 2 ACL Assigning 1 2 Configuring MAC Authentication 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 3 Displaying and Maintaining MAC Authentication 1 4 MAC Authentication Configuration Examples 1 4 Local MAC Authentication Configuration Example 1 4 RADIUS Based MAC Authentication Configuration Example 1 6 ACL Assignment Configuration Example...

Page 1265: ... and password z Fixed username where all users use the same preconfigured username and password for authentication regardless of the MAC addresses RADIUS Based MAC Authentication In RADIUS based MAC authentication the device serves as a RADIUS client and requires a RADIUS server to cooperate with it z If the type of username is MAC address the device forwards a detected MAC address as the username...

Page 1266: ...quiet MAC address is the same as a static MAC address configured or an MAC address that has passed another type of authentication the quiet function does not take effect VLAN Assigning For separation of users from restricted network resources users and restricted resources are usually put into different VLANs After a user passes identity authentication the authorization server assigns to the user ...

Page 1267: ...interface list Enable MAC authentication for specified ports interface interface type interface number mac authentication quit Required Use either approach Disabled by default Specify the ISP domain for MAC authentication mac authentication domain isp name Optional The default ISP domain is used by default Set the offline detect timer mac authentication timer offline detect offline detect value Op...

Page 1268: ...erface list Available in user view MAC Authentication Configuration Examples Local MAC Authentication Configuration Example Network requirements As illustrated in Figure 1 1 a supplicant is connected to the device through port GigabitEthernet 1 0 1 z Local MAC authentication is required on every port to control user access to the Internet z All users belong to domain aabbcc net z Local users use t...

Page 1269: ...s that is using the MAC address with hyphens of a user as the username and password for MAC authentication of the user Device mac authentication user name format mac address with hyphen 2 Verify the configuration Display global MAC authentication information Device display mac authentication MAC address authentication is enabled User name format is MAC address like xx xx xx xx xx xx Fixed username...

Page 1270: ...123456 Figure 1 2 Network diagram for MAC authentication using RADIUS Configuration procedure It is required that the RADIUS server and the device are reachable to each other and the username and password are configured on the server 1 Configure MAC authentication on the device Configure a RADIUS scheme Device system view Device radius scheme 2000 Device radius 2000 primary authentication 10 1 1 1...

Page 1271: ...Device display mac authentication MAC address authentication is enabled User name format is fixed account Fixed username aaa Fixed password 123456 Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 1 Current domain is 2000 Silent Mac User info MAC Addr From Port Port Index GigabitEther...

Page 1272: ...re you need to add the username and password of each user on the RADIUS server correctly z You need to configure the RADIUS server to assign ACL 3000 as the authorization ACL Configure the RADIUS scheme Sysname system view Sysname radius scheme 2000 Sysname radius 2000 primary authentication 10 1 1 1 1812 Sysname radius 2000 primary accounting 10 1 1 2 1813 Sysname radius 2000 key authentication a...

Page 1273: ... password for MAC authentication of the user Sysname mac authentication user name format mac address Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentication After completing the above configurations you can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions C ping 10 0 ...

Page 1274: ...ing out Users 1 9 Specifying a Mandatory Authentication Domain 1 10 Displaying and Maintaining Portal 1 10 Portal Configuration Examples 1 11 Configuring Direct Portal Authentication 1 11 Configuring Re DHCP Portal Authentication 1 15 Configuring Layer 3 Portal Authentication 1 17 Configuring Direct Portal Authentication with Extended Functions 1 19 Configuring Re DHCP Portal Authentication with E...

Page 1275: ...ortal website enter username and password for authentication This authentication mode is called active authentication There is still another authentication mode namely forced authentication in which the access device forces a user trying to access the Internet through HTTP to log in to a portal website for authentication The portal feature provides the flexibility for Internet service providers IS...

Page 1276: ...ation of a client depends on the communications between the portal client and the security policy server Access device Device for broadband access It can be a switch or a router that provides the following three functions z Before authentication redirecting all HTTP requests from users in the subnet to be authenticated to the portal server z During authentication interacting with the portal server...

Page 1277: ...ecurity authentication result z Since a portal client uses an IP address as its ID ensure that there is no Network Address Translation NAT device between the authentication client access device portal server and authentication accounting server when deploying portal authentication This is to avoid authentication failure due to NAT operations z Currently only a RADIUS server can serve as the authen...

Page 1278: ...e a client is uniquely identified by an IP address This is because the mode supports Layer 3 forwarding devices between the authentication client and the access device but the access device does not learn the MAC address of the authentication client In non Layer 3 authentication mode a client is uniquely identified by the combination of its IP address and MAC address because the access device can ...

Page 1279: ...request message and sends it to the access device Meanwhile the portal server starts a timer to wait for an authentication acknowledgment message 5 The access device and the RADIUS server exchange RADIUS packets to authenticate the user 6 If the user passes authentication the access device sends an authentication acknowledgment message to the portal server 7 The portal server sends an authenticati...

Page 1280: ...tal server that it has obtained a public IP address 8 The portal server notifies the access device that the authentication client has obtained a new public IP address 9 Detecting the change of the IP address by examining ARP packets received the access device notifies the portal server of the change 10 The portal server notifies the authentication client of logon success 11 The portal server sends...

Page 1281: ... the users are configured on the RADIUS server and the RADIUS client configurations are performed on the access device For information about RADIUS client configuration refer to AAA Configuration in the Security Volume z To implement extended portal functions you need install and configure the security policy server and ensure that the ACLs configured on the access device correspond to those speci...

Page 1282: ...authentication mode can be used in applications with Layer 3 forwarding devices present between the authentication clients and the access device However Layer 3 authentication does not require any Layer 3 forwarding devices between the access device and the authentication clients z In re DHCP authentication mode a user is allowed to send packets using a public IP address before portal authenticati...

Page 1283: ...Remarks Enter system view system view Enter interface view interface interface type interface number Configure an authentication subnet portal auth network network address mask length mask Optional By default the authentication subnet is 0 0 0 0 0 which means that users with any source IP addresses are to be authenticated z Configuration of authentication subnets applies to only Layer 3 portal aut...

Page 1284: ...Security Volume Displaying and Maintaining Portal To do Use the command Remarks Display the ACLs on a specified interface display portal acl all dynamic static interface interface type interface number Available in any view Display portal connection statistics on a specified interface or all interfaces display portal connection statistics all interface interface type interface number Available in ...

Page 1285: ...authentication The host is assigned with a public network IP address manually or automatically by a DHCP server Before portal authentication users using the host can access only the portal server After passing portal authentication they can access unrestricted Internet resources z A RADIUS server serves as the authentication accounting server Figure 1 4 Configure direct portal authentication RADIU...

Page 1286: ...entication main page in the format of http ip port portal where ip and port are those configured during the iMC UAM installation Usually their default settings are used Figure 1 5 Portal server configuration Configure the IP address group Select Portal Service Management IP Group from the navigation tree to enter the portal IP address group configuration page Then click Add to enter the page for a...

Page 1287: ...herefore select No from the Reallocate IP drop down list Figure 1 7 Add a portal device Associate the portal device with the IP address group As shown in Figure 1 8 in the device list on the portal device configuration page click the icon in the Port Group Information Management column of device Switch to enter the port group configuration page Figure 1 8 Device list On the port group configuratio...

Page 1288: ...igure the keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 112 Switch radius rs1 primary accounting 192 168 0 112 Switch radius rs1 key authentication radius Switch radius rs1 key accounting radius Specify that the ISP domain name should not be included in the username sent to the RADIUS server Switch radius rs1 user name format without domain Switch radiu...

Page 1289: ...thentication on the interface connecting the host Switch interface vlan interface 100 Switch Vlan interface100 portal server newpt method direct Switch quit Configuring Re DHCP Portal Authentication Network requirements z The host is directly connected to the switch and the switch is configured for re DHCP authentication The host is assigned with an IP address through the DHCP server Before portal...

Page 1290: ...rver type for the RADIUS scheme When using the iMC server you need set the server type to extended Switch radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 113 Switch radius rs1 primary accounting 192 168 0 113 Switch radius rs1 key auth...

Page 1291: ...ct relay Switch Vlan interface100 dhcp relay server select 0 Switch Vlan interface100 dhcp relay address check enable Enable re DHCP portal authentication on the interface connecting the host Switch Vlan interface100 portal server newpt method redhcp Switch Vlan interface100 quit Configure the IP address of the interface connected with the portal server Switch interface vlan interface 2 Switch Vla...

Page 1292: ...d enter its view SwitchA system view SwitchA radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you need set the server type to extended SwitchA radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers SwitchA radius rs1 primary authentication 192 168 0 112 Sw...

Page 1293: ... interface 4 SwitchA Vlan interface4 portal server newpt method layer3 SwitchA Vlan interface4 quit Configure the IP address of the interface connected with the portal server SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 0 100 255 255 255 0 SwitchA Vlan interface2 quit On Switch B you need to configure a default route to subnet 192 168 0 0 24 setting the next hop as...

Page 1294: ...IUS scheme Create a RADIUS scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you need set the server type to extended Switch radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers Switch radius r...

Page 1295: ...1 for unrestricted resources On the security policy server you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL Switch acl number 3000 Switch acl adv 3000 rule permit ip destination 192 168 0 0 0 0 0 255 Switch acl adv 3000 rule deny ip Switch acl adv 3000 quit Switch acl number 3001 Switch acl adv 3001 rule permit ip Switch acl adv 3001 quit 4 Configure portal authen...

Page 1296: ...Configure re DHCP portal authentication with extended functions Configuration procedure z For re DHCP authentication you need to configure a public address pool 20 20 20 0 24 in this example and a private address pool 10 0 0 0 24 in this example on the DHCP server The configuration steps are omitted For DHCP configuration information refer to DHCP Configuration in the IP Services Volume z For re D...

Page 1297: ...s1 quit 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view Switch domain dm1 Configure the ISP domain to use RADIUS scheme rs1 Switch isp dm1 authentication portal radius scheme rs1 Switch isp dm1 authorization portal radius scheme rs1 Switch isp dm1 accounting portal radius scheme rs1 Switch isp dm1 quit Configure dm1 as the default ISP domain for all users The...

Page 1298: ...s 10 0 0 1 255 255 255 0 sub Switch Vlan interface100 dhcp select relay Switch Vlan interface100 dhcp relay server select 0 Switch Vlan interface100 dhcp relay address check enable Enable re DHCP portal authentication on the interface connecting the host Switch Vlan interface100 portal server newpt method redhcp Switch Vlan interface100 quit Configuring Layer 3 Portal Authentication with Extended ...

Page 1299: ...me rs1 Set the server type for the RADIUS scheme When using the iMC server you need set the server type to extended SwitchA radius rs1 server type extended Specify the primary authentication server and primary accounting server and configure the keys for communication with the servers SwitchA radius rs1 primary authentication 192 168 0 112 SwitchA radius rs1 primary accounting 192 168 0 112 Switch...

Page 1300: ...d ACL 3001 as the security ACL SwitchA acl number 3000 SwitchA acl adv 3000 rule permit ip destination 192 168 0 0 0 0 0 255 SwitchA acl adv 3000 rule deny ip SwitchA acl adv 3000 quit SwitchA acl number 3001 SwitchA acl adv 3001 rule permit ip SwitchA acl adv 3001 quit 4 Configure portal authentication Configure the portal server as follows z Name newpt z IP address 192 168 0 111 z Key portal z P...

Page 1301: ...uthentication client Analysis When you execute the portal delete user command on the access device to force the user to log out the access device actively sends a REQ_LOGOUT message to the portal server The default listening port of the portal server is 50100 However if the listening port configured on the access device is not 50100 the destination port of the REQ_LOGOUT message is not the actual ...

Page 1302: ...rt Security Features 1 7 Configuring NTK 1 7 Configuring Intrusion Protection 1 8 Configuring Trapping 1 9 Configuring Secure MAC Addresses 1 9 Configuration Prerequisites 1 9 Configuration Procedure 1 9 Ignoring Authorization Information from the Server 1 10 Displaying and Maintaining Port Security 1 10 Port Security Configuration Examples 1 11 Configuring the autoLearn Mode 1 11 Configuring the ...

Page 1303: ... needed When a port security enabled device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This reduces your maintenance workload and greatly enhances system security The following types of frames are classified as illegal z Received frames with unknown source MAC addresses when MAC address learning is disabled z Received f...

Page 1304: ...noRestrictions Port security is disabled on the port and access to the port is not restricted In this mode neither the NTK nor the intrusion protection feature is triggered autoLearn In this mode a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses It permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses con...

Page 1305: ...authentication upon receiving 802 1X frames macAddressElseUs erLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC authentication having a higher priority z Upon receiving a non 802 1X frame a port in this mode performs only MAC authentication z Upon receiving an 802 1X frame the port performs MAC authentication and then if MAC authentication fai...

Page 1306: ...ntication fails the protocol type of the authentication request determines whether to turn to the authentication method following the Else z In a security mode with Or the protocol type of the authentication request determines which authentication method is to be used However 802 1X authentication is preferred by wireless users z userLogin with Secure specifies MAC based 802 1X authentication z Ex...

Page 1307: ...gurations on a port to the bracketed defaults z Port security mode noRestrictions z 802 1X disabled port access control method macbased and port access control mode auto z MAC authentication disabled 3 Port security cannot be disabled if there is any user present on a port z For detailed 802 1X configuration refer to 802 1X Configuration in the Security Volume z For detailed MAC based authenticati...

Page 1308: ...e that z 802 1X is disabled the port access control method is macbased and the port access control mode is auto z MAC authentication is disabled z The port does not belong to any aggregation group or service loopback group The above requirements must be all met Otherwise you will see an error message and your configuration will fail On the other hand after setting the port security mode on a port ...

Page 1309: ... vendor z You can configure multiple OUI values However a port in userLoginWithOUI mode allows only one 802 1X user and one user whose MAC address contains a specified OUI z After enabling port security you can change the port security mode of a port only when the port is operating in noRestrictions mode the default mode To change the port security mode of a port operating in any other mode use th...

Page 1310: ...z blockmac Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards frames with blocked source MAC addresses A blocked MAC address is restored to normal after being blocked for three minutes which is fixed and cannot be changed z disableport Disables the port permanently z disableport temporarily Disables the port for a specified period of time Use the port se...

Page 1311: ...rt security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon Required By default no port security trap is enabled Configuring Secure MAC Addresses Secure MAC addresses are special MAC addresses They never age out or get lost if saved before the device restarts One secure MAC address can be added to only one port in the same VLAN Thus you can ...

Page 1312: ...n the RADIUS server delivers the authorization information to the device You can configure a port to ignore the authorization information from the RADIUS server Follow these steps to configure a port to ignore the authorization information from the RADIUS server To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Ignore the...

Page 1313: ...gram for configuring the autoLearn mode Configuration procedure 1 Configure port security Enable port security Switch system view Switch port security enable Enable intrusion protection trap Switch port security trap intrusion Switch interface gigabitethernet 1 0 1 Set the maximum number of secure MAC addresses allowed on the port to 64 Switch GigabitEthernet1 0 1 port security max mac count 64 Se...

Page 1314: ...y this interface GigabitEthernet1 0 1 port security max mac count 64 port security port mode autolearn port security intrusion mode disableport temporarily port security mac address security 0002 0000 0015 vlan 1 port security mac address security 0002 0000 0014 vlan 1 port security mac address security 0002 0000 0013 vlan 1 port security mac address security 0002 0000 0012 vlan 1 port security ma...

Page 1315: ... client is authorized to access the Internet z RADIUS server 192 168 1 2 functions as the primary authentication server and the secondary accounting server and RADIUS server 192 168 1 3 functions as the secondary authentication server and the primary accounting server The shared key for authentication is name and that for accounting is money z All users belong to default domain sun which can accom...

Page 1316: ...retry 5 Switch radius radsun timer realtime accounting 15 Switch radius radsun user name format without domain Switch radius radsun quit Configure an ISP domain named sun Switch domain sun Switch isp sun authentication default radius scheme radsun Switch isp sun authorization default radius scheme radsun Switch isp sun accounting default radius scheme radsun Switch isp sun access limit enable 30 S...

Page 1317: ...val for realtime accounting minute 15 Retransmission times of realtime accounting packet 5 Retransmission times of stop accounting packet 500 Quiet interval min 5 Username format without domain Data flow unit Byte Packet unit one Use the following command to view the configuration information of the ISP domain named sun Switch display domain sun Domain sun State Active Access limit 30 Accounting m...

Page 1318: ... Timer is disabled Supp Timeout 30 s Server Timeout 100 s The maximal retransmitting times 2 EAD quick deploy configuration EAD timeout 30m The maximum 802 1X user resource number is 1024 per slot Total current used 802 1X resource number is 1 GigabitEthernet1 0 1 is link up 802 1X protocol is enabled Handshake is enabled The port is an authenticator Authentication Mode is Auto Port Control Type i...

Page 1319: ...perform MAC authentication first and then if MAC authentication fails 802 1X authentication Allow only one 802 1X user to log on z Set fixed username and password for MAC based authentication Set the total number of MAC authenticated users and 802 1X authenticated users to 64 z Enable NTK to prevent frames from being sent to unknown MAC addresses See Figure 1 2 Configuration procedure z Configurat...

Page 1320: ...ode is macAddressElseUserLoginSecure NeedToKnow mode is NeedToKnowOnly Intrusion Protection mode is NoAction Max MAC address number is 64 Stored MAC address number is 0 Authorization is permitted Use the following command to view MAC authentication information Switch display mac authentication interface gigabitethernet 1 0 1 GigabitEthernet1 0 1 is link up MAC address authentication is enabled Aut...

Page 1321: ...ackets 4 Fail Packets 5 Received EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 0000 0011 Controlled User s amount to 1 In addition as NTK is enabled frames with unknown destination MAC addresses multicast addresses and broadcast addresses should be discarded Troubleshooting Port S...

Page 1322: ...ax mac count 64 Switch GigabitEthernet1 0 1 port security port mode autolearn Switch GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Cannot Change Port Security Mode When a User Is Online Symptom Port security mode cannot be changed when an 802 1X authenticated or MAC authenticated user is online Switch GigabitEthernet1 0 1 undo port security port mode Error Cannot configure p...

Page 1323: ...ring Dynamic Binding Function 1 2 Displaying and Maintaining IP Source Guard 1 3 IP Source Guard Configuration Examples 1 3 Static Binding Entry Configuration Example 1 3 Dynamic Binding Function Configuration Example 1 4 Troubleshooting IP Source Guard 1 6 Failed to Configure Static Binding Entries and Dynamic Binding Function 1 6 ...

Page 1324: ...h the port forwards the packet Otherwise the port discards the packet IP source guard filters packets based on the following types of binding entries z IP port binding entry z MAC port binding entry z IP MAC port binding entry z IP VLAN port binding entry z MAC VLAN port binding entry z IP MAC VLAN port binding entry You can manually set static binding entries or use DHCP snooping or DHCP relay to...

Page 1325: ...r 0 0 0 0 z A static binding entry can be configured on only Layer 2 Ethernet ports Configuring Dynamic Binding Function After the dynamic binding function is enabled on a port IP source guard will receive and process corresponding DHCP snooping or DHCP relay entries which contain such information as MAC address IP address VLAN tag port information or entry type It adds the obtained information to...

Page 1326: ...re static binding entries on Switch A and Switch B to meet the following requirements z On port GigabitEthernet 1 0 2 of Switch A only IP packets from Host C can pass z On port GigabitEthernet 1 0 1 of Switch A only IP packets from Host A can pass z On port GigabitEthernet 1 0 2 of Switch B only IP packets from Host A can pass z On port GigabitEthernet 1 0 1 of Switch B only IP packets from Host B...

Page 1327: ... SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static binding entries are configured successfully SwitchA display user bind Total entries found 2 MAC IP Vlan Port Status 0001 0203 0405 192 168 0 3 N A GigabitEthernet1 0 2 Static 0001 0203 0406 192 168 0 1 N A GigabitEthernet1 0...

Page 1328: ...ce gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping trust SwitchA GigabitEthernet1 0 2 quit 2 Verify the configuration Display dynamic binding function is configured successfully on port GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 display this interface GigabitEthernet1 0 1 ip check source ip address mac address return Display the dyna...

Page 1329: ...ated by DHCP snooping after it is configured with dynamic binding function Troubleshooting IP Source Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring static binding entries and dynamic binding function fails on a port Analysis IP Source Guard is not supported on the port which has joined an aggregation group Neither static binding entries nor dynami...

Page 1330: ... and Maintaining SSH 1 11 SSH Server Configuration Examples 1 12 When Switch Acts as Server for Password Authentication 1 12 When Switch Acts as Server for Publickey Authentication 1 14 SSH Client Configuration Examples 1 19 When Switch Acts as Client for Password Authentication 1 19 When Switch Acts as Client for Publickey Authentication 1 22 2 SFTP Service 2 1 SFTP Overview 2 1 Configuring an SF...

Page 1331: ...ients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH versions SSH2 0 and SSH1 When acting as an SSH client the device supports SSH2 0 only Operation of SSH The session establishment and interaction between an SSH client and the SSH server involves the followi...

Page 1332: ...upports the version the server and client will use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation otherwise the server breaks the TCP connection All the packets involved in the above steps are transferred in plain text Key and algorithm negotiation z The server and the client send key algorithm neg...

Page 1333: ...alid the authentication fails otherwise the server authenticates the client by the digital signature Finally the server sends a message to the client to inform the success or failure of the authentication Currently the device supports two publickey algorithms for digital signature RSA and DSA The following gives the steps of the authentication stage 1 The client sends to the server an authenticati...

Page 1334: ...commands in text format the text must be within 2000 bytes It is recommended that the commands are in the same view otherwise the server may not be able to perform the commands correctly z If the command text exceeds 2000 bytes you can execute the commands by saving the text as a configuration file uploading the configuration file to the server through SFTP and then using the configuration file to...

Page 1335: ...e key As SSH2 uses the DH algorithm to generate the session key on the SSH server and client respectively no session key transmission is required in SSH2 and the server key pair is not used z The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits Some SSH2 clients require that the length of the key modulus be at least 768 bits on the SSH server side z The ...

Page 1336: ...For a user interface configured to support SSH you cannot change the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a Client Public Key This configuration task is only necessary for SSH users using publickey authentication For each SSH user that uses publickey authentication to login you must configure the client s DSA or RSA host public ...

Page 1337: ...public key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end Importing a client public key from a public key file Follow these steps to import a public key from a public key file To do Use the command Remarks Enter system view system view Import the public key from a public key file public key pe...

Page 1338: ...all z As SSH1 does not support service type sftp if the client uses SSH1 to log into the server you must set the service type to stelnet or all on the server Otherwise the client will fail to log in z The working folder of an SFTP user is subject to the user authentication method For a user using only password authentication the working folder is the AAA authorized one For a user using only public...

Page 1339: ... RSA server key pair update interval ssh server rekey interval hours Optional 0 by default that is the RSA server key pair is not updated Set the SSH user authentication timeout period ssh server authentication timeout time out value Optional 60 seconds by default Set the maximum number of SSH authentication attempts ssh server authentication retries times Optional 3 by default Authentication will...

Page 1340: ...st public key accesses the server for the first time the user can continue accessing the server and save the host public key on the client When accessing the server again the client will use the saved server host public key to authenticate the server z Without first time authentication a client not configured with the server host public key will deny to access the server To access the server a use...

Page 1341: ...c hmac md5 md5 96 sha1 sha1 96 Establish a connection between the SSH client and server and specify the public key algorithm preferred encryption algorithms preferred HMAC algorithms and preferred key exchange algorithm For an IPv4 IPv6 server ssh2 ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh gro...

Page 1342: ...k requirements z As shown in Figure 1 1 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data exchange z Password authentication is required The username and password are saved on the switch Figure 1 1 Switch acts as server for password authentication Configuration procedure 1 Configure the SSH server Generate RSA and DSA key pairs and ...

Page 1343: ...ation attribute level 3 Switch luser client001 quit Specify the service type for user client001 as Stelnet and the authentication mode as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Configure the SSH client There are many kinds of SSH client software such as PuTTY and OpenSSH The following is an example of configuring SSH client usin...

Page 1344: ... interface When Switch Acts as Server for Publickey Authentication Network requirements z As shown in Figure 1 3 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data exchange z Publickey authentication is used the algorithm is RSA Figure 1 3 Switch acts as server for publickey authentication Configuration procedure 1 Configure the SSH ...

Page 1345: ...to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Before performing the following tasks you must use the client software to generate an RSA key pair on the client save the public key in a file named key pub and then upload the file to the SSH server through FTP or TFTP For details refer to Configure the SSH client below Import the client s public key from file key pub and name it ...

Page 1346: ... key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 5 Otherwise the process bar stops moving and the key pair generating process will be stopped ...

Page 1347: ... file name as key pub to save the public key Figure 1 6 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the key private in this case ...

Page 1348: ...he client Specify the private key file and establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 1 8 SSH client configuration interface 1 Select Connection SSH Auth from the navigation tree The following window appears Click Browse to bring up the file selection win...

Page 1349: ... as Client for Password Authentication Network requirements z As shown in Figure 1 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the password is aabbcc Password authentication is required Figure 1 10 Switch acts as client for password authentication Configuration procedure 1 Configure the SSH server C...

Page 1350: ... level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication type as password This step is optional SwitchB ssh user client001 service type stelnet authentication type password 2 Configure the SSH client Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165...

Page 1351: ... code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 SwitchA pkey key code B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC 9B09EEF0381840002818000AF995917 SwitchA pkey key code E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5D F257523777D033BEE77FC378145F2AD ...

Page 1352: ...nt will use as the destination for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh Set the...

Page 1353: ... a DSA key pair SwitchA public key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client Establish an SSH connection...

Page 1354: ...FTP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detailed configuration procedure refer to Configuring the Device as an SSH Server z You have used the ssh user service type command to set the service type of SSH users to sftp or all For configuration pr...

Page 1355: ...or the SFTP Client You can configure a client to use only a specified source IP address or interface to access the SFTP server thus enhancing the service manageability Follow these steps to specify a source IP address or interface for the SFTP client To do Use the command Remarks Enter system view system view Specify a source IPv4 address or interface for the SFTP client sftp client source ip ip a...

Page 1356: ...include z Changing or displaying the current working directory z Displaying files under a specified directory or the directory information z Changing the name of a specified directory on the server z Creating or deleting a directory Follow these steps to work with the SFTP directories To do Use the command Remarks Enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos...

Page 1357: ...1 96 Required Execute the command in user view Change the name of a specified file or directory on the SFTP server rename old name new name Optional Download a file from the remote server and save it locally get remote file local file Optional Upload a local file to the remote SFTP server put local file remote file Optional dir a l remote path Display the files under a specified directory ls a l r...

Page 1358: ...t number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view bye exit Terminate the connection to the remote SFTP server and return to user view quit Required Use any of the commands These three co...

Page 1359: ...e use the client software to generate RSA key pairs on the client save the host public key in a file named pubkey and then upload the file to the SSH server through FTP or TFTP For details refer to Configure the SFTP client Switch A below Import the peer public key from the file pubkey SwitchB public key peer Switch001 import sshkey pubkey For user client001 set the service type as SFTP authentica...

Page 1360: ...uccessfully sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub rwxrwxrwx 1 noone nogroup 0 Sep 01 08 00 z sftp client delete z The following File will be deleted z Are you sure to delete...

Page 1361: ...e the name to public sftp client get pubkey2 public Remote file pubkey2 Local file public Downloading file successfully ended Upload the local file pu to the server save it as puk and check if the file has been uploaded successfully sftp client put pu puk Local file pu Remote file puk Uploading file successfully ended sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx...

Page 1362: ...itch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 45 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode of the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch ui vty0 4 quit Configure a local user named client002 with t...

Page 1363: ... supports only password authentication Establish a connection with the remote SFTP server Run the psftp exe to launch the client interface as shown in Figure 2 3 and enter the following command open 192 168 1 45 Enter username client002 and password aabbcc as prompted to log into the SFTP server Figure 2 3 SFTP client interface ...

Page 1364: ...e 1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 12 Displaying and Maintaining PKI 1 12 PKI Configuration Examples 1 13 Requesting a Certificate from a CA Running RSA Keon 1 13 Requesting a Certificate from a CA Running Windows 2003 Server 1 16 Configurin...

Page 1365: ...ve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI system provides network communication and e commerce with security services such as user authentication data non repudiation data confidentiality and data integrity PKI Terms Digital certificate A digital certificate is a fi...

Page 1366: ... is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of these CRLs CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests issuing and revoking certificates and publishing CRLs Usually a CA advertises its policy in the form of certification practice statement CPS A CA polic...

Page 1367: ... PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private network VPN is a private data communication network built on the public communication infrastructure A VPN can leverage network layer security protocols for instance IPSec in conjunction with PKI based encryp...

Page 1368: ...ting a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting a Certificate Optional Configuring an Access Control Policy Optional Configuring an Entity DN A certificate is the binding of a public key and the identity information of an entity where the identity...

Page 1369: ...y fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locality locality name Optional No locality is specified by default Configure the organization name for the entity organization org name Optional No organization is specified by default Configure the unit ...

Page 1370: ...a dedicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certificate request manually During this period the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed You can configur...

Page 1371: ...and optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is configured by default z Currently up to two PKI domains can be created on a device z The CA name is required only when you retrieve a CA certificate It is not used when in local certificate request z Cur...

Page 1372: ...t The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed information about RSA key pair configuration refer to Public Key Configuration in the Security Volume Follow these steps to submit a certificate request in manual mode To do Use the command Remarks Enter system view ...

Page 1373: ...n command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of the certificate will be abnormal z The pki request certificate domain configuration will not be saved in the configuration file Retrieving a Certificate Manually You can download an existing CA cert...

Page 1374: ...RL checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verification To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Specify the URL of the CRL distribution point crl url url string Optional No CRL distrib...

Page 1375: ...n file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the private key leaks or the certificate is about to expire you can destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Us...

Page 1376: ...tive subject name attribute id alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject name by default Return to system view quit Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Re...

Page 1377: ...the certificate request from ra command to specify that the entity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain you need to use the certificate request from ca command to specify that the entity requests a certificate from a CA Requesting a Certificate from a CA Running RSA Keon The CA server runs RSA Keon in ...

Page 1378: ...retrieve CRLs properly 2 Configure the switch z Configure the entity DN Configure the entity name as aaa and the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa common name switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter its view Switch pki domain torsa Configure the name of the trusted CA as myca Switch pki domain...

Page 1379: ...trieval success Retrieve CRLs and save them locally Switch pki retrieval crl domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certificate is being requested please wait Switch Enrolling the local certificate please wait a while Certificate request Successful...

Page 1380: ...istribution Points URI http 4 4 4 133 447 myca crl Signature Algorithm sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use so...

Page 1381: ...ates issued by the CA to the RA Right click on the CA server in the navigation tree and select Properties Policy Module Click Properties and then select Follow the settings in the certificate template if applicable Otherwise automatically issue the certificate z Modify the Internet Information Services IIS attributes From the start menu select Control Panel Administrative Tools Internet Informatio...

Page 1382: ...12 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits in the modulus default 1024 Generating Keys z Apply for certificates Retrieve the CA certificate and save it locally Switch pki retrieval certificate ca domain torsa Retrieving CA RA certificates Please wait a while The trusted CA s finger print is MD5 fingerprint 766C D2C8 9E46 845...

Page 1383: ...C 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F 6B Exponent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier keyid 9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4F...

Page 1384: ...tailed information about SSL configuration refer to SSL Configuration in the Security Volume z For detailed information about HTTPS configuration refer to HTTP Configuration in the System Volume z The PKI domain to be referenced by the SSL policy must be created in advance For detailed configuration of the PKI domain refer to Configure the PKI domain 1 Configure the HTTPS server Configure the SSL ...

Page 1385: ... certificate access control policy myacp Switch pki cert acp myacp rule 1 deny mygroup1 Switch pki cert acp myacp rule 2 permit mygroup2 Switch pki cert acp myacp quit 4 Apply the SSL server policy and certificate attribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy myssl to HTTPS service Switch ip https ssl server policy myssl Apply the certifica...

Page 1386: ... not configured Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Specify the authority for certificate request z Configure the required entity DN parameters Failed to Retrieve CRLs Symptom Failed to retrieve CRLs Analysis Possible reasons...

Page 1387: ...1 23 ...

Page 1388: ...k List 1 2 Configuring an SSL Server Policy 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 6 Configuration Prerequisites 1 6 Configuration Procedure 1 6 Displaying and Maintaining SSL 1 6 Troubleshooting SSL 1 7 SSL Handshake Failure 1 7 ...

Page 1389: ...r and client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key Infrastructure PKI z Reliability SSL uses the key based message authentication code MAC to verify message integrity A MAC algorithm transforms a message of any length to a fixed length message Figure 1...

Page 1390: ...tity authentication of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the session ID peer certificate cipher suite and master secret z SSL change cipher spec protocol Used for notification between a client and the server that the subsequent packets are to be protected and transmit...

Page 1391: ...and enter its view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy Specify the cipher suite s for the SSL server policy to support ciphersuite rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional By default an SSL server policy supports all ci...

Page 1392: ...ent to use SSL 3 0 or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z Device works as the HTTPS server z A host works as the client and accesses the HTTPS server through HTTP secured with SSL z A certificate authority CA issues a certificate to Device In this instance Windows Server works as the CA and the Simple Certificate Enrollment Protocol...

Page 1393: ...in for the SSL server policy as 1 Device ssl server policy myssl pki domain 1 Enable client authentication Device ssl server policy myssl client verify enable Device ssl server policy myssl quit 3 Associate HTTPS service with the SSL server policy and enable HTTPS service Configure HTTPS service to use SSL server policy myssl Device ip https ssl server policy myssl Enable HTTPS service Device ip h...

Page 1394: ...licy To do Use the command Remarks Enter system view system view Create an SSL client policy and enter its view ssl client policy policy name Required Specify a PKI domain for the SSL client policy pki domain domain name Required No PKI domain is configured by default Specify the preferred cipher suite for the SSL client policy prefer cipher rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_...

Page 1395: ...he problem z If the SSL server has no certificate request one for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server or let the server requests a certificate from the CA that the SSL client trusts z If the SSL server is configured to authenticate the client but the certificate of the SSL clie...

Page 1396: ... Asymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer 1 3 Displaying and Maintaining Public Keys 1 4 Public Key Configuration Examples 1 5 Configuring the Public Key of a Peer Manually 1 5 Importing the Public Key of a Peer from a Public Key File 1 6 ...

Page 1397: ...entiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types of key algorithms based on whether the keys for encryption and decryption are the same z Symmetric key algorithm The same key is used for both encryption and decryption Commonly used symmetric key algorithms include ...

Page 1398: ...mir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption decryption and signature whereas DSA are used for signature only Asymmetric key algorithms are usually used in digital signature applications for peer identity authentication because they involve complex calculations and are time consuming symmetric key algorithms are...

Page 1399: ...the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public key To do Use the command Remarks Enter system view system view Display the local RSA host public key on the screen in a specified format or export it to a specified file public key local export rsa openssh ssh1 ssh2 filename Display the local DSA host public key on the s...

Page 1400: ...blic key of a peer manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public key of the peer Type or copy the key Required Spaces and carriage returns are allowed between characters Return to public key view public key code end When you exit public key code view the system a...

Page 1401: ... A Create RSA key pairs on Device A DeviceA system view DeviceA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair ...

Page 1402: ...t view with public key code end DeviceB pkey key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A 9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326 470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 DeviceB pkey key c...

Page 1403: ...CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair created 09 50 06 2007 08 07 Key name HOST_KEY Key type RSA Encryption Key Key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D8...

Page 1404: ...ftp quit 3 Upload the public key file of Device A to Device B FTP the public key file devicea pub to Device B with the file transfer mode of binary DeviceA ftp 10 1 1 2 Trying 10 1 1 2 Press CTRL K to abort Connected to 10 1 1 2 220 FTP service ready User 10 1 1 2 none ftp 331 Password required for ftp Password 230 User logged in ftp binary 200 Type set to I ftp put devicea pub 227 Entering Passiv...

Page 1405: ...003FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA 80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 ...

Page 1406: ...ge 2 1 Configuration Procedure 2 1 Configuration Example 2 2 Configuring a Basic IPv4 ACL 2 2 Configuration Prerequisites 2 2 Configuration Procedure 2 3 Configuration Example 2 3 Configuring an Advanced IPv4 ACL 2 4 Configuration Prerequisites 2 4 Configuration Procedure 2 4 Configuration Example 2 5 Configuring an Ethernet Frame Header ACL 2 6 Configuration Prerequisites 2 6 Configuration Proced...

Page 1407: ...dvanced IPv6 ACL 3 2 Configuration Prerequisites 3 3 Configuration Procedure 3 3 Configuration Example 3 4 Copying an IPv6 ACL 3 4 Configuration Prerequisites 3 4 Configuration Procedure 3 4 Displaying and Maintaining IPv6 ACLs 3 5 IPv6 ACL Configuration Example 3 5 Network Requirements 3 5 Network Diagram 3 5 Configuration Procedure 3 5 ...

Page 1408: ...d be rejected based on matching criteria such as source MAC address destination MAC address source IP address destination IP address and port number Application of ACLs on the Switch The switch supports two ACL application modes z Hardware based application An ACL is assigned to a piece of hardware For example an ACL can be referenced by QoS for traffic classification Note that when an ACL is refe...

Page 1409: ...4 ACLs identified by ACL numbers fall into three categories as shown in Table 1 1 Table 1 1 IPv4 ACL categories Category ACL number Matching criteria Basic IPv4 ACL 2000 to 2999 Source IP address Advanced IPv4 ACL 3000 to 3999 Source IP address destination IP address protocol carried over IP and other Layer 3 or Layer 4 protocol header information Ethernet frame header ACL 4000 to 4999 Layer 2 pro...

Page 1410: ...Depth first match for an advanced IPv4 ACL The following shows how your device performs depth first match in an advanced IPv4 ACL 1 Sort rules by VPN instance first and compare packets against the rule configured with a VPN instance 2 In case of a tie look at the protocol carried over IP A rule with no limit to the protocol type that is configured with the ip keyword has the lowest precedence Rule...

Page 1411: ... assign a newly defined rule a number that is the smallest multiple of the step bigger than the current biggest number For example with a step of five if the biggest number is currently 28 the newly defined rule will get a number of 30 If the ACL has no rule defined already the first defined rule will get a number of 0 Another benefit of using the step is that it allows you to insert new rules bet...

Page 1412: ...r to specify a name for an ACL is up to you After creating an ACL you cannot specify a name for it nor can you change or remove its name The name of an IPv6 ACL must be unique among IPv6 ACLs However an IPv6 ACL and an IPv4 ACL can share the same name IPv6 ACL Match Order Similar to IPv4 ACLs an IPv6 ACL consists of multiple rules each of which specifies different matching criteria These criteria ...

Page 1413: ...e IPv6 address prefixes Then compare packets against the rule configured with a longer prefix for the source IPv6 address 3 If the prefix lengths for the source IPv6 addresses are the same look at the destination IPv6 address prefixes Then compare packets against the rule configured with a longer prefix for the destination IPv6 address 4 If the prefix lengths for the destination IPv6 addresses are...

Page 1414: ...equired Display the configuration and status of one or all time ranges display time range time range name all Optional Available in any view You may create a maximum of 256 time ranges A time range can be one of the following z Periodic time range created using the time range time range name start time to end time days command A time range thus created recurs periodically on the day or days of the...

Page 1415: ...ge ends at the latest time that the system supports namely 24 00 12 31 2100 Configuration Example Create a time range that is active from 8 00 to 18 00 every working day Sysname system view Sysname time range test 8 00 to 18 00 working day Verify the configuration Sysname display time range test Current time is 22 17 42 1 5 2006 Thursday Time range test Inactive 08 00 to 18 00 working day Create a...

Page 1416: ...c IPv4 ACL description text Optional By default a basic IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of the settings in which ca...

Page 1417: ...kets based on three priority criteria type of service ToS IP precedence and differentiated services codepoint DSCP priority Advanced IPv4 ACLs are numbered in the range 3000 to 3999 Compared with basic IPv4 ACLs they allow of more flexible and accurate filtering Configuration Prerequisites If you want to reference a time range in a rule define it with the time range command first Configuration Pro...

Page 1418: ...nced IPv4 ACL description text Optional By default an advanced IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of the settings in w...

Page 1419: ...e the command Remarks Enter system view system view Create an Ethernet frame header ACL and enter its view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name command to enter the view of the ACL later Create or modify a rule rule rule id deny permit cos ...

Page 1420: ...exist Configuration Example Configure ACL 4000 to deny frames with the 802 1p priority of 3 Sysname system view Sysname acl number 4000 Sysname acl ethernetframe 4000 rule deny cos 3 Verify the configuration Sysname acl ethernetframe 4000 display acl 4000 Ethernet frame ACL 4000 named none 1 rule ACL s step is 5 rule 0 deny cos excellent effort 5 times matched Copying an IPv4 ACL This feature allo...

Page 1421: ...ime range name all Available in any view Clear statistics about a specified or all IPv4 ACLs that are referenced by upper layer software reset acl counter acl number all name acl name Available in user view IPv4 ACL Configuration Example Network Requirements As shown in Figure 2 1 a company interconnects its departments through the switch Configure an ACL to deny access of all departments but the ...

Page 1422: ...IPv4 ACL 3000 Switch traffic classifier c_rd Switch classifier c_rd if match acl 3000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure class c_market for packets matching IPv4 ACL 3001 Switch traffic classifier c_market Switch classifier c_market if match acl 3001 S...

Page 1423: ...tch GigabitEthernet1 0 2 qos apply policy p_rd inbound Switch GigabitEthernet1 0 2 quit Apply QoS policy p_market to interface GigabitEthernet 1 0 3 Switch interface GigabitEthernet 1 0 3 Switch GigabitEthernet1 0 3 qos apply policy p_market inbound ...

Page 1424: ...dure Follow these steps to configure an IPv6 ACL To do Use the command Remarks Enter system view system view Create a basic IPv6 ACL view and enter its view acl ipv6 number acl6 number name acl6 name match order auto config Required The default match order is config If you specify a name for an IPv6 ACL when creating the ACL you can use the acl ipv6 name acl6 name command to enter the view of the ...

Page 1425: ...cl ipv6 number acl6 number name acl6 name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command must already exist Configuration Example Configure IPv6 ACL 2000 to permit IPv6 packets with the source address of 2030 5060 9050 64 and deny IPv6 packets with the source address of fe80 5060 8050 96 Sysname system view Sysname ...

Page 1426: ...pv6 type icmpv6 code icmpv6 message logging source source source prefix source source prefix any source port operator port1 port2 time range time range name Required To create or modify multiple rules repeat this step Note that if the ACL is to be referenced by a QoS policy for traffic classification the logging and fragment keywords are not supported and the operator argument cannot be z neq if t...

Page 1427: ... tcp source 2030 5060 9050 64 Verify the configuration Sysname acl6 adv 3000 display acl ipv6 3000 Advanced IPv6 ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 2030 5060 9050 64 5 times matched Copying an IPv6 ACL This feature allows you to copy an existing IPv6 ACL to generate a new one which is of the same type and has the same match order rules rule numbering step and descr...

Page 1428: ...Display the configuration and status on time range display time range time range name all Available in any view Clear statistics about a specified or all IPv6 ACLs that are referenced by upper layer software reset acl ipv6 counter acl6 number all name acl6 name Available in user view IPv6 ACL Configuration Example Network Requirements As shown in Figure 3 1 a company interconnects its departments ...

Page 1429: ...raffic behavior b_rd to deny matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Apply QoS policy p_rd to interface GigabitEthernet 1 0 1 Switch interface GigabitEthernet 1 0 ...

Page 1430: ...uction 1 3 Configuration Procedure 1 4 Displaying and Maintaining Source MAC Address Based ARP Attack Detection 1 4 Configuring ARP Packet Source MAC Address Consistency Check 1 4 Introduction 1 4 Configuration Procedure 1 5 Configuring ARP Active Acknowledgement 1 5 Introduction 1 5 Configuring the ARP Active Acknowledgement Function 1 5 Configuring ARP Detection 1 5 Introduction to ARP Detection...

Page 1431: ...device continuously resolves destination IP addresses and thus its CPU is overloaded z A large number of ARP packets to bring a great impact to the CPU For details about ARP attack features and types refer to ARP Attack Protection Technology White Paper Currently ARP attacks and viruses are threatening LAN security The device can provide multiple features to detect and prevent such attacks This ch...

Page 1432: ...e suppression function With the function enabled whenever the number of ARP requests triggered by the packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold the device suppresses the sending host from triggering any ARP requests within the following five seconds If the packets have various source addresses you can enable the ARP black hole ...

Page 1433: ...esult the device fails to deliver other functions properly or even crashes To prevent this you need to configure ARP packet rate limit It is recommended that you enable this feature after the ARP detection is configured or use this feature to prevent ARP flood attacks Configuration Procedure Follow these steps to configure ARP packet rate limit To do Use the command Remarks Enter system view syste...

Page 1434: ...fault Configure the threshold arp anti attack source mac threshold threshold value Optional 50 by default Configure the aging timer for source MAC address based ARP attack detection entries arp anti attack source mac aging time time Optional Five minutes by default Configure protected MAC addresses arp anti attack source mac exclude mac mac address 1 10 Optional Not configured by default After an ...

Page 1435: ...ks whether the ARP entry has been updated within the last minute z If yes the gateway does not update the ARP entry z If not the gateway unicasts an ARP request to the source MAC address of the ARP entry Then z If an ARP reply is received within five seconds the ARP packet is ignored z If not the gateway unicasts an ARP request to the MAC address of the ARP packet Then z If an ARP reply is receive...

Page 1436: ...he DHCP snooping entries If a match is found that is the parameters such as IP address MAC addresses port index and VLAN ID are consistent the ARP packet passes the check if not the ARP packet cannot pass the check z Upon receiving an ARP packet from an ARP trusted port the device does not check the ARP packet z If ARP detection is not enabled for the VLAN the ARP packet is not checked even if it ...

Page 1437: ...ommand Remarks Enter system view system view Enter VLAN view vlan vlan id Enable ARP detection for the VLAN arp detection enable Required Disabled by default That is the ARP packets received on all the ports in the VLAN will not be checked Return to system view quit Enter Ethernet interface view interface interface type interface number Configure the port as a trusted port arp detection trust Opti...

Page 1438: ...er the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header If they are identical the packet is forwarded otherwise the packet is discarded z dst mac Checks the target MAC address of ARP replies If the target MAC address is all zero all one or inconsistent with the destination MAC address in the Ethernet header the packet is considered invalid and disca...

Page 1439: ... with ARP detection display arp detection Available in any view Display the ARP detection statistics display arp detection statistics interface interface type interface number Available in any view Clear the ARP detection statistics reset arp detection statistics interface interface type interface number Available in user view ARP Detection Configuration Example I Network requirements z Configure ...

Page 1440: ...kets output 0 bytes 0 drops From the above information you can see that the MAC address of VLAN interface 10 is 000f e249 8050 3 Configure Host A and Host B as DHCP clients the configuration procedure is omitted 4 Configure Switch B Enable DHCP snooping SwitchB system view SwitchB dhcp snooping SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB Gigabit...

Page 1441: ... A as a DHCP server and enable 802 1X on Switch B Enable ARP detection for VLAN 10 to allow only packets from valid clients to pass z Configure Host A and Host B as local 802 1X access users Figure 1 2 Network diagram for ARP detection configuration Configuration procedure 1 Add all the ports on Switch B into VLAN 10 and configure the IP address of VLAN interface 10 on Switch A the configuration p...

Page 1442: ...e 802 1x function SwitchB system view SwitchB dot1x SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dot1x SwitchB GigabitEthernet1 0 1 quit SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 dot1x SwitchB GigabitEthernet1 0 2 quit Add local access user test SwitchB local user test SwitchB luser test service type lan access SwitchB luser test password simple t...

Page 1443: ...i Table of Contents 1 URPF Configuration 1 1 URPF Overview 1 1 What is URPF 1 1 How URPF Works 1 1 Configuring URPF 1 2 ...

Page 1444: ...2 2 2 1 8 in response to the request Consequently both Switch B and Switch C are attacked URPF can prevent source address spoofing attacks How URPF Works URPF works as follows 1 First URPF checks the source address validity and then z Discards packets with broadcast source addresses z Discards packets with all zero source addresses but non broadcast destination addresses A packet with source addre...

Page 1445: ...1 2 Configuring URPF Follow these steps to configure URPF To do Use the command Remarks Enter system view system view Enable URPF check ip urpf strict Required Disabled by default ...

Page 1446: ... Smart Link Overview z Configuring a Smart Link Device z Configuring an Associated Device Monitor Link Monitor link is a port collaboration function used to enable a device to be aware of the up down state change of the ports on an indirectly connected link This document describes z Monitor Link Overview z Configuring Monitor Link RRPP RRPP is a link layer protocol designed for Ethernet rings RRPP...

Page 1447: ...nnectivity Fault Detection Overview z Basic Configuration Tasks z Configuring CC on MEPs z Configuring LB on MEPs z Configuring LT on MEPs BFD Bidirectional forwarding detection BFD provides a single mechanism to quickly detect and monitor the connectivity of links in networks z Configuring BFD Basic Functions z Configuring Protocol based BFD z Enabling Trap Track The track module is used to imple...

Page 1448: ...playing and Maintaining VRRP for IPv4 1 13 Configuring VRRP for IPv6 1 13 VRRP for IPv6 Configuration Task List 1 13 Configuring the Association Between Virtual IPv6 Address and MAC Address 1 13 Creating VRRP Group and Configuring Virtual IPv6 Address 1 14 Configuring Router Priority Preemptive Mode and Interface Tracking 1 15 Configuring VRRP Packet Attributes 1 16 Displaying and Maintaining VRRP...

Page 1449: ...nt the interfaces that VRRP involves can only be VLAN interfaces unless otherwise specified Introduction to VRRP VRRP Overview Normally as shown in Figure 1 1 you can configure a default route with the gateway as the next hop for every host on a network segment All packets destined to other network segments are sent over the default route to the gateway and then be forwarded by the gateway However...

Page 1450: ...v2 and VRRPv3 VRRPv2 is based on IPv4 and VRRPv3 is based on IPv6 The two versions implement the same functions but provide different commands VRRP Group Overview VRRP combines a group of routers including a master and multiple backups on a LAN into a virtual router called VRRP group A VRRP group has the following features z A virtual router has a virtual IP address A host on the LAN only needs to...

Page 1451: ...e same priority the router with a higher IP address becomes the master Working mode A router in a VRRP group works in one of the following two modes z Non preemptive mode When a router in the VRRP group becomes the master it stays as the master as long as it operates normally even if a backup is assigned a higher priority later z Preemptive mode When a backup finds its priority higher than that of...

Page 1452: ... master and sends VRRP advertisements to start a new master election VRRP preemption delay timer In an unstable network a backup can fail to receive the packets from the master due to network congestion and thus the members in the group change their states frequently Set the VRRP preemption delay timer to address the problem With the VRRP preemption delay timer set if a backup receives no advertis...

Page 1453: ...he number of the virtual IP addresses z Authentication Data Authentication key Currently this field is used only for simple authentication and is 0 for any other authentication modes IPv6 based VRRP packet format Figure 1 4 Format of IPv6 based VRRP packet Version Type Virtual Rtr ID Priority Count IPv6 Addrs Auth Type Adver Int Checksum IPv6 address 1 Authentication data 1 Authentication data 2 I...

Page 1454: ... does not receive any VRRP advertisement it considers that the master fails In this case the backup considers itself as the master and sends VRRP advertisements to start a new master election VRRP Tracking Tracking a specified interface The interface tracking function expands the backup functionality of VRRP It provides backup not only when the interface to which a VRRP group is assigned fails but...

Page 1455: ...s the master and therefore can forward packets to external networks whereas Router B and Router C are backups and are thus in the state of listening If Router A fails Router B and Router C elect for a new master The new master takes over the forwarding task to provide services to hosts on the LAN Load balancing You can create more than one VRRP group on an interface of a router and allow the route...

Page 1456: ...that each router holds such a priority in each VRRP group that it will take the expected role in the group Configuring VRRP for IPv4 VRRP for IPv4 Configuration Task List Complete these tasks to configure VRRP for IPv4 Task Remarks Configuring the Association Between Virtual IP Address and MAC Address Optional Creating VRRP Group and Configuring Virtual IP Address Required Configuring Router Prior...

Page 1457: ...ess owner according the real MAC address Follow these steps to configure the association between MAC address and virtual IP address To do Use the command Remarks Enter system view system view Configure the association between virtual IP address and MAC address vrrp method real mac virtual mac Optional The virtual MAC address is associated with the virtual IP address by default You should configure...

Page 1458: ...group resides or the IP address of an interface on a router in the VRRP group In the latter case the router is called the IP address owner z Removal of the VRRP group on the IP address owner will cause IP address collision In such a case it is recommended to modify the IP address of the interface on the IP address owner to resolve the collision z The virtual IP address of the VRRP group cannot be ...

Page 1459: ... tracked vrrp vrid virtual router id track interface interface type interface number reduced priority reduced Optional No interface is being tracked by default Configure VRRP to track a specified Track object vrrp vrid virtual router id track track entry number reduced priority reduced switchover Optional Not configured by default z The running priority of an IP address owner is always 255 and you...

Page 1460: ...he members of the same VRRP group must use the same authentication mode and authentication key z Excessive traffic or different timer setting on routers can cause the Backup timer to time out abnormally and trigger a change of the state To solve this problem you can prolong the time interval to send VRRP packets and configure a preemption delay Enabling the Trap Function of VRRP After the trap fun...

Page 1461: ...ing Virtual IPv6 Address Required Configuring Router Priority Preemptive Mode and Interface Tracking Optional Configuring VRRP Packet Attributes Optional Configuring the Association Between Virtual IPv6 Address and MAC Address After the virtual IPv6 address of a VRRP group is associated with the MAC address the master takes the configured MAC address as the source MAC address of the packets to be ...

Page 1462: ...d configure this function before creating a VRRP group Otherwise you cannot modify the mapping between the virtual IPv6 address and the MAC address Creating VRRP Group and Configuring Virtual IPv6 Address You need to configure a virtual IPv6 address for a VRRP group when creating the VRRP group You can configure multiple virtual IPv6 addresses for a VRRP group A VRRP group is created automatically...

Page 1463: ...ses in it In addition configurations on that VRRP group no longer take effect z Removal of the VRRP group on the IP address owner will cause IP address collision In such a case it is recommended to modify the IPv6 address of the interface on the IP address owner to resolve the collision Configuring Router Priority Preemptive Mode and Interface Tracking Configuration prerequisites Before configurin...

Page 1464: ...relevant attributes of VRRP packets you should first create a VRRP group and configure a virtual IPv6 address Configuration procedure Follow these steps to configure VRRP packet attributes To do Use the command Remarks Enter system view system view Enter the specified interface view interface interface type interface number Configure the authentication mode and authentication key when the VRRP gro...

Page 1465: ... Example z VRRP Interface Tracking Configuration Example z Multiple VRRP Group Configuration Example Single VRRP Group Configuration Example Network requirements z Host A needs to access Host B on the Internet using 202 38 160 111 24 as its default gateway z Switch A and Switch B belong to VRRP group 1 with the virtual IP address of 202 38 160 111 24 z If Switch A operates normally packets sent fr...

Page 1466: ...e VRRP group 1 and set its virtual IP address to be 202 38 160 111 SwitchB Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set Switch B to work in preemptive mode The preemption delay is five seconds SwitchB Vlan interface2 vrrp vrid 1 preempt mode timer delay 5 3 Verify the configuration After the configuration Host B can be pinged through on Host A You can use the display vrrp verbose comm...

Page 1467: ...Method VIRTUAL MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 5 Auth Type NONE Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 2 The above information indicates that if Switch A fails Switch B becomes the master and packets sent from Host A to Host B a...

Page 1468: ...ce2 vrrp vrid 1 priority 110 Configure the authentication mode of the VRRP group as simple and authentication key as hello SwitchA Vlan interface2 vrrp vrid 1 authentication mode simple hello Set the interval for Master to send VRRP advertisement to five seconds SwitchA Vlan interface2 vrrp vrid 1 timer advertise 5 Set the interface to be tracked SwitchA Vlan interface2 vrrp vrid 1 track interface...

Page 1469: ... IF Vlan3 Pri Reduced 30 Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 Display detailed information of VRRP group 1 on Switch B SwitchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode...

Page 1470: ...bove information indicates that if VLAN interface 3 on Switch A is not available the priority of Switch A is reduced to 80 and it becomes the backup Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B Multiple VRRP Group Configuration Example Network requirements z Hosts in VLAN 2 use 202 38 160 100 25 as their default gateway and hosts in VLAN 3 use 202 38...

Page 1471: ...ip address 202 38 160 1 255 255 255 128 Create a VRRP group 1 and set its virtual IP address to 202 38 160 100 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 100 Configure the priority of Switch A in VRRP group 1 as 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 SwitchA Vlan interface2 quit Configure VLAN 3 SwitchA vlan 3 SwitchA vlan3 port gigabitethernet 1 0 6 SwitchA vlan3 quit...

Page 1472: ...10 3 Verify the configuration You can use the display vrrp verbose command to verify the configuration Display detailed information of the VRRP group on Switch A SwitchA Vlan interface3 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Total number of virtual routers 2 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt ...

Page 1473: ...ugh Switch A in VRRP group 2 Switch A is the backup Switch B is the master and hosts with the default gateway of 202 38 160 200 25 accesses the Internet through Switch B IPv6 Based VRRP Configuration Examples This section provides these configuration examples z Single VRRP Group Configuration Example z VRRP Interface Tracking Configuration Example z Multiple VRRP Group Configuration Example Single...

Page 1474: ...ate a VRRP group 1 and set its virtual IPv6 addresses to FE80 10 and 1 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip 1 10 Set the priority of Switch A in VRRP group 1 to 110 SwitchA Vlan interface2 vrrp ipv6 vrid 1 priority 110 Set Switch A to work in preemptive mode with the preemption delay set to 5 seconds SwitchA V...

Page 1475: ...bose IPv6 Standby Information Run Method VIRTUAL MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 5 Auth Type NONE Virtual IP FE80 10 1 10 Virtual MAC 0000 5e00 0201 Master IP FE80 1 Display detailed information of VRRP group 1 on Switch B SwitchB Vlan interface2 display vrrp i...

Page 1476: ...tch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B VRRP Interface Tracking Configuration Example Network requirements z Host A needs to access Host B on the Internet using 1 10 64 as its default gateway z Switch A and Switch B belong to VRRP group 1 with the virtual IP addresses of 1 10 64 and FE80 10 z If Switch A operates normally packets sent from Host A t...

Page 1477: ...chA Vlan interface2 vrrp ipv6 vrid 1 preempt mode timer delay 5 Set the interface to be tracked SwitchA Vlan interface2 vrrp ipv6 vrid 1 track interface vlan interface 3 reduced 30 2 Configure Switch B Configure VLAN 2 SwitchB system view SwitchB ipv6 SwitchB vlan 2 SwitchB vlan2 port gigabitethernet 1 0 5 SwitchB vlan2 quit SwitchB interface vlan interface 2 SwitchB Vlan interface2 ipv6 address f...

Page 1478: ...MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 500 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 5 Auth Type SIMPLE TEXT Key hello Virtual IP FE80 10 1 10 Master IP FE80 1 The above information indicates that in VRRP group 1 Switch A is the master Switch B is the backup and packets sent from Host A to Host B are forwarded by...

Page 1479: ... is not available the priority of Switch A is reduced to 80 and Switch A becomes the backup Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B Multiple VRRP Group Configuration Example Network requirements z Hosts in VLAN 2 use 1 10 64 as their default gateway and hosts in VLAN 3 use 2 10 64 as their default gateway z Switch A and Switch B belong to both V...

Page 1480: ...v6 vrid 1 virtual ip fe80 10 link local SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip 1 10 Set the priority of Switch A in VRRP group 1 to 110 SwitchA Vlan interface2 vrrp ipv6 vrid 1 priority 110 SwitchA Vlan interface2 quit Configure VLAN 3 SwitchA vlan 3 SwitchA vlan3 port gigabitethernet 1 0 6 SwitchA vlan3 quit SwitchA interface vlan interface 3 SwitchA Vlan interface3 ipv6 address fe90...

Page 1481: ... 64 Create VRRP group 2 and set its virtual IPv6 addresses to FE90 10 and 2 10 SwitchB Vlan interface3 vrrp ipv6 vrid 2 virtual ip fe90 10 link local SwitchB Vlan interface3 vrrp ipv6 vrid 2 virtual ip 2 10 Set the priority of Switch B in VRRP group 2 to 110 SwitchB Vlan interface3 vrrp ipv6 vrid 2 priority 110 3 Verify the configuration You can use the display vrrp ipv6 verbose command to verify ...

Page 1482: ...erface3 VRID 2 Adver Timer 100 Admin Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE90 10 2 10 Virtual MAC 0000 5e00 0202 Master IP FE90 2 The above information indicates that in VRRP group 1 Switch A is the master Switch B is the backup and hosts with the default gateway of 1 10 64 accesses the Internet through Switch A in VRRP group 2 ...

Page 1483: ...a short period This is normal and requires no manual intervention z Multiple masters coexist for a long period This is because devices in the VRRP group cannot receive VRRP packets or the received VRRP packets are illegal Solution Ping between these masters and do the following z If the ping fails check network connectivity z If the ping succeeds check that their configurations are consistent in t...

Page 1484: ...Ports for a Smart Link Group 1 6 Configuring Role Preemption for a Smart Link Group 1 7 Enabling the Sending of Flush Messages 1 7 Smart Link Device Configuration Example 1 8 Configuring an Associated Device 1 8 Enabling the Receiving of Flush Messages 1 8 Associated Device Configuration Example 1 9 Displaying and Maintaining Smart Link 1 9 Smart Link Configuration Examples 1 10 Single Smart Link ...

Page 1485: ...vice connects to two different upstream devices as shown in Figure 1 1 Figure 1 1 Diagram for a dual uplink network GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 A dual uplink network demonstrates high reliability but it may contain network loops In most cases Spanning Tree Protocol STP or Rapid Ring Protection Protocol RRPP is used to remove network loops The problem with STP however is that ST...

Page 1486: ...ach form a smart link group with GE1 0 1 being active and GE1 0 2 being standby Master slave port Master port and slave port are two port roles in a smart link group When both ports in a smart link group are up the master port preferentially transits to the forwarding state while the slave port stays in the standby state Once the master port fails the slave port takes over to forward traffic As sh...

Page 1487: ...ange z To keep traffic forwarding stable the master port that has been blocked due to link failure does not take over immediately upon its recovery Instead link switchover will occur at next link switchover Topology change mechanism As link switchover can outdate the MAC address forwarding entries and ARP ND entries on all devices you need a forwarding entry update mechanism to ensure proper trans...

Page 1488: ... Ports for a Smart Link Group Required Configuring Role Preemption for a Smart Link Group Optional Configuring a Smart Link Device Enabling the Sending of Flush Messages Optional Configuring an Associated Device Enabling the Receiving of Flush Messages Required z A smart link device is a device that supports Smart Link and is configured with a smart link group and a transmit control VLAN for flush...

Page 1489: ... MSTIs To view VLAN to MSTI mappings use the display stp region configuration command For VLAN to MSTI mapping configuration refer to MSTP Configuration in the Access Volume Configuring Member Ports for a Smart Link Group You can configure member ports for a smart link group either in smart link group view or in interface view The configurations made in these two views have the same effect In smar...

Page 1490: ...ink group view smart link group group id Enable role preemption preemption mode role Required Disabled by default Configure the preemption delay preemption delay delay time Optional 1 second by default The preemption delay configuration takes effect only after role preemption is enabled Enabling the Sending of Flush Messages Follow these steps to enable the sending of flush messages To do Use the ...

Page 1491: ... 1 Sysname GigabitEthernet1 0 1 undo stp enable Sysname GigabitEthernet1 0 1 port link type trunk Sysname GigabitEthernet1 0 1 port trunk permit vlan 20 Sysname GigabitEthernet1 0 1 quit Sysname interface gigabitethernet 1 0 2 Sysname GigabitEthernet1 0 2 undo stp enable Sysname GigabitEthernet1 0 2 port link type trunk Sysname GigabitEthernet1 0 2 port trunk permit vlan 20 Sysname GigabitEthernet...

Page 1492: ...they are not the same the associated device will forward the received flush messages directly without any processing z Do not remove the control VLANs Otherwise flush messages cannot be sent properly z Make sure that the control VLANs are existing VLANs and assign the ports capable of receiving flush messages to the control VLANs Associated Device Configuration Example Network requirements Configu...

Page 1493: ...e C and Device D are dually uplinked to Device A z Configure Smart Link on the devices for dual uplink backup using VLAN 1 the default for flush update Figure 1 2 Single smart link group configuration Configuration procedure 1 Configuration on Device C Create VLANs 1 through 30 map VLANs 1 through 10 VLANs 11 through 20 and VLANs 21 through 30 to MSTI 0 MSTI 1 and MSTI 2 respectively and activate ...

Page 1494: ...port gigabitethernet 1 0 2 slave Enable flush message sending in smart link group 1 DeviceC smlk group1 flush enable DeviceC smlk group1 quit 2 Configuration on Device D Create VLANs 1 through 30 map VLANs 1 through 10 VLANs 11 through 20 and VLANs 21 through 30 to MSTI 0 MSTI 1 and MSTI 2 respectively and activate the MST region configuration DeviceD system view DeviceD vlan 1 to 30 DeviceD stp r...

Page 1495: ...viceB GigabitEthernet1 0 1 port trunk permit vlan 1 to 30 DeviceB GigabitEthernet1 0 1 smart link flush enable DeviceB GigabitEthernet1 0 1 quit DeviceB interface gigabitethernet 1 0 2 DeviceB GigabitEthernet1 0 2 port link type trunk DeviceB GigabitEthernet1 0 2 port trunk permit vlan 1 to 30 DeviceB GigabitEthernet1 0 2 smart link flush enable DeviceB GigabitEthernet1 0 2 quit DeviceB interface ...

Page 1496: ... to 30 DeviceA GigabitEthernet1 0 1 smart link flush enable DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 port trunk permit vlan 1 to 30 DeviceA GigabitEthernet1 0 2 smart link flush enable DeviceA GigabitEthernet1 0 2 quit 6 Verifying the configurations You can use the display smart link gro...

Page 1497: ...roup 1 references MSTI 0 and smart link group 2 references MSTI 2 z The control VLAN of smart link group 1 is VLAN 10 and that of smart link group 2 is VLAN 101 Figure 1 3 Multiple smart link groups load sharing configuration Device A Device D Device B GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 Device C GE1 0 1 GE1 0 2 Configuration procedure 1 Configuration on Device C Create VLAN 1 through ...

Page 1498: ...mlk group 1 flush enable control vlan 10 DeviceC smlk group 1 quit Create smart link group 2 and configure all VLANs mapped to MSTI 2 as the protected VLANs for smart link group 2 DeviceC smart link group 2 DeviceC smlk group2 protected vlan reference instance 2 Configure GigabitEthernet 1 0 1 as the slave port and GigabitEthernet 1 0 2 as the master port for smart link group 2 DeviceC smlk group2...

Page 1499: ...gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2 port link type trunk DeviceD GigabitEthernet1 0 2 port trunk permit vlan 1 to 200 DeviceD GigabitEthernet1 0 2 smart link flush enable control vlan 10 101 DeviceD GigabitEthernet1 0 2 quit 4 Configuration on Device A Create VLAN 1 through VLAN 200 DeviceA system view DeviceA vlan 1 to 200 Configure GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 a...

Page 1500: ...e ROLE Control VLAN 101 Protected VLAN Reference Instance 2 Member Role State Flush count Last flush time GigabitEthernet1 0 2 MASTER ACTVIE 5 16 37 20 2009 02 21 GigabitEthernet1 0 1 SLAVE STANDBY 1 17 45 20 2009 02 21 You can use the display smart link flush command to display the flush messages received on each device For example Display the flush messages received on Device B DeviceB display s...

Page 1501: ...ew 1 1 Terminology 1 1 How Monitor Link Works 1 1 Configuring Monitor Link 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Monitor Link Configuration Example 1 2 Displaying and Maintaining Monitor Link 1 3 Monitor Link Configuration Example 1 3 ...

Page 1502: ... port can be assigned to only one monitor link group Both Layer 2 Ethernet ports and Layer 2 aggregate interfaces can be assigned to a monitor link group Uplink The uplink is the link monitored by the monitor link group The monitor link group is down when the group has no uplink ports or all uplink ports are down The monitor link group is up when any uplink port is up Downlink The downlink is the ...

Page 1503: ... more uplink ports In monitor link group view port interface type interface number downlink Configure the downlink for the monitor link group In Ethernet port view or Layer 2 aggregate interface view port monitor link group group id downlink Use either approach Repeat this step to add more downlink ports z A port can be assigned to only one monitor link group z You are recommended to configure upl...

Page 1504: ...ver in the smart link group For detailed information about smart link refer to Smart Link Configuration in the High Availability Volume Figure 1 1 Network diagram for smart link in combination with monitor link configuration Device A Device B Device C Device D GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 2 Configuration procedure 1 Configuration on Device C Disable STP on GigabitE...

Page 1505: ...0 2 DeviceA GigabitEthernet1 0 2 smart link flush enable 3 Configuration on Device B Create monitor link group 1 DeviceB system view DeviceB monitor link group 1 Configure GigabitEthernet 1 0 1 as an uplink port and GigabitEthernet 1 0 2 as a downlink port for monitor link group 1 DeviceB mtlk group1 port gigabitethernet 1 0 1 uplink DeviceB mtlk group1 port gigabitethernet 1 0 2 downlink DeviceB ...

Page 1506: ... 1 and GigabitEthernet 1 0 2 separately DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 smart link flush enable DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2 smart link flush enable ...

Page 1507: ...figuring Control VLANs 1 11 Configuring Protected VLANs 1 11 Configuring RRPP Rings 1 12 Configuring RRPP Ports 1 12 Configuring RRPP Nodes 1 13 Activating an RRPP Domain 1 15 Configuring RRPP Timers 1 15 Configuring an RRPP Ring Group 1 16 Displaying and Maintaining RRPP 1 17 RRPP Configuration Examples 1 17 Single Ring Configuration Example 1 17 Intersecting Ring Configuration Example 1 19 Inter...

Page 1508: ...ee protocols RRPP features the following z Fast topology convergence z Convergence time independent of Ethernet ring size Background Metropolitan area networks MANs and enterprise networks usually use the ring structure to improve reliability However services will be interrupted if any node in the ring network fails A ring network usually uses Resilient Packet Ring RPR or Ethernet rings RPR is hig...

Page 1509: ...one of the following two states z Health state All the physical links on the Ethernet ring are connected z Disconnect state Some physical links on the Ethernet ring are broken As shown in Figure 1 1 Domain 1 contains two RRPP rings Ring 1 and Ring 2 The level of Ring 1 is set to 0 that is Ring 1 is configured as the primary ring the level of Ring 2 is set to 1 that is Ring 2 is configured as a sub...

Page 1510: ...o detect the integrity of the primary ring and perform loop guard As shown in Figure 1 1 Ring 1 is the primary ring and Ring 2 is a subring Device A is the master node of Ring 1 Device B Device C and Device D are the transit nodes of Ring 1 Device E is the master node of Ring 2 Device B is the edge node of Ring 2 and Device C is the assistant edge node of Ring 2 Primary port and secondary port Eac...

Page 1511: ...ode RRPP ring group Up to one subring in an edge node RRPP ring group is allowed to send Edge Hello packets RRPPDUs Table 1 1 shows the types of RRPPDUs and their functions Table 1 1 RRPPDU types and their functions Type Description Hello The master node initiates Hello packets to detect the integrity of a ring in a network Link Down The transit node the edge node or the assistant edge node initia...

Page 1512: ... to check the Health state of the ring network The master node sends Hello packets out its primary port periodically and these Hello packets travel through each transit node on the ring in turn z If the ring is complete the secondary port of the master node will receive Hello packets before the Fail timer expires and the master node will keep the secondary port blocked z If the ring is torn down t...

Page 1513: ... VLANs referred to as protected VLANs in a ring network traffic of different VLANs can be transmitted according to different topologies in the ring network In this way load balancing is achieved As shown in Figure 1 6 Ring 1 is configured as the primary ring of Domain 1 and Domain 2 which are configured with different protected VLANs Device A is the master node of Ring 1 in Domain 1 Device B is th...

Page 1514: ... or more rings in the network topology and only one common node between rings In this case you need to define an RRPP domain for each ring Figure 1 3 Schematic diagram for a tangent ring network Intersecting rings As shown in Figure 1 4 there are two or more rings in the network topology and two common nodes between rings In this case you only need to define an RRPP domain and configure one ring a...

Page 1515: ...m for a dual homed ring network Single ring load balancing In a single ring network you can achieve load balancing by configuring multiple domains As shown in Figure 1 6 Ring 1 is configured as the primary ring of both Domain 1 and Domain 2 Domain 1 and Domain 2 are configured with different protected VLANs In Domain 1 Device A is configured as the master node of Ring 1 in Domain 2 Device B is con...

Page 1516: ... Device E is configured as the master node of Ring 2 in both Domain 1 and Domain 2 However different ports on Device E are blocked in Domain 1 and Domain 2 With the configurations you can enable traffic of different VLANs to travel over different paths in the subring and primary ring thus achieving intersecting ring load balancing Figure 1 7 Schematic diagram for an intersecting ring load balancin...

Page 1517: ...er node in the RRPP domain Configuring an RRPP Ring Group Optional Perform this task on the edge node and assistant edge node in the RRPP domain z RRPP does not have an auto election mechanism so you must configure each node in the ring network properly for RRPP to monitor and protect the ring network z Before configuring RRPP you need to construct a ring shaped Ethernet topology physically Creati...

Page 1518: ...red with RRPP you must ensure only the two ports connecting the device to the RRPP ring permit the packets of the control VLANs Otherwise the packets from other VLANs may go into the control VLANs in transparent transmission mode and strike the RRPP ring Configuring Protected VLANs Before configuring RRPP rings in an RRPP domain configure the same protected VLANs for all nodes in the RRPP domain f...

Page 1519: ...ng RRPP Ports Perform this configuration on each node s ports intended for accessing RRPP rings Follow these steps to configure RRPP ports To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Configure the link type of the interface as trunk port link type trunk Required By default the link type of an interface is access Configu...

Page 1520: ...me Configuring RRPP Nodes z The maximum number of rings that can be configured on a device in all RRPP domains is 16 z If a device carries multiple RRPP rings in an RRPP domain only one ring can be configured as the primary ring on the device and the role of the device on a subring can only be an edge node or an assistant edge node Specifying a master node Perform this configuration on a device to...

Page 1521: ...e interface number secondary port interface type interface number level level value Required Specify the current device as the edge node of a subring and specify the edge port ring ring id node mode edge edge port interface type interface number Required Specifying an assistant edge node When configuring an assistant edge node you must first configure the primary ring before configuring the subrin...

Page 1522: ...de or assistant edge node enable disable the primary ring and subrings separately as follows z Enable the primary ring of an RRPP domain before enabling subrings of the RRPP domain z Disable the primary ring of an RRPP domain after disabling all subrings of the RRPP domain Configuring RRPP Timers Perform this configuration on the master node of an RRPP domain Follow these steps to configure RRPP t...

Page 1523: ...emarks Enter system view system view Create an RRPP ring group and enter RRPP ring group view rrpp ring group ring group id Required Assign the specified subrings to the RRPP ring group domain domain id ring ring id list Required z You can assign a subring to only one RRPP ring group Make sure that the RRPP ring group configured on the edge node and that configured on the assistant edge node must ...

Page 1524: ...y control VLAN of RRPP domain 1 as VLAN 4092 and RRPP domain 1 protects all VLANs z Device A Device B Device C and Device D constitute primary ring 1 z Specify Device A as the master node of primary ring 1 GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port z Specify Device B Device C and Device D as the transit nodes of primary ring 1 their GigabitEthernet 1 ...

Page 1525: ...ing 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceA rrpp domain1 ring 1 node mode master primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceA rrpp domain1 ring 1 enable DeviceA rrpp domain1 quit Enable RRPP DeviceA rrpp enable 2 Configuration on Device B Configure the suppression time of p...

Page 1526: ...d here 5 Verification After the above configuration you can use the display command to view RRPP configuration and operational information on each device Intersecting Ring Configuration Example Networking requirements As shown in Figure 1 9 z Device A Device B Device C and Device D constitute RRPP domain 1 VLAN 4092 is the primary control VLAN of RRPP domain 1 and RRPP domain 1 protects all the VL...

Page 1527: ... interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 link delay 0 DeviceA GigabitEthernet1 0 2 undo stp enable DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 port trunk permit vlan all DeviceA GigabitEthernet1 0 2 qos trust dot1p DeviceA GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and confi...

Page 1528: ...tEthernet1 0 2 quit DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 link delay 0 DeviceB GigabitEthernet1 0 3 undo stp enable DeviceB GigabitEthernet1 0 3 port link type trunk DeviceB GigabitEthernet1 0 3 port trunk permit vlan all DeviceB GigabitEthernet1 0 3 qos trust dot1p DeviceB GigabitEthernet1 0 3 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN...

Page 1529: ... interface gigabitethernet 1 0 3 DeviceC GigabitEthernet1 0 3 link delay 0 DeviceC GigabitEthernet1 0 3 undo stp enable DeviceC GigabitEthernet1 0 3 port link type trunk DeviceC GigabitEthernet1 0 3 port trunk permit vlan all DeviceC GigabitEthernet1 0 3 qos trust dot1p DeviceC GigabitEthernet1 0 3 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and confi...

Page 1530: ...PP domain 1 and configure VLANs mapped to MSTIs 0 through 32 as the protected VLANs of RRPP domain 1 DeviceD rrpp domain 1 DeviceD rrpp domain1 control vlan 4092 DeviceD rrpp domain1 protected vlan reference instance 0 to 32 Configure Device D as the transit node of primary ring 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 Devic...

Page 1531: ...al information on each device Intersecting Ring Load Balancing Configuration Example Networking requirements z Device A Device B Device C Device D and Device F constitute RRPP domain 1 and VLAN 100 is the primary control VLAN of the RRPP domain Device A is the master node of the primary ring Ring 1 Device D is the transit node of the primary ring Ring 1 Device F is the master node of the subring R...

Page 1532: ...figure the suppression time of physical link state changes on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as zero disable STP configure the two ports as trunk ports remove them from VLAN 1 and assign them to VLAN 10 and VLAN 20 and configure them to trust the 802 1p precedence of the received packets DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 link delay 0 DeviceA Giga...

Page 1533: ...rpp domain1 ring 1 enable DeviceA rrpp domain1 quit Create RRPP domain 2 configure VLAN 105 as the primary control VLAN of RRPP domain 2 and configure the VLAN mapped to MSTI 2 as the protected VLAN of RRPP domain 2 DeviceA rrpp domain 2 DeviceA rrpp domain2 control vlan 105 DeviceA rrpp domain2 protected vlan reference instance 2 Configure Device A as the master node of primary ring 1 with Gigabi...

Page 1534: ...gure the port as a trunk port remove it from VLAN 1 and assign it to VLAN 20 and configure it to trust the 802 1p precedence of the received packets DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 link delay 0 DeviceB GigabitEthernet1 0 3 undo stp enable DeviceB GigabitEthernet1 0 3 port link type trunk DeviceB GigabitEthernet1 0 3 undo port trunk permit vlan 1 DeviceB Gigabit...

Page 1535: ... node of primary ring 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceB rrpp domain2 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceB rrpp domain2 ring 1 enable Configure Device B as the assistant edge node of subring 2 in RRPP domain 2 with GigabitEthernet 1 0 3...

Page 1536: ...ce of the received packets DeviceC interface gigabitethernet 1 0 3 DeviceC GigabitEthernet1 0 3 link delay 0 DeviceC GigabitEthernet1 0 3 undo stp enable DeviceC GigabitEthernet1 0 3 port link type trunk DeviceC GigabitEthernet1 0 3 undo port trunk permit vlan 1 DeviceC GigabitEthernet1 0 3 port trunk permit vlan 20 DeviceC GigabitEthernet1 0 3 qos trust dot1p DeviceC GigabitEthernet1 0 3 quit Con...

Page 1537: ...bitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceC rrpp domain2 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceC rrpp domain2 ring 1 enable Configure Device C as the edge node of subring 2 in RRPP domain 2 with GigabitEthernet 1 0 3 as the edge port and enable subring 2 DeviceC rrpp domain2 ring 2 node mode edge edge po...

Page 1538: ...rence instance 1 Configure Device D as the transit node of primary ring 1 in RRPP domain 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceD rrpp domain1 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceD rrpp domain1 ring 1 enable DeviceD rrpp domain1 quit Create RR...

Page 1539: ...1 0 2 undo stp enable DeviceE GigabitEthernet1 0 2 port link type trunk DeviceE GigabitEthernet1 0 2 undo port trunk permit vlan 1 DeviceE GigabitEthernet1 0 2 port trunk permit vlan 20 DeviceE GigabitEthernet1 0 2 qos trust dot1p DeviceE GigabitEthernet1 0 2 quit Create RRPP domain 2 configure VLAN 105 as the primary control VLAN and configure the VLAN mapped to MSTI 2 as the protected VLAN Devic...

Page 1540: ...k permit vlan 10 DeviceF GigabitEthernet1 0 2 qos trust dot1p DeviceF GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 100 as the primary control VLAN and configure the VLAN mapped to MSTI 1 as the protected VLAN DeviceF rrpp domain 1 DeviceF rrpp domain1 control vlan 100 DeviceF rrpp domain1 protected vlan reference instance 1 Configure Device F as the master node of subring 3 in RRP...

Page 1541: ...me RRPP ring z Some ports are abnormal Solution z Use the display rrpp brief command to check whether RRPP is enabled for all nodes If not use the rrpp enable command and the ring enable command to enable RRPP and RRPP rings for all nodes z Use the display rrpp brief command to check whether the domain ID and primary control VLAN ID are the same for all nodes If not set the same domain ID and prim...

Page 1542: ...ng the Interval for Sending Advertisement Packets 1 9 Setting the DelayDown Timer 1 10 Setting the Port Shutdown Mode 1 10 Configuring DLDP Authentication 1 11 Resetting DLDP State 1 11 Resetting DLDP State in System View 1 12 Resetting DLDP State in Port view Port Group View 1 12 Displaying and Maintaining DLDP 1 12 DLDP Configuration Example 1 13 Troubleshooting 1 15 ...

Page 1543: ...ting Overview Background Sometimes unidirectional links may appear in networks On a unidirectional link one end can receive packets from the other end but the other end cannot Unidirectional links result in problems such as loops in an STP enabled network As for fiber links two kinds of unidirectional links exist One occurs when fibers are cross connected as shown in Figure 1 1 The other occurs wh...

Page 1544: ...th ends of a link are operating normally at the physical layer DLDP detects whether the link is correctly connected at the link layer and whether the two ends can exchange packets properly This is beyond the capability of the auto negotiation mechanism at the physical layer How DLDP Works DLDP link states A device is in one of these DLDP link states Initial Inactive Active Advertisement Probe Disa...

Page 1545: ... timer This timer is set to 10 seconds and is triggered when a device transits to the Probe state or an enhanced detect is launched When the Echo timer expires and no Echo packet has been received from a neighbor device the state of the link is set to unidirectional and the device transits to the Disable state In this case the device sends Disable packets prompts the user to shut down the port or ...

Page 1546: ...entry timer expires the Enhanced timer is triggered and the device sends up to eight Probe packets at a frequency of one packet per second to test the neighbor If no Echo packet is received from the neighbor when the Echo timer expires the device transits to the Disable state Table 1 3 DLDP mode and neighbor entry aging DLDP mode Detecting a neighbor after the corresponding neighbor entry ages out...

Page 1547: ... with the corresponding local configuration z Plain text authentication In this mode before sending a DLDP packet the sending side sets the Authentication field to the password configured in plain text and sets the Authentication type field to 1 The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the correspondi...

Page 1548: ... information If the corresponding neighbor entry already exists resets the Entry timer If yes no process is performed Flush packet Determines whether or not the local port is in Disable state If not removes the corresponding neighbor entry if any If the corresponding neighbor entry does not exist creates the neighbor entry transits to Probe state and returns Echo packets Probe packet Retrieves the...

Page 1549: ... port and removes the corresponding neighbor entry Link auto recovery mechanism If the port shutdown mode upon detection of a unidirectional link is set to auto DLDP sets the state of the port where a unidirectional link is detected to DLDP down automatically A DLDP down port cannot forward service traffic or send receive any PDUs except DLDPDUs On a DLDP down port DLDP monitors the unidirectional...

Page 1550: ...Authentication Optional Resetting DLDP State Optional Note that z DLDP takes effects only on Ethernet interfaces z DLDP can detect unidirectional links only after all links are connected Therefore before enabling DLDP make sure that optical fibers or copper twisted pairs are connected z To ensure unidirectional links can be detected make sure these settings are the same on the both sides DLDP stat...

Page 1551: ...re are two DLDP modes z Normal mode In this mode DLDP does not actively detect neighbors when the corresponding neighbor entries age out The system can identify only one type of unidirectional links cross connected fibers z Enhanced mode In this mode DLDP actively detects neighbors when the corresponding neighbor entries age out The system can identify two types of unidirectional links cross conne...

Page 1552: ...e Tx line fails the port goes down and then comes up again causing optical signal jitters on the Rx line When a port goes down due to a Tx failure the device transits to the DelayDown state instead of the Inactive state to prevent the corresponding neighbor entries from being removed In the same time the device triggers the DelayDown timer If the port goes up before the timer expires the device re...

Page 1553: ...mode z If the device is busy or the CPU utilization is high normal links may be treated as unidirectional links In this case you can set the port shutdown mode to manual mode to eliminate the effects caused by false unidirectional link report Configuring DLDP Authentication Follow these steps to configure DLDP authentication To do Use the command Remarks Enter system view system view Configure DLD...

Page 1554: ...state dldp reset Required Resetting DLDP State in Port view Port Group View Resetting DLDP state in port view or port group view applies to the current port or all the ports in the port group shut down by DLDP Follow these steps to reset DLDP state in port view port group view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface nu...

Page 1555: ... Device A Enable DLDP on GigabitEthernet1 0 50 and GigabitEthernet 1 0 51 DeviceA system view DeviceA interface gigabitethernet 1 0 50 DeviceA GigabitEthernet1 0 50 dldp enable DeviceA GigabitEthernet1 0 50 quit DeviceA interface gigabitethernet 1 0 51 DeviceA GigabitEthernet1 0 51 dldp enable DeviceA GigabitEthernet1 0 51 quit Set the interval for sending Advertisement packets to 6 seconds Device...

Page 1556: ...port is 0 The output information indicates that both GigabitEthernet 1 0 50 and GigabitEthernet 1 0 51 are in Disable state and the links are down which means unidirectional links are detected and the two ports are thus shut down Correct the fiber connections after detecting the problem and perform the following operations Reset DLDP state for the ports shut down by DLDP DeviceA dldp reset Display...

Page 1557: ... the two ports are restored Troubleshooting Symptom Two DLDP enabled devices Device A and Device B are connected through two fiber pairs in which two fibers are cross connected The unidirectional links cannot be detected all the four ports involved are in Advertisement state Analysis The problem can be caused by the following z The intervals for sending Advertisement packets on Device A and Device...

Page 1558: ...ration Task List 1 5 Configuring Basic Ethernet OAM Functions 1 6 Configuring Link Monitoring 1 6 Configuring Errored Symbol Event Detection 1 7 Configuring Errored Frame Event Detection 1 7 Configuring Errored Frame Period Event Detection 1 7 Configuring Errored Frame Seconds Event Detection 1 7 Enabling OAM Remote Loopback 1 8 Displaying and Maintaining Ethernet OAM Configuration 1 9 Ethernet OA...

Page 1559: ...ernet has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance OAM on Ethernet networks has now become an urgent matter As a tool monitoring Layer 2 link status Ethernet OAM is mainly used to address common link related issues on the last mile You can monitor the status of the point to point link between two directly connected...

Page 1560: ... be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the encapsulated protocol in the Ethernet OAMPDU The value is 0x8809 Subtype The specific protocol being encapsulated in the Ethernet OAMPDU The value is 0x03 Flags Status information of an Ethernet OAM entity Code Type of the Ethernet OAMPD...

Page 1561: ... interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM connections can be established An Ethernet OAM connection can be established only when the settings concerning Loopback link detecting and link event of the both sides match After an Ethernet OAM connect...

Page 1562: ...nk faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 1 4 the local OAM entity sends an Event Notification OAMPDU to notify the remote OAM entity With the log information network administrators can keep track of network status in time Table 1 4 describes the link events Table 1 ...

Page 1563: ...across established OAM connections an Ethernet OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs Therefore the network administrator can keep track of link status in time through the log information and troubleshoot in time Remote remote loopback Remote loopback is available only after the Ethernet OAM connection is established With remote loopback enabled the E...

Page 1564: ...e Ethernet port establishes an Ethernet OAM connection with its peer port Follow these steps to configure basic Ethernet OAM functions To do Use the command Remarks Enter system view System view Enter Ethernet port view interface interface type interface number Set Ethernet OAM operating mode oam mode active passive Optional The default is active Ethernet OAM mode Enable Ethernet OAM on the curren...

Page 1565: ...tem view Configure the errored frame event detection interval oam errored frame period period value Optional 1 second by default Configure the errored frame event triggering threshold oam errored frame threshold threshold value Optional 1 by default Configuring Errored Frame Period Event Detection An errored frame period event occurs if the number of frame errors in specific number of received fra...

Page 1566: ...ss than the errored frame seconds detection interval Otherwise no errored frame seconds event can be generated Enabling OAM Remote Loopback After enabling OAM remote loopback on a port you can send loopback frames from the port to a remote port and then observe how many of these loopback frames are returned In this way you can calculate the packet loss ratio on the link thus evaluating the link pe...

Page 1567: ...ration and Service Loopback Group Configuration in the Access Volume z Enabling internal loopback test on a port in remote loopback test can terminate the remote loopback test For more information about loopback test refer to Ethernet Interface Configuration in the Access Volume Displaying and Maintaining Ethernet OAM Configuration To do Use the command Remarks Display global Ethernet OAM configur...

Page 1568: ...view DeviceB interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 oam mode active DeviceB GigabitEthernet1 0 1 oam enable DeviceB GigabitEthernet1 0 1 quit 3 Verify the configuration Use the display oam configuration command to display the Ethernet OAM configuration For example Display the Ethernet OAM configuration on Device A DeviceA display oam configuration Configuration of the link ev...

Page 1569: ...sp 0 Critical Event 0 According to the above output information no critical link event occurred on the link between Device A and Device B Display Ethernet OAM link event statistics of the remote end of Device B DeviceB display oam link event remote Port GigabitEthernet1 0 1 Link Status Up OAMRemoteErrFrameEvent ms milliseconds Event Time Stamp 5789 Errored FrameWindow 10 100ms Errored Frame Thresh...

Page 1570: ...guration Prerequisites 1 8 Configuring Procedure 1 8 Configuring LB on MEPs 1 8 Configuration Prerequisites 1 8 Configuration Procedure 1 9 Configuring LT on MEPs 1 9 Configuration Prerequisites 1 9 Finding the Path Between a Source MEP and a Target MEP 1 9 Enabling Automatic LT Messages Sending 1 9 Displaying and Maintaining CFD 1 10 CFD Configuration Examples 1 10 Configuring Service Instance 1 ...

Page 1571: ...fined by some maintenance association end points MEPs configured on the ports A MD is identified by an MD name To locate faults exactly CFD introduces eight levels from 0 to 7 to MDs The bigger the number the higher the level and the larger the area covered Domains can touch or nest if the outer domain has a higher level than the nested one but cannot intersect or overlap MD levels facilitate faul...

Page 1572: ...EP ID The MEPs of an MD define the range and boundary of the MD The MA and MD that a MEP belongs to define the VLAN attribute and level of the packets sent by the MEP MEPs fall into inward facing MEPs and outward facing MEPs The level of a MEP determines the levels of packets that the MEP can process The packets transmitted from a MEP carry the level of the MEP An MEP forwards packets at a higher ...

Page 1573: ... forwards packets at a higher level without any processing Figure 1 4 demonstrates a grading example of the CFD module In the figure there are six devices labeled 1 through 6 respectively Suppose each device has two ports and MEPs and MIPs are configured on some of these ports Four levels of MDs are designed in this example the bigger the number the higher the level and the larger the area covered...

Page 1574: ...MEPs send CCMs at the same time the multipoint to multipoint link check is achieved Loopback Similar to ping at the IP layer loopback is responsible for verifying the connectivity between a local device and a remote device To implement this function the local MEP sends loopback messages LBMs to the remote MEP Depending on whether the local MEP can receive a loopback reply message LBR from the remo...

Page 1575: ...be designed at the device port MEPs can be designed on devices or ports that are not at the edges Complete the following tasks to configure CFD Tasks Remarks Basic Configuration Tasks Required These configurations are the foundation for other configuration tasks Configuring CC on MEPs Required Configuring the MEPs to send CCMs to manage link connectivity Configuring LB on MEPs Optional Checking li...

Page 1576: ...ted by default Create a service instance cfd service instance instance id md md name ma ma name Required Not created by default z These configuration tasks are the foundation for other CFD configuration tasks z The last three steps in the table above must be performed strictly in order Configuring MEP MEPs are functional entities in a service instance CFD is implemented through operations on MEPs ...

Page 1577: ...red By default neither the MIPs nor the rules for generating MIPs are configured MIPs are generated on each port automatically according to the rules specified in the cfd mip rule command If a port has no MIP the system will check the MAs in each MD from low to high levels and follow the rules in Table 1 1 to create or not create MIPs within a single VLAN Table 1 1 Rules for generating MIP MIP exi...

Page 1578: ...n the interval field value in the CCM messages the interval between CCM messages and the timeout time of the remote MEP is illustrated in Table 1 2 Table 1 2 Relationship of the interval field value the interval between CCM messages and the timeout time of the remote MEP The interval field value The interval between CCM messages The timeout time of the remote MEP 4 1 second 3 5 seconds 5 10 second...

Page 1579: ...a MEP fails to receive the CCMs from the remote MEP within 3 5 sending intervals the link between the two is regarded as faulty and LTMs will be sent out Based on the LTRs that echo back the fault source can be located Configuration Prerequisites Before configuring this function you should first complete MEP and MIP configuration tasks Finding the Path Between a Source MEP and a Target MEP Follow ...

Page 1580: ...mep service instance instance id mep mep id Available in any view Display the content of the LTR that responds to LTM messages display cfd linktrace reply auto detection size size value Available in any view CFD Configuration Examples Configuring Service Instance Network requirements As shown in Figure 1 5 there are five devices in the MDs Each device has four ports belonging to VLAN 100 The light...

Page 1581: ...e B DeviceB system view DeviceB cfd enable DeviceB cfd md MD_A level 5 DeviceB cfd ma MA_MD_A md MD_A vlan 100 DeviceB cfd service instance 1 md MD_A ma MA_MD_A DeviceB cfd md MD_B level 3 DeviceB cfd ma MA_MD_B md MD_B vlan 100 DeviceB cfd service instance 2 md MD_B ma MA_MD_B After the above configuration you can use the commands display cfd md display cfd ma and display cfd service instance to ...

Page 1582: ... 1001 DeviceA GigabitEthernet1 0 1 cfd remote mep 4002 service instance 1 mep 1001 DeviceA GigabitEthernet1 0 1 cfd mep service instance 1 mep 1001 enable DeviceA GigabitEthernet1 0 1 cfd cc service instance 1 mep 1001 enable 2 On Device B DeviceB system view DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 cfd mep 2001 service instance 2 outbound DeviceB GigabitEthernet1 0 3 c...

Page 1583: ...etwork requirements After finishing MEP configuration you can continue to configure the MIPs MIPs which are generated by some rules are configured in the following way z Decide the device on which MIPs are to be configured z Choose suitable rules for MIP generation By default MIP is not configured on a device If MIPs are to be configured on each port in the MD you should choose the default rule If...

Page 1584: ...own in Figure 1 6 enable LB on Device A so that Device A can send LBM messages to MEPs on Device D Configuration procedure Configure Device A DeviceA system view DeviceA cfd loopback service instance 1 mep 1001 target mep 4002 Configuring LT on MEPs Network requirements Use the LT function to find the path and locate the fault after you obtain the state of the entire network through the CC As show...

Page 1585: ...FD for VRRP 1 9 Configuring BFD for Static Routes 1 10 Enabling Trap 1 11 Displaying and Maintaining BFD 1 12 BFD Configuration Examples 1 12 Configuring BFD for OSPF 1 12 Configuring BFD for IS IS 1 15 Configuring BFD for RIP Single Hop Detection in BFD Echo Packet Mode 1 17 Configuring BFD for RIP Bidirectional Detection in BFD Control Packet Mode 1 21 Configuring BFD for BGP 1 25 Configuring BF...

Page 1586: ...erarchy transmission system alarms z If no hardware detection signals are provided or failures cannot be detected through hardware detection signals devices can use the hello mechanism of a routing protocol for failure detection which has a slower failure detection rate of more than one second In Gigabit data transmission such a rate will cause a large quantity of data to be dropped z Implement re...

Page 1587: ...dresses z BFD uses the information to establish BFD sessions Figure 1 2 BFD fault detection BFD fault detection as shown in the above figure z Upon detection of a link failure BFD clears the session and notifies the protocol of the failure z The protocol terminates the neighborship on the link z If a backup link is available the protocol will use it to forward packets No detection time resolution ...

Page 1588: ...may ask the other system to stop sending BFD Control packets except when the system feels the need to verify connectivity explicitly in which case a short sequence of BFD Control packets is exchanged and then the far system quiesces Demand mode may operate independently in each direction or simultaneously z At present only the asynchronous mode is supported z When a BFD session operates in Echo mo...

Page 1589: ...d D If set Demand mode is active in the transmitting system the system wishes to operate in Demand mode knows that the session is up in both directions and is directing the remote system to cease the periodic transmission of BFD Control packets If clear Demand mode is not active in the transmitting system z Poll P If set the transmitting system is requesting verification of connectivity or of a pa...

Page 1590: ...ckets that this system is capable of supporting If this value is zero the transmitting system does not want the remote system to send any periodic BFD Control packets z Required Min Echo Rx Interval This is the minimum interval in microseconds between received BFD Echo packets that this system is capable of supporting If this value is zero the transmitting system does not support the receipt of BF...

Page 1591: ... multiplier value Optional 5 by default Configure the authentication type bfd authentication mode md5 key id key sha1 key id key simple key id password Optional By default the interface operates in the non authentication mode Configuring Protocol based BFD Configuring BFD for OSPF After discovering neighbors by sending hello packets OSPF notifies BFD of the neighbor addresses and BFD uses theses a...

Page 1592: ... the IP Routing Volume Configuring BFD for RIP RIP periodically sends route update requests to neighbors If no route update response for a route is received within the specified interval RIP considers the route unreachable This mechanism cannot detect link faults quickly After BFD is configured for RIP when BFD detects a broken link RIP can quickly age out the unreachable route before the update t...

Page 1593: ...rface interface type interface number Enable BFD on the RIP interface rip bfd enable Required Disabled by default z Unidirectional detection in BFD echo packet mode only works for RIP neighbors that are directly connected namely one hop away from each other z Using the undo peer command does not remove the neighbor relationship at once and therefore cannot bring down the BFD session at once z For ...

Page 1594: ...notifies it to VRRP for quick VRRP master backup switchover Before associating a VRRP group with a track entry you need to create the VRRP group on the interface and assign a virtual IP address to it Follow these steps to configure BFD for VRRP To do Use the command Remarks Enter system view system view Configure the source address of echo packets bfd echo source ip ip address Required Not configu...

Page 1595: ...c dest address mask mask length interface type interface number next hop address bfd control packet preference preference value tag tag value description description text Enable BFD control packet mode for static routes ip route static vpn instance s vpn instance name 1 6 dest address mask mask length interface type interface number next hop address bfd control packet preference preference value t...

Page 1596: ...ho function is revised to specify that a BFD session is established at only one end when the echo mode is used z For static route configuration refer to Static Routing Configuration in the IP Routing Volume Enabling Trap When the trap function is enabled on the BFD module the module will generate trap messages at the notifications level to report the important events of the module The generated tr...

Page 1597: ...slot number Available in user view BFD Configuration Examples Configuring BFD for OSPF Network requirements z Switch A and Switch B are interconnected through a Layer 2 switch BFD is enabled on the switch interfaces OSPF is enabled on the switches that are reachable to each other at the network layer z When the link between Switch B and the Layer 2 switch fails BFD can quickly detect the failure a...

Page 1598: ...itchB Vlan interface10 quit 3 Configure BFD parameters Configure Switch A SwitchA bfd session init mode active SwitchA interface Vlan interface 10 SwitchA Vlan interface10 bfd min transmit interval 300 SwitchA Vlan interface10 bfd min receive interval 300 SwitchA Vlan interface10 bfd detect multiplier 7 SwitchA Vlan interface10 bfd authentication mode simple 1 zhang SwitchA Vlan interface10 quit S...

Page 1599: ...7 RMDEBUG OSPF BFD Message Type rcv BFD down Connect Type direct connect Src IP Address 10 1 0 102 Src IFIndex 5 Dst IP Address 10 1 0 100 0 50673827 SwitchA RM 7 RMDEBUG OSPF BFD Message Type delete session Connect Type direct connect Src IP Address 10 1 0 102 Src IFIndex 5 Dst IP Address 10 1 0 100 OSPF 1 Nbr 10 1 0 100 Rcv KillNbr State Full Down 0 50673829 SwitchA BFD 8 EVENT Receive Delete se...

Page 1600: ...able to each other at the network layer z When the link between Switch B and the Layer 2 switch fails BFD can quickly detect the failure and notify IS IS of the failure Figure 1 5 Network diagram for BFD configuration on an IS IS link Configuration procedure 1 Configure VLAN interfaces Configure Switch A SwitchA system view SwitchA interface Vlan interface 10 SwitchA Vlan interface10 ip address 16...

Page 1601: ...tchA quit Configure Switch B SwitchB bfd session init mode active SwitchB interface Vlan interface 10 SwitchB Vlan interface10 bfd min receive interval 500 SwitchB Vlan interface10 bfd min transmit interval 500 SwitchB Vlan interface10 bfd authentication mode simple 1 zhang SwitchB Vlan interface10 bfd detect multiplier 8 4 Verify the configuration Display BFD information of Switch A SwitchA displ...

Page 1602: ...JCHANGE Adjacency To 0 000 0000 0002 vlan10 DOWN Level 1 Circuit Down Aug 8 14 54 05 369 2008 SwitchA ISIS 4 ADJLOG ISIS 1 ADJCHANGE Adjacency To 0 000 0000 0002 vlan10 DOWN Level 1 Adjacency clear Aug 8 14 54 05 370 2008 SwitchA ISIS 6 ISIS ISIS 1 BFD Success to send msg Msg type 1 delete session IfPhyIndex 5 DstI PAddr 192 168 0 100 SrcIPAddr 192 168 0 102 NeighborType Level 2 Aug 8 14 54 05 370...

Page 1603: ...for configuring BFD for RIP single hop detection in BFD echo packet mode Configuration procedure 1 Configure VLAN interfaces Configure Switch A SwitchA system view SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 168 1 1 24 SwitchA Vlan interface100 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 ip address 192 168 2 1 24 SwitchA Vlan interface200 q...

Page 1604: ... Configure BFD parameters Configure Switch A SwitchA bfd session init mode active SwitchA bfd echo source ip 11 11 11 11 SwitchA interface vlan interface 100 SwitchA Vlan interface100 bfd min transmit interval 500 SwitchA Vlan interface100 bfd min receive interval 500 SwitchA Vlan interface100 bfd detect multiplier 7 SwitchA Vlan interface100 quit SwitchA quit 4 Configure a static route on Switch ...

Page 1605: ...tect the change Jan 19 10 41 51 203 2008 SwitchA BFD 4 LOG Sess 192 168 1 1 192 168 1 2 Vlan interface 100 Ctrl Sta UP DOWN Diag 1 Jan 19 10 33 12 813 2008 SwitchA RM 6 RMDEBUG RIP BFD Message Type Disable Connect Type Direct connect Pkt Type Echo Src IP Address 192 168 1 1 Src IFIndex4 Nbr IP Address 192 168 1 2 Display the BFD information of Switch A You can see that Switch A has deleted the nei...

Page 1606: ...ch A runs RIP process 2 VLAN interface 400 on Switch C and VLAN interface 300 and VLAN interface 400 on Switch D run RIP process 1 z Enable static route redistribution into RIP on Switch A and Switch C so that Switch A and Switch C have routes to send to each other Switch A learns the static route sent by Switch C the outbound interface is the interface connected to Switch B z When the link betwee...

Page 1607: ...address 192 168 4 2 24 SwitchC Vlan interface400 quit Configure Switch D SwitchD system view SwitchD interface vlan interface 300 SwitchD Vlan interface300 ip address 192 168 3 2 24 SwitchD Vlan interface300 quit SwitchD interface vlan interface 400 SwitchD Vlan interface400 ip address 192 168 4 1 24 SwitchD Vlan interface400 quit 2 Configure RIP basic functions and enable static route redistribut...

Page 1608: ...0 quit Configure Switch C SwitchC bfd session init mode active SwitchC interface vlan interface 200 SwitchC Vlan interface200 bfd min transmit interval 500 SwitchC Vlan interface200 bfd min receive interval 500 SwitchC Vlan interface200 bfd detect multiplier 7 SwitchC Vlan interface200 quit 4 Configure static routes Configure a static route to Switch C on Switch A SwitchA ip route static 192 168 2...

Page 1609: ...Switch C fails you can see that Switch A quickly detects the link state change Jan 19 10 41 51 203 2008 SwitchA BFD 4 LOG Sess 192 168 1 1 192 168 2 2 Vlan interface 100 Ctrl Sta UP DOWN Diag 1 Jan 19 10 41 51 203 2008 SwitchA RM 6 RMDEBUG RIP BFD Message Type Disable Connect Type Indirect connect Pkt Type Control Src IP Address 192 168 1 1 Src IFIndex 4 Nbr IP Address 192 168 2 2 Display the BFD ...

Page 1610: ...e reachable to each other at the network layer z When the link between Switch A and Switch B fails BFD can quickly detect the failure and notify BGP of the failure Figure 1 8 Network diagram for BFD configuration on a BGP link Configuration procedure 1 Configure VLAN interfaces Configure Switch A SwitchA system view SwitchA interface Vlan interface 10 SwitchA Vlan interface10 ip address 10 1 0 102...

Page 1611: ...B vlan10 interface Vlan interface 10 SwitchB Vlan interface10 bfd min transmit interval 300 SwitchB Vlan interface10 bfd min receive interval 300 SwitchB Vlan interface10 bfd detect multiplier 6 SwitchB Vlan interface10 bfd authentication mode simple 1 zhang 4 Verify the configuration Enable BFD debugging on Switch A SwitchA debugging bfd scm SwitchA debugging bfd event SwitchA debugging bgp bfd D...

Page 1612: ...ages 0 Maximum allowed prefix number 4294967295 Threshold 75 Minimum time between advertisement runs is 15 seconds Optional capabilities Route refresh capability has been enabled Peer Preferred Value 0 BFD Enabled Routing policy configured No routing policy is configured Configuring BFD for the VRRP Backup to Monitor the Master Network requirements If BFD is not configured when the master in a VRR...

Page 1613: ...terface2 vrrp vrid 1 priority 110 SwitchA vlan interface2 return Configure Switch B SwitchB system view SwitchB bfd session init mode active SwitchB bfd echo source ip 10 10 10 10 SwitchB interface vlan interface 2 SwitchB vlan interface2 ip address 192 168 0 102 24 SwitchB vlan interface2 bfd min echo receive interval 10 SwitchB vlan interface2 bfd detect multiplier 3 SwitchB vlan interface2 quit...

Page 1614: ...n of VRRP group 1 on Switch B SwitchB display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Total number of virtual routers 1 Interface vlan interface2 VRID 1 Adver Timer 1 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type NONE Track Object 1 Switchover Virtual IP 192 168 0 10 Master IP 192 168 0 101 The display above shows that in backu...

Page 1615: ... IP 192 168 0 101 Local IP 192 168 0 102 Configuring BFD for the VRRP Master to Monitor the Uplinks Network requirements z The master monitors the state of its uplink When the uplink is down the mater decreases its priority and sends a VRRP packet with the new priority Upon receiving the packet with a lower priority the backup becomes the new master after a very short delay z The backup monitors t...

Page 1616: ...itchA bfd echo source ip 10 10 10 10 SwitchA interface vlan interface 3 SwitchA vlan interface3 ip address 1 1 1 1 24 SwitchA vlan interface3 bfd min echo receive interval 10 SwitchA vlan interface3 bfd detect multiplier 3 SwitchA vlan interface3 quit SwitchA track 1 bfd echo interface vlan interface 3 remote ip 1 1 1 2 local ip 1 1 1 1 SwitchA interface vlan interface 2 SwitchA vlan interface3 ip...

Page 1617: ...1 on Switch B SwitchB display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Total number of virtual routers 1 Interface vlan interface2 VRID 1 Adver Timer 1 Admin Status UP State Backup Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP 192 168 0 10 Master IP 192 168 0 101 The display above shows that in VRRP group 1 Switch A is the master router and ...

Page 1618: ...ual IP 192 168 0 10 Virtual MAC 0000 5e00 0101 Master IP 192 168 0 102 Display the track entry information of Switch A SwitchA display track 1 Track ID 1 Status Negative Reference Object BFD Session Packet type Echo Interface vlan interface3 Remote IP 1 1 1 2 Local IP 1 1 1 1 Configuring BFD Echo Packet Mode for Static Routing Network requirements Configure a static route on Switch A to Switch C a...

Page 1619: ...l Session Num 1 Init Mode Active Session Working Under Echo Mode LD SourceAddr DestAddr State Holdtime Interface 7 10 1 1 102 10 1 1 100 Up 1700ms Vlan10 3 Display static route information on Switch A SwitchA display ip routing table protocol static Public Routing Table Static Summary Count 2 Static Routing table Status Active Summary Count 1 Destination Mask Proto Pre Cost NextHop Interface 120 1...

Page 1620: ...tatus Active Summary Count 1 Destination Mask Proto Pre Cost NextHop Interface 120 1 1 1 24 Static 65 0 11 1 1 2 Vlan11 Static Routing table Status Inactive Summary Count 1 Destination Mask Proto Pre Cost NextHop Interface 120 1 1 1 24 Static 60 0 10 1 1 100 Vlan10 Configuring BFD Control Packet Mode for Static Routing Network requirements Configure a static route to subnet 14 1 1 0 24 on Switch A...

Page 1621: ...A display bfd session Total Session Num 1 Init Mode Active Session Working Under Ctrl Mode LD RD SourceAddr DestAddr State Holdtime Interface 4 7 12 1 1 1 12 1 1 2 Up 2000ms Vlan12 Display static routes on Switch A SwitchA display ip routing table protocol static Public Routing Table Static Summary Count 1 Static Routing table Status Active Summary Count 1 Destination Mask Proto Pre Cost NextHop I...

Page 1622: ...otify driver to stop receiving bf Display the static route on Switch A which is in the inactive state SwitchA display ip routing table protocol static Public Routing Table Static Summary Count 1 Static Routing table Status Active Summary Count 0 Static Routing table Status Inactive Summary Count 1 Destination Mask Proto Pre Cost NextHop Interface 14 1 1 0 24 Static 60 0 12 1 1 2 Vlan12 ...

Page 1623: ...ule and the Detection Modules 1 2 Configuring Track NQA Collaboration 1 2 Configuring Track BFD Collaboration 1 3 Configuring Collaboration Between the Track Module and the Application Modules 1 3 Configuring Track VRRP Collaboration 1 3 Configuring Track Static Routing Collaboration 1 4 Displaying and Maintaining Track Object s 1 5 Track Configuration Examples 1 5 VRRP Track NQA Collaboration Con...

Page 1624: ... application modules of the detection result through the Track module After the application modules are aware of the changes of network status they deal with the changes accordingly to avoid communication interruption and network performance degradation The Track module works between the application modules and the detection modules and is mainly used to obscure the difference of various detection...

Page 1625: ...ks Configuring Track NQA Collaboration Configuring Collaboration Between the Track Module and the Detection Modules Configuring Track BFD Collaboration Use either approach Configuring Track VRRP Collaboration Configuring Collaboration Between the Track Module and the Application Modules Configuring Track Static Routing Collaboration Use at least one of the two approaches Configuring Collaboration ...

Page 1626: ...ck VRRP collaboration you can z Monitor the upper link If there is a fault on the upper link of the master of a VRRP group hosts in the LAN cannot access the external network through the master In this case the status of the monitored Track object changes to Negative and the priority of the master thus decreases by a specified value allowing a higher priority router in the VRRP group to become the...

Page 1627: ...ot the egress interface when configuring a static route you can associate the static route with a Track object and thus check the validity of the static route according to the status of the Track object z If the status of the Track object is Positive then the next hop of the static route is reachable and the configured static route is valid z If the status of the Track object is Negative then the ...

Page 1628: ...a static route needs route recursion the associated Track object must monitor the next hop of the recursive route instead of that of the static route otherwise a valid route may be considered invalid z For details of static route configuration refer to Static Routing Configuration in the IP Routing Volume Displaying and Maintaining Track Object s To do Use the command Remarks Display information a...

Page 1629: ...ion entry 1 specifying that five consecutive probe failures trigger the Track NQA collaboration SwitchA nqa admin test icmp echo reaction 1 checked element probe fail threshold type consecutive 5 action type trigger only SwitchA nqa admin test icmp echo quit Start NQA probes SwitchA nqa schedule admin test start time now lifetime forever 3 Configure a Track object on Switch A Configure Track objec...

Page 1630: ...lan interface2 vrrp vrid 1 authentication mode simple hello Configure the master to send VRRP packets at an interval of five seconds SwitchB Vlan interface2 vrrp vrid 1 timer advertise 5 Configure Switch B to work in preemptive mode and set the preemption delay to five seconds SwitchB Vlan interface2 vrrp vrid 1 preempt mode timer delay 5 6 Verify the configuration After configuration ping Host B ...

Page 1631: ...rtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Backup Config Pri 110 Run Pri 80 Preempt Mode YES Delay Time 5 Auth Type SIMPLE TEXT Key hello Track Object 1 Pri Reduced 30 Virtual IP 10 1 1 10 Master IP 10 1 1 2 Display detailed information about VRRP group 1 on Switch B when there is a fault on the link between Switch A and Switch C SwitchB Vlan interface2 di...

Page 1632: ...d configure the static route to associate with Track object 1 SwitchA system view SwitchA ip route static 10 1 1 2 24 10 2 1 1 track 1 3 Configure an NQA test group on Switch A Create an NQA test group with the administrator admin and the operation tag test SwitchA nqa entry admin test Configure the test type as ICMP echo SwitchA nqa admin test type icmp echo Configure the destination address as 1...

Page 1633: ...127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The output information above indicates the NQA test result that is the next hop 10 2 1 1 is reachable the status of the Track object is Positive and the configured static route is valid Remove the IP address of interface VLAN interface 3 on Switch B SwitchB system view SwitchB interface vlan interf...

Page 1634: ...InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The output information above indicates the NQA test result that is the next hop 10 2 1 1 is unreachable the status of the Track object is Negative and the configured static route is invalid ...

Page 1635: ...ontents 1 GR Overview 1 1 Introduction to Graceful Restart 1 1 Basic Concepts in Graceful Restart 1 1 Graceful Restart Communication Procedure 1 2 Graceful Restart Mechanism for Several Commonly Used Protocols 1 4 ...

Page 1636: ...tem can forward data continuously Hence it is called Graceful Restart Basic Concepts in Graceful Restart A router with the Graceful Restart function enabled is called a Graceful Restart capable router It can perform a Graceful Restart when its routing protocol restarts ensuring consistent forwarding services Routers that are not Graceful Restart capable will follow the normal restart procedures af...

Page 1637: ...er and GR Helper can replace each other The communication procedure between the GR Restarter and the GR Helper works as follows 1 Establishing a GR session Figure 1 1 A GR session is established between the GR Restarter and the GR Helper As illustrated in Figure 1 1 Router A works as GR Restarter Router B Router C and Router D are the GR Helpers of Router A A GR session is established between the ...

Page 1638: ...e the GR Time expires the GR Helper will neither terminate the session with the GR Restarter nor delete the topology or routing information of the latter 3 Signaling to GR Helper Figure 1 3 The GR Restarter signals to the GR Helper s after restart As illustrated in Figure 1 3 after the GR Restarter has recovered it will signal to all its neighbors and reestablish GR Session 4 Obtaining topology an...

Page 1639: ...es its own routing table based on this information Graceful Restart Mechanism for Several Commonly Used Protocols Comware supports Graceful Restart based on Border Gateway Protocol BGP Open Shortest Path First OSPF Intermediate System to Intermediate System IS IS For the implementation and configuration procedure of the Graceful Restart mechanism of the above protocols refer to BGP Configuration O...

Page 1640: ...m Configuration Basic system configuration involves the configuration of device name system clock welcome message user privilege levels and so on This document describes z Configuration display z Basic configurations z CLI features Device Management Through the device management function you can view the current condition of your device and configure running parameters This document describes z De...

Page 1641: ...tion configuration z SNMP log configuration z Trap configuration z MIB style configuration RMON RMON provides an efficient means of monitoring subnets and allows SNMP to monitor remote network devices in a more proactive and effective way This document describes z RMON overview z RMON configuration MAC Address Table Management A switch maintains a MAC address table for fast forwarding packets This...

Page 1642: ...ring the PoE Interface z Configuring PoE power management z Configuring the PoE monitoring function z Online upgrading the PSE processing software z Configuring a PD Disconnection Detection Mode z Enabling the PSE to detect nonstandard PDs Hotfix Hotfix is a fast cost effective method to fix software defects of the device without interrupting the running services This document describes z Hotfix O...

Page 1643: ...Device to a Cluster z Configuring Advanced Cluster Functions IRF Intelligent Resilient Framework IRF allows you to build an IRF namely a united device by interconnecting multiple devices through IRF ports You can manage all the devices in the IRF by managing the united device This document describes z IRF Overview z IRF Working Process z Configuring IRF z Logging In to an IRF IPC Inter Process Com...

Page 1644: ...Configuration Procedure 2 7 Configuration Example 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 3 Logging In Through Telnet SSH 3 1 Logging In Through Telnet 3 1 Introduction 3 1 Telnet Connection Establishment 3 1 Common Configuration 3 3 Telnet Login Configuration Task List 3 4 Telnet Login Configuration with...

Page 1645: ...rolling Telnet Users by Source and Destination IP Addresses 7 2 Controlling Telnet Users by Source MAC Addresses 7 3 Configuration Example 7 3 Controlling Network Management Users by Source IP Addresses 7 4 Prerequisites 7 4 Controlling Network Management Users by Source IP Addresses 7 4 Configuration Example 7 5 Controlling Web Users by Source IP Addresses 7 6 Prerequisites 7 6 Controlling Web Us...

Page 1646: ...r interfaces AUX and VTY z AUX port Used to manage and monitor users logging in via the console port The device provides AUX ports of EIA TIA 232 DTE type The port is usually used for the first access to the switch z VTY virtual type terminal Used to manage and monitor users logging in via VTY VTY port is usually used when you access the device by means of Telnet or SSH Table 1 1 Description on us...

Page 1647: ...ws you to uniquely specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in the sequence of AUX port and VTY Relative numbering Relative numbering can specify a user interface or a group of user interfaces of a specific type The number is valid only when used under that type ...

Page 1648: ... user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configuration of the current a specified user interface display user interface type number number summary You can execute this command in any view ...

Page 1649: ...gin methods By default you can log in to an 3Com Switch 4800G family through its Console port only To log in to an Ethernet switch through its Console port the related configuration of the user terminal must be in accordance with that of the Console port Table 2 1 lists the default settings of a Console port Table 2 1 The default settings of a Console port Setting Default Baud rate 19 200 bps Flow...

Page 1650: ...yperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the connection ...

Page 1651: ...rmation about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port login Configuration Description Enter system view system view Enter AUX user interface view user interface aux 0 Baud rate speed speed value Optional The default baud rate is 19 200 bps Check mode parity even ...

Page 1652: ...et history command buffer size history command max size value Optional By default the history command buffer can contain up to 10 commands Set the timeout time of a user interface idle timeout minutes seconds Optional The default timeout time is 10 minutes Changing of Console port configuration terminates the connection to the Console port To establish the connection again you need to modify the c...

Page 1653: ... Procedure Follow these steps to perform Console port login configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux 0 Configure not to authenticate users authentication mode none Required By default users logging in through the Console port are not authenticated Configuration Example Network requ...

Page 1654: ...i aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0...

Page 1655: ...authentication password cipher simple password Required By default no password is configured Configuration Example Network requirements Assume the switch is configured to allow you to login through Telnet and your user level is set to the administrator level level 3 After you telnet to the switch you need to limit the Console user at the following aspects z The user is authenticated against the lo...

Page 1656: ...in to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user ...

Page 1657: ...system view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuratio...

Page 1658: ... level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z Configure the name of the local user to be guest z Set the authentication password of the local user to 123456 in plain text z Set the service type of the local user to Terminal z Configure to authenticate the user logging in through the Console port in the ...

Page 1659: ...0 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 2 Configure the authentication scheme Configure the authentication server by referring to r...

Page 1660: ...d Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Telnet Connection Establishment Telnetting to a Switch from a Terminal You can telnet to a switch and then configure the switch if the interface of the management VLAN of the switch is assigned with an IP address By default VLAN 1 is the management VLAN Following ar...

Page 1661: ...able Figure 3 1 Network diagram for Telnet connection establishment Configuration PC running Telnet Ethernet Workstation Server Workstation Ethernet port Step 4 Launch Telnet on your PC with the IP address of the management VLAN interface of the switch as the parameter as shown in the following figure Figure 3 2 Launch Telnet Step 5 Enter the password when the Telnet window displays Login authenti...

Page 1662: ... user name and password for Telnet on the switch operating as the Telnet server Refer to section Telnet Login Configuration with Authentication Mode Being None section Telnet Login Configuration with Authentication Mode Being Password and Telnet Login Configuration with Authentication Mode Being Scheme for details By default Telnet users need to pass the password authentication to login Step 2 Tel...

Page 1663: ...ng tasks escape key default character Optional By default you can use Ctrl C to terminate a task Configure the type of terminal display under the current user interface terminal type ansi vt100 Optional By default the terminal display type is ANSI Configure the command level available to users logging in to the VTY user interface user privilege level level Optional By default commands of level 0 a...

Page 1664: ...Telnet configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure not to authenticate users logging in to VTY user interfaces authentication mode none Required By default VTY users are authenticated after logging in Note that if you configure not to au...

Page 1665: ... command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Login Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to perform Telnet configuration with authentication mode being password To do Use the command Remarks Enter system view system view Enter one or more...

Page 1666: ...edure Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the local password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sysname ui vty0 set authentication password simple 123456 Specify c...

Page 1667: ...heme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuration in the Security Volume for details z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Create a local user and enter local user view local user user name No local...

Page 1668: ...screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes 2 Network diagram Figure 3 6 Network diagram for Telnet configuration with the authentication mode being scheme 3 Configuration procedure z Configure the switch Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Create a l...

Page 1669: ...he timeout time to 6 minutes Sysname ui vty0 idle timeout 6 z Configure the authentication scheme Configure the authentication server by referring to related parts in AAA Configuration Logging In Through SSH Secure Shell SSH offers an approach to logging into a remote device securely With encryption and strong authentication it protects devices against attacks such as IP spoofing and plain text pa...

Page 1670: ...h is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging in to the Web based network management system are configured IE is available PC operating as the network management terminal The IP address of the management VLAN interface of the switch...

Page 1671: ...ess to the management VLAN interface of the switch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the following commands in the terminal window to assign an IP address to the management VLAN interface of the switch Configure the IP address of the management VLAN interface to be 10 153 17 82 with the ma...

Page 1672: ...s http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 4 2 appears enter the user name and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Figure 4 2 The login page of the Web based network management system ...

Page 1673: ...protocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 5 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the management VLAN of the switch is configured The route between the NMS and the switch is available Switch The basic SNMP functions are co...

Page 1674: ... source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface for Telnet Packets The configuration can be performed in user view and system view The configuration performed in user view only applies to the current session Whereas the configuration performed in...

Page 1675: ...for Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reachable Displaying the source IP address Interface Specified for Telnet Packets Follow these steps to display the source IP address interface specified for Telnet packets To do Use the command Remarks D...

Page 1676: ...ough Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses Controlling Telnet Users Prerequisites The controlling policy against Telnet users is determined including the source and destination IP addresses to be controlled and the controlling actions permitting or denying Controlling ...

Page 1677: ...CL refer to ACL Configuration in the Security Volume Follow these steps to control Telnet users by source and destination IP addresses To do Use the command Remarks Enter system view system view Create an advanced ACL or enter advanced ACL view acl ipv6 number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule r...

Page 1678: ...ine rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by source MAC addresses acl acl number inbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch Layer 2 ACL is invalid for this function if the source IP ...

Page 1679: ...control users accessing the switch through SNMP Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying Controlling Network Management Users by Source IP Addresses Follow these steps to control network management users by source IP addresses To do Use the command Remarks...

Page 1680: ...tailed configuration refer to SNMP Configuration in the System Volume Configuration Example Network requirements Only SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 are permitted to access the switch Figure 7 2 Network diagram for controlling SNMP users using ACLs Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Configuration procedure Define a basic ACL Sys...

Page 1681: ...g Web users by source IP addresses To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl ipv6 number acl number match order config auto Required The config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Required Quit to system view quit Re...

Page 1682: ... network Host B 10 110 100 52 Configuration procedure Create a basic ACL Sysname system view Sysname acl number 2030 match order config Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Reference the ACL to allow only Web users using IP address 10 110 100 52 to access the switch Sysname ip http acl 2030 ...

Page 1683: ...pyright Information 1 5 Configuring a Banner 1 6 Configuring CLI Hotkeys 1 7 Configuring User Privilege Levels and Command Levels 1 8 Displaying and Maintaining Basic Configurations 1 14 CLI Features 1 14 Introduction to CLI 1 15 Online Help with Command Lines 1 15 Synchronous Information Output 1 16 Undo Form of a Command 1 16 Editing Features 1 17 CLI Display 1 17 Saving History Commands 1 20 Co...

Page 1684: ...onfiguration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved in the startup configuration file Follow these steps to display device configurations To do Use the command Remarks Display the factory defaults of the device display default configuration Display the current validated configurations of the device displa...

Page 1685: ...ng the Device Name The device name is used to identify a device in a network Inside the system the device name corresponds to the prompt of the CLI For example if the device name is Sysname the prompt of user view is Sysname Follow these steps to configure the device name To do Use the command Remarks Enter system view system view Configure the device name sysname sysname Optional The device name ...

Page 1686: ...d and the offset time is summer offset z 1 indicates the clock datetime command is an optional configuration z The default system clock is 2005 1 1 1 00 00 in the example Table 1 1 Relationship between the configuration and display of the system clock Configuration System clock displayed by the display clock command Example 1 date time Configure clock datetime 1 00 2007 1 1 Display 01 00 00 UTC Mo...

Page 1687: ...lock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 Display 02 00 00 zone time Sat 01 01 2005 If the value of the original system clock zone offset is not in the summer time range the original system clock zone offset is displayed Configure clock timezone zone time add 1 and clock sum...

Page 1688: ...iew after logging in to the device through the console port AUX port or asynchronous serial interface The copyright information will not be displayed under other circumstances The display format of copyright information is as shown below Copyright c 2004 2009 3Com Corp and its licensors All rights reserved This software is protected by copyright law and international treaties Without the prior wri...

Page 1689: ...n right after the command keywords The start and end characters of the input text must be the same but are not part of the banner information In this case the input text together with the command keywords cannot exceed 510 characters The other is to input all the banner information in multiple lines by pressing the Enter key In this case up to 2000 characters can be input The latter input mode can...

Page 1690: ...z Ctrl G corresponds to the display current configuration command z Ctrl L corresponds to the display ip routing table command z Ctrl O corresponds to the undo debugging all command Table 1 2 Hotkeys reserved by the system Hotkey Function Ctrl A Moves the cursor to the beginning of the current line Ctrl B Moves the cursor one character to the left Ctrl C Stops performing a command Ctrl D Deletes t...

Page 1691: ... Levels and Command Levels Introduction To restrict the different users access to the device the system manages the users by their privilege levels User privilege levels correspond to command levels After users at different privilege levels log in they can only use commands at their own or lower levels All the commands are categorized into four levels which are visit monitor system and manage from...

Page 1692: ...parameters To do Use the command Remarks Enter system view system view Enter user interface view user interface type first number last number Configure the authentication mode for logging in to the user interface as scheme authentication mode scheme command authorization Required By default the authentication mode for VTY and AUX users is password Exit to system view quit Configure the authenticat...

Page 1693: ...d to input username test and password 123 After passing the authentication users can only use the commands of level 0 If the users need to use commands of levels 0 1 2 and 3 the following configuration is required Sysname luser test authorization attribute level 3 3 Configure the user privilege level under a user interface If the user interface authentication mode is scheme when a user logs in and...

Page 1694: ...By default the authentication mode for VTY and AUX user interfaces is password Configure the privilege level of the user logging in from the current user interface user privilege level level Optional By default the user privilege level for users logging in from the console user interface is 3 and that for users logging from the other user interfaces is 0 4 Example of configuring user privilege lev...

Page 1695: ...hrough Telnet they can use the commands of level 0 after passing the authentication After you set the user privilege level under the user interface when users log in to the device through Telnet they need to input password 123 and then they can use commands of levels 0 1 and 2 Switching user privilege level Users can switch their user privilege level temporarily without logging out and disconnecti...

Page 1696: ...is configured Exit to user view quit Switch the user privilege level super level Required When logging in to the device a user has a user privilege level which is decided by user interface or authentication user level z When you configure the password for switching user privilege level with the super password command the user privilege level is 3 if no user privilege level is specified z The passw...

Page 1697: ...odule s running status to find the problem Therefore you are required to execute the corresponding display commands one by one To collect more information one time you can execute the display diagnostic information command in any view to display or save statistics of each module s running status The execution of the display diagnostic information command has the same effect as that of the commands...

Page 1698: ... command unique Take the commands save startup saved configuration and system view which start with s as an example To save the current configuration you need to input sa at least to set the configuration file for next startup you need to input st s at least to enter system view you need to input sy at least You can press Tab to complement the command or you can input the complete command Online H...

Page 1699: ...hes are found the complete keyword which is matched first is displayed the matching rule is the letters next to the input letters are arranged in alphabetic order and the letter in the first place is matched first If you repeatedly press Tab all the keywords starting with the letter that you enter are displayed in cycles Synchronous Information Output Synchronous information output refers to the f...

Page 1700: ...finding a unique match the system substitutes the complete keyword for the incomplete one and displays it in the next line when there are several matches if you repeatedly press Tab all the keywords starting with the letter that you enter are displayed in cycles If there is no match at all the system does not modify the incomplete keyword and displays it again in the next line When editing the com...

Page 1701: ...ace of any character including single character special character and blank For example l can match vlan or mpls Asterisk used to match a character or character group before it zero or multiple times For example zo can match z and zoo zo can match zo and zozo Addition used to match a character or character group one or multiple times before it For example zo can match zo and zoo but not z Vertical...

Page 1702: ...ple do can match word domain or string doa string Used to match a character string ending with string For example do can match word undo or string abcdo bcharacter2 Used to match character1character2 character1 can be any character except number letter or underline and b equals A Za z0 9_ For example ba can match a with represents character1 and a represents character2 while ba cannot match 2a or ...

Page 1703: ...the cursor to the end of the current line PageUp Displays information on the previous page PageDown Displays information on the next page Saving History Commands The CLI can automatically save the commands that have been used lately to the history buffer You can know the operations that have been executed successfully invoke and repeatedly execute them as needed By default the CLI can save up to t...

Page 1704: ...in Windows 9X HyperTerminal because they are defined in a different way You can press Ctrl P or Ctrl N instead Command Line Error Information The commands are executed only if they have no syntax error Otherwise error information is reported Table 1 7 lists some common errors Table 1 7 Common command line errors Error information Cause The command was not found The keyword was not found Parameter ...

Page 1705: ...and Lines 1 5 Disabling Boot ROM Access 1 6 Configuring a Detection Interval 1 6 Clearing the 16 bit Interface Indexes Not Used in the Current System 1 7 Identifying and Diagnosing Pluggable Transceivers 1 7 Introduction to pluggable transceivers 1 7 Identifying pluggable transceivers 1 8 Diagnosing pluggable transceivers 1 8 Displaying and Maintaining Device Management Configuration 1 9 Device Ma...

Page 1706: ...device management function you can view the current working state of a device configure running parameters and perform daily device maintenance and management Device Management Configuration Task List Complete these tasks to configure device management Task Remarks Configuring the Exception Handling Method Optional Rebooting a Device Optional Configuring the Scheduled Automatic Execution Function ...

Page 1707: ... IRF members Rebooting a Device When a fault occurs to a running device you can remove the fault by rebooting the device depending on the actual situation This operation equals to powering on the device after powering it off It is mainly used to reboot a device in remote maintenance without performing hardware reboot of the device According to the actual environment z You can reboot a member devic...

Page 1708: ...he backup boot file to restart the device z If you are performing file operations when the device is to be rebooted the system does not execute the command for the sake of security Configuring the Scheduled Automatic Execution Function The scheduled automatic execution function means that the system automatically executes a specified command at a specified time in a specified view This function is...

Page 1709: ...er the automatic execution function is configured the scheduled automatic execution configuration turns invalid automatically z Only the last configuration takes effect if you execute the schedule job command repeatedly z After you configure this feature on the master the configuration is not backed up to the slaves after the change of the master this configuration will be ineffective Upgrading De...

Page 1710: ...s Enter system view system view Enable the validity check function when upgrading the Boot ROM bootrom update security check enable Optional By default the validity check function is enabled at the time of upgrading Boot ROM Return to user view quit Upgrade the Boot ROM program on member devices bootrom update file file url slot slot number list Required Available in user view To execute the bootr...

Page 1711: ...hether you press Ctrl B or not the system does not enter the Boot ROM menu but enters the command line configuration interface directly In addition you need to set the Boot ROM access password when you enter the Boot ROM menu for the first time to protect the Boot ROM against operations of illegal users You can use the display startup command to view the status of the Boot ROM access function For ...

Page 1712: ...e you can clear all 16 bit interface indexes saved but not used in the current system in user view After the above operation z For a re created interface the new interface index may not be consistent with the original one z For existing interfaces their interface indexes remain unchanged Follow these steps to clear the 16 bit interface indexes not used in the current system To do Use the command R...

Page 1713: ...rameters of the pluggable transceiver s display transceiver interface interface type interface number Available for all pluggable transceivers Display part of the electrical label information of the anti spoofing transceiver s customized by H3C display transceiver manuinfo interface interface type interface number Available for anti spoofing pluggable transceiver s customized by H3C only z You can...

Page 1714: ...view Display history statistics of the CPU usage in a chart display cpu usage history task task id slot slot number cpu cpu number Available in any view Display information about a board subboard CF board USB or hardware on the device display device shelf shelf number frame frame number slot slot number subslot subslot number verbose Available in any view Display electrical label information of th...

Page 1715: ...the IP address of the FTP server is 2 2 2 2 24 and the FTP server is reachable z User can log in to Device via Telnet and a route exists between User and Device Figure 1 2 Network diagram for remote scheduled automatic upgrade Configuration procedure 1 Configuration on the FTP server Note that configurations may vary with different types of servers z Set the access parameters for the FTP client in...

Page 1716: ...date txt auto update bat To ensure correctness of the file you can use the more command to view the content of the file Execute the scheduled automatic execution function to enable the device to be automatically upgraded at 3 am Device schedule job at 03 00 view system execute auto update bat Info Command execute auto update bat in system view will be executed at 03 00 12 11 2007 in 12 hours and 0...

Page 1717: ...ll be transferred in binary mode Downloading file from remote TFTP server please wait TFTP 917 bytes received in 1 second s File downloaded successfully Download file new config cfg to Slave with the member ID of 2 IRF tftp 2 2 2 2 get new config cfg slot2 flash new config cfg Download file soft version2 bin on the TFTP server to Master and Slave IRF tftp 2 2 2 2 get soft version2 bin File will be...

Page 1718: ...ader file soft version2 bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on slot 1 The specified file will be used as the main boot file at the next reboot on slot 2 Reboot the device The software version is upgraded now IRF reboot ...

Page 1719: ...g the Startup Configuration File 1 16 Displaying and Maintaining Device Configuration 1 17 2 FTP Configuration 2 1 FTP Overview 2 1 Introduction to FTP 2 1 Operation of FTP 2 1 Configuring the FTP Client 2 3 Establishing an FTP Connection 2 3 Configuring the FTP Client 2 4 FTP Client Configuration Example 2 6 Single Device Upgrade 2 6 IRF System Upgrade 2 7 Configuring the FTP Server 2 9 Configuri...

Page 1720: ...ii Single Device Upgrade 3 4 IRF System Upgrade 3 5 ...

Page 1721: ...d file copy and display If an operation delete or overwrite for example causes problems such as data loss or corruption the file system will prompt you to confirm the operation by default Depending on the managed object file system operations fall into Directory Operations File Operations Batch Operations Storage Medium Operations and Setting File System Prompt Modes Filename Formats When you spec...

Page 1722: ...characters flash test a txt Indicates that a file named a txt is in the test folder under the root directory of the flash memory on the master To read and write the a txt file under the root directory of the flash on a slave with the member ID 2 input slot2 flash a txt for the filename For the S5500 EI series when you specify a configuration file cfg file startup file bin file or Boot ROM file by ...

Page 1723: ...moved must be empty meaning that before you remove a directory you must delete all the files and the subdirectory under this directory For file deletion refer to the delete command for subdirectory deletion refer to the rmdir command z After you execute the rmdir command successfully the files in the recycle bin under the directory will be automatically deleted File Operations File operations incl...

Page 1724: ...w Renaming a file To do Use the command Remarks Rename a file rename fileurl source fileurl dest Required Available in user view Copying a file To do Use the command Remarks Copy a file copy fileurl source fileurl dest Required Available in user view Moving a file To do Use the command Remarks Move a file move fileurl source fileurl dest Required Available in user view Deleting a file To do Use th...

Page 1725: ...in To do Use the command Remarks Enter the original working directory of the file to be deleted cd directory Optional If the original directory of the file to be deleted is not the current working directory this command is required Available in user view Delete the file under the current directory and in the recycle bin reset recycle bin force Required Available in user view Batch Operations A bat...

Page 1726: ...se the command Remarks Restore the space of a storage medium fixdisk device Optional Available in user view Format a storage medium format device Optional Available in user view z When you format a storage medium all the files stored on it are erased and cannot be restored In particular if there is a startup configuration file on the storage medium formatting the storage medium results in loss of ...

Page 1727: ...in 4 drw Apr 26 2007 19 58 11 test 31496 KB total 9943 KB free Create a new folder called mytest under the test directory Sysname cd test Sysname mkdir mytest Created dir flash test mytest Display the current working directory Sysname pwd flash test Display the files and the subdirectories under the test directory Sysname dir Directory of flash test 0 drw Apr 26 2007 19 58 39 mytest 31496 KB total...

Page 1728: ...text file It z Saves configuration in the form of commands z Saves only non default configuration settings z Lists commands in sections by views usually in the order of system view interface view and routing protocol view Sections are separated with one or multiple blank lines or comment lines that start with a pound sign z Ends with a return Coexistence of multiple configuration files Multiple co...

Page 1729: ...iguration on your device using command line interface However the current configuration is temporary To make the modified configuration take effect at the next boot of the device you must save the current configuration to the startup configuration file before the device reboots Complete these tasks to save the current configuration Task Remarks Enabling configuration file auto save Optional Modes ...

Page 1730: ...root directories of the storage media of all the member devices and specify the file as the startup configuration file that will be used at the next system startup save safely backup main Required Use either command Available in any view z The configuration file must be with extension cfg z Whether the save safely backup main command or the save filename all command Enter takes effect on all the m...

Page 1731: ...n two ways the system saves the current running configuration at a specified interval or you can save the current running configuration as needed 3 Roll back the current running configuration to the configuration state based on a saved configuration file When the related command is entered the system first compares and then processes the differences between the current running configuration and th...

Page 1732: ...0 it restarts from 1 If you change the path or filename prefix or reboot the device the saved file serial number restarts from 1 and the system recounts the saved configuration files If you change the path of the saved configuration files the files in the original path become common configuration files and are not processed as saved configuration files The number of saved configuration files has a...

Page 1733: ...nt running configuration automatically You can configure the system to save the current running configuration at a specified interval and use the display archive configuration command to view the filenames and save time of the saved configuration files so as to roll back the current configuration to a previous configuration state Configure an automatic saving interval according to the storage medi...

Page 1734: ...nning configuration manually otherwise the operation fails Setting configuration rollback Follow these steps to set configuration rollback To do Use the command Remarks Enter system view system view Set configuration rollback configuration replace file filename Required Configuration rollback may fail if one of the following situations is present if a command cannot be rolled back the system skips...

Page 1735: ...m startup To do Use the command Remarks Specify a startup configuration file for the next system startup of all the member devices startup saved configuration cfgfile backup main Required Available in user view A configuration file must use cfg as its extension name and the startup configuration file must be saved under the root directory of the storage medium Backing Up the Startup Configuration ...

Page 1736: ...cified in the command to NULL You may need to delete the startup configuration file for the next startup for one of these reasons z After you upgrade system software the existing configuration file does not match the new system software z The configuration file is corrupted often caused by loading a wrong configuration file After the startup configuration file is deleted the system will use the nu...

Page 1737: ...e restored startup configuration file exists Displaying and Maintaining Device Configuration To do Use the command Remarks Display the information about configuration rollback display archive configuration Available in any view Display the currently running configuration file saved on the storage medium of the device display saved configuration by linenum Available in any view Display the configur...

Page 1738: ...or btm z ASCII mode for text file transmission like files with the suffixes txt bat or cfg Operation of FTP FTP adopts the client server model Your device can function either as the client or as the server as shown in Figure 2 1 z When the device serves as the FTP client the user first connects to the device from a PC through Telnet or an emulation program and then executes the ftp command to esta...

Page 1739: ... FTP server configuration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP for security reasons Therefore you must use a valid username and password By default authenticated users can access the root directory of the device Device FTP server Configure the FTP server operat...

Page 1740: ...ined by the matched route as the source IP address to communicate with an FTP server z If the source address is specified with the ftp client source or ftp command this source address is used to communicate with an FTP server z If you use the ftp client source command and the ftp command to specify a source address respectively the source address specified with the ftp command is used to communica...

Page 1741: ...and is available in FTP client view Configuring the FTP Client After a device serving as the FTP client has established a connection with the FTP server For how to establish an FTP connection refer to Establishing an FTP Connection you can perform the following operations in the authorized directories of the FTP server To do Use the command Remarks Display help information of FTP related commands ...

Page 1742: ...server rmdir directory Optional Disconnect from the FTP server without exiting the FTP client view disconnect Optional Equal to the close command Disconnect from the FTP server without exiting the FTP client view close Optional Equal to the disconnect command Disconnect from the FTP server and exit to user view bye Optional Terminate the connection with the remote FTP server and exit to user view ...

Page 1743: ... FTP server Configuration procedure If the available memory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following operations Log in to the server through FTP Sysname ftp 10 1 1 1 Trying 10 1 1 1 Connected to 10 1 1 1 220 WFTPD 2 0 service by Texas Imperial Software re...

Page 1744: ...of the storage medium You can copy or move a file to the root directory of the storage medium For the details of the boot loader command refer to Device Management Commands in the System Volume IRF System Upgrade Network requirements z As shown in Figure 2 3 use Device as an FTP client and PC as the FTP server Their IP addresses are 10 2 1 1 16 and 10 1 1 1 16 respectively An available route exist...

Page 1745: ...t newest bin z Download the startup file newest bin from PC to the root directory of the storage medium of a slave with member ID of 2 ftp get newest bin slot2 flash newest bin Upload the configuration file config cfg of the device to the server for backup ftp ascii ftp put config cfg back config cfg 227 Entering Passive Mode 10 1 1 1 4 2 125 ASCII mode data connection already open transfer starti...

Page 1746: ...mode the FTP server writes data to the storage medium while receiving data This means that any anomaly power failure for example during file transfer might result in file corruption on the FTP server This mode however consumes less memory space than the fast mode Follow these steps to configure the FTP server To do Use the command Remarks Enter system view system view Enable the FTP server ftp ser...

Page 1747: ...support FTP anonymous user access Assign a password to the user password simple cipher password Required Assign the FTP service to the user service type ftp Required By default the system does not support anonymous FTP access and does not assign any service If the FTP service is assigned the root directory of the device is used by default Configure user properties authorization attribute acl acl n...

Page 1748: ...set its password to pwd and the user privilege level to level 3 the manage level Sysname system view Sysname local user ftp Sysname luser ftp password simple pwd Sysname luser ftp authorization attribute work directory level 3 Authorize ftp s access to the root directory of the flash Sysname luser ftp authorization attribute work directory flash Specify ftp to use FTP Sysname luser ftp service typ...

Page 1749: ... config cfg back config cfg Upload the configuration file newest bin to Device ftp put newest bin ftp bye z You can take the same steps to upgrade configuration file with FTP When upgrading the configuration file with FTP put the new file under the root directory of the storage medium For a device that has been partitioned the configuration file must be saved on the first partition z After you fin...

Page 1750: ... for the FTP client to log in to the FTP server Figure 2 5 Smooth upgrading using the FTP server Configuration procedure 1 Configure Device FTP Server Create an FTP user account ftp set its password to pwd and the user privilege level to level 3 the manage level Sysname system view Sysname local user ftp Sysname luser ftp password simple pwd Sysname luser ftp authorization attribute work directory...

Page 1751: ...Log in to the FTP server through FTP c ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none abc 331 Password required for abc Password 230 User logged in Download the configuration file config cfg of the device to the PC for backup ftp get config cfg back config cfg Upload the configuration file newest bin to the root directory of the storage medium on the master ftp put newest...

Page 1752: ... file is updated at the system reboot Sysname reboot The startup file used for the next startup must be saved under the root directory of the storage medium You can copy or move a file to the root directory of the storage medium For the details of the boot loader command refer to Device Management Commands in the System Volume Displaying and Maintaining FTP To do Use the command Remarks Display th...

Page 1753: ...is initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In a normal file uploading process the client sends a write request to the TFTP server sends data to the server and receives the acknowledgement from the server TFTP transfers files in two modes z Binar...

Page 1754: ...he secure mode or if you use the normal mode specify a filename not existing in the current directory as the target filename when downloading the startup file or the startup configuration file Source address binding means to configure an IP address on a stable interface such as a loopback interface and then use this IP address as the source IP address of a TFTP connection The source address bindin...

Page 1755: ...address get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Available in user view Download or upload a file in an IPv6 network tftp ipv6 tftp ipv6 server i interface type interface number get put source file destination file Optional Available in user view z If no primary IP address is configured on the source interface ...

Page 1756: ... omitted z On the PC enable the TFTP server z Configure a TFTP working directory 2 Configure Device TFTP Client If the available memory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following operations Enter system view Sysname system view Download application file new...

Page 1757: ...evice and PC z Device downloads a startup file from PC for upgrading and uploads a configuration file named config cfg to PC for backup Figure 3 3 Smooth upgrading using the TFTP client function Configuration procedure 1 Configure PC TFTP Server the configuration procedure is omitted z On the PC enable the TFTP server z Configure a TFTP working directory 2 Configure Device TFTP Client If the avail...

Page 1758: ... be used at the next startup for all the member devices Sysname boot loader file newest bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on slot 1 The specified file will be used as the main boot file at the next reboot on slot 2 Reboot the device and the software is upgraded Sysname...

Page 1759: ...an ACL 1 2 Displaying and Maintaining HTTP 1 2 2 HTTPS Configuration 2 1 HTTPS Overview 2 1 HTTPS Configuration Task List 2 1 Associating the HTTPS Service with an SSL Server Policy 2 2 Enabling the HTTPS Service 2 2 Associating the HTTPS Service with a Certificate Attribute Access Control Policy 2 3 Configuring the Port Number of the HTTPS Service 2 3 Associating the HTTPS Service with an ACL 2 4...

Page 1760: ...ly the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP You can log onto the device using the HTTP protocol with HTTP service enabled accessing and controlling the device with Web based network management To implement security management on the device you ca...

Page 1761: ...rt number Required By default the port number of the HTTP service is 80 If you execute the ip http port command for multiple times the last configured port number is used Associating the HTTP Service with an ACL By associating the HTTP service with an ACL only the clients that pass ACL filtering are allowed to access the device Follow these steps to associate the HTTP service with an ACL To do Use...

Page 1762: ...es the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security management of the device z Defines certificate attribute based access control policy for the device to control the access right of the client in orde...

Page 1763: ...l server policy command is executed repeatedly the HTTPS service is only associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again you need to re associate the HTTPS service with an SSL server policy z When the HTTPS service is enabled no modification of its asso...

Page 1764: ...associate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute access control policy ip https certificate access control policy policy name Required Not associated by default z If the ip https certificate access control policy command is executed repeatedly the HTTPS...

Page 1765: ...he HTTPS service with an ACL To do Use the command Remarks Enter system view system view Associate the HTTPS service with an ACL ip https acl acl number Required Not associated by default Displaying and Maintaining HTTPS To do Use the command Remarks Display information about HTTPS display ip https Available in any view HTTPS Configuration Example Network requirements z Host acts as the HTTPS clie...

Page 1766: ...ficate request entity en Device pki domain 1 quit Generate a local RSA key pair Device public key local create rsa Obtain a server certificate from CA Device pki retrieval certificate ca domain 1 Apply for a local certificate Device pki request certificate domain 1 2 Configure an SSL server policy associated with the HTTPS service Configure an SSL server policy Device ssl server policy myssl Devic...

Page 1767: ...th certificate attribute access control policy myacp Device ip https certificate access control policy myacp 6 Enable the HTTPS service Enable the HTTPS service Device ip https enable 7 Verify the configuration Launch the IE explorer on Host and enter https 10 1 1 1 You can log in to Device and control it z The URL of the HTTPS server starts with https and that of the HTTP server starts with http ...

Page 1768: ...NMP Logging 1 5 Introduction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 SNMP Trap Configuration 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 8 SNMP Configuration Example 1 9 SNMP Logging Configuration Example 1 10 2 MIB Style Configuration 2 1 Setting the MIB Style 2 1 Displaying and Maintaining MIB 2 1 ...

Page 1769: ... the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially in small high speed and low cost network environments SNMP Mechanism An SNMP enabled network comprises a Network Management Station NMS and an agent z An NMS is a station that runs the SNMP client software It offers a user friendly interface making it easier for network ...

Page 1770: ...ween the NMS and agent preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy authentication without privacy or no authentication no privacy Successful interaction between NMS and agent requires consistency of SNMP versions configured on them You can configure multiple SNMP versions for an agent to intera...

Page 1771: ...are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configure an SNMP agent group snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Required Convert the user defined plain text password to a cipher text password snmp agent calculate password plain password ...

Page 1772: ... v3 all Required The defaults are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configur e directly Create an SNMP commun ity snmp agent community read write community name acl acl number mib view view name Configur e an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl...

Page 1773: ...dex of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the information center set the output rules for SNMP logs are decided that is whether the logs are permitted to output and the output destinations SNMP logs GET request SET request and SET response but does not ...

Page 1774: ...ted by the module will be sent to the information center The information center has seven information output destinations By default traps of all modules are allowed to be output to the console monitor terminal monitor loghost and logfile traps of all modules and with level equal to or higher than warnings are allowed to be output to the trapbuffer and SNMP module snmpagent and traps cannot be sen...

Page 1775: ...ate each other Configuration procedure After traps are sent to the SNMP module the SNMP module saves the traps in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destination host usually the NMS Follow these steps to configure trap parameters To do Use the command Remarks Enter system view system view ...

Page 1776: ... and Maintaining SNMP To do Use the command Remarks Display SNMP agent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent statistics Display the SNMP agent engine ID display snmp agent local engineid Display SNMP agent group information display snmp agent group group name Di...

Page 1777: ...nmp agent community write private Configure VLAN interface 2 with the IP address of 1 1 1 1 24 Add the port GigabitEthernet 1 0 1 to VLAN 2 Sysname vlan 2 Sysname vlan2 port GigabitEthernet 1 0 1 Sysname Vlan2 quit Sysname interface vlan interface 2 Sysname Vlan interface2 ip address 1 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure the contact person and physical location information o...

Page 1778: ...VLAN interface on the agent is 1 1 1 1 24 z Configure community name access right and SNMP version on the agent Figure 1 4 Network diagram for SNMP logging Configuration procedure The configurations for the NMS and agent are omitted Enable logging display on the terminal This function is enabled by default so that you can omit this configuration Sysname terminal monitor Sysname terminal logging En...

Page 1779: ...n 1 02 49 40 566 2006 The time when SNMP log is generated seqNO Sequence number of the SNMP log srcIP IP address of NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID of the instance erroIndex Error index with 0 meaning no error errorstatus Error status with noError meaning no error value Value set when the SET operation is performed This field is null meaning the ...

Page 1780: ...lexible management of the device the device allows you to configure MIB style that is you can switch between the two styles of MIBs However you need to ensure that the MIB style of the device is the same as that of the NMS Setting the MIB Style Follow these steps to set the MIB style To do Use the command Remarks Enter system view system view Set the MIB style of the device mib style new compatibl...

Page 1781: ...guration 1 1 RMON Overview 1 1 Introduction 1 1 Working Mechanism 1 1 RMON Groups 1 2 Configuring RMON 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 Displaying and Maintaining RMON 1 5 RMON Configuration Example 1 5 ...

Page 1782: ...rk monitor or a network probe It monitors and collects statistics on traffic over the network segments connected to its interfaces such as the total number of packets passed through a network segment over a specified period or the total number of good packets sent to a host Working Mechanism RMON allows multiple monitors A monitor provides two ways of data gathering z Using RMON probes NMSs can ob...

Page 1783: ... an upper event is triggered if the sampled value of the monitored variable is lower than or equal to the lower threshold a lower event is triggered The event is then handled as defined in the event group The following is how the system handles entries in the RMON alarm table 1 Samples the alarm variables at the specified interval 2 Compares the sampled values with the predefined threshold and tri...

Page 1784: ...s undersize oversize packets broadcasts multicasts bytes received packets received bytes sent packets sent and so on After the creation of a statistics entry on an interface the statistics group starts to collect traffic statistics on the current interface The result of the statistics is a cumulative sum Configuring RMON Configuration Prerequisites Before configuring RMON configure the SNMP agent ...

Page 1785: ... that can be created the creation fails z When you create an entry in the history table if the specified buckets number argument exceeds the history table size supported by the device the entry will be created However the validated value of the buckets number argument corresponding to the entry is the history table size supported by the device Table 1 1 Restrictions on the configuration of RMON En...

Page 1786: ...og entry number Available in any view RMON Configuration Example Network requirements Agent is connected to a configuration terminal through its console port and to a remote NMS across the Internet Create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1 0 1 and enable logging after received bytes exceed the specified threshold Figure 1 1 Network diagram for ...

Page 1787: ...ysname rmon event 1 log owner 1 rmon Configure an alarm group to sample received bytes on GigabitEthernet 1 0 1 When the received bytes exceed the upper or below the lower limit logging is enabled Sysname rmon alarm 1 1 3 6 1 2 1 16 1 1 1 4 1 10 delta rising threshold 1000 1 falling threshold 100 1 owner 1 rmon Sysname display rmon alarm 1 Alarm table 1 owned by 1 rmon is VALID Samples type delta ...

Page 1788: ...ries 1 4 Configuring the MAC Learning Limit 1 4 Displaying and Maintaining MAC Address Table Management 1 5 MAC Address Table Management Configuration Example 1 5 2 MAC Information Configuration 2 1 Overview 2 1 Introduction to MAC Information 2 1 How MAC Information Works 2 1 Configuring MAC Information 2 1 Enabling MAC Information Globally 2 1 Enabling MAC Information on an Interface 2 2 Configu...

Page 1789: ... in this table indicates the MAC address of a connected device ID of the interface to which this device is connected and ID of the VLAN to which the interface belongs When forwarding a frame the device looks up the MAC address table according to the destination MAC address of the frame to rapidly determine the egress port thus reducing broadcasts How a MAC Address Table Entry is Generated A MAC ad...

Page 1790: ...s into the MAC address table of the device to bind specific user devices to the port thus preventing hackers from stealing data using forged MAC addresses Manually configured MAC address table entries have a higher priority than dynamically learned ones Types of MAC Address Table Entries A MAC address table may contain the following types of entries z Static entries which are manually configured a...

Page 1791: ...y or remove entries in the MAC address table globally To do Use the command Remarks Enter system view system view mac address blackhole mac address vlan vlan id Add modify a MAC address entry mac address dynamic static mac address interface interface type interface number vlan vlan id Required Follow these steps to add modify or remove entries in the MAC address table on an interface To do Use the...

Page 1792: ...ong aging interval may cause the MAC address table to retain outdated entries and fail to accommodate the latest network changes a short interval may result in removal of valid entries and hence unnecessary broadcasts which may affect device performance Follow these steps to configure the aging timer for dynamic MAC address entries To do Use the command Remarks Enter system view system view Config...

Page 1793: ...id count Display MAC address table information display mac address mac address vlan vlan id dynamic static interface interface type interface number vlan vlan id count Display the aging timer for dynamic MAC address entries display mac address aging time Display MAC address statistics display mac address statistics Available in any view MAC Address Table Management Configuration Example Network re...

Page 1794: ...1 6 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 000f e235 dc71 1 Config static GigabitEthernet 1 0 1 NOAGED 1 mac address es found ...

Page 1795: ...ation Works When a new MAC address is learned or an existing MAC address is deleted on a device the device writes related information about the MAC address to the buffer area used to store user information When the timer set for sending MAC address monitoring Syslog or Trap messages expires or when the buffer is used up the device sends the Syslog or Trap messages to the monitor end immediately Co...

Page 1796: ...ng the Interval for Sending Syslog or Trap Messages To prevent Syslog or Trap messages being sent too frequently and thus affecting system performance you can set the interval for sending Syslog or Trap messages Follow these steps to set the interval for sending Syslog or Trap messages To do Use the command Remarks Enter system view system view Set the interval for sending Syslog or Trap messages ...

Page 1797: ...etwork requirements z Host A is connected to a remote server Server through Device z Enable MAC Information on GigabitEthernet 1 0 1 on Device Device sends MAC address change information using Syslog messages to Host B through GigabitEthernet 1 0 3 Host B analyzes and displays the Syslog messages Figure 2 1 Network diagram for MAC Information configuration Configuration procedure 1 Configure Devic...

Page 1798: ...thernet1 0 1 mac address information enable added Device GigabitEthernet1 0 1 mac address information enable deleted Device GigabitEthernet1 0 1 quit Set the MAC Information queue length to 100 Device mac address information queue length 100 Set the interval for sending Syslog or Trap messages to 20 seconds Device mac address information interval 20 ...

Page 1799: ...and Debugging 1 1 Ping 1 1 Introduction 1 1 Configuring Ping 1 1 Ping Configuration Example 1 2 Tracert 1 4 Introduction 1 4 Configuring Tracert 1 4 System Debugging 1 5 Introduction to System Debugging 1 5 Configuring System Debugging 1 6 Ping and Tracert Configuration Example 1 6 ...

Page 1800: ... the destination device 2 The source device determines whether the destination is reachable based on whether it receives an ICMP echo reply if the destination is reachable the source device determines the link quality based on the numbers of ICMP echo requests sent and replies received determines the distance between the source and destination based on the round trip time of ping packets Configuri...

Page 1801: ...m Device A to Device C Figure 1 1 Ping network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING 1 1 2 2 56 data bytes press CTRL_C to break Reply from 1 1 2 2 bytes 56 Sequence 1 ttl 254 time 205 ms Reply from 1 1 2 2 bytes 56 Sequence 2 ttl 254 time 1 ms Reply from 1 1 2 2 bytes 56 Sequence 3 ...

Page 1802: ...tatistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 11 53 ms The principle of ping r is as shown in Figure 1 1 1 The source Device A sends an ICMP echo request with the RR option being empty to the destination Device C 2 The intermediate device Device B adds the IP address 1 1 2 1 of its outbound interface to the RR option of the ICMP echo request and for...

Page 1803: ...es the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated In this way the source device can get the address 1 1 1 2 of the first Layer 3 device 3 The source device sends a packet with a TTL value of 2 to the destination device 4 The second hop Device C responds with a TTL expired ICMP error message which gives the source device the ad...

Page 1804: ...ny view System Debugging Introduction to System Debugging The device provides various debugging functions For the majority of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The following two switches control the display of debugging information z Protocol debugging switch which controls protocol specific debugging information ...

Page 1805: ...al monitor Optional The terminal monitoring on the console is enabled by default and that on the monitoring terminal is disabled by default Available in user view Enable the terminal display of debugging information terminal debugging Required Disabled by default Available in user view Enable debugging for a specified module debugging all timeout time module name option Required Disabled by defaul...

Page 1806: ...DeviceA ip ttl expires enable DeviceA ip unreachables enable DeviceA tracert 1 1 2 2 traceroute to 1 1 2 2 1 1 2 2 30 hops max 40 bytes packet press CTRL_C to bre ak 1 1 1 1 2 14 ms 10 ms 20 ms 2 3 4 5 DeviceA The above output shows that no available route exists between Device A and Device C an available router exists between Device A and Device B an error occurred on the connection between Devic...

Page 1807: ...stem Information to a Log Host 1 8 Outputting System Information to the Trap Buffer 1 9 Outputting System Information to the Log Buffer 1 10 Outputting System Information to the SNMP Module 1 11 Configuring Synchronous Information Output 1 11 Disabling a Port from Generating Link Up Down Logging Information 1 12 Displaying and Maintaining Information Center 1 13 Information Center Configuration Ex...

Page 1808: ...odule z Outputs the above information to different information channels according to the user defined output rules z Outputs the information to different destinations based on the information channel to destination associations To sum up information center assigns the log trap and debugging information to the ten information channels according to the eight severity levels and then outputs the info...

Page 1809: ...system information The system supports six information output destinations including the console monitor terminal monitor log buffer log host trap buffer and SNMP module The specific destinations supported vary with devices The system supports ten channels The six channels 0 through 5 are configured with channel names output rules and are associated with output destinations by default The channel ...

Page 1810: ...put destination the output information type and the output information level as shown in Table 1 3 which indicates that by default and in terms of all modules z Log information with severity level equal to or higher than informational is allowed to be output to the log host log information with severity level equal to or higher than warning is allowed to be output to the console monitor terminal a...

Page 1811: ...buffer SNMP the system information is in the following format timestamp sysname module level digest content For example a monitor terminal connects to the device When a terminal logs in to the device the log information in the following format is displayed on the monitor terminal Jun 26 17 08 35 809 2008 Sysname SHELL 4 LOGIN VTY login from 1 1 1 1 z If the output destination is the log host the s...

Page 1812: ...dify the system name Refer to Basic System Configuration Commands in the System Volume for details This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn This field is a version identifier of syslog It is displayed only when the output destination is log host module The module field represents the name of the module that generates system ...

Page 1813: ...ng System Information to the SNMP Module Optional Configuring Synchronous Information Output Optional Outputting System Information to the Console Outputting system information to the console To do Use the command Remarks Enter system view system view Enable information center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channe...

Page 1814: ...ed by default Enable the display of log information on the console terminal logging Optional Enabled by default Enable the display of trap information on the console terminal trapping Optional Enabled by default Outputting System Information to a Monitor Terminal System information can also be output to a monitor terminal which is a user terminal that has login connections through the AUX VTY user...

Page 1815: ...erminal Follow these steps to enable the display of system information on a monitor terminal To do Use the command Remarks Enable the monitoring of system information on a monitor terminal terminal monitor Required Enabled on the console and disabled on the monitor terminal by default Enable the display of debugging information on a monitor terminal terminal debugging Required Disabled by default ...

Page 1816: ...primary IP address of this interface is the source IP address of the log information Configure the format of the time stamp for system information output to the log host info center timestamp loghost date no year date none Optional date by default Outputting System Information to the Trap Buffer The trap buffer receives the trap information only and discards the log and debugging information even ...

Page 1817: ...tion center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be output to the log buffer and specify the buffer size info center logbuffer channel channel number channel name size buffers...

Page 1818: ...module info center snmp channel channel number channel name Optional By default system information is output to the SNMP module through channel 5 known as snmpagent Configure the output rules of the system information info center source module name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Optional Re...

Page 1819: ...on in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable the other ports from generating link up down logging information z The state of a port is not stable and therefore redundant logging information will be generated In this case you can use this function to disable the port from generating link up down logging information...

Page 1820: ...splay the configuration of the log file display logfile summary Available in any view Display the state of the trap buffer and the trap information recorded display trapbuffer reverse size buffersize Available in any view Reset the log buffer reset logbuffer Available in user view Reset the trap buffer reset trapbuffer Available in user view Information Center Configuration Examples Outputting Log...

Page 1821: ...ational to be output to the log host Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel loghost log level informational state on Sysname info center source ip channel loghost log level informational state on 2 Configure the log host The following configurations were performed on SunOS 4 0 which has similar configurations to ...

Page 1822: ...d r After the above configurations the system will be able to record log information into the log file Outputting Log Information to a Linux Log Host Network requirements z Send log information to a Linux log host with an IP address of 1 2 0 1 16 z Log information with severity higher than informational will be output to the log host z All modules can output log information Figure 1 2 Network diag...

Page 1823: ...conf and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the logging facility used by the log host to receive logs info is the information level The Linux system will record the log information with severity level equal to or higher than informational to file var log Device info log Be aware of the follow...

Page 1824: ...put of log trap and debugging information of all modules on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configurations for different channels are different you need to disable the output of log trap and debugging information of all modules on the specified channel console in this example first and then config...

Page 1825: ... terminal monitor Current terminal monitor is on Sysname terminal logging Current terminal logging is on After the above configuration takes effect if the specified module generates log information the information center automatically sends the log information to the console which then displays the information ...

Page 1826: ...oE Interfaces Through a PoE Configuration File 1 3 Configuring PoE Power Management 1 4 Configuring PD Power Management 1 4 Configuring the PoE Monitoring Function 1 5 Configuring a Power Alarm Threshold for the PSE 1 6 Upgrading PSE Processing Software Online 1 6 Configuring a PD Disconnection Detection Mode 1 6 Enabling the PSE to Detect Nonstandard PDs 1 7 Displaying and Maintaining PoE 1 7 PoE...

Page 1827: ...net interfaces through twisted pair cables Advantages z Reliable Power is supplied in a centralized way so that it is very convenient to provide a backup power supply z Easy to connect A network terminal requires only one Ethernet cable but no external power supply z Standard In compliance with IEEE 802 3af and a globally uniform power interface is adopted z Promising It can be applied to IP telep...

Page 1828: ...etect Nonstandard PDs Optional z When the PoE power or PSE fails you cannot configure PoE z Turning off of the PoE power during the startup of the device might result in the failure to restore the PoE configuration Configuring the PoE Interface You can configure a PoE interface in either of the following two ways z Adopting the command line z Configuring a PoE configuration file and applying the f...

Page 1829: ... interface poe pd description string Optional By default no description for the PD connected to the PoE interface is available Configuring PoE Interfaces Through a PoE Configuration File A PoE configuration file is used to configure at the same time multiple PoE interfaces with the same attributes to simplify operations This configuration method is a supplement to the command line configuration Co...

Page 1830: ...nfiguration file z If you have configured a PoE interface through the command line you cannot configure it through a PoE configuration file again If you want to reconfigure the interface through a PoE configuration file you must first remove the command line configuration on the PoE interface z You must use the same mode command line or PoE configuration file to configure the poe max power max pow...

Page 1831: ... interface will preempt the power of other PoE interfaces with a lower priority level In the latter case the PoE interfaces whose power is preempted will be powered off but their configurations will remain unchanged When you change the priority of a PoE interface from critical to a lower level the PDs connecting to other PoE interfaces will have an opportunity of being powered Configuration prereq...

Page 1832: ...rocessing software in full mode to restore the PSE function Online PSE processing software upgrade may be unexpectedly interrupted for example an error results in device reboot If you fail to upgrade the PSE processing software in full mode after reboot you can power off the device and restart it before upgrading it again After upgrade restart the device manually to make the original PoE configura...

Page 1833: ...tween ID module and member ID of all PSEs display poe device Display the power state and information of the specified PoE interface display poe interface interface type interface number Display the power information of a PoE interface s display poe interface power interface type interface number Display the information of PSE display poe pse pse id Display the power state and information of all Po...

Page 1834: ...w Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 poe enable Sysname GigabitEthernet1 0 1 quit Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 poe enable Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet 1 0 11 Sysname GigabitEthernet1 0 11 poe enable Sysname GigabitEthernet1 0 11 quit Sysname interface GigabitEthernet 1 0 12 Sysname Giga...

Page 1835: ...E interface fails Analysis z Some configurations in the PoE configuration file are already configured z Some configurations in the PoE configuration file do not meet the configuration requirements of the PoE interface z Another PoE configuration file is already applied to the PoE interface Solution z In the first case you can solve the problem by removing the original configurations of those confi...

Page 1836: ...stallation Task List 1 6 Configuring the Patch File Location 1 6 Loading a Patch File 1 6 Activating Patches 1 7 Confirm Running Patches 1 7 One Step Patch Uninstallation 1 8 Step by Step Patch Uninstallation 1 8 Step by Step Patch Uninstallation Task List 1 8 Stop Running Patches 1 8 Deleting Patches 1 8 Displaying and Maintaining Hotfix 1 9 Hotfix Configuration Examples 1 9 Hotfix Configuration ...

Page 1837: ... they will be numbered as 1 2 and 3 respectively Incremental patch Patches in a patch file are all incremental patches An incremental patch means that the patch is dependent on the previous patch units For example if a patch file has three patch units patch 3 can be running only after patch 1 and 2 take effect You cannot run patch 3 separately Common patch and temporary patch Patches fall into two...

Page 1838: ...s turn to the ACTIVE state Figure 1 1 Relationship between patch state changes and command actions Information about patch states is saved in file patchstate on the flash It is recommended not to operate this file IDLE state Patches in the IDLE state are not loaded You cannot install or run the patches as shown in Figure 1 2 suppose the memory patch area can load up to eight patches The patches th...

Page 1839: ...ate At this time the patch states in the system are as shown in Figure 1 3 The patches that are in the DEACTIVE state will be still in the DEACTIVE state after system reboot Figure 1 3 A patch file is loaded to the memory patch area ACTIVE state Patches in the ACTIVE state are those that have run temporarily in the system and will become DEACTIVE after system reboot For the seven patches in Figure...

Page 1840: ...s of the system are as shown in Figure 1 5 Figure 1 5 Patches are running The patches that are in the RUNNING state will be still in the RUNNING state after system reboot Hotfix Configuration Task List Task Remarks One Step Patch Installation Install patches Step by Step Patch Installation Use either approach The step by step patch installation allows you to control the patch status One Step Patch...

Page 1841: ...atch name for device Table 1 1 Default patch names for device Product PATCH FLAG Default patch name 4800G PATCH XXX patch_xxx bin The loading and installation are performed on all member devices Before these operations save the same patch files to the root directories in the storage media of all member devices One Step Patch Installation You can use the patch install command to install patches in ...

Page 1842: ... patch file location patch location patch location Optional flash by default z The directory specified by the patch location argument must exist on each member device If one member device does not have such directory the system cannot locate the patch file on the member device z The patch install command changes patch file location specified with the patch location command to the directory specifi...

Page 1843: ...is of some problem you can reboot the device to deactivate the patch so as to avoid a series of running faults resulting from patch error Follow the steps below to activate patches To do Use the command Remarks Enter system view system view Activate the specified patches patch active patch number slot slot number Required Confirm Running Patches After you confirm the running of a patch the patch s...

Page 1844: ...u stop running a patch the patch state becomes DEACTIVE and the system runs in the way before it is installed with the patch Follow the steps below to stop running patches To do Use the command Remarks Enter system view system view Stop running the specified patches patch deactive patch number slot slot number Required Deleting Patches Deleting patches only removes the patches from the memory patc...

Page 1845: ...fix configuration Configuration procedure 1 Configure TFTP Server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server function z Save the patch file patch_xxx bin to the directory of the TFTP server 2 Configure Device Make sure the free flash space of the device is big enough to store the patch file Before upgrading the so...

Page 1846: ...onfiguration procedure 1 Configure the TFTP server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server function z Save the patch file patch_xxx bin to the directory of TFTP server 2 Configure Device Make sure the free flash space of the device is big enough to store the patch files Before upgrading the software use the sav...

Page 1847: ...ce patch install flash Patches will be installed Continue Y N y Do you want to continue running patches after reboot Y N y Installing patches Installation completed and patches will continue to run after reboot ...

Page 1848: ...ng a Voice Test 1 15 Configuring a DLSw Test 1 17 Configuring the Collaboration Function 1 18 Configuring Trap Delivery 1 19 Configuring the NQA Statistics Function 1 20 Configuring Optional Parameters Common to an NQA Test Group 1 20 Scheduling an NQA Test Group 1 22 Displaying and Maintaining NQA 1 23 NQA Configuration Examples 1 23 ICMP Echo Test Configuration Example 1 23 DHCP Test Configurati...

Page 1849: ...ansfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagnose and locate network faults Features of NQA Supporting multiple test types Ping can use only the Internet Control Message Protocol ICMP to test the reachability of the destination host and the roundtrip time of a packet to the destination As an enhancement to the Ping tool...

Page 1850: ...ration is implemented Take static routing as an example You have configured a static route with the next hop 192 168 0 88 If 192 168 0 88 is reachable the static route is valid if 192 168 0 88 is unreachable the static route is invalid With the collaboration between NQA Track module and application modules real time monitoring of reachability of the static route can be implemented 2 Monitor reacha...

Page 1851: ...test one probe means to carry out a corresponding function z For an ICMP echo or UDP echo test one packet is sent in one probe z For an SNMP test three packets are sent in one probe NQA client and server NQA client is the device initiating an NQA test and the NQA test group is created on the NQA client NQA server processes the test packets sent from the NQA client as shown in Figure 1 2 The NQA se...

Page 1852: ...ke the following configurations on the NQA client 1 Enable the NQA client 2 Create a test group and configure test parameters according to the test type The test parameters may vary with test types 3 Start the NQA test After the test you can view test results using the display or debug commands Complete these tasks to configure NQA client Task Remarks Enabling the NQA Client Required Creating an N...

Page 1853: ...er tcp connect udp echo ip address port number Required The IP address and port number must be consistent with those configured on the NQA client and must be different from those of an existing listening service Enabling the NQA Client Configurations on the NQA client take effect only when the NQA client is enabled Follow these steps to enable the NQA client To do Use the command Remarks Enter sys...

Page 1854: ...echo Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation Configure the size of probe packets sent data size size Optional 100 bytes by default Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadec...

Page 1855: ...f a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client Configuration prerequisites Before performing a DHCP test you need to configure the DHCP server If the NQA DHCP client and the DHCP server are not in the same network segment you need to configure a DHCP relay For the configuration of DHCP server an...

Page 1856: ... example you need to configure the username and password used to log onto the FTP server For the FTP server configuration see File System Management Configuration in the System Volume Configuring an FTP test Follow these steps to configure an FTP test To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as ...

Page 1857: ... the get command the device does not save the files obtained from the FTP server z When you execute the get command the FTP test cannot succeed if a file named file name does not exist on the FTP server z When you execute the get command please use a file with a smaller size as a big file may result in test failure because of timeout or may affect other services because of occupying too much netwo...

Page 1858: ...e for the HTTP is get that is obtaining data from the HTTP server Configure the website that an HTTP test visits url url Required Configure the HTTP version used in the HTTP test http version v1 0 Optional By default HTTP 1 0 is used in an HTTP test Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional The TCP port number for the HTTP server ...

Page 1859: ...er system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as UDP jitter and enter test type view type udp jitter Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a test operation The destination IP address must be consistent with that of the...

Page 1860: ...parameters See Configuring Optional Parameters Common to an NQA Test Group Optional The number of probes made in a UDP jitter test depends on the probe count command while the number of probe packets sent in each probe depends on the configuration of the probe packet number command Configuring an SNMP Test An SNMP query test is used to test the time the NQA client takes to send an SNMP query packe...

Page 1861: ...etween the client and the specified port on the NQA server and the setup time for the connection thus judge the availability and performance of the services provided on the specified port on the server Configuration prerequisites A TCP test requires cooperation between the NQA server and the NQA client The TCP listening function needs to be configured on the NQA server before the TCP test For the ...

Page 1862: ...connectivity and roundtrip time of a UDP echo packet from the client to the specified UDP port on the NQA server Configuration prerequisites A UDP echo test requires cooperation between the NQA server and the NQA client The UDP listening function needs to be configured on the NQA server before the UDP echo test For the configuration of the UDP listening function see Configuring the NQA Server Conf...

Page 1863: ... an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring a Voice Test It is recommended not to perform an NQA UDP jitter test on known ports namely ports from 1 to 1023 Otherwise the NQA test will fail or the corresponding services of these ports wi...

Page 1864: ...d when you evaluate the voice quality Configuration prerequisites A voice test requires cooperation between the NQA server and the NQA client Before a voice test make sure that the UDP listening function is configured on the NQA server For the configuration of UDP listening function see Configuring the NQA Server Configuring a voice test Follow these steps to configure a voice test To do Use the c...

Page 1865: ...1 µ law codec type and is 32 bytes for G 729 A law codec type Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadecimal number 00010203040506070809 Configure the number of packets sent in a voice probe probe packet number packet number Optional 1000 by default Configure the interval for sending packets in a voice ...

Page 1866: ... be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring the Collaboration Function Collaboration is implemented by establishing collaboration objects to monitor the detection results of the current test group If the number of consecutive probe failures reaches the threshold the configured action i...

Page 1867: ...the snmp agent target host command create an NQA test group and configure related parameters For the introduction to the snmp agent target host command see SNMP Commands in the System Volume Configuring trap delivery Follow these steps to configure trap delivery To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type ...

Page 1868: ...function To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of the test group type dlsw ftp http icmp echo snmp tcp udp echo udp jitter voice Configure the interval for collecting the statistics of the test results statistics interval interval Optional 60 minutes by default Configure the maximum number of st...

Page 1869: ...robes in an NQA test probe count times Optional By default one probe is performed in a test Only one probe can be made in one voice test Therefore this command is not available in a voice test Configure the NQA probe timeout time probe timeout timeout Optional By default the timeout time is 3000 milliseconds This parameter is not available for a UDP jitter test Configure the maximum number of hist...

Page 1870: ... use the display clock command to view the current system time Configuration prerequisites Before scheduling an NQA test group make sure z Required test parameters corresponding to a test type have been configured z For the test which needs the cooperation with the NQA server configuration on the NQA server has been completed Scheduling an NQA test group Follow these steps to schedule an NQA test ...

Page 1871: ...undtrip time of packets Figure 1 3 Network diagram for ICMP echo tests Configuration procedure Create an ICMP echo test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type icmp echo DeviceA nqa admin test icmp echo destination ip 10 2 2 2 Configure optional parameters DeviceA nqa admin test icmp echo probe count 10 DeviceA nqa ad...

Page 1872: ...nse Status Time 370 3 Succeeded 2007 08 23 15 00 01 2 369 3 Succeeded 2007 08 23 15 00 01 2 368 3 Succeeded 2007 08 23 15 00 01 2 367 5 Succeeded 2007 08 23 15 00 01 2 366 3 Succeeded 2007 08 23 15 00 01 2 365 3 Succeeded 2007 08 23 15 00 01 2 364 3 Succeeded 2007 08 23 15 00 01 1 363 2 Succeeded 2007 08 23 15 00 01 1 362 3 Succeeded 2007 08 23 15 00 01 1 361 2 Succeeded 2007 08 23 15 00 01 1 DHCP...

Page 1873: ...ures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Packet s arrived late 0 Display the history of DHCP tests SwitchA display nqa history admin test NQA entry admin admin tag test history record s Index Response Status Time 1 624 Succeeded 2007 11 22 09 56 03 2 FTP Test C...

Page 1874: ... tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 173 173 173 Square Sum of round trip time 29929 Last succeeded probe time 2007 11 22 10 07 28 6 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures d...

Page 1875: ...eA undo nqa schedule admin test Display results of the last HTTP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 64 64 64 Square Sum of round trip time 4096 Last succeeded probe time 2007 11 22 10 12 47 9 Extended results Packet lost in test 0 Failu...

Page 1876: ... admin test udp jitter destination ip 10 2 2 2 DeviceA nqa admin test udp jitter destination port 9000 DeviceA nqa admin test udp jitter frequency 1000 DeviceA nqa admin test udp jitter quit Enable UDP jitter test DeviceA nqa schedule admin test start time now lifetime forever Disable UDP jitter test after the test begins for a period of time DeviceA undo nqa schedule admin test Display the result...

Page 1877: ...D delay 15 Max DS delay 16 Min SD delay 7 Min DS delay 7 Number of SD delay 10 Number of DS delay 10 Sum of SD delay 78 Sum of DS delay 85 Square sum of SD delay 666 Square sum of DS delay 787 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 Display the statistics of UDP jitter tests DeviceA display nqa statistics admin test NQA entry admin admin tag test test statistics NO...

Page 1878: ...f DS delay 3891 Square sum of SD delay 45987 Square sum of DS delay 49393 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 The display nqa history command cannot show you the results of UDP jitter tests Therefore to know the result of a UDP jitter test you are recommended to use the display nqa result command to view the probe results of the latest NQA test or use the displ...

Page 1879: ...dmin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 50 50 50 Square Sum of round trip time 2500 Last succeeded probe time 2007 11 22 10 24 41 1 Extended results Packet lost in test 0 Failures due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to ...

Page 1880: ...ceA nqa schedule admin test start time now lifetime forever Disable TCP test after the test begins for a period of time DeviceA undo nqa schedule admin test Display results of the last TCP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 13 13 13 Squ...

Page 1881: ...elated test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type udp echo DeviceA nqa admin test udp echo destination ip 10 2 2 2 DeviceA nqa admin test udp echo destination port 8000 DeviceA nqa admin test udp echo quit Enable UDP echo test DeviceA nqa schedule admin test start time now lifetime forever Disable UDP echo test after the test begins for a period of...

Page 1882: ...s Configuration procedure 1 Configure Device B Enable the NQA server and configure the listening IP address as 10 2 2 2 and port number as 9000 DeviceB system view DeviceB nqa server enable DeviceB nqa server udp echo 10 2 2 2 9000 2 Configure Device A Create a voice test group and configure related test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type voice ...

Page 1883: ...verage 6 Positive SD square sum 54127 Positive DS square sum 1691967 Min negative SD 1 Min negative DS 1 Max negative SD 203 Max negative DS 1297 Negative SD number 255 Negative DS number 259 Negative SD sum 759 Negative DS sum 1796 Negative SD average 2 Negative DS average 6 Negative SD square sum 53655 Negative DS square sum 1691776 One way results Max SD delay 343 Max DS delay 985 Min SD delay ...

Page 1884: ...negative DS 1297 Negative SD number 1028 Negative DS number 1022 Negative SD sum 1028 Negative DS sum 1022 Negative SD average 4 Negative DS average 5 Negative SD square sum 495901 Negative DS square sum 5419 One way results Max SD delay 359 Max DS delay 985 Min SD delay 0 Min DS delay 0 Number of SD delay 4 Number of DS delay 4 Sum of SD delay 1390 Sum of DS delay 1079 Square sum of SD delay 4832...

Page 1885: ...do nqa schedule admin test Display the result of the last DLSw test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 19 19 19 Square Sum of round trip time 361 Last succeeded probe time 2007 11 22 10 40 27 7 Extended results Packet lost in test 0 Failures...

Page 1886: ... NQA test group Create an NQA test group with the administrator name being admin and operation tag being test SwitchA nqa entry admin test Configure the test type of the NQA test group as ICMP echo SwitchA nqa admin test type icmp echo Configure the destination IP address of the ICMP echo test operation as 10 2 1 1 SwitchA nqa admin test icmp echo destination ip 10 2 1 1 Configure the interval bet...

Page 1887: ... 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the static route with the next hop 10 2 1 1 is active and the status of the track entry is positive The static route configuration works Remove the IP address of VLAN interface 3 on Switch B SwitchB system view SwitchB interface vlan interface 3 SwitchB Vlan interface3 undo ip address On Switch A display information about ...

Page 1888: ... 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the next hop 10 2 1 1 of the static route is not reachable and the status of the track entry is negative The static route does not work ...

Page 1889: ... Source Interface for NTP Messages 1 10 Disabling an Interface from Receiving NTP Messages 1 11 Configuring the Maximum Number of Dynamic Sessions Allowed 1 11 Configuring Access Control Rights 1 11 Configuration Prerequisites 1 12 Configuration Procedure 1 12 Configuring NTP Authentication 1 12 Configuration Prerequisites 1 12 Configuration Procedure 1 13 Displaying and Maintaining NTP 1 14 NTP C...

Page 1890: ...s within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within the entire network while it ensures a high clock precision NTP is used when all devices within the network must be consistent in timekeeping for example z In analysis of the log information and debug...

Page 1891: ...1 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of system clock synchronization is as follows z Device A sends Device B an NTP message which is timestamped when it leaves Device A The time stamp is 10 00 00 am T1 z When this NTP message arrives at Device B it is timestamped by Device B The timest...

Page 1892: ...ate timestamp 64 bits 1 4 Main fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit version number indicating the version of NTP The latest version is version 3 z Mode a 3 bit code indicating the work mode of NTP This field can be set to these values 0 res...

Page 1893: ...s z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the IP address of the NTP server or peer is unknown and many devices in the network need to be synchronized you can adopt the broadcast or multicast mode while in the client server and symmetric peers modes a device is synchronized from the specified server o...

Page 1894: ...essage the client sends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and the server and enters the broadcast client mode Periodically broadcasts clock synchronization messages Mode 5 Receives broadcast messages and synchronizes its local clock In the broadcast mode a serv...

Page 1895: ... client mode and 4 server mode to calculate the network delay between client and the server Then the client enters the multicast client mode and continues listening to multicast messages and synchronizes its local clock based on the received multicast messages In symmetric peers mode broadcast mode and multicast mode the client or the symmetric active peer and the server the symmetric passive peer...

Page 1896: ...the client server mode for example when you carry out a command to synchronize the time to a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creating an association static or dynamic In the symmetric mode static associations will be created at the symmetric active peer side and dynamic associations will be crea...

Page 1897: ... device To do Use the command Remarks Enter system view system view Specify a symmetric passive peer for the device ntp service unicast peer vpn instance vpn instance name ip address peer name authentication keyid keyid priority source interface interface type interface number version number Required No symmetric passive peer is specified by default z In the symmetric mode you should use any NTP c...

Page 1898: ...umber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast server To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter the interface used to send NTP broadcast messages Configure the ...

Page 1899: ... synchronized z You can configure up to 1024 multicast clients among which 128 can take effect at the same time Configuring Optional Parameters of NTP Specifying the Source Interface for NTP Messages If you specify the source interface for NTP messages the device sets the source IP address of the NTP messages as the primary IP address of the specified interface when sending the NTP messages When t...

Page 1900: ...ynamic Sessions Allowed To do Use the command Remarks Enter system view system view Configure the maximum number of dynamic sessions allowed to be established locally ntp service max dynamic sessions number Required 100 by default Configuring Access Control Rights With the following command you can configure the NTP service access control right to the local device There are four access control rig...

Page 1901: ...hanism provides only a minimum degree of security protection for the system running NTP A more secure method is identity authentication Configuring NTP Authentication The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand This feature enhances the network security by means of client server key authentication which prohibits a cl...

Page 1902: ...ntication for a client To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disabled by default Configure an NTP authentication key ntp service authentication keyid keyid authentication mode md5 value Required No NTP authentication key by default Configure the key as a trusted key ntp service reliable authentication keyid ...

Page 1903: ...d Associate the specified key with an NTP server Multicast server mode ntp service multicast server authentication keyid keyid Required You can associate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server The procedure of configuring NTP authentication on a server is the same as...

Page 1904: ...set 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer dispersion 0 00 ms Reference time 00 00 00 000 UTC Jan 1 1900 00000000 00000000 Specify Switch A as the NTP server of Switch B so that Switch B is synchronized to Switch A SwitchB system view SwitchB ntp service unicast server 1 0 1 11 View the NTP status of Switch B after clock synchronization SwitchB display ntp service status Clock s...

Page 1905: ...metric passive peer Figure 1 8 Network diagram for NTP symmetric peers mode configuration Switch A Switch B Switch C 3 0 1 31 24 3 0 1 32 24 3 0 1 33 24 Configuration procedure 1 Configuration on Switch B Specify Switch A as the NTP server of Switch B SwitchB system view SwitchB ntp service unicast server 3 0 1 31 2 Configuration on Switch C after Switch B is synchronized to Switch A Specify the l...

Page 1906: ...ce stra reach poll now offset delay disper 245 3 0 1 31 127 127 1 0 2 15 64 24 10535 0 19 6 14 5 1234 3 0 1 33 LOCL 1 14 64 27 77 0 16 0 14 8 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 Configuring NTP Broadcast Mode Network requirements z The local clock of Switch C is to be used as the master clock with a stratum level of 2 z Switch C works in the ...

Page 1907: ...annot receive the broadcast messages from Switch C Switch D gets synchronized upon receiving a broadcast message from Switch C View the NTP status of Switch D after clock synchronization SwitchD Vlan interface2 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 64 0000 Hz Actual frequency 64 0000 Hz Clock precision 2 7 Clock offset 0 ...

Page 1908: ...iguration on Switch C Configure Switch C to work in the multicast server mode and send multicast messages through VLAN interface 2 SwitchC system view SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service multicast server 2 Configuration on Switch D Configure Switch D to work in the multicast client mode and receive multicast messages on VLAN interface 2 SwitchD system view Switch...

Page 1909: ...erent subnets you must enable the multicast functions on Switch B before Switch A can receive multicast messages from Switch C Enable IP multicast routing and IGMP SwitchB system view SwitchB multicast routing enable SwitchB interface vlan interface 2 SwitchB Vlan interface2 pim dm SwitchB Vlan interface2 quit SwitchB vlan 3 SwitchB vlan3 port gigabitethernet 1 0 1 SwitchB vlan3 quit SwitchB inter...

Page 1910: ... disper 1234 3 0 1 31 127 127 1 0 2 255 64 26 16 0 40 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Refer to IGMP Configuration in the IP Multicast volume for how to configure IGMP and PIM Configuring NTP Client Server Mode with Authentication Network requirements z The local clock of Switch A is to be used as the master clock with a stratum lev...

Page 1911: ...itchB display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequency 64 0000 Hz Actual frequency 64 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 1 05 ms Peer dispersion 7 81 ms Reference time 14 53 27 371 UTC Sep 19 2005 C6D94F67 5EF9DB22 As shown above Switch B has been synchronized to Switch A and the c...

Page 1912: ...ecify an authentication key SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server authentication keyid 88 2 Configuration on Switch D Configure NTP authentication SwitchD system view SwitchD ntp service authentication enable SwitchD ntp service authentication keyid 88 authentication mode md5 123456 SwitchD ntp service reliable authentication keyid 88 Configure Swi...

Page 1913: ...As shown above Switch D has been synchronized to Switch C and the clock stratum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interface2 display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 3 254 64 6...

Page 1914: ...tween the Management Device and the Member Devices Within a Cluster 1 11 Configuring Cluster Management Protocol Packets 1 11 Cluster Member Management 1 12 Configuring the Member Devices 1 13 Enabling NDP 1 13 Enabling NTDP 1 13 Manually Collecting Topology Information 1 13 Enabling the Cluster Function 1 13 Deleting a Member Device from a Cluster 1 13 Configuring Access Between the Management De...

Page 1915: ...ing topology discovery and display function which is useful for network monitoring and debugging z Allowing simultaneous software upgrading and parameter configuration on multiple devices free of topology and distance limitations Roles in a Cluster The devices in a cluster play different roles according to their different functions and status You can specify the following three roles for the devic...

Page 1916: ...ment is implemented through HW Group Management Protocol version 2 HGMPv2 which consists of the following three protocols z Neighbor Discovery Protocol NDP z Neighbor Topology Discovery Protocol NTDP z Cluster A cluster configures and manages the devices in it through the above three protocols Cluster management involves topology information collection and the establishment and maintenance of a cl...

Page 1917: ...information of all its neighbors The information collected will be used by the management device or the network management software to implement required functions When a member device detects a change on its neighbors through its NDP table it informs the management device through handshake packets Then the management device triggers its NTDP to collect specific topology information so that its NT...

Page 1918: ...saves the state information of its member device and identifies it as Active And the member device also saves its state information and identifies itself as Active z After a cluster is created its management device and member devices begin to send handshake packets Upon receiving the handshake packets from the other side the management device or a member device simply remains its state as Active w...

Page 1919: ...the management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the cascade ports connecting the management device and the member candidate devices prohibit the packets from the management VLAN you can set the packets from the management VLAN to pass the ports on candidate devices with the management VLAN auto negotiation fu...

Page 1920: ...er Optional Configuring Cluster Management Protocol Packets Optional Configuring the Management Device Cluster Member Management Optional Enabling NDP Optional Enabling NTDP Optional Manually Collecting Topology Information Optional Enabling the Cluster Function Optional Configuring the Member Devices Deleting a Member Device from a Cluster Optional Configuring Access Between the Management Device...

Page 1921: ...ded to a cluster that is the entry with the destination address as the management device cannot be added to the routing table the candidate device will be added to and removed from the cluster repeatedly Configuring the Management Device Enabling NDP Globally and for Specific Ports For NDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to enable NDP gl...

Page 1922: ...ackets otherwise the NDP table may become instable Enabling NTDP Globally and for Specific Ports For NTDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to enable NTDP globally and for specific ports To do Use the command Remarks Enter system view system view Enable NTDP globally ntdp enable Optional Enabled by default interface interface type interfac...

Page 1923: ...l 3 by default Configure the interval to collect topology information ntdp timer interval time Optional 1 minute by default Configure the delay to forward topology collection request packets on the first port ntdp timer hop delay time Optional 200 ms by default Configure the port delay to forward topology collection request on other ports ntdp timer port delay time Optional 20 ms by default The tw...

Page 1924: ...a cluster in two ways manually and automatically With the latter you can establish a cluster according to the prompt information The system 1 Prompts you to enter a name for the cluster you want to establish 2 Lists all the candidate devices within your predefined hop count 3 Starts to automatically add them to the cluster You can press Ctrl C anytime during the adding process to exit the cluster ...

Page 1925: ... packets and the holdtime of a device on the management device This configuration applies to all member devices within the cluster For a member device in Connect state z If the management device does not receive handshake packets from a member device within the holdtime it changes the state of the member device to Disconnect When the communication is recovered the member device needs to be re adde...

Page 1926: ...by default Configure the interval to send MAC address negotiation broadcast packets cluster mac syn interval interval time Optional One minute by default When you configure the destination MAC address for cluster management protocol packets z If the interval for sending MAC address negotiation broadcast packets is 0 the system automatically sets it to 1 minute z If the interval for sending MAC add...

Page 1927: ...bling NDP Refer to Enabling NDP Globally and for Specific Ports Enabling NTDP Refer to Enabling NTDP Globally and for Specific Ports Manually Collecting Topology Information Refer to Manually Collecting Topology Information Enabling the Cluster Function Refer to Enabling the Cluster Function Deleting a Member Device from a Cluster To do Use the command Remarks Enter system view system view Enter c...

Page 1928: ...thentication is passed z When a candidate device is added to a cluster and becomes a member device its super password will be automatically synchronized to the management device Therefore after a cluster is established it is not recommended to modify the super password of any member including the management device and member devices of the cluster otherwise the switching may fail because of an aut...

Page 1929: ...included in the blacklist the MAC address and access port of the latter are also included in the blacklist The candidate devices in a blacklist can be added to a cluster only if the administrator manually removes them from the list The whitelist and blacklist are mutually exclusive A whitelist member cannot be a blacklist member and vice versa However a topology node can belong to neither the whit...

Page 1930: ...re an NM host for a cluster the member devices in the cluster send their Trap messages to the shared SNMP NM host through the management device If the port of an access NM device including FTP TFTP server NM host and log host does not allow the packets from the management VLAN to pass the NM device cannot manage the devices in a cluster through the management device In this case on the management ...

Page 1931: ... devices at one time simplifying the configuration process Follow these steps to configure the SNMP configuration synchronization function To do Use the command Remarks Enter system view system view Enter cluster view cluster Configure the SNMP community name shared by a cluster cluster snmp agent community read write community name mib view view name Required Configure the SNMPv3 group shared by ...

Page 1932: ...ronize the configurations to the member devices in the whitelist This operation is equal to performing the configurations on the member devices You need to enter your username and password when you log in to the devices including the management device and member devices in a cluster through Web Follow these steps to configure Web user accounts in batches To do Use the command Remarks Enter system ...

Page 1933: ...ay the current topology information or the topology path between two devices display cluster current topology mac address mac address to mac address mac address member id member number to member id member number Display members in a cluster display cluster members member number verbose Available in any view Clear NDP statistics reset ndp statistics interface interface list Available in user view C...

Page 1934: ...rnet 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As the configurations of the member devices are the same the configuration procedure of Switch C is omitted here 3 Configure the management device Switch B Enable NDP globally and for ports GigabitEthernet 1 0 2 and GigabitE...

Page 1935: ...witchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Configure the management VLAN of the cluster as VLAN 10 SwitchB vlan 10 SwitchB vlan10 quit SwitchB management vlan 10 Configure ports GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as Trunk ports and allow packets from the management VLAN to pass SwitchB interface gigabitether...

Page 1936: ...55 1 abc_0 SwitchB cluster tftp server 63 172 55 1 abc_0 SwitchB cluster logging host 69 172 55 4 abc_0 SwitchB cluster snmp host 69 172 55 4 Add the device whose MAC address is 00E0 FC01 0013 to the blacklist abc_0 SwitchB cluster black list add mac 00e0 fc01 0013 abc_0 SwitchB cluster quit Add port GigabitEthernet 1 0 1 to VLAN 2 and configure the IP address of VLAN interface 2 abc_0 SwitchB vla...

Page 1937: ...guring IRF Ports 1 12 Setting a Member ID for a Device 1 13 Specifying a Priority for an IRF Member 1 14 Specifying the Preservation Time of IRF Bridge MAC Address 1 14 Enabling Auto Upgrade of Boot Files 1 16 Setting the Delay Time for the Link Layer to Report a Link Down Event 1 16 Logging In to an IRF 1 17 Logging In to the Master 1 17 Logging In to a Slave 1 17 Displaying and Maintaining IRF 1...

Page 1938: ...ng the united device In an IRF every single device is an IRF member and plays one of the following two roles according to its function z Master A member device It is elected to manage the entire IRF An IRF has only one master at one time z Slave A member device It is managed by the master and operates as a backup of the master In an IRF except for the master all the other devices are the slaves Fo...

Page 1939: ...egated but also the physical links between the IRF system and the upper or lower layer devices can be aggregated and thus the reliability of the IRF system is increased through the link backup The IRF system comprises multiple member devices the master runs manages and maintains the IRF whereas the slaves process services as well as functioning as the backups When the master fails the IRF system e...

Page 1940: ... their physical locations on the rear panel of the Switch 4800G series With the rear panel facing you the physical IRF ports are numbered successively from left to right ports on the interface module in slot 1 are numbered 1 and 2 and ports on the interface module in slot 2 are numbered 3 and 4 as shown in Figure 1 2 which illustrates an example of inserting a CX4 dual port interface module Figure...

Page 1941: ...connection is more reliable than a bus connection The failure of one link in a ring connection does not affect the function and performance of the IRF whereas the failure of one link in a bus connection causes the split of the IRF You are recommended to connect at most four Switch 4800G series switches to form an IRF Correspondence between an IRF port and a physical IRF port The connection of IRF ...

Page 1942: ...e following examples to introduce correspondence between the IRF port and the physical IRF port s z When the dual port 10 GE SFP interface module is used the correspondence between the IRF port and the physical IRF port s is similar 1 IRF port correspondence for one interface module Figure 1 5 IRF port correspondence for one interface module When a dual port interface module is installed you need ...

Page 1943: ...must ensure that the serial number of the physical IRF port bound to IRF port 1 is smaller than that of the physical IRF port bound to IRF port 2 namely the physical IRF port bound to IRF port 2 should be located on the right side of the physical IRF port bound to IRF port 1 The two physical IRF ports bound to the IRF ports can be located either on one interface module or on different interface mo...

Page 1944: ...kets with the directly connected neighbors to collect topology of the entire IRF The hello packets carry topology information including IRF port connection states member IDs priorities and bridge MAC addresses Each member records its known topology information locally At the initiation of the collection the members record their own topology information When an IRF port of a member becomes up the m...

Page 1945: ... join the winner side as slaves z IRF split In an IRF the failure of IRF cables or power off of a member causes physical disconnection between two devices and the process is IRF split IRF Management Member ID An IRF uses member IDs to uniquely identify and manage member devices For a device that does not support IRF an interface is named GigabitEthernet 1 0 1 where the first number is always 1 for...

Page 1946: ...ght z Interface serial number is dependent on the number of interfaces supported by the device View the silkscreen on the interface card for the number of supported interfaces For example GigabitEthernet 1 0 1 is an interface on the independently operating device Sysname To set the link type of GigabitEthernet 1 0 1 to trunk perform the following steps Sysname system view Sysname interface gigabit...

Page 1947: ... Jul 14 2008 11 54 04 aa 20080714 cfg 30861 KB total 20956 KB free To access the file system of the master use the name of the storage device to access the file system of a slave use the name in the following format Member ID Storage device name For example 1 To access the test folder under the root directory of the flash on the master perform the following steps Master mkdir test Created dir flas...

Page 1948: ...on file of the master and are synchronized to each device in the IRF when you save the current configuration file of the master as the initial configuration file by using the save command all slaves execute the same saving operation to make the initial configuration files of all devices consistent Through the real time synchronization all devices in the IRF keep the same configuration file If the ...

Page 1949: ...ake take effect on the master and will be applied to the member devices in the IRF For easy fault location and device maintenance the Switch 4800G provides slave view where you can execute the display terminal and debug commands Complete the following tasks to configure IRF Task Remarks Configuring IRF Ports Required Setting a Member ID for a Device Optional Specifying a Priority for an IRF Member...

Page 1950: ...ember ID of a device defaults to 1 During the establishment of an IRF when the devices that form the IRF have duplicated member IDs the member ID of the master is decided first and then the member IDs of slaves are decided one by one according to their distances to the master that is the nearest slave gets the smallest available ID and the nearer slave gets the smaller available ID and so forth af...

Page 1951: ...2 will use the original port configurations of device 3 and device 3 will use those of device 2 Specifying a Priority for an IRF Member Each IRF member has a priority During the master election a member with the greatest priority will be elected as the master The priority of a device defaults to 1 You can modify the priority through command lines The greater the priority value the higher the prior...

Page 1952: ...dress occurs and thus causes flow interruption Therefore configure the preservation time IRF bridge MAC address according to your network status z Preserve for six minutes After the master leaves the bridge MAC address will not change within six minutes If the master does not come back after six minutes the IRF system will use the bridge MAC address of the newly elected master as that of the IRF z...

Page 1953: ...ences caused by the IRF establishment to the network you are recommended to ensure that the device and the IRF master have the same software version before adding a device into an IRF z After loading the master s boot file automatically a slave configures the file as the boot file for the next boot and reboots automatically z Because system boot file occupies large memory space to make the auto up...

Page 1954: ...l displays the master console However the device can redirect you to a specified slave device After you are redirected to a slave device the user access terminal displays the console of the slave device instead of that of the master device The system enters user view of the salve device and the command prompt is changed to Sysname member ID for example Sysname 2 What you have input on the access t...

Page 1955: ...e configuration takes effect after the reboot of the device display irf configuration Available in any view Display the master slave switchover states of IRF members display switchover state member id Available in any view IRF Configuration Examples IRF Connection Configuration Example Network requirements Three Switch 4800G series switches in an IRF form a bus connection Their member IDs are 1 2 ...

Page 1956: ...result in configuration change or loss Continue Y N y Switch2 irf member 1 irf port 1 port 2 Switch2 irf member 1 irf port 2 port 3 Configure Switch 3 Switch3 system view Switch3 irf member 1 renumber 3 Warning Renumbering the switch number may result in configuration change or loss Continue Y N y Switch3 irf member 1 irf port 2 port 3 2 Power off the three devices Connect them as shown in Figure ...

Page 1957: ...i Table of Contents 1 IPC Configuration 1 1 IPC Overview 1 1 Introduction to IPC 1 1 Enabling IPC Performance Statistics 1 2 Displaying and Maintaining IPC 1 3 ...

Page 1958: ...refore a distributed device corresponds to multiple nodes Therefore in actual application IPC is mainly applied on an IRF or distributed device it provides a reliable transmission mechanism between different devices and boards Link An IPC link is a connection between any two IPC nodes There is one and only one link between any two nodes for packet sending and receiving All IPC nodes are fully conn...

Page 1959: ...eate multiple multicast groups The creation and deletion of a multicast group and multicast group members depend on the application module z Mixcast namely both unicast and multicast are supported Enabling IPC Performance Statistics When IPC performance statistics is enabled the system collects statistics for packet sending and receiving of a node in a specified time range for example in the past ...

Page 1960: ...f a node display ipc multicast group node node id self node Display packet information of a node display ipc packet node node id self node Display link status information of a node display ipc link node node id self node Display IPC performance statistics information of a node display ipc performance node node id self node channel channel id Available in any view Clear IPC performance statistics i...

Page 1961: ...al Networking of Automatic Configuration 1 1 How Automatic Configuration Works 1 2 Work Flow of Automatic Configuration 1 2 Obtaining the IP Address of an Interface and Related Information Through DHCP 1 3 Obtaining the Configuration File from the TFTP Server 1 5 Executing the Configuration File 1 7 ...

Page 1962: ...configuration files on a specified server and the device can automatically obtain and execute the configuration files therefore greatly reducing the workload of administrators Typical Networking of Automatic Configuration Figure 1 1 Network diagram for automatic configuration As shown in Figure 1 1 the device implements automatic configuration with the cooperation of a DHCP server TFTP server and ...

Page 1963: ...eters such as an IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device will send a TFTP request to obtain the configuration file from the specified TFTP server for system initialization If the client cannot get such parameters it performs system initialization without loading any configuration file z To impleme...

Page 1964: ...hen a device starts up without loading the configuration file the system automatically configures the first active interface if an active Layer 2 Ethernet interface exists this first interface is a virtual interface corresponding with the default VLAN of the device as obtaining its IP address through DHCP The device broadcasts a DHCP request through this interface The Option 55 field specifies the...

Page 1965: ... The DHCP server will select an address pool where an IP address is statically bound to the MAC address or ID of the client and assign the statically bound IP address and other configuration parameters to the client You can configure an address allocation mode as needed z Different devices with the same configuration file You can configure dynamic address allocation on the DHCP server to assign IP...

Page 1966: ...d z The configuration file specified by the Option 67 or file field in the DHCP response z The intermediate file with the file name as network cfg used to save the mapping between the IP address and the host name The mapping is defined in the following format ip host hostname ip address For example the intermediate file can include the following ip host host1 101 101 101 101 ip host host2 101 101 ...

Page 1967: ... its host name first and then requests the configuration file corresponding with the host name The device can obtain its host name in two steps obtaining the intermediate file from the TFTP server and then searching in the intermediated file for its host name corresponding with the IP address of the device if fails the device obtains the host name from the DNS server z If the device fails to obtai...

Page 1968: ...if the device performs the automatic configuration and the TFTP server are not in the same segment because broadcasts can only be transmitted in a segment For the detailed description of the UDP Helper function refer to UDP Helper Configuration in the IP Services Volume Executing the Configuration File Upon successfully obtaining the configuration file the device removes the temporary configuratio...

Reviews:

No comments

Related manuals for 4500G PWR 24-Port

D-Link DSS-16+ Reference Manual preview
DSS-16+
Brand: D-Link Pages: 2
hager EMN005 User Instructions preview
EMN005
Brand: hager Pages: 2
hager HIC4 A Series Quick Start preview
HIC4 A Series
Brand: hager Pages: 4
hager EGN100 Manual preview
EGN100
Brand: hager Pages: 2
3onedata TNS5800-8GP16GT-P24VDC Quick Installation Manual preview
TNS5800-8GP16GT-P24VDC
Brand: 3onedata Pages: 3
Santon D1-G/H-T Installation Manual preview
D1-G/H-T
Brand: Santon Pages: 16
Maiwe MIEN2206 User Manual preview
MIEN2206
Brand: Maiwe Pages: 14
G-Force Power Switch G0021 Instruction Manual preview
Power Switch G0021
Brand: G-Force Pages: 2
Audio Authority Ascentic MH10-ARC User Manual preview
Ascentic MH10-ARC
Brand: Audio Authority Pages: 5
Black Box KV0416A Specifications preview
KV0416A
Brand: Black Box Pages: 3
Qlogic SANbox 5802V Interface Manual preview
SANbox 5802V
Brand: Qlogic Pages: 412
Star Progetti SW3500 Manual Instruction preview
SW3500
Brand: Star Progetti Pages: 6
socomec SIRCO MOT PV UL Instruction Manual preview
SIRCO MOT PV UL
Brand: socomec Pages: 20
SEKURYX CK4-HPD404C User Manual preview
CK4-HPD404C
Brand: SEKURYX Pages: 13
DeviceWell HDS9326 User Manual preview
HDS9326
Brand: DeviceWell Pages: 32
xpr TBS Manual preview
TBS
Brand: xpr Pages: 12
Quintum Tenor AS Product Manual preview
Tenor AS
Brand: Quintum Pages: 125
S&C AS-1A Instructions For Installation Manual preview
AS-1A
Brand: S&C Pages: 23

Brands by name

Popular brands

Load more brands