manualshive.com logo in svg

Huawei Quidway S3500 Series, Operation Manual, Page: 527 / 671

Share
Download
Huawei Quidway S3500 Series Operation Manual Download Page 527

Operation Manual - Security 
Quidway S3500 Series Ethernet Switches 

Chapter 4  EAD Configuration

 

Huawei Technologies Proprietary 

4-2 

Client

Authentication server

Security policy server

Virus patch server

 

Figure 4-1 

EAD network application 

After a user client passes the authentication, the security client (software installed on 
the client PC) checks the security condition of the user client and interacts with the 
security policy server. If its security condition is unqualified, the security policy server 
delivers an ACL packet to let the switch only allow the user client to access the virus 
patch server.  

When the user client is installed with the virus patches and its security condition 
becomes qualified, the security condition information is then sent to the security policy 
server, which delivers an ACL packet to let the switch enable the access right of the 
user client. The user client can then access more network resources.  

4.3  EAD Configuration Tasks 

Table 4-1 

EAD configuration tasks 

Configuration step 

Command 

Description 

Enter system view 

system-view

 

–– 

Enter RADIUS scheme 
view 

radius scheme

 

radius-scheme-name

 

–– 

Configure IP address for 
the security policy server

session-control-server

 

ip-address

 

In a RADIUS scheme, 
you can configure up to 
eight security policy 
servers with different IP 
addresses.  

 

Summary of Contents for Quidway S3500 Series

Page 1: ...ng Started 2 Port 3 VLAN 4 Network Protocol 5 Routing Protocol 6 Multicast 7 QoS ACL 8 Integrated Management 9 STP 10 Security 11 Reliability 12 System Management 13 Auto Detecting 14 Appendix Quidway S3500 Series Ethernet Switches Operation Manual ...

Page 2: ...u purchase the products from the sales agent of Huawei Technologies Co Ltd please contact our sales agent If you purchase the products from Huawei Technologies Co Ltd directly Please feel free to contact our local office customer care center or company headquarters Huawei Technologies Co Ltd Address Administration Building Huawei Technologies Co Ltd Bantian Longgang District Shenzhen P R China Pos...

Page 3: ...bridge Tellwin Inmedia VRP DOPRA iTELLIN HUAWEI OptiX C C08iNET NETENGINE OptiX iSite U SYS iMUSE OpenEye Lansway SmartAX infoX and TopEng are trademarks of Huawei Technologies Co Ltd All other trademarks and trade names mentioned in this manual are the property of their respective holders Notice The information in this manual is subject to change without notice Every effort has been made in the p...

Page 4: ...3526E Ethernet Switch Installation Manual It provides information for the system installation Quidway S3526 FM FS Ethernet Switches Installation Manual It provides information for the system installation Quidway S3552 Ethernet Switch Installation Manual It provides information for the system installation Quidway S3526C S3526E FM S3526E FS Ethernet Switches Installation Manual It provides informati...

Page 5: ...oS ACL configuration z Integrated Management This module introduces integrated configuration z STP This module introduces STP configuration z Security This module introduces 802 1X AAA RADIUS HABP and system guard configuration z Reliability This module introduces VRRP configuration z System Management This module introduces system management and maintenance of Ethernet Switch including file syste...

Page 6: ...aces and separated by vertical bars One is selected x y Optional alternative items are grouped in square brackets and separated by vertical bars One or none is selected x y Alternative items are grouped in braces and separated by vertical bars A minimum of one or a maximum of all can be selected x y Optional alternative items are grouped in square brackets and separated by vertical bars Many or no...

Page 7: ... pressed in turn V Mouse operation Action Description Select Press and hold the primary mouse button left mouse button by default Click Select and release the primary mouse button without moving the pointer Double Click Press the primary mouse button twice continuously and quickly without moving the pointer Drag Press and hold the primary mouse button and move the pointer to a certain position VI ...

Page 8: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Getting Started ...

Page 9: ...mand Line Interface 3 1 3 1 Command Line Interface 3 1 3 2 Command Line View 3 1 3 3 Features and Functions of Command Line 3 6 3 3 1 Online Help of Command Line 3 6 3 3 2 Displaying Characteristics of Command Line 3 8 3 3 3 History Command of Command Line 3 8 3 3 4 Common Command Line Error Messages 3 9 3 3 5 Editing Characteristics of Command Line 3 9 Chapter 4 User Interface Configuration 4 1 4...

Page 10: ...ule slots The only difference between S3526 FS S3526E FS and S3526 FM S3526E FM Ethernet switches is the fixed optical port attribute S3526 FS S3526E FS Ethernet switches provide 12 100M single mode optical ports while S3526 FM S3526E FM Ethernet switches provide 12 100M multi mode optical ports Each of them provides 4 extension module slots and 1 Console port S3552G Ethernet Switch provides 48 fi...

Page 11: ...3526E S3526E FM S3526E FS and S3526C in S3500 series switches Supports port isolation in VLAN Only applies to S3552G S3552P S3528G S3528P S3552F S3526E S3526E FM S3526E FS and S3526C in S3500 series switches STP protocol Supports Spanning Tree Protocol STP Rapid Spanning Tree Protocol RSTP compliant with IEEE 802 1D IEEE802 1w Standard Only applies to S3526 S3526 FS S3526 FM S3526E S3526E FS S3526...

Page 12: ...e Supports Routing Information Protocol RIP V1 v2 Supports Open Shortest Path First OSPF Supports Border Gateway Protocol BGP Supports IP routing policy ARP Supports ARP Support Gratuitous ARP Only applies to S3552G S3552P S3528G S3528P S3552F S3526E S3526E FM S3526E FS and S3526C in S3500 series switches DHCP Supports Dynamic Host Configuration Protocol DHCP Relay Supports DHCP Server Only applie...

Page 13: ...ion Supports bandwidth control Supports priority Supports queues of different priority on the port Queue scheduling supports Strict Priority Queuing SP Weighted Round Robin WRR Delay bounded WRR only S3526E S3526E FM S3526E FS S3526C support the WRR with the maximum delay Management and Maintenance Supports command line interface configuration Supports configuration via Console port Supports remot...

Page 14: ... a PC or a terminal to the Console port of the switch with the Console cable Console port RS 232 Serial port Console cable Figure 2 1 Setting up the local configuration environment via the Console port Step 2 Run terminal emulator such as Terminal on Windows 3X or the Hyper Terminal on Windows 9X on the Computer Set the terminal communication parameters as follows Set the baud rate to 9600 databit...

Page 15: ...nnection Figure 2 4 Setting communication parameters Step 3 The switch is powered on Display self test information of the switch and prompt you to press Enter to show the command line prompt such as Quidway Step 4 Input a command to configure the switch or view the operation state Input a for an immediate help For details of specific commands refer to the following chapters ...

Page 16: ... Note By default the password is required for authenticating the Telnet user to log in the switch If a user logs in via the Telnet without password he will see the prompt Login password has not been set Quidway system view Quidway user interface vty 0 Quidway ui vty0 set authentication password simple xxxx xxxx is the preset login password of Telnet user Step 2 To set up the configuration environm...

Page 17: ... specific commands refer to the following chapters Note z When configuring the switch via Telnet do not modify the IP address of it unless necessary for the modification might cut the Telnet connection z By default when a Telnet user passes the password authentication to log on to the switch he can access the commands at Level 0 2 2 2 Telneting a Switch through another Switch After a user has logg...

Page 18: ...nt Quidway telnet xxxx xxxx can be the hostname or IP address of the Telnet Server If it is the hostname you need to use the ip host command to specify Step 4 Enter the preset login password and you will see the prompt such Quidway If the prompt All user interfaces are used please try later appears it indicates that too many users are connected to the switch through the Telnet at this moment In th...

Page 19: ...orce DSR to be high level ATEQ1 W Bar the modem to send command response or execution result and save the configurations After the configuration key in the AT V command to verify the Modem settings Note z The Modem configuration commands and outputs may be different according to different Modems For details refer to the User Manual of the Modem z It is recommended that the transmission rate on the...

Page 20: ...number of the Modem connected to the switch See the two figures below Figure 2 9 Setting the dialed number Figure 2 10 Dialing on the remote PC Step 5 Enter the preset login password on the remote terminal emulator and wait for the prompt such as Quidway Then you can configure and manage the switch Enter to get the immediate help For details of specific commands refer to the following chapters Not...

Page 21: ...TP service for the users to upload and download files z Provide the function similar to Doskey to execute a history command z The command line interpreter searches for target not fully matching the keywords It is ok for you to key in the whole keyword or part of it as long as it is unique and not ambiguous 3 2 Command Line View Quidway series switches provide hierarchy protection for the command l...

Page 22: ...and User ID authentication is performed when users at lower level switch to users at higher level In other words user password of the higher level is needed Suppose the user has set the super password level level simple cipher password For the sake of confidentiality on the screen the user cannot see the password that he entered Only when correct password is input for three times can the user swit...

Page 23: ...w z User defined ACL view z Conform level view z WRED index view z RADIUS server group view z ISP domain view The following table describes the function features of different views and the ways to enter or quit Table 3 1 Function feature of command view Comman d view Function Prompt Command to enter Command to exit User view Show the basic information about operation and statistics Quidway Enter r...

Page 24: ...n system view quit returns to system view return returns to user view Local use r view Configure local user parameters Quidway luser user1 Key in local user user1 in system view quit returns to system view return returns to user view User interface view Configure user interface parameters Quidway ui0 Key in user interface 0 in system view quit returns to system view return returns to user view FTP...

Page 25: ... system view return returns to user view OSPF view Configure OSPF parameters Quidway ospf 1 Key in ospf in system view quit returns to system view return returns to user view OSPF area view Configure OSPF area parameters Quidway ospf area 0 0 0 1 Key in area 1 in OSPF view quit returns to OSPF view return returns to user view BGP view Configure BGP parameters Quidway bgp Key in bgp 100 in system v...

Page 26: ...ping table Quidway conf orm level 0 Key in qos conform level 0 in system view quit returns to system view return returns to user view WRED index view Configure WRED parameters Quidway wred 0 Key in wred 0 in system view quit returns to system view return returns to user view RADIUS server group view Configure radius parameters Quidway radiu s 1 Key in radius scheme 1 in system view quit returns to...

Page 27: ...ironment 3 Input a command with a separated by a space If this position is for parameters all the parameters and their brief descriptions will be listed Quidway interface vlan 1 4094 VLAN interface number Quidway interface vlan 1 cr cr indicates no parameter in this position The next command line repeats the command you can press Enter to execute it directly 4 Input a character string with a then ...

Page 28: ...e Command line interface provides the function similar to that of DosKey The commands entered by users can be automatically saved by the command line interface and you can invoke and execute them at any time later History command buffer is defaulted as 10 That is the command line interface can store 10 history commands for each user The operations are shown in the table below Table 3 3 Retrieving ...

Page 29: ...d The input command is incomplete Too many parameters Enter too many parameters Ambiguous command The parameters entered are not specific 3 3 5 Editing Characteristics of Command Line Command line interface provides the basic command editing function and supports to edit multiple lines A command cannot longer than 256 characters See the table below Table 3 5 Editing functions Key Function Common k...

Page 30: ...yping the incomplete key word and the system will execute the partial help If the key word matching the typed one is unique the system will replace the typed one with the complete key word and display it in a new line if there is not a matched key word or the matched key word is not unique the system will do no modification but display the originally typed word in a new line ...

Page 31: ... switch via the Console port A switch can only have one AUX user interface z VTY user interface VTY user interface is used to telnet the switch A switch can have up to five VTY user interface Note For Quidway series switches AUX port and Console port are the same one There is only the type of AUX user interface User interface is numbered in the following two ways absolute number and relative numbe...

Page 32: ...configuration in system view Table 4 1 Entering user interface view Operation Command Enter a single user interface view or multi user interface views user interface type first number last number 4 2 2 Configuring the User Interface Supported Protocol The following command is used for setting the supported protocol by the current user interface You can log in switch only through the supported prot...

Page 33: ... Console Port The following commands can be used for configuring the attributes of the AUX Console port including speed flow control parity stop bit and data bit Perform the following configurations in user interface AUX user interface only view I Configuring the transmission speed on AUX Console port Table 4 3 Configuring the transmission speed on AUX Console port Operation Command Configure the ...

Page 34: ...V Configuring the data bit of AUX Console port Table 4 7 Configuring the data bit of AUX Console port Operation Command Configure the data bit of AUX Console port databits 7 8 Restore the default data bit of AUX Console port undo databits By default AUX Console port supports 8 data bits 4 2 4 Configuring the Terminal Attributes The following commands can be used for configuring the terminal attrib...

Page 35: ...se this command on the user interface via which you log in z You will be asked to confirm before using undo shell on any legal user interface II Configuring idle timeout Table 4 9 Configuring idle timeout Operation Command Configure idle timeout idle timeout minutes seconds Restore the default idle timeout undo idle timeout By default idle timeout is enabled and set to 10 minutes on all the user i...

Page 36: ...tory command buffer size Operation Command Set the history command buffer size history command max size value Restore the default history command buffer size undo history command max size By default the size of the history command buffer is 10 that is 10 history commands can be saved 4 2 5 Managing Users The management of users includes the setting of user logon authentication method level of comm...

Page 37: ...o set authentication password Configure for password authentication when a user logs in through a VTY 0 user interface and set the password to huawei Quidway user interface vty 0 Quidway ui vty0 authentication mode password Quidway ui vty0 set authentication password simple huawei 2 Perform local or remote authentication of username and password to the user interface Using authentication mode sche...

Page 38: ...ecified user For S3552 series S3528 series S3526E series and S3526C service type ftp ftp directory directory lan access ssh telnet level level Cancel the service type of the specified user For S3552 series S3528 series S3526E series and S3526C undo service type ftp ftp directory lan access ssh telnet level level Set a service type for the specified user For S3526 S3526 FM and S3526 FS service type...

Page 39: ...A RADIUS authentication the commands they can use are determined by the user level settings For example if a use is set to level 3 and the command level on the VTY 0 user interface is level 1 he or she can only use the commands of level 3 or lower when logging into the switch from the VTY 0 user interface z For the users using RSA public key authentication the commands they can use are determined ...

Page 40: ...ured to be run automatically it will be automatically executed when you log in again This command is usually used to automatically execute telnet command on the terminal which will connect the user to a designated device automatically Perform the following configuration in user interface view Table 4 19 Configuring to automatically run the command Operation Command Configure to automatically run t...

Page 41: ...execute display command in any view to display the running of the user interface configuration and to verify the effect of the configuration Execute free command in user view to clear a user in a specified user interface Table 4 20 Displaying and debugging user interface Operation Command Clear a user in a specified user interface free user interface type number Display the user application inform...

Page 42: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Port ...

Page 43: ... 1 2 11 Set the Default VLAN ID for the Ethernet Port 1 7 1 2 12 Set the VLAN VPN Feature 1 8 1 2 13 Set loopback detection for the Ethernet port 1 9 1 2 14 Set the Time Interval of Calculating Port Statistics Information 1 10 1 2 15 Port Traffic Threshold Configuration 1 10 1 3 Display and Debug Ethernet Port 1 12 1 4 Ethernet Port Configuration Example 1 13 1 5 Ethernet Port Troubleshooting 1 13...

Page 44: ...lots in the front panel support 6 port 10 100Base T module 6 port 100Base FX single mode module and 6 port 100Base FX multi mode module The two extended module slots in the rear panel support 1000Base SX 1000Base LX 1000Base T 1000Base ZX 1000Base LX GL module and stack module S3552G Ethernet Switch provides 48 fixed 10 100Base TX Ethernet ports and four GBIC interface modules S3552P Ethernet Swit...

Page 45: ... S3526E S3526C Ethernet switches can operate in 1000M full duplex 100M half duplex full duplex and 10M half duplex full duplex modes The configurations of these Ethernet ports are basically the same which will be described in the following sections 1 2 Ethernet Port Configuration Ethernet port configuration includes z Enter Ethernet port view z Enable Disable Ethernet port z Set description charac...

Page 46: ...wn Enable an Ethernet port undo shutdown By default the port is enabled 1 2 3 Set Description Character String for Ethernet Port To distinguish the Ethernet ports you can use the following command to make some necessary descriptions Perform the following configuration in Ethernet port view Table 1 3 Set description character string for Ethernet port Operation Command Set description character stri...

Page 47: ...gotiation mode However if the speed has been set to 1000Mbps the duplex mode can only be set to full full duplex or auto auto negotiation The port defaults the auto auto negotiation mode 1 2 5 Set Speed on the Ethernet Port You can use the following command to set the speed on the Ethernet port If the speed is set to auto negotiation mode the local and peer ports will automatically negotiate about...

Page 48: ...e default type of the cable connected to the Ethernet port undo mdi Note that the settings only take effect on 10 100Base T and 1000Base T ports By default the cable type is auto auto recognized That is the system can automatically recognize the type of cable connecting to the port 1 2 7 Enable Disable Flow Control for Ethernet Port After enabling flow control in both the local and the peer switch...

Page 49: ...atio undo broadcast suppression By default 100 broadcast traffic is allowed to pass through that is no broadcast suppression will be performed 1 2 9 Set link type for Ethernet port Ethernet port can operate in three different link types access hybrid and trunk types The access port carries one VLAN only used for connecting to the user s computer The trunk port can belong to more than one VLAN and ...

Page 50: ...st tagged untagged Add the current trunk port to specified VLANs port trunk permit vlan vlan_id_list all Remove the current access port from to a specified VLAN undo port access vlan Remove the current hybrid port from to specified VLANs undo port hybrid vlan vlan_id_list Remove the current trunk port from specified VLANs undo port trunk permit vlan vlan_id_list all Note that the access port shall...

Page 51: ... vlan you cannot modify the default VLAN ID until the mapping relationship has been removed z To guarantee the proper packet transmission the default VLAN ID of local hybrid port or Trunk port should be identical with that of the hybrid port or Trunk port on the peer switch By default the VLAN of hybrid port and trunk port is VLAN 1 and that of the access port is the VLAN to which it belongs 1 2 1...

Page 52: ...the port loopback detection and setting detection interval for the external loopback condition of each port If there is a loopback port found the switch will put it under control Perform the following configuration in corresponding view Table 1 13 Set loopback detection for the Ethernet port Operation Command Enable loopback detection on the port System view Ethernet port view loopback detection e...

Page 53: ...iguring a time interval When calculating port statistics information the switch calculates the average port speed during the time interval Perform the following configuration in Ethernet port view Table 1 14 Set the time interval of calculating port statistics information Operation Command Set the time interval of calculating port statistics information flow interval interval Restore the default t...

Page 54: ...essages Note The prompt character for Ethernet port view may vary with specific configuration II Port Traffic Threshold Configuration Example 1 Configuration requirements z The traffic threshold on the Ethernet0 1 port is 5000pps and the detection interval is 10 seconds z The system disables the port and sends trap messages when actual traffic on the port exceeds the specified threshold 2 Configur...

Page 55: ...o clear the statistics information of the port Table 1 16 Display and debug Ethernet port Operation Command Configure to perform loopback test on the Ethernet port loopback external internal Display the information of the cable test virtual cable test Display all the information of the port display interface interface_type interface_type interface_num interface_name Display hybrid port or trunk po...

Page 56: ...ration procedure The following configurations are used for Switch A Please configure Switch B in the similar way Enter the Ethernet port view of Ethernet0 18 Quidway interface ethernet0 18 Set the Ethernet0 18 as a trunk port and allows VLAN 2 6 through 50 and 100 to pass through Quidway Ethernet0 18 port link type trunk Quidway Ethernet0 18 port trunk permit vlan 2 6 to 50 100 Create the VLAN 100...

Page 57: ... of eight ports The starting port of an aggregated group can only be Ethernet0 1 Ethernet0 9 Ethernet1 5 or Gigabitethernet3 1 and the port numbers in a group and on the same slot must be consecutive If a group contains the ports on two slots those on the same slots and slot numbers must be consecutive and the starting port must be the first port on the second slot An S3552G S3552P S3528G S3528P S...

Page 58: ...te 2 3 Display and Debug Link Aggregation After the above configuration execute display command in any view to display the running of the link aggregation configuration and to verify the effect of the configuration Table 2 2 Display the information of the link aggregation Operation Command Display the information of the link aggregation display link aggregation master_port_num 2 4 Link Aggregation...

Page 59: ... ports Ethernet0 2 Ethernet0 3 Mode both 2 5 Ethernet Link Aggregation Troubleshooting Fault You might see the prompt of configuration failure when configuring link aggregation Troubleshooting I For S3526 S3526 FM S3526 FS Ethernet Switches take the following steps z Check the input parameter and see whether the starting number of Ethernet port is smaller than the end number If yes take the next s...

Page 60: ... the input parameter and see whether the starting number of Ethernet port is smaller than the end number If yes take the next step z Check whether the Ethernet ports that are in the configured range belong to any other existing link aggregations If not take the next step z Check whether the ports to be aggregated operate in the same speed and full duplex mode If yes take the next step z Check if t...

Page 61: ...N resources 3 2 Port Isolation Configuration Port isolation configuration includes z Configuring port L2 isolation z Configuring uplink port 3 2 1 Configuring Port L2 Isolation When port L2 isolation is configured L2 forwarding becomes unavailable between the ports in the VLAN Perform the following configuration in VLAN view Table 3 1 Configuring port L2 isolation Operation Command Enable port L2 ...

Page 62: ...link port to common isolated port before deleting it from the VLAN z If a Trunk port is set as uplink port then you are recommended to set that all VLAN are allowed to pass through the Trunk port and that it is the only uplink port in that VLAN z You cannot enable port isolation and link aggregation concurrently on a port 3 3 Port Isolation Configuration Example I Networking requirement Community ...

Page 63: ...Operation Manual Port Quidway S3500 Series Ethernet Switches Chapter 3 Port Isolation Configuration Huawei Technologies Proprietary 3 3 Quidway Ethernet0 1 port isolate uplink port vlan 1 ...

Page 64: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual VLAN ...

Page 65: ... 1 5 1 3 2 Create Delete the Association Between an Port and a Protocol Based VLAN 1 6 1 4 Display and Debug VLAN 1 6 1 5 VLAN Configuration Example 1 7 Chapter 2 Isolate User Vlan Configuration 2 1 2 1 Isolate user vlan Overview 2 1 2 2 Configure isolate user vlan 2 1 2 2 1 Configure isolate user vlan 2 1 2 2 2 Configure Secondary VLAN 2 2 2 2 3 Configure to Map isolate user vlan to Secondary VLA...

Page 66: ...etary ii Chapter 4 Super VLAN 4 1 4 1 Overview of Super VLAN 4 1 4 2 Super VLAN Configuration 4 1 4 2 1 Configuring a Super VLAN 4 1 4 2 2 Configuring a Sub VLAN 4 2 4 2 3 Configuring the Mapping between Super a VLAN and a Sub VLAN 4 2 4 3 Displaying Super VLAN 4 3 4 4 Super VLAN Configuration Example 4 3 ...

Page 67: ...raffic saving device investment simplifying network management and improving security 1 2 VLAN Common Configuration To configure a VLAN first create a VLAN according to the requirements Main VLAN configuration includes z Enable Disable VLAN feature S3526E S3526C switches support in S3500 series switches z Create Delete a VLAN z Add Ethernet ports to a VLAN z Set Delete VLAN or VLAN interface descr...

Page 68: ...em view Table 1 2 Create Delete a VLAN Operation Command Create a VLAN and enter the VLAN view vlan vlan_id Delete the specified VLAN undo vlan vlan_id to vlan_id all If the VLAN to be created exists enter the VLAN view directly Otherwise create the VLAN first and then enter the VLAN view vlan_id specifies the VLAN ID Note that the default VLAN namely VLAN 1 cannot be deleted 1 2 3 Add Ethernet Po...

Page 69: ...or VLAN interface description string Restore the default description of current VLAN or VLAN interface undo description By default VLAN description character string is VLAN ID of the VLAN e g VLAN 0001 VLAN interface description character string is the VLAN interface name e g Vlan interface1 Interface 1 2 5 Name the current VLAN You can use the following command to name the current VLAN Perform th...

Page 70: ...he IP address and mask You can use the following command to set or delete the IP address and mask for the VLAN interface Generally it is enough to configure one IP address for an interface You can also configure 10 IP addresses for an interface so that it can be connected to several subnets Among these IP addresses one is the primary IP address and all others are secondary Perform the following co...

Page 71: ...rface is enabled 1 3 Protocol Based VLAN Configuration Note Currently only Quidway S3552G S3552P S3528G S3528P S3552F Ethernet Switches support the protocol based VLAN configuration Protocol based VLAN configuration includes z Create Delete a VLAN protocol type z Create Delete the association between an port and a protocol based VLAN 1 3 1 Create Delete a VLAN Protocol Type You can use the followi...

Page 72: ...te that the port must be a Hybrid port and it must belong to that protocol based VLAN 1 4 Display and Debug VLAN After the above configuration execute display command in any view to display the running of the VLAN configuration and to verify the effect of the configuration Table 1 11 Display and debug VLAN Operation Command Display the related information about VLAN interface display interface vla...

Page 73: ...et 0 4 to VLAN3 II Networking diagram VLAN3 Switch E0 3 E0 2 VLAN2 VLAN3 E0 4 E0 1 Switch VLAN3 Switch E0 3 E0 2 VLAN2 VLAN3 E0 4 E0 1 Switch Figure 1 1 VLAN configuration example III Configuration procedure Create VLAN 2 and enters its view Quidway vlan 2 Add Ethernet 0 1 and Ethernet 0 2 to VLAN2 Quidway vlan2 port ethernet 0 1 to ethernet 0 2 Create VLAN 3 and enters its view Quidway vlan2 vlan...

Page 74: ...ignores those Secondary VLANs thereby streamlining the configuration and saving the VLAN source You can use isolate user vlan to implement the isolation of the Layer 2 packets through assigning a Secondary VLAN for each user which only includes the ports and the Uplink ports connected to the user You can put the ports connected to different users into one Secondary VLAN to implement the Layer 2 pa...

Page 75: ... you cannot configure a Trunk port on the Ethernet switch already configured with the isolate user vlan and vise versa In addition the Uplink port has to be added into the isolate user vlan 2 2 2 Configure Secondary VLAN You can use the following commands to create a Secondary VLAN and add new ports to it Create a secondary VLAN in system view and add new ports to it in VLAN view Table 2 2 Configu...

Page 76: ...remove a VLAN You can perform these operations after removing the mapping relationship Without the specified secondary secondary_vlan_numlist parameter the undo isolate user vlan command will remove the mapping relationship between the specified isolate user vlan and all the Secondary VLANs Otherwise the relationship between the specified isolate user vlan and the specified Secondary VLAN will be ...

Page 77: ... carries one VLAN VLAN 5 and VLAN 6 respectively II Networking diagram Switch C vlan 5 vlan 6 vlan 3 Switch A E1 1 E0 3 E0 4 E1 1 Switch B E0 1 E0 2 vlan 2 vlan 4 vlan 3 Figure 2 1 isolate user vlan configuration example III Configuration procedure Hereafter only listed the configuration procedure of the Switch B and Switch C Configure Switch B Configure isolate user vlan Quidway vlan 5 Quidway vl...

Page 78: ...3 Configure Switch C Configure isolate user vlan Quidway vlan 6 Quidway vlan6 isolate user vlan enable Quidway vlan6 port ethernet1 1 Configure Secondary VLAN Quidway vlan6 vlan 3 Quidway vlan3 port ethernet0 3 Quidway vlan3 vlan 4 Quidway vlan4 port ethernet0 4 Configure the isolate user vlan to Map the Secondary VLAN Quidway vlan4 quit Quidway isolate user vlan 6 secondary 3 to 4 ...

Page 79: ...remove the attribute information of other GARP members according to the received declarations withdrawal declarations GARP members exchange information through sending messages There mainly are 3 types of GARP messages including Join Leave and LeaveAll When a GARP participant wants to register its attribute information on other switches it will send Join message outward When it wants to remove som...

Page 80: ...rt the Leave timer If Join Message is not received again before the Leave timer expires the GARP attribute values will be removed LeaveAll timer will be started as soon as the GARP participant is enabled LeaveAll message will be sent upon timeout so that other GARP participants will remove all the attribute values of this participant Then Leaveall timer is restarted and a new cycle begins When the...

Page 81: ...e display command in any view to display the running of GARP configuration and to verify the effect of the configuration Execute reset command in user view to reset the configuration of GARP Execute debugging command in user view to debug the configuration of GARP Table 3 2 Display and debug GARP Operation Command Display GARP statistics information display garp statistics interface interface list...

Page 82: ...802 1Q standard Quidway Series Ethernet Switches fully support the GARP compliant with the IEEE standards Main GVRP configuration includes z Enable Disable global GVRP z Enable Disable port GVRP z Set GVRP registration type In the above mentioned configuration tasks GVRP should be enabled globally before it is enabled on the port Configuration of GVRP registration type can only take effect after t...

Page 83: ...ing GVRP will also add this VLAN item to the local GVRP database one link table for GVRP maintenance However GVRP cannot learn dynamic VLAN through this port The learned dynamic VLAN from other ports of the local switch will not be able to send statements to outside through this port z When an Ethernet port is set to be in Forbidden registration mode all the VLANs except VLAN1 will be logged out a...

Page 84: ... packet event 3 2 6 GVRP Configuration Example I Networking requirements To dynamically register and update VLAN information among switches GVRP needs to be enabled on the switches II Networking diagram E0 10 Switch A Switch B E0 11 E0 10 Switch A Switch B E0 11 Figure 3 1 GVRP configuration example III Configuration procedure Configure Switch A Enable GVRP globally Quidway gvrp Set Ethernet0 10 a...

Page 85: ...ologies Proprietary 3 7 Enable GVRP globally Quidway gvrp Set Ethernet0 11 as a Trunk port and allows all the VLANs to pass through Quidway interface ethernet0 11 Quidway Ethernet0 11 port link type trunk Quidway Ethernet0 11 port trunk permit vlan all Enable GVRP on the Trunk port Quidway Ethernet0 11 gvrp ...

Page 86: ...the sub VLAN Layer 2 isolation is implemented between sub VLANs When users in different sub VLANs want Layer 3 communication they use the IP address of the super VLAN as their gateway address IP address resources are saved since multiple VLANs share one IP address ARP proxy enables Layer 3 interworking between sub VLANs and their interworking with other networks by forwarding and handling ARP requ...

Page 87: ...nfiguring a Sub VLAN You can configure a sub VLAN just as configuring a general VLAN See Chapter 1 VLAN Configuration for details Perform the following configuration in the specified views Table 4 2 Configure a sub VLAN Operation Command Create a sub VLAN and enter the corresponding view system view vlan vlan id Delete a sub VALN system view undo vlan vlan id to vlan id all Add an Ethernet port fo...

Page 88: ...r you can remove the mapping between the specific super VLAN and all sub VLANs associated to it If choosing the parameter you can remove the mapping between the specific super VLAN and the specific sub VLAN 4 3 Displaying Super VLAN Use the display supervlan command to view the super VLAN configuration Table 4 4 Display super VLAN configuration Operation Command Display the mapping between super V...

Page 89: ...n 2 Quidway vlan2 port ethernet0 1 ethernet0 2 Quidway vlan2 vlan 3 Quidway vlan3 port ethernet0 3 ethernet0 4 Quidway vlan3 vlan 5 Quidway vlan5 port ethernet0 5 ethernet0 6 Quidway vlan5 vlan 10 Quidway vlan10 subvlan 2 3 5 Quidway vlan10 interface vlan 10 Quidway Vlan interface10 ip address 10 110 1 1 255 255 255 0 Note The ARP proxy feature is enabled by default and you are not allowed to disa...

Page 90: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Network Protocol ...

Page 91: ...ARP Timed Probing Function 2 2 2 2 3 Configure the Dynamic ARP Aging Timer 2 3 2 2 4 Configure ARP Source Address Suppression 2 3 2 2 5 Enabling Disabling ARP the Checking Function of ARP Entry 2 4 2 3 Gratuitous ARP Configuration 2 5 2 3 1 Gratuitous ARP Overview 2 5 2 3 2 Configuration Tasks 2 6 2 3 3 Configuration Example 2 6 2 4 Display and debug ARP 2 6 Chapter 3 Proxy ARP 3 1 3 1 Introductio...

Page 92: ...sses Forbidden in Automatic Allocation 5 10 5 3 4 Configure IP Address Lease Duration for a DHCP Address Pool 5 10 5 3 5 Configure DHCP Client Domain Name 5 11 5 3 6 Configure DNS Server Addresses for DHCP Clients 5 13 5 3 7 Configure NetBIOS Server Addresses for DHCP Clients 5 14 5 3 8 Define NetBIOS Node Type of DHCP Clients 5 15 5 3 9 Configure a DHCP Option 5 17 5 3 10 Configure IP Addresses o...

Page 93: ...OOTP Client 7 2 Chapter 8 Access Management Configuration 8 1 8 1 Access Management Overview 8 1 8 2 Configure Access Management 8 2 8 2 1 Enable Access Management Function 8 2 8 2 2 Configure the Access IP Address Pool Based on the Physical Port 8 2 8 2 3 Configure Layer 2 Isolation between Ports 8 3 8 2 4 Configuring Port Isolation on a Per VLAN Basis 8 3 8 2 5 Configure Port IP Address and MAC ...

Page 94: ...31 0 1 0 1 1 0 1 1 1 0 1 1 1 1 0 net id net id net id Multicast address Reserved address host id host id host id Class A Class B Class C Class D Class E Figure 1 1 Five classes of IP address Where Class A Class B and Class C are unicast addresses while Class D addresses are multicast ones and class E addresses are reserved for special applications in future The first three types are commonly used ...

Page 95: ...rved for self loop test and the packets sent to this address will not be output to the line The packets are processed internally and regarded as input packets B 128 0 0 0 to 191 255 2 55 255 128 0 0 0 to 191 254 0 0 Host ID with all the digits being 0 indicates that the IP address is the network address and is used for network routing Host ID with all the digits being 1 indicates the broadcast add...

Page 96: ... small networks Each small network is called a subnet For example for the Class B network address 138 38 0 0 the mask 255 255 224 0 can be used to divide the network into 8 subnets 138 38 0 0 138 38 32 0 138 38 64 0 138 38 96 0 138 38 128 0 138 38 160 0 138 38 192 0 and 138 38 224 0 Refer to the following figure Each subnet can contain more than 8000 hosts 10001010 00100110 000 00000 00000000 Clas...

Page 97: ...scussed in the subsequent chapters The IP address configuration includes z Configuring the Hostname and Host IP Address z Configuring the IP Address of the VLAN Interface 1 2 1 Configure Hostname and Host IP Address Perform the following configuration in System view Table 1 2 Configure the host name and the corresponding IP address Operation Command Configure the hostname and the corresponding IP ...

Page 98: ...ew to display the IP addresses configured on interfaces of the network device and to verify the effect of the configuration Table 1 4 Display and debug IP address Operation Command Display all hosts on the network and the corresponding IP addresses display ip host Display the configurations of each interface display ip interface interface type interface number 1 4 IP Address Configuration Example ...

Page 99: ...ration of the Ethernet Switch Use display arp command to view the ARP entry table that the Switch maintains z Troubleshooting First check which VLAN includes the port of the switch used to connect to the host Check whether the VLAN has been configured with the VLAN interface Then check whether the IP address of the VLAN interface and the host are on the same network segment z If the configuration ...

Page 100: ...hosts on the same network segment Host A and Host B The IP address of Host A is IP_A and the IP address of Host B is IP_B Host A will transmit messages to Host B Host A checks its own ARP mapping table first to make sure whether there are corresponding ARP entries of IP_B in the table If the corresponding MAC address is detected Host A will use the MAC address in the ARP mapping table to encapsula...

Page 101: ...wing configuration in System view Table 2 1 Manually add delete static ARP mapping Entries Operation Command Manually add a static ARP mapping entry arp static ip address mac address vlan id interface type interface number interface name Manually delete a static ARP mapping entry undo arp ip address Static ARP map entry will be always valid as long as Ethernet switch works normally But if the VLAN...

Page 102: ...configuration the system provides the following commands to assign dynamic ARP aging period When the system learns a dynamic ARP entry its aging period is based on the current value configured Perform the following configuration in system view Table 2 3 Configure the dynamic ARP aging timer Operation Command Configure the dynamic ARP aging timer arp timer aging aging time restore the default dynam...

Page 103: ...umber of source IP addresses to be depressed is 16 and the number of ARP requests within the 5 second interval is 10 Notes that S3526 S3526 FM S3526 FS S3526E S3526E FM S3526E FS S3526C switches not support this configuration in S3500 series switches 2 2 5 Enabling Disabling ARP the Checking Function of ARP Entry You can use the following command to control the device whether to learn the ARP entr...

Page 104: ...vice receives a gratuitous ARP packet with its corresponding ARP entry existing in the cache of the device the sending hardware address such as Ethernet address in the gratuitous ARP packet needs to update the content in the cache The device must do this every time it receives a gratuitous ARP packet Characteristics of gratuitous ARP packets z The source and destination IP addresses carried by the...

Page 105: ...tion 2 3 3 Configuration Example I Network requirements Enable gratuitous ARP packet sending and learning on the switch Quidway A II Configuration procedure QuidwayA system view QuidwayA arp send gratuitous enable QuidwayA gratuitous arp learning enable 2 4 Display and debug ARP After the above configuration execute display command in any view to display the running of the ARP configuration and to...

Page 106: ...ion information display arp source suppression Reset ARP mapping table reset arp dynamic static interface interface type interface number interface name Enable ARP information debugging debugging arp packet Disable ARP information debugging undo debugging arp packet Note that display arp probe interface vlan interface vlan id command is supported by S3526 S3526 FM S3526 FS switches ...

Page 107: ...ich connects the two networks and has the ARP proxy function and thus realized the layer 3 internetworking between layer 2 isolated ports 3 2 ARP Proxy Configuration ARP proxy configuration includes the enabling and disabling of the proxy ARP 3 2 1 Enabling Disabling ARP Proxy Perform the following configuration in VLAN interface view Table 3 1 Enabling disabling ARP proxy Operation Command Enabli...

Page 108: ...in client server structure with DHCP client dynamic requesting configuration information while DHCP server returning configuration information base on the specific policies A typical DHCP application often contains a DHCP server and several clients desktop and laptop PCs See the following figure LAN DHCP Server DHCP Client DHCP Client DHCP Client DHCP Client Figure 3 1 Typical DHCP application To ...

Page 109: ...hen DHCP client logs into the network for a second time its communication with the DHCP server includes these stages z When the DHCP client logs into the network at the first time then at later login the client only needs to broadcast the DHCP_Request message containing the IP address obtained last time other than the DHCP_Dsicover message z After the reception of the DHCP_Request message the DHCP...

Page 110: ...IP address using DHCP ip address dhcp alloc Remove the configuration undo ip address dhcp alloc By default the VLAN interface does not obtain IP address using DHCP 3 7 Displaying and Debugging DHCP Client Configuration After the above configuration execute display command in any view to display the running of the DHCP Client configuration and to verify the effect of the configuration Execute debug...

Page 111: ...rotocol the DHCP Client can dynamically request configuration information and the DHCP Server can configure the information for the Client conveniently In the early days the DHCP was only suitable for the case when the DHCP Client and DHCP Server locate on the same subnet and could not work across the network segments If the early DHCP is used to dynamically configure the host each subnet should b...

Page 112: ...e dynamic configuration of DHCP Client 4 2 Configure DHCP Relay DHCP relay configuration includes z Configure IP Address of a DHCP Server z Configure Corresponding DHCP Server Group of the VLAN Interface z Configure the Address Table Entry z Enable Disable DHCP security features z Enable Disable DHCP pseudo server detection 4 2 1 Configure IP Address of a DHCP Server Perform the following configur...

Page 113: ... with fixed IP address in the VLAN configured with DHCP Relay pass the address validity check of DHCP security feature you must add a static address entry which indicates the correspondence between an IP address and an MAC address If another illegal user configures a static IP address which is in conflict with the fixed IP address of a valid user the switch with DHCP Relay function enabled can ide...

Page 114: ...er detection enabled switch will record the information of the DHCP servers such as their IP addresses so that the administrator can discover the DHCP pseudo servers Perform the following configuration in system view Table 4 5 Enable Disable DHCP pseudo server detection Operation Command Enable DHCP pseudo server detection dhcp server detect Disable DHCP pseudo server detection undo dhcp server de...

Page 115: ... enabled DHCP Client can get IP address and other configuration information from DHCP Server II Networking diagram Ethernet Ethernet Internet DHCP client DHCP client Switch DHCP Relay 10 110 0 0 DHCP Server 202 38 1 2 10 110 1 1 202 38 0 0 202 38 1 1 Figure 4 2 Networking diagram of configuring DHCP relay III Configuration procedure Configure the group number of DHCP Server as 1 and the IP address...

Page 116: ...ver to make sure that the DHCP Server can correctly find the route of the network segment the user is on If the ping execution fails check if the default gateway of the DHCP Server has been configured as the address of the VLAN interface that it locates on z If there is no problem found in the last two steps use the display dhcp server groupNo command to view what packet has been received If you o...

Page 117: ...kground dynamic host configuration protocol DHCP was introduced DHCP operates in Client Server model where the DHCP client dynamically requests the DHCP server for configuration information and the DHCP server returns the configuration information an IP address for example based on the adopted policy A typical DHCP application network usually comprises a DHCP server and multiple clients such as PC...

Page 118: ...DHCP_Discover message sent by the client z A new address allocated from the DHCP server s pool of available addresses This address is the one found first in the address pool z If the DHCP server does not find an available address it looks up the expired leased IP addresses and then conflicting IP addresses to find a valid one for assignment If the attempt fails the server reports error 3 Following...

Page 119: ...e for the DHCP client to log into the network it undergoes the following stages in order to set up a connection with a DHCP server z When the DHCP client logs into the network again after the first successful login it only needs to broadcast a DHCP_Request message containing the IP address assigned to it the last time instead of sending a DHCP_Discover message z Upon the receipt of the DHCP_Reques...

Page 120: ...HCP Relay work on this principle z In the startup and DHCP initialization DHCP Client advertises configuration request messages to the local network z If there is a DHCP Server in the local network you can initiate DHCP configuration directly with DHCP Relay unnecessary z Otherwise when a device with DHCP Relay enabled which is connected with the local network receives the messages it will make ne...

Page 121: ...e how to handle DHCP messages on the current VLAN interface Table 5 2 Define DHCP message handling method on the current VLAN interface Operation Command Send DHCP messages to the local DHCP server where addresses are to be allocated from a global address pool dhcp select global Send DHCP messages to the local DHCP server where addresses are to be allocated from the appropriate VLAN interface addr...

Page 122: ...pseudo DHCP server refers to an unauthorized DHCP server Such a server can communicate with a client requesting for IP address and allocate an incorrect IP address to the client thus preventing it from accessing the network With the function of pseudo DHCP server detection enabled the switch can record DHCP server information such as IP address thus allowing administrators discover and deal with p...

Page 123: ...a DHCP request from a DHCP client the DHCP server selects an appropriate address pool according to the configuration picks out a free IP address and sends it back along with other related parameters address lease for example A DHCP server can have multiple address pools and at present support up to 128 global address pools Address pools on DHCP servers are in tree structure with the natural segmen...

Page 124: ...n use both except that the address range of the pool is the IP address segment connected to the VLAN interface when dynamic allocation applies Dynamic address allocation requires an address range for allocation whereas static address bindings can be regarded as a special DHCP address pool containing only the bindings I Configure static address binding for a global DHCP address pool Some DHCP clien...

Page 125: ...ddress binding for the VLAN interface address pool Operation Command Configure a static address binding in the current VLAN interface address pool dhcp server static bind ip address ip address mac address mac address Delete the static address binding in the current VLAN interface address pool undo dhcp server static bind ip address ip address mac address mac address By default no static address bi...

Page 126: ...e IP addresses in use such as IP addresses of gateway and FTP server to avoid address conflict resulted from allocating one IP address to two hosts Perform the following configuration in system view Table 5 9 Configure IP addresses forbidden in automatic allocation Operation Command Configure IP addresses forbidden in automatic allocation dhcp server forbidden ip low ip address high ip address Can...

Page 127: ...ur minute minute unlimited Restore the IP address lease duration for the DHCP address pool on the current interface to the default undo dhcp server expired III Configure lease duration for multiple VLAN interface DHCP address pools Perform the following configuration in system view Table 5 12 Configure IP address lease duration for multiple VLAN interface DHCP address pools Operation Command Confi...

Page 128: ...rrent VLAN interface Operation Command Configure domain name to be allocated to the clients using the DHCP address pool on the current VLAN interface dhcp server domain name domain name Delete the domain name configuration of the DHCP address pool on the current VLAN interface undo dhcp server domain name III Configure client domain name in multiple VLAN interface DHCP address pools Perform the fo...

Page 129: ...ress pool Perform the following configuration in DHCP address pool view Table 5 16 Assign DNS server addresses to the global DHCP address pool Operation Command Assign DNS server addresses to the global DHCP address pool dns list ip address ip address Remove one or all DNS server addresses from the global DHCP address pool undo dns list ip address all II Configure DNS server addresses in the VLAN ...

Page 130: ... the previous one 5 3 7 Configure NetBIOS Server Addresses for DHCP Clients For a client running a Microsoft operating system Windows Internet Naming Service WINS server can resolve its hostname to IP address if the client communicates through the NetBIOS protocol Therefore the setting of WINS is required on most clients installed with Windows Each DHCP address pool by far can contain up to eight ...

Page 131: ...nterfaces dhcp server nbns list ip address ip address interface vlan interface vlan_id to vlan interface vlan_id all Remove one or all NetBIOS server addresses from DHCP address pools on multiple VLAN interfaces undo dhcp server nbns list ip address all interface vlan interface vlan_id to vlan interface vlan_id all By default no NetBIOS server address is assigned to any global or VLAN interface ad...

Page 132: ...figure NetBIOS node type of clients in the DHCP address pool on the current VLAN interface Operation Command Configure NetBIOS node type of clients in the DHCP address pool on the current VLAN interface dhcp server netbios type b node h node m node p node Delete the configuration of the NetBIOS node type of clients in the DHCP address pool on the current VLAN interface undo dhcp server netbios typ...

Page 133: ...nfigure a DHCP option for the global DHCP address pool option code ascii ascii string hex hex string ip address ip address ip address Delete a DHCP option of the global DHCP address pool undo option code II Configure a DHCP option for the DHCP address pool on the current VLAN interface Perform the following configuration in VLAN interface view Table 5 26 Configure a DHCP option for the DHCP addres...

Page 134: ... contain up to eight egress gateway addresses Perform the following configuration in DHCP address pool view Table 5 28 Configure a list of egress gateway addresses for DHCP clients Operation Command Configure IP addresses of egress gateways for DHCP clients gateway list ip address ip address Remove IP address of one or all egress gateways for clients undo gateway list ip address all By default no ...

Page 135: ...by sending ping packets whereas DHCP clients by sending ARP packets 5 4 DHCP Relay Configuration DHCP Relay configuration includes z Configure the DHCP servers to which the received packets are relayed z Distribute load among DHCP servers z Release client IP addresses through DHCP Relay z Configure address map entry for security check z Enable Disable the DHCP security feature on VLAN interface z ...

Page 136: ...ver address to which the specified multiple VLAN interfaces relays packets ip relay address ip address interface vlan interface vlan_id to vlan interface vlan_id all Remove one or all the DHCP server addresses to which the specified multiple VLAN interfaces relay packets undo ip relay address ip address all interface vlan interface vlan_id to vlan interface vlan_id all 5 4 2 Distribute Load among ...

Page 137: ...ase request from the DHCP relay the DHCP server releases the IP address from the IP in use address pool and moves it to the lease expired queue Normally this address will experience some time before participating in allocation again For the client however this address is not released and will be used until its lease really expires 5 4 4 Configure Address Map Entry for Security Check To make the va...

Page 138: ...nterface dhcp relay security address check enable Disable the DHCP security feature on the VLAN interface dhcp relay security address check disable By default the switch disables DHCP security features function 5 4 6 Activating Deactivating DHCP Relay Dynamic Entries This configuration task is to activate deactivate the dynamic IP MAC address mapping entries generated by the DHCP relay Only when t...

Page 139: ...m passing through the DHCP security check address check no matched enable Allow unknown machines to pass through the DHCP security check address check no matched disable By default unknown machines are inhibited from passing through the DHCP security check This configuration takes effect only when the DHCP security feature is enabled on the VLAN interface 5 5 Display and Debug DHCP After the above...

Page 140: ...me Clear statistics about address conflicts reset dhcp server conflict ip ip address all Clear statistics related to DHCP servers reset dhcp server statistics Clear statistics related to DHCP relay reset dhcp relay statistics Disable Enable DHCP server debugging undo debugging dhcp server all error event packet Disable Enable DHCP relay debugging undo debugging dhcp relay error event packet client...

Page 141: ...lients on the same subnet III Configuration procedure Enable the DHCP service Quidway dhcp enable Configure IP addresses forbidden in automatic address allocation including addresses of DNS server NetBIOS server and egress gateway Quidway dhcp server forbidden ip 10 1 1 2 Quidway dhcp server forbidden ip 10 1 1 4 Quidway dhcp server forbidden ip 10 1 1 254 Quidway dhcp server forbidden ip 10 1 1 1...

Page 142: ...the switch with DHCP Relay enabled DHCP Client can get IP address and other configuration information from DHCP Server Configure an IP address pool on the DHCP Server and assign the network segment 10 110 0 0 to the pool for allocating IP addresses to the DHCP clients on this segment In addition configure a route for the DHCP Server to reach the segment 10 110 0 0 II Networking diagram Ethernet Et...

Page 143: ... host using the IP address by pinging the address at relatively long intervals for several times z If such a host exists forbid the IP address in automatic allocation by using the dhcp server forbidden ip command At the client you can release the current dynamic IP address by executing the ipconfig release_all command in DOS or winipcfg Release in GUI and then request a new one by executing the ip...

Page 144: ...sses to the clients DHCP server transmits DHCPACK packets After receiving the packets the client can obtain an IP address The IP address requested through DHCPREQUEST is the same as that assigned through DHCPACK So snooping DHCPACK is another way to know the clients IP addresses In addition pseudo DHCP servers in the network may cause users to get incorrect IP addresses To guarantee that users can...

Page 145: ...nooping trust Optional By default no port is set as trusted S3526E S3526E FM S3526E FS S3526C support Display the association table recorded by DHCP snooping display dhcp snooping Optional any view Display the enable status of DHCP snooping and information about the trusted port display dhcp snooping trust Optional any view S3526E S3526E FM S3526E FS S3526C support Caution You must first disable D...

Page 146: ...ping DHCP Server DHCP Client DHCP Client DHCP Client Ethernet DHCP Client DHCP Client DHCP Client Ethernet DHCP Client SwitchA DHCP Snooping DHCP Server DHCP Client DHCP Client DHCP Client Ethernet Ethernet DHCP Client SwitchA DHCP Snooping DHCP Server Ethernet0 2 Figure 6 1 Network diagram for DHCP snooping configuration III Configuration procedure Note You cannot enable DHCP relay on SwitchA z C...

Page 147: ...quest message the server returns the BOOTP Response message BOOTP client then can obtain the allocated IP address from the received response message The BOOTP message is based on UDP so retransmission mechanism in the event of timeout is used to guarantee its reliable transmission BOOTP client also starts a retransmission timer when it sends the request message to the server If the timer expires b...

Page 148: ...tp alloc By default the VLAN interface cannot use BOOTP to get IP address 7 3 Displaying and Debugging BOOTP Client After the above configuration execute display command in any view to display the running of the BOOTP client configuration and to verify the effect of the configuration Execute debugging command in user view to debug BOOTP client Table 7 2 Displaying and debugging BOOTP client Operat...

Page 149: ...many users are connected to the switch the ports allocated to different enterprises need to belong to the same VLAN in the light of cost Every enterprise is allocated to the fixed IP address range simultaneously Only those IP addresses in the fixed IP address range can be accessed to external networks from the port Different enterprises should be isolated considering security All these requirement...

Page 150: ...52F in S3500 series switches z Configure port IP address and MAC address binding Only for S3526E S3526E FM S3526E FS S3526C in S3500 series switches z Enable Disable access management trap 8 2 1 Enable Access Management Function You can use the following command to enable access management function Only after the access management function is enabled globally will the access management features IP...

Page 151: ... between Ports You can use the following command to set Layer 2 isolation on a port so as to prevent the packets from being forwarded on Layer 2 between the specified port and some other ports group Perform the following configuration in Ethernet interface view Table 8 3 Configure Layer 2 isolation between ports Operation Command Configure Layer 2 isolation between ports am isolate interface list ...

Page 152: ...gure a port as an uplink port port isolate uplink port vlan vlan id Cancel the configuration undo port isolate uplink port vlan vlan id By default no uplink port is configured Note that z S3552G S3552P S3528G S3528P S3552F in S3500 series switches support this configuration z Only after the layer 2 port isolation is enabled can you configure one uplink port If no uplink port is set configure a VLA...

Page 153: ... set z IP MAC binding binding the packet s source IP address and its source MAC address If the packet s source IP address and its specified IP is the same then the packet is relayed only when its source MAC address is the specified MAC address Likewise if the packet s source MAC is the same as the specified MAC address then the packet is relayed only when its source IP address is the same as the s...

Page 154: ...play the current configurations of access management on the ports and to verify the effect of the configuration Table 8 8 Display current configuration of access management Operation Command Display current configuration of access management display am interface list Display Port IP address and MAC address binding display am user bind interface interface name interface type interface number mac ad...

Page 155: ... Configuration procedure Enable access management globally Quidway am enable Configures the IP address pool for access management on port 1 Quidway Ethernet0 1 am ip pool 202 10 20 1 20 Configures Layer 2 isolation between port 1 and port 2 Quidway Ethernet0 1 am isolate ethernet0 2 Configures the IP address pool for access management on port 2 Quidway Ethernet0 2 am ip pool 202 10 20 21 30 ...

Page 156: ...n will be terminated The timeout of finwait timer ranges 76 to 3600 seconds and it is 675 seconds by default z The receiving sending buffer size of connection oriented Socket is in the range from 1 to 32K bytes and is 8K bytes by default Perform the following configuration in System view Table 9 1 Configuring TCP attributes Operation Command Configure timout time for the synwait timer in TCP tcp t...

Page 157: ...rent system display ip socket socktype sock type task id socket id Display the summary of the Forwarding Information Base display fib Reset IP statistics information reset ip statistics Reset TCP statistics information reset tcp statistics 9 3 Troubleshoot IP Performance Fault IP layer protocol works normally but TCP and UDP cannot work normally In the event of such a fault you can enable the corr...

Page 158: ...ietary 9 3 Quidway debugging tcp packet Then the TCP packets received or sent can be checked in real time Specific packet formats include TCP output packet Source IP address 202 38 160 1 Source port 1024 Destination IP Address 202 38 160 1 Destination port 4296 Sequence number 4185089 Ack number 0 Flag SYN Packet length 60 Data offset 10 ...

Page 159: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Routing Protocol ...

Page 160: ...figuring the Default Preference Of Static Routes 2 3 2 3 Displaying and Debugging Static Route 2 4 2 4 Typical Static Route Configuration Example 2 4 2 5 Static Route Fault Diagnosis and Troubleshooting 2 5 Chapter 3 RIP Configuration 3 1 3 1 Brief Introduction to RIP 3 1 3 2 RIP Configuration 3 2 3 2 1 Enabling RIP and Entering RIP view 3 2 3 2 2 Enabling RIP on Specified network 3 3 3 2 3 Config...

Page 161: ...n 4 10 4 2 10 Setting a dead timer for the neighboring routers 4 10 4 2 11 Configuring an Interval required for sending LSU packets 4 11 4 2 12 Setting an Interval for LSA Retransmission between Neighboring Routers 4 11 4 2 13 Setting a Shortest Path First SPF Calculation Interval for OSPF 4 12 4 2 14 Configuring STUB Area of OSPF 4 12 4 2 15 Configuring NSSA of OSPF 4 13 4 2 16 Configuring the Ro...

Page 162: ...7 Configuring BGP Route Summarization 5 13 5 2 8 Configuring BGP Route Filtering 5 14 5 2 9 Configuring BGP route dampening 5 15 5 2 10 Configuring BGP Timer 5 16 5 2 11 Configuring the local preference 5 16 5 2 12 Configuring MED for AS 5 17 5 2 13 Comparing the MED Routing Metrics from the Peers in Different ASs 5 17 5 2 14 Configuring BGP Community 5 18 5 2 15 Configuring BGP Route Reflector 5 ...

Page 163: ...ation Example 6 9 6 4 1 Configuring to Filter the Received Routing Information 6 9 6 5 Routing Policy Fault Diagnosis and Troubleshooting 6 10 Chapter 7 Route Capacity Configuration 7 1 7 1 Route Capacity Configuration Overview 7 1 7 1 1 Introduction 7 1 7 1 2 Route Capacity Limitation Implemented by S3500 Series Ethernet Switches 7 1 7 2 Route Capacity Configuration 7 1 7 2 1 Setting the lower li...

Page 164: ... router It works in this way hop by hop and the last router in the path is responsible for submitting the packet to the destination host to complete the IP packet forwarding and the routing across network segments In a network the router regards a path for sending a packet as a logical route unit and calls it a Hop For example in the figure below a packet sent from Host A to Host C a packet should...

Page 165: ...route segments 1 1 2 Route Selection through the Routing Table The key for a router to forward packets is the routing table Each router saves a routing table in its memory and each entry of this table specifies the physical port of the router through which the packet is sent to a subnet or a host Therefore it can reach the next router in via a particular path or reach a destination host via direct...

Page 166: ...nt optimal route According to different destinations the routes can be divided into the following z Subnet route The destination is a subnet z Host route The destination is a host In addition according to whether the network of the destination host is directly connected to the router there are the following types of routes z Direct route The router is directly connected to the network where the de...

Page 167: ...the dynamic routes as detected by the routing protocol The static routes and the routes learned or configured by different routing protocols can also be shared with each other 1 2 1 Routing protocols and the preferences of the corresponding routes Different routing protocols as well as the static configuration may generate different routes to the same destination but not all these routes are optim...

Page 168: ...estination with a higher precedence the multiple routes will be adopted by IP which will forward the packets to the destination via these paths so as to implement load sharing For the same destination a specified routing protocol may find multiple different routes If the routing protocol has the highest precedence among all active routing protocols these multiple routes will be regarded as current...

Page 169: ...ence the router will choose the main route to send data This process is the automatic switchover from the backup route to the main route 1 2 3 Routes Shared between Routing Protocols As the algorithms of various routing protocols are different different protocols may generate different routes thus bringing about the problem of how to resolve the differences when different routes are generated by d...

Page 170: ...on will be discarded and the originating host will be informed destination unreachable z Blackhole route If a static route to a destination has the blackhole attribute the outgoing interface of this route is the Null 0 interface regardless of the next hop address and any IP packets addressed to this destination are dropped without notifying the source host The attributes reject and blackhole are u...

Page 171: ...e interface number gateway address preference value reject blackhole Delete a static route undo ip route static ip address mask mask length interface type interface number gateway address preference value The parameters are explained as follows z IP address and mask The IP address and mask are in a dotted decimal format As 1 s in the 32 bit mask is required to be consecutive the dotted decimal mas...

Page 172: ...a default route Operation Command Configure a default route ip route static 0 0 0 0 0 0 0 0 0 interface type interface number gateway address preference value reject blackhole Delete a default route undo ip route static 0 0 0 0 0 0 0 0 0 interface type interface number gateway address preference value The meanings of parameters in the command are the same as those of the static route 2 2 3 Configu...

Page 173: ...fied address range display ip routing table ip_address1 mask1 ip_address2 mask2 verbose View the route filtered through specified basic access control list ACL display ip routing table acl acl number acl name verbose View the route information that through specified ip prefix list display ip routing table ip prefix ip prefix name verbose View the routing information found by the specified protocol...

Page 174: ...Switch B Switch B ip route static 1 1 2 0 255 255 255 0 1 1 3 1 Switch B ip route static 1 1 5 0 255 255 255 0 1 1 3 1 Switch B ip route static 1 1 1 0 255 255 255 0 1 1 3 1 Configure the static route for Ethernet Switch C Switch C ip route static 1 1 1 0 255 255 255 0 1 1 2 1 Switch C ip route static 1 1 4 0 255 255 255 0 1 1 3 2 Configure the default gateway of the Host A to be 1 1 5 2 Configure...

Page 175: ...oute Configuration Huawei Technologies Proprietary 2 6 Troubleshooting z Use the display ip routing table protocol static command to view whether the corresponding static route is correctly configured z Use the display ip routing table command to view whether the corresponding route is valid ...

Page 176: ...l finally remove the routes of the network neighbor from the routing table To improve the performances and avoid route loop RIP supports Split Horizon Poison Reverse and allows importing the routes discovered by other routing protocols Each router running RIP manages a route database which contains routing entries to all the reachable destinations in the network These routing entries contain the f...

Page 177: ...of the campus networks and the regional networks that are simple yet extensive For larger and more complicated networks RIP is not recommended 3 2 RIP Configuration In the configuration tasks only after RIP is enabled can other functional features be configured But the configuration of the interface related functional features is not restricted by the limit of whether RIP has been enabled It shoul...

Page 178: ...bled you should also specify its operating network segment for RIP only operates on the interface on the specified network For an interface that is not on the specified network RIP does not receive or send routes on it nor forwards its interface route as if this interface does not exist at all network address is the address of the enabled or disabled network and it can also be configured as the IP...

Page 179: ...mitting packets in the multicast mode is that the hosts not operating RIP in the same network can avoid receiving RIP broadcast packets In addition this mode can also make the hosts running RIP 1 avoid incorrectly receiving and processing the routes with subnet mask in RIP 2 When an interface is running RIP 2 broadcast the RIP 1 packets can also be received Perform the following configuration in I...

Page 180: ...Perform the following configuration in Interface view Table 3 6 Specifying the operating state of the interface Operation Command Enable the interface to run RIP rip work Disable the interface to run RIP undo rip work Enable the interface to receive RIP update packet rip input Disable the interface to receive RIP update packet undo rip input Enable the interface to send RIP update packet rip outpu...

Page 181: ... sent to the outside i e other network Route aggregation can be performed to reduce the routing traffic on the network as well as to reduce the size of the routing table RIP 1 only sends the route with natural mask that is it always sends routes in the route aggregation form RIP 2 supports subnet mask and classless interdomain routing To advertise all the subnet routes the route aggregation functi...

Page 182: ...entication of RIP 2 packet undo rip authentication mode The usual packet format follows RFC1723 and nonstandard follows RFC2082 3 2 10 Configuring Split Horizon Split horizon means that the route received via an interface will not be sent via this interface again The split horizon is necessary for reducing routing loop But in some special cases split horizon must be disabled so as to get correct a...

Page 183: ...et it to the default cost specified by the default cost parameter Perform the following configurations in RIP view Table 3 12 Configuring default cost for the imported route Operation Command Configure default cost for the imported route default cost value Restore the default cost of the imported route undo default cost By default the cost value for the RIP imported route is 1 3 2 13 Setting the R...

Page 184: ... route when the interface sends an RIP packet rip metricout value Disable the additional routing metric of the route when the interface sends an RIP packet undo rip metricout By default the additional routing metric added to the route when RIP sends the packet is 1 The additional routing metric when RIP receives the packet is 0 by default Note The metricout configuration takes effect only on the R...

Page 185: ...ributed by RIP Table 3 16 Configuring RIP to filter the distributed routes Operation Command Configure RIP to filter the distributed routing information filter policy acl number ip prefix ip prefix name route policy route policy name export routing protocol Cancel the RIP filtering of the routing information undo filter policy acl number ip prefix ip prefix name route policy route policy name expo...

Page 186: ...sable the RIP debugging information undo debugging rip packet Enable the debugging of RIP receiving packet debugging rip receive Disable the debugging of RIP receiving packet undo debugging rip receive Enable the debugging of RIP sending packet debugging rip send Disable the debugging of RIP sending packet undo debugging rip send Reset the system configuration parameters of RIP reset 3 4 Typical R...

Page 187: ...55 10 1 0 24 Interface address 196 38 165 1 24 SwitchA SwitchB SwitchC Figure 3 1 RIP configuration networking 3 4 3 Configuration procedure Note The following configuration only shows the operations related to RIP Before performing the following configuration please make sure the Ethernet link layer can work normally 1 Configure Switch A Configure RIP Switch A rip Switch A rip network 110 11 2 0 ...

Page 188: ...ot receive the update packets when the physical connection to the peer routing device is normal Troubleshooting RIP does not operate on the corresponding interface for example the undo rip work command is executed or this interface is not enabled through the network command The peer routing device is configured to be in the multicast mode for example the rip version 2 multicast command is executed...

Page 189: ...rk bandwidth consumption z Equal cost multi route Support multiple equal cost routes to a destination z Routing hierarchy OSPF has a four level routing hierarchy It prioritizes the routes to be intra area inter area external type 1 and external type 2 routes z Authentication It supports the interface based packet authentication so as to guarantee the security of the route calculation z Multicast t...

Page 190: ...ork is reduced OSPF supports interface based packet authentication to guarantee the security of route calculation Also it transmits and receives packets by IP multicast 4 1 3 OSPF Packets OSPF uses five types of packets z Hello packet It is the commonest packet which is periodically sent by a router to its neighbor It contains the values of some timers DR BDR and the known neighbor z Database Desc...

Page 191: ...he segment z Backup Designated Router BDR If the DR fails for some faults a new DR must be elected and synchronized with the other routers on the segment This process will take a relatively long time during which the route calculation is incorrect To shorten the process BDR is brought forth in OSPF In fact BDR is a backup for DR DR and BDR are elected in the meantime The adjacencies are also estab...

Page 192: ...route of an area the ABR summarizes multiple OSPF routes into an LSA and sends it outside the area according to the configuration of summary 4 2 OSPF Configuration In various configurations you must first enable OSPF specify the interface and area ID before configuring other functions But the configuration of the functions related to the interface is not restricted by whether the OSPF is enabled o...

Page 193: ...oute z Setting OSPF Route Preference z Configuring OSPF Route Filtering z Configuring to Fill the MTU Field When an Interface Transmits DD Packets z Disabling the Interface to Send OSPF Packets z Configuring OSPF and Network Management System z Resetting the OSPF Process 4 2 1 Enabling OSPF and Enter OSPF View Perform the following configurations in system view Table 4 1 Enabling OSPF process Oper...

Page 194: ...n in OSPF Area view Table 4 3 Specifying interface Operation Command Specify interface to run OSPF network ip address ip mask Disable OSPF on the interface undo network ip address ip mask You must specify the segment to which the OSPF will be applied after enabling the OSPF ip mask IP address wildcard shielded text similar to the complement of the IP address mask 4 2 4 Configuring Router ID Router...

Page 195: ... the polling interval to specify the interval of sending polling hello packets before the adjacency of the neighboring routers is formed Configure the interface type to nonbroadcast on a broadcast network without multi access capability Configure the interface type to p2mp if not all the routers are directly accessible on an NBMA network Change the interface type to p2p if the router has only one ...

Page 196: ...ol of on the VLAN interface is 10 4 2 7 Setting the Interface Priority for DR Election The priority of the router interface determines the qualification of the interface in DR election and the router of higher priority will be considered first if there is a collision in the election DR is not designated manually instead it is elected by all the routers on the segment Routers with the priorities 0 ...

Page 197: ...to become the DR even if it has the highest priority z DR is based on the router interface in a certain segment Maybe a router is a DR on one interface but can be a BDR or DROther on the other interface z DR election is only required for the broadcast or NBMA interfaces For the p2p or p2mp interfaces DR election is not required Perform the following configuration in Interface view Table 4 7 Settin...

Page 198: ... should be kept The hello interval value is in inverse proportion to the route convergence rate and network load Perform the following configuration in Interface view Table 4 9 Setting the Interval of Hello Packet Transmission Operation Command Set the hello interval of the interface ospf timer hello seconds Restore the default hello of the interface undo ospf timer hello Set the poll interval on ...

Page 199: ... Setting the parameter like this mainly considers the time duration that the interface requires for transmitting the packet The user can configure the interval of sending LSU message Obviously more attention should be paid on this item over low speed network Perform the following configuration in Interface view Table 4 11 Configuring an Interval required for sending LSU packets Operation Command C...

Page 200: ...l as affect the operation efficiency of the router Adjusting the SPF calculation interval however can restrain the resource consumption due to frequent network changes Perform the following configuration in OSPF view Table 4 13 Setting the SPF calculation interval Operation Command Set the SPF calculation interval spf schedule interval seconds Restore the SPF calculation interval undo spf schedule...

Page 201: ...ort external routing by itself and advertise in the autonomous system not accepting external routing generated by other area in the autonomous system Actually NSSA area is one deformation of Stub area which can conditionally import AS external routing A new area NSSA Area and a new LSA NSSA LSA or called Type 7 LSA are added in the RFC1587 OSPF NSSA Option NSSA and Stub area are similar in many wa...

Page 202: ...ost Restore the default cost value of the route to the NSSA area undo default cost All the routers connected to the NSSA should use the nssa command to configure the area with the NSSA attribute The keyword default route advertise is used to generate the default type 7 LSAs When default route advertise is configured the default type 7 LSA route will be generated on the ABR even though no default r...

Page 203: ...arately advertised to other areas Only the route summary of the whole aggregate network will be advertised But if the range of the segment is restricted by the keyword not advertise the route summary of this segment will not be advertised This segment is represented by IP address and mask Route summarization can take effect only when it is configured on ABRs Perform the following configuration in ...

Page 204: ... 0 0 0 a virtual link must be created If the physical connectivity cannot be ensured due to the network topology restriction a virtual link can satisfy this requirement The virtual link refers to a logic channel set up through the area of a non backbone internal route between two ABRs Both ends of the logic channel should be ABRs and the connection can take effect only when both ends are configure...

Page 205: ...same authentication key To configure a simple text authentication key use the ospf authentication mode simple command And use the ospf authentication mode md5 command to configure the MD5 cipher text authentication key if the area is configured to support MD5 cipher text authentication mode Perform the following configuration in OSPF Area view Table 4 19 Configuring the OSPF Area to Support Packet...

Page 206: ...l route type 2 Intra area and inter area routes describe the internal AS topology whereas the external routes describes how to select the route to the destinations beyond the AS The external routes type 1 refer to the imported IGP routes such as static route and RIP Since these routes are more reliable the calculated cost of the external routes is the same as the cost of routes within the AS Also ...

Page 207: ...2 22 Configuring Parameters for OSPF to Import External Routes When the OSPF imports the routing information discovered by other routing protocols in the autonomous system some additional parameters need configuring such as default route cost and default tag of route distribution etc Route ID can be used to identify the protocol related information For example OSPF can use it to identify the AS nu...

Page 208: ...cond 4 2 23 Configuring OSPF to Import the Default Route The import route command cannot be used to import the default route Using the command as follows you can import the default route into the routing table Perform the following configuration in OSPF view Table 4 23 Configuring OSPF to Import the Default Route Operation Command Import the default route to OSPF default route advertise always cos...

Page 209: ...abling OSPF to filter the received routes Operation Command Disable to filter the received global routing information filter policy acl number ip prefix ip prefix name gateway prefix list name import Cancel to filter the received global routing information undo filter policy acl number ip prefix ip prefix name gateway prefix list name import II Configuring filtering the routes distributed by OSPF ...

Page 210: ...uters use the DD Database Description packets to describe their own LSDBs when synchronizing the databases You can manually specify an interface to fill in the MTU field in a DD packet when it transmits the packet The MTU should be set to the real MTU on the interface Perform the following configuration in Interface view Table 4 27 Configuring Whether the MTU Field will be Filled in when an Interf...

Page 211: ...stem NMS You can configure the switch to send multiple types of SNMP TRAP packets in case of OSPF anomalies In addition you can configure the switch to send SNMP TRAP packets when a specific process is abnormal by specifying the process ID Perform the following configuration in system view Table 4 29 Enabling disabling OSPF TRAP function Operation Command Enable OSPF TRAP function snmp agent trap ...

Page 212: ...SPF After the above configuration execute display command in any view to display the running of the OSPF configuration and to verify the effect of the configuration Execute debugging command in user view to debug the OSPF module Table 4 31 Displaying and debugging OSPF Operation Command Display the brief information of the OSPF routing process display ospf brief Display OSPF statistics display osp...

Page 213: ...owing figure Correctly make the configuration to enable Switch A and Switch C to be DR and BDR respectively The priority of Switch A is 100 which is the highest on the network so it is elected as the DR Switch C has the second highest priority so it is elected as the BDR The priority of Switch B is 0 which means that it cannot be elected as the DR And Switch D does not have a priority which takes ...

Page 214: ... C ospf Switch C ospf area 0 Switch C ospf area 0 0 0 0 network 196 1 1 0 0 0 0 255 Configure Switch D Switch D interface Vlan interface 1 Switch D Vlan interface1 ip address 196 1 1 4 255 255 255 0 Switch D router id 4 4 4 4 Switch D ospf Switch D ospf area 0 Switch D ospf area 0 0 0 0 network 196 1 1 0 0 0 0 255 On Switch A run display ospf peer to display the OSPF peers Please note that Switch ...

Page 215: ...witch A becomes the BDR with a priority of 100 To switch off and restart all of the switches will bring about a new round of DR BDR selection 4 4 2 Configuring OSPF Virtual Link I Networking requirements In the following figure Area 2 and Area 0 are not directly connected Area 1 is required to be taken as transit area for connecting Area 2 and Area 0 Correctly configure a virtual link between Swit...

Page 216: ...an interface 1 Switch C Vlan interface1 ip address 152 1 1 1 255 255 255 0 Switch C interface Vlan interface 2 Switch C Vlan interface2 ip address 197 1 1 1 255 255 255 0 Switch C router id 3 3 3 3 Switch C ospf Switch C ospf area 1 Switch C ospf area 0 0 0 1 network 197 1 1 0 0 0 0 255 Switch C ospf area 0 0 0 1 vlink peer 2 2 2 2 Switch C ospf area 0 0 0 1 quit Switch C ospf area 2 Switch C ospf...

Page 217: ...r times the value of the hello timer z If the network type is NBMA the peer must be manually specified using the peer ip address command z If the network type is broadcast or NBMA there must be at least one interface with a priority greater than zero z If an area is set as the STUB area to which the routers are connected The area on these routers must be also set as the STUB area z The same interf...

Page 218: ... z The backbone area area 0 cannot be configured as the STUB area and the virtual link cannot pass through the STUB area That is if a virtual link has been set up between RTB and RTC neither area1 nor area0 can be configured as a stub area In the above figure only area 2 can be configured as stub area z Routers in the STUB area cannot redistribute the external routes z Backbone area must guarantee...

Page 219: ... transport layer protocol z When routes are updated BGP only transmits updated routes which greatly reduces bandwidth occupation by route propagation and can be applied to propagation of a great amount of routing information on the Internet z BGP 4 supports CIDR which is an important improvement to BGP 3 z In consideration of management and security users desire to perform control over outgoing an...

Page 220: ...fresh Capability for BGP 4 5 1 3 BGP Routing Mechanism On the first startup of the BGP system the BGP router exchanges routing information with its peers by transmitting the complete BGP routing table after that only update messages are exchanged In the operating of the system keepalive messages are received and transmitted to check the connections between various neighbors The router transmitting...

Page 221: ...ect the routes rooted from the router itself z First select the routes with the least AS paths z First select the routes with the lowest origin z First select the routes with the lowest MED value z First select the routes learned from EBGP z First select the routes advertised by the router with the lowest ID 5 1 4 BGP peer and peer group I Definition of peer and peer group A BGP speaker calls othe...

Page 222: ...le BGP local AS number should be specified After the enabling of BGP local router listens to BGP connection requests sent by adjacent routers To make the local router send BGP connection requests to adjacent routers refer to the configuration of the peer command When BGP is disabled all established BGP connections will be disconnected Perform the following configurations in system view Table 5 1 E...

Page 223: ... this command is not used to configure the AS number for a peer group each peer to be added to the peer group should have its AS number pre configured If the AS number is configured for a peer group all peers to be added to the group should be configured if configured the same AS numbers with the peer group II Create a peer group and add a member By default IBGP peers will be added into a default ...

Page 224: ...eer group name peer address enable disable a peer peer group undo peer group name peer address enable By default a peer or peer group is enabled IV Configuring description of a peer group Description of a peer group can be configured to facilitate learning the characteristics of the peer Table 5 5 Configuring description of a peer group Operation Command Configure description of a peer group peer ...

Page 225: ...ion Command Configure the route update message interval of a peer group peer peer address group name route update interval seconds Restore the default route update message interval of a peer group undo peer peer address group name route update interval By default the intervals at which route update messages are sent by an IBGP and EBGP peer group are 5 seconds and 30 seconds respectively 5 2 3 Con...

Page 226: ...n Command Configure a peer group to be a client of a route reflector peer peer address group name reflect client Cancel the configuration of making the peer group as the client of the BGP route reflector undo peer peer address group name reflect client For detailed information on route reflector refer to Configuring Route Reflector section of this manual III Configuring to send default route to a ...

Page 227: ...mbers while transmitting update messages Table 5 12 Removing private AS numbers while transmitting BGP update messages Operation Command Remove private AS numbers while transmitting BGP update messages peer peer address group name public as only Include private AS numbers while transmitting BGP update messages undo peer peer address group name public as only By default the private AS numbers are i...

Page 228: ... source interface of a route update packet peer peer address group name connect interface interface type interface name Use the best source interface undo peer peer address group name connect interface interface type interface name By default BGP carries out TCP connection with the optimal source interface IX Configuring BGP MD5 authentification password BGP uses TCP as its transport layer For the...

Page 229: ...ress group name route policy policy name import export By default no route policy is applied on peer group II Configuring route filtering policy based on IP ACL for a peer group Table 5 18 Configuring route filtering policy based on IP ACL for a peer group Operation Command Configure the route filtering policy based on IP ACL for a peer group peer peer address group name filter policy acl number i...

Page 230: ...ix prefixname import export By default route filtering based on address prefix list for a peer group is disabled 5 2 5 Configuring Networks for BGP Distribution Perform the following configurations in BGP view Table 5 21 Configuring Networks for BGP Distribution Operation Command Configure the local network route network ip address address mask route policy route policy name Remove the local netwo...

Page 231: ...achable the local BGP will add this BGP route into its routing table immediately after it learns the route rather than waiting till the IGP also learns the route Perform the following configurations in BGP view Table 5 23 Configuring not to syncronize with IGP Operation Command cancel the synchronization of BGP and IGP undo synchronization By default BGP doesn t synchronize with IGP Quidway S3500 ...

Page 232: ...he BGP will not perform local route aggregation 5 2 8 Configuring BGP Route Filtering I Configuring BGP to filter the received route information Perform the following configurations in BGP view The routes received by the BGP can be filtered and only those routes that meet the certain conditions will be received by the BGP Table 5 25 Configuring imported route filtering Operation Command Configure ...

Page 233: ...he import route command and the advertised BGP routes will be filtered For details please refer to the Configure Route Filtering part in the Routing Policy 5 2 9 Configuring BGP route dampening The main possible reason for unstable route is the intermittent disappearance and re emergence of the route that formerly existed in the routing table and this situation is called the flapping When the flap...

Page 234: ...wn Hold time and the one received in the message will be selected as the negotiated Hold Timer Then BGP will send a KeepAlive message and set a KeepAlive timer If the negotiation result is 0 no keepalive Message will be transmitted and whether the hold time has timed out will not be cared Perform the following configurations in BGP view Table 5 28 Configuring BGP Timer Operation Command Configure ...

Page 235: ...ED to determine the optimum route for entering the AS When a router running BGP gets routes with the same destination address but different next hops through different external peers it will select the route of the smallest MED as the optimum route provided that all the other conditions are the same Perform the following configurations in BGP view Table 5 30 Configuring an MED metric for the syste...

Page 236: ...ses which are called advanced community attributes You may define not only the basic community but also the advanced community attributes Community list is used to identify a community which falls into basic community list and advanced community list In addition a route can have more than one community attributes In a route the speaker of multiple community attributes can act according to one seve...

Page 237: ... and transmits it to Router C Router C is a route reflector with two peer clients Router A and Router B Router C reflects the update packet from client Router A to client Router B Under such configuration the peer session between Router A and Router B is actually eliminated because the route reflector will transfer the BGP information to Router B Router EBGP EBGP Route reflector Route reflected Ro...

Page 238: ...ute reflector Operation Command Configure the Cluster_ID of the route reflector reflector cluster id cluster id address Canceling the Cluster_ID of the route reflector undo reflector cluster id By default the router ID of the route reflector is used as the cluster ID III Two kinds of measures to avoid looping inside AS As route reflector is imported it is possible that path looping will be generat...

Page 239: ...ernal network does not need to know the status of internal sub ASs and the confederation ID is the AS number identifying the confederation as a whole Perform the following configurations in BGP view Table 5 35 Configuring confederation_ID Operation Command Configure confederation_ID confederation id as number Canceling confederation_ID undo confederation id By default the confederation_ID is not c...

Page 240: ...the configuration of ACL AS path list and Route policy I Defining the ACL Refer to Define ACL in QoS ACL Operation Manual and Command Manual II Defining the AS path list The routing information packet of the BGP includes an autonomous system path domain The as path list can be used to match with the autonomous system path domain of the BGP routing information so as to filter the routing informatio...

Page 241: ...y Configuration 5 2 18 Clearing BGP Connection After the user changes BGP policy or protocol configuration they must cut off the current connection so as to enable the new configuration Perform the following configuration in user view Table 5 39 Clearing BGP connection Operation Command Clear the connection between BGP and the specified peers reset bgp peer address flap info Clear all connections ...

Page 242: ...munity aa nn no export subconfed no advertise no export whole match Display the routing information allowed by the specified BGP community list display bgp routing table community list community list number whole match Display BGP dampened paths display bgp routing table dampened Display the routing information the specified BGP peer advertised or received display bgp routing table peer peer addre...

Page 243: ...ive receive send verbose Enable BGP Open debugging debugging bgp open receive send verbose Enable BGP packet debugging debugging bgp packet receive send verbose Enable BGP Update packet debugging debugging bgp route refresh receive send verbose Enable information debugging of BGP normal functions debugging bgp normal Enable BGP Update packet debugging debugging bgp update receive send verbose Rese...

Page 244: ...onfiguration procedure Configure Switch A Switch A bgp 1001 Switch A bgp confederation id 100 Switch A bgp confederation peer as 1002 1003 Switch A bgp peer 172 68 10 2 as number 1002 Switch A bgp peer 172 68 10 3 as number 1003 Configure Switch B Switch B bgp 1002 Switch B bgp confederation id 100 Switch B bgp confederation peer as 1001 1003 Switch B bgp peer 172 68 10 1 as number 1001 Switch B b...

Page 245: ... because Switch C reflects information to Switch D II Networking diagram IBGP IBGP EBGP Client Client Route reflector VLAN 4 194 1 1 1 24 VLAN 3 193 1 1 1 24 VLAN 3 193 1 1 2 24 VLAN 4 194 1 1 2 24 VLAN 2 192 1 1 2 24 VLAN 2 192 1 1 1 24 AS100 AS200 Network 1 0 0 0 VLAN 100 1 1 1 1 8 Switch A Switch B Switch C Switch D Figure 5 3 Networking diagram of configuring BGP route reflector III Configurat...

Page 246: ...lan Interface 4 Switch C Vlan interface4 ip address 194 1 1 1 255 255 255 0 Configure BGP peers and route reflector Switch C bgp 200 Switch C bgp peer 193 1 1 2 as number 200 Switch C bgp peer 193 1 1 2 reflect client Switch C bgp peer 194 1 1 2 as number 200 Switch C bgp peer 194 1 1 2 reflect client 4 Configure Switch D Configure VLAN 4 Switch D interface vlan interface 4 Switch D Vlan interface...

Page 247: ...VLAN 2 192 1 1 2 24 2 2 2 2 4 4 4 4 3 3 3 3 1 1 1 1 AS100 AS200 VLAN 4 194 1 1 1 24 VLAN 5 195 1 1 1 24 IBGP IBGP EBGP EBGP To network 1 0 0 0 To network 2 0 0 0 To network 4 0 0 0 To network 3 0 0 0 Switch A Switch B Switch C Switch D Figure 5 4 Networking diagram of configuring BGP routing III Configuration procedure 1 Configure Switch A Switch A interface Vlan interface 2 Switch A Vlan interfac...

Page 248: ...icy apply cost 100 Switch A route policy quit z Apply route policy set_med_50 to egress route update of Switch C 193 1 1 2 and apply route policy set_med_100 on the egress route of Switch B 192 1 1 2 Switch A bgp 100 Switch A bgp peer 193 1 1 2 route policy apply_med_50 export Switch A bgp peer 192 1 1 2 route policy apply_med_100 export 2 Configure Switch B Switch B interface vlan interface 2 Swi...

Page 249: ...0 Switch D ospf Switch D ospf area 0 Switch D ospf area 0 0 0 0 network 194 1 1 0 0 0 0 255 Switch D ospf area 0 0 0 0 network 195 1 1 0 0 0 0 255 Switch D ospf area 0 0 0 0 network 4 0 0 0 0 255 255 255 Switch D bgp 200 Switch D bgp undo synchronization Switch D bgp peer 195 1 1 2 as number 200 Switch D bgp peer 194 1 1 2 as number 200 To enable the configuration all BGP neighbors will be reset u...

Page 250: ...oting Fault 1 The neighborhood cannot be established The Established state cannot be entered Troubleshooting The establishment of BGP neighborhood needs the router able to establish TCP connection through port 179 and exchange Open packets correctly Perform the check according to the following steps z Check whether the configuration of the neighbor s AS number is correct z Check whether the neighb...

Page 251: ... be advertised correctly after importing route of IGP with the command network Troubleshooting Route imported by command network should be same as a route in current routing table which should include destination segment and mask Route covering large network segment cannot be imported For example route 10 1 1 0 24 can be imported while 10 0 0 0 8 may cause error ...

Page 252: ...five kinds of filters Route policy acl as path community list and ip prefix are provided to be called by the routing protocols The following sections introduce these filters respectively I Route policy Route map is used for matching some attributes in given routing information and the attributes of the information will be set if the conditions are satisfied A route map can comprise multiple nodes ...

Page 253: ... specify the match range of the network prefix forms and is identified with an index number The index number designates the matching check sequence in the ip prefix During the matching the router checks list items identified by the sequence number in the ascending order Once a single list item meets the condition it means that it has passed the ip prefix filtering and will not enter the testing of...

Page 254: ... defined node in the route policy to be in permit mode If a route satisfies all the if match clauses of the node it will pass the filtering of the node and the apply clauses for the node will be executed without taking the test of the next node If not however the route should take the test of the next node The deny argument specifies the matching mode for a defined node in the route policy to be i...

Page 255: ...match community basic community number whole match adv community number Cancel the matched community attribute of the BGP routing information undo if match community Match the destination address of the routing information if match acl acl number ip prefix ip prefix name Cancel the matched destination address of the routing information undo if match acl ip prefix Match the next hop interface of th...

Page 256: ... Thereby some attributes of the route can be modified Perform the following configurations in Route policy view Table 6 3 Defining apply clauses Operation Command Add the specified AS number before the as path series of the BGP routing information apply as path as number 1 as number 2 as number 3 Cancel the specified AS number added before the as path series of the BGP routing information undo app...

Page 257: ... then this value will be regarded as the MED value of the IGP route The preference configured with the apply cost type internal is lower than that configured with the apply cost command but higher than that configured with the default med command 6 2 4 Importing Routing Information Discovered by Other Routing Protocols A routing protocol can import the routes discovered by other routing protocols ...

Page 258: ...ex number permit deny During the matching the router checks list items identified by the index number in the ascending order If only one list item meets the condition it means that it has passed the ip prefix filtering will not enter the testing of the next list item Please note that if more than one ip prefix item are defined then the match mode of at least one list item should be the permit mode...

Page 259: ...distribution to filter the routing information not satisfying the conditions while distributing routes with the help of an ACL or address ip prefix Perform the following configuration in routing protocol view Table 6 7 Configuring to filter the distributed routes Operation Command Configure to filter the routes distributed by the protocol filter policy acl number ip prefix ip prefix name export ro...

Page 260: ...g Policy Configuration Example 6 4 1 Configuring to Filter the Received Routing Information I Networking requirements z Switch A communicates with Switch B running OSPF protocol z Import three static routes through enabling the OSPF protocol on the Switch A z The route filtering rules can be configured on Switch B to make the received three static routes partially visible and partially shielded It...

Page 261: ...outes Switch A ospf import route static Configure Switch B Configure the IP address of VLAN interface Switch B interface vlan interface 100 Switch B Vlan interface100 ip address 10 0 0 2 255 0 0 0 Configure the access control list Switch B acl number 2000 Switch B acl basic 2000 rule deny source 30 0 0 0 0 255 255 255 Switch B acl basic 2000 rule permit source any Enable OSPF protocol and specifie...

Page 262: ...en all the nodes of the Route policy are in the deny mode then all the routing information cannot pass the filtering of the Route policy The if match mode of at least one list item of the ip prefix should be the permit mode The list items of the deny mode can be firstly defined to rapidly filter the routing information not satisfying the requirement but if all the items are in the deny mode any ro...

Page 263: ... table and whether to keep connection with a routing protocol Note It should be noted that the default value meets the requirements normally The user is not recommended to modify the configuration to avoid improper configuration to avoid reducing of stability and availability of the system 7 1 2 Route Capacity Limitation Implemented by S3500 Series Ethernet Switches Usually the huge size of the ro...

Page 264: ...y memory safety safety value limit limit value Restore the lower limit and the safety value of the Ethernet switch memory to the default value undo memory safety limit The lower limit value set for the memory must be smaller than the safety value 7 2 2 Enabling Disabling the Ethernet switch to Recover the Disconnected Routing Protocol Automatically If memory automatic restoration function of a Eth...

Page 265: ...ging Route Capacity After the above configuration execute display command in any view to display the running of the Route capacity configuration Table 7 3 Displaying and debugging route capacity Operation Command Display the route capacity related memory information display memory Display the route capacity related memory setting and state information display memory limit ...

Page 266: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Multicast ...

Page 267: ...uration Example 2 2 Chapter 3 IGMP Snooping Configuration 3 1 3 1 IGMP Snooping Overview 3 1 3 1 1 IGMP Snooping Principle 3 1 3 1 2 Implement IGMP Snooping 3 2 3 2 Configure IGMP Snooping 3 4 3 2 1 Enable Disable IGMP Snooping 3 5 3 2 2 Configure Router Port Aging Time 3 5 3 2 3 Configure Maximum Response Time 3 6 3 2 4 Configure Aging Time of Multicast Group Member 3 6 3 2 5 Enabling Disabling t...

Page 268: ...e PIM DM 6 3 6 1 3 Configure the Interface Hello Message Interval 6 3 6 1 4 Entering PIM View 6 4 6 2 Display and Debug PIM DM 6 4 6 3 PIM DM Configuration Example 6 5 Chapter 7 PIM SM Configuration 7 1 7 1 PIM SM Overview 7 1 7 1 1 Introduction to PIM SM 7 1 7 1 2 PIM SM Operating Principle 7 1 7 1 3 Preparations before Configuring PIM SM 7 2 7 2 PIM SM Configuration 7 3 7 2 1 Enable Multicast 7 ...

Page 269: ...logies Proprietary iii 8 2 Adding Multicast MAC Address Entries 8 1 8 3 Multicast MAC Address Configuration Example 8 2 Chapter 9 Multicast VLAN 9 1 9 1 Introduction to Multicast VLAN 9 1 9 2 Multicast VLAN Configuration 9 1 9 2 1 Configuration Tasks 9 1 9 3 Multicast VLAN Configuration Example 9 3 ...

Page 270: ...tion to all users on the network No matter whether the users need the information they will receive it from the broadcast For example if the same information is required by 200 users on the network the traditional solution is to send the information 200 times respectively in unicast mode so that these users can receive the data they need In the broadcast mode the data is broadcast over the entire ...

Page 271: ...icast IP header and continue the multicast transmission This avoids the network architecture from changing greatly Multicast advantages z Enhanced efficiency Reduce network traffic and relieve server and CPU loads z Optimized performance Decrease traffic redundancy z Distributed applications Make multipoint applications possible 1 2 Multicast Addresses 1 2 1 IP Multicast Addresses The destination ...

Page 272: ...ble 1 1 Table 1 1 Ranges and meanings of Class D addresses Class D address range Meaning 224 0 0 0 224 0 0 255 Reserved multicast addresses addresses of permanent groups Address 224 0 0 0 is reserved The other addresses can be used by routing protocols 224 0 1 0 238 255 255 255 Multicast addresses available for users addresses of temporary groups They are valid in the entire network 239 0 0 0 239 ...

Page 273: ...e MAC address is the lower 23 bits of the multicast IP address 111 0XX XX 32 bits IP address 48 bits MAC address 5 bits not mapped Lower 23 bits directly mapped XXXXXXX X XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXX XX XXXXX XXX XXXXXXXX XXXXXXXX Figure 1 2 Mapping between the multicast IP address and the Ethernet MAC address Because only 23 bits of the last 28 bits in the IP multicast address are m...

Page 274: ...icast allows packets to be routed from the data source to the specified destination address which is impossible for multicast The multicast application sends the packets to a group of receivers with multicast addresses who want to receive the data but not only to one receiver with unicast address The multicast routing creates a loop free data transmission path from one data source to multiple rece...

Page 275: ... forwarding data to the RP When the data reaches the RP the multicast packets are replicated and sent to receivers along the path of the distribution tree Replicate only happens at the branches of the distribution tree This process can be automatically repeated until the packets reach the destination 1 4 IP Multicast Packet Forwarding In the multicast model the source host sends information to the...

Page 276: ...on from single point to multi point in IP networks and can save a large amount of network bandwidth and reduce network loads New value added services that take advantage of multicast can be delivered in the Internet information service area including direct broadcasting Web TV distance learning distance medicine net broadcasting station and real time audio video conferencing z Multimedia and strea...

Page 277: ...ving the message the switch adds the port to the multicast group and broadcasts the message throughout the VLAN thereby the multicast source in the VLAN knows the multicast member joined When the multicast source multicasts packets to its group the switch only forwards the packets to the ports connected to the members thereby implementing the Layer 2 multicast in VLAN The multicast information tra...

Page 278: ...bove configuration execute display command in any view to display the running of the GMRP configuration and to verify the effect of the configuration Execute debugging command in user view to debug GMRP configuration Table 2 3 Display and debug GMRP Operation Command Display GMRP statistics display gmrp statistics interface interface_list Display GMRP global status display gmrp status Enable GMRP ...

Page 279: ...ologies Proprietary 2 3 III Configuration procedure Configure LS_A Enable GMRP globally Quidway gmrp Enable GMRP on the port Quidway interface Ethernet 0 1 Quidway Ethernet0 1 gmrp Configure LS_B Enable GMRP globally Quidway gmrp Enable GMRP on the port Quidway interface Ethernet 0 1 Quidway Ethernet0 1 gmrp ...

Page 280: ...yer When receiving the IGMP messages transmitted between the host and router the Layer 2 Ethernet switch uses IGMP Snooping to analyze the information carried in the IGMP messages If the switch hears IGMP host report message from an IGMP host it will add the host to the corresponding multicast table If the switch hears IGMP leave message from an IGMP host it will remove the host from the correspon...

Page 281: ...hen IGMP Snooping runs the packets are not broadcast on Layer 2 See the following figure Internet Intranet Video stream VOD Server Layer 2 Ethernet Switch Video stream Multicast group member Non multicast group member Multicast router Video stream Video stream Video stream Non multicast group member Figure 3 2 Multicast packet transmission when IGMP Snooping runs 3 1 2 Implement IGMP Snooping I Re...

Page 282: ... message before the timer times out it transmits IGMP specific query message to the port z Maximum response time When the switch transmits IGMP specific query message to the multicast member port the Ethernet switch starts a response timer which times before the response to the query If the switch has not received any IGMP report message before the timer times out it will remove the port from the ...

Page 283: ...le and meanwhile creates an IP multicast group and adds the port received the report message to it If the corresponding MAC multicast group exists but does not contains the port received the report message the switch adds the port into the multicast group and starts the port aging timer And then the switch checks if the corresponding IP multicast group exists If it does not exist the switch create...

Page 284: ... Disable IGMP Snooping Operation Command Enable disable IGMP Snooping igmp snooping enable disable Restore the default setting undo igmp snooping IGMP Snooping and GMRP cannot run at the same time You can check if GMRP is running using the display gmrp status command in any view before enabling IGMP Snooping By default IGMP Snooping is disabled 3 2 2 Configure Router Port Aging Time This task is t...

Page 285: ...oup report message during the member port aging time it will transmit the specific query message to that port and starts a maximum response timer Perform the following configuration in system view Table 3 4 Configure aging time of the multicast member Operation Command Configure aging time of the multicast member igmp snooping host aging time seconds Restore the default setting undo igmp snooping ...

Page 286: ...rs in this group 3 2 6 Setting the maximum number of multicast groups permited on a port Perform the following configuration in Ethernet port view Table 3 6 Setting the maximum number of multicast groups permited on a port Operation Command Set the maximum number of multicast groups permited on a port igmp snooping group limit limit Restore the default value undo igmp snooping group limit By defau...

Page 287: ... port doesn t belong to the specified VLAN the filtering configured by this command will not take effect z Most devices just broadcast unknown multicast packets s o to prevent the case where multicast data flow is sent as unknown multicast packets to the filtered ports this function is generally configured in combination with the unknown multicast dropping function 3 3 Display and debug IGMP Snoop...

Page 288: ...Figure 3 4 IGMP Snooping configuration networking III Configuration procedure Display the status of GMRP Quidway display gmrp status Display the current status of IGMP Snooping when GMRP is disabled Quidway display igmp snooping configuration Enable IGMP Snooping if it is disabled Quidway igmp snooping enable 3 5 Troubleshoot IGMP Snooping Fault Multicast function cannot be implemented on the swit...

Page 289: ...nnel for help z Continue with diagnosis 3 if the second step is completed 3 Multicast forwarding table set up on the bottom layer is wrong z Enable IGMP Snooping group in user view and then input the command display igmp snooping group to check if MAC multicast forwarding table in the bottom layer and that created by IGMP Snooping is consistent You may also input the display mac vlan command in an...

Page 290: ...lticast configuration includes z Enable multicast 4 2 1 Enable Multicast Enable multicast first before enabling the multicast routing protocol Enabling multicast will automatically enable IGMP V2 on all interfaces Perform the following configuration in system view Table 4 1 Enable multicast Operation Command Enable multicast multicast routing enable Disable multicast undo multicast routing enable ...

Page 291: ...group address mask mask mask length source address mask mask mask length incoming interface interface type interface number register Display the multicast virtual interface information display multicast vif Enable multicast packet forwarding debugging debugging multicast forwarding Disable multicast packet forwarding debugging undo debugging multicast forwarding Enable multicast forwarding status ...

Page 292: ...s from the multicast router i e report the group membership to the router The router needs to send membership query messages periodically to discover whether hosts join the specified group on its subnets according to the received response messages When the router receives the report that hosts leave the group the router will send a group specific query IGMP Version 2 to discover whether no member ...

Page 293: ...he IP address of the multicast group The group address domain in the packet is also the IP address of the multicast group This prevents the hosts of members of other multicast groups from sending response messages IV Max response time The Max Response Time is added in IGMP Version 2 It is used to dynamically adjust the allowed maximum time for a host to response to the membership query message 5 2...

Page 294: ...blem When the interface receives IGMP query packet the router will respond thus ensuring that the network segment where the interface is connected can normally receive multicast packets For an ethernet switch you can configure a port in a VLAN interface to join a multicast group Perform the following configuration in VLAN interface view Table 5 2 Configure a router to join specified multicast grou...

Page 295: ..._ num interface_name to interface_type interface_ num interface_name Limit the range of allowed multicast groups on current interface Ethernet port view igmp group policy acl number vlan vlan_id Remove the filter set on the interface Ethernet port view undo igmp group policy vlan vlan_id By default no filter is configured that is all multicast groups are allowed on the interface 5 2 5 Configure th...

Page 296: ... Maximum Response Time for IGMP Query Message When a router receives a query message the host will set a timer for each multicast group it belongs to The value of the timer is randomly selected between 0 and the maximum response time When any timer becomes 0 the host will send the membership report message of the multicast group Setting the maximum response time reasonably can enable the host to r...

Page 297: ...mand in user view for the debugging of IGMP Table 5 7 Display and debug IGMP Operation Command Display the information about members of IGMP multicast groups display igmp group group address interface interface type interface number Display the IGMP configuration and running information about the interface display igmp interface interface type interface number Enable the IGMP information debugging...

Page 298: ...s will be discarded After this process an S G entry will be created in the PIM DM multicast domain If the downstream node has no multicast group members it will send a Prune message to the upstream nodes to inform the upstream node not to forward data to the downstream node Receiving the prune message the upstream node will remove the corresponding interface from the outgoing interface list corres...

Page 299: ... 1 Assert mechanism diagram When they detect such a case routers need to select a unique sender by using the assert mechanism Routers will send Assert packets to select the best path If two or more than two paths have the same priority and metric the path with a higher IP address will be the upstream neighbor of the S G entry which is responsible for forwarding the S G multicast packet IV Graft Wh...

Page 300: ...ng is enabled in system view Once enabled PIM DM on an interface PIM SM cannot be enabled on the same interface and vice versa 6 1 3 Configure the Interface Hello Message Interval After PIM is enabled on an interface it will send Hello messages periodically on the interface The interval at which Hello messages are sent can be modified according to the bandwidth and type of the network connected to...

Page 301: ...Command Display the PIM multicast routing table display pim routing table g group address mask mask length mask rp rp address mask mask length mask group address mask mask length mask source address mask mask length mask incoming interface interface type interface num interface name null dense mode sparse mode Display the PIM interface information display pim interface interface type interface num...

Page 302: ...ource RECEIVER 2 VLAN20 VLAN30 VLAN 10 Lanswitch3 Lanswitch1 RECEIVER 1 Lanswitch2 VLAN11 VLAN12 Multicast Source RECEIVER 2 VLAN20 VLAN30 VLAN 10 Figure 6 2 PIM DM configuration networking III Configuration procedure This section only introduces Lanswitch1 configuration procedure while Lanswitch2 and Lanswitch3 configuration procedures are similar Enable the multicast routing protocol Quidway mul...

Page 303: ...e10 pim dm Quidway vlan interface10 quit Quidway interface vlan interface 11 Quidway vlan interface11 ip address 2 2 2 2 255 255 0 0 Quidway vlan interface11 igmp enable Quidway vlan interface11 pim dm Quidway vlan interface11 quit Quidway interface vlan interface 12 Quidway vlan interface12 ip address 3 3 3 3 255 255 0 0 Quidway vlan interface12 igmp enable Quidway vlan interface12 pim dm ...

Page 304: ...a flow can switch over to the SPT Shortest Path Tree rooted on the source to reduce network delay PIM SM does not depend on the specified unicast routing protocol but uses the present unicast routing table to perform the RPF check Running PIM SM needs to configure candidate RPs and BSRs The BSR is responsible for collecting the information from the candidate RP and advertising the information 7 1 ...

Page 305: ...ing the multicast packet III SPT switchover When a multicast router detects that the multicast packet with the destination address of G from the RP is sent at a rate greater than the threshold the multicast router will send a join message to the node of a higher level toward the source S which results in switchover from the RPT to the SPT 7 1 3 Preparations before Configuring PIM SM I Configure ca...

Page 306: ... elected by BSR mechanism fails a static RP can be configured As the backup of dynamic RP static RP improves robustness and operability of the multicast network 7 2 PIM SM Configuration PIM SM configuration includes z Enable Multicast z Enable PIM SM z Configure the interface hello message interval z Configure the PIM SM domain border z Enter PIM view z Configure candidate BSRs z Configure candida...

Page 307: ...form the following configuration in VLAN interface view Table 7 2 Configure the interface hello message interval Operation Command Configure the interface hello message interval pim timer hello seconds Restore the interval to the default value undo pim timer hello By default the hello message interval is 30 seconds Users can configure the value according to different network environments This conf...

Page 308: ...uter is elected among candidate BSRs The BSR takes charge of collecting and advertising RP information The automatic election among candidate BSRs is described as follows One interface which has started PIM SM must be specified when configuring the router as the candidate BSR At first each candidate BSR considers itself as the BSR of the PIM SM domain and sends Bootstrap message by taking the IP a...

Page 309: ... by the multicast routing data is rooted at the RP There is a mapping from a multicast group to an RP A multicast group can be mapped to an RP Different groups can be mapped to one RP Perform the following configuration in PIM view Table 7 6 Configure candidate RPs Operation Command Configure a candidate RP c rp interface type interface number group policy acl number Remove the candidate RP config...

Page 310: ...onfigure RP to Filter the Register Messages Sent by DR In the PIM SM network the register message filtering mechanism can control which sources to send messages to which groups on the RP i e RP can filter the register messages sent by DR to accept specified messages only Perform the following configuration in PIM view Table 7 8 Configure RP to filter the register messages sent by DR Operation Comm...

Page 311: ...l number By default the threshold is 0 That is the last hop router initiates the switch to the shortest path tree upon the arrival of the first multicast data packet 7 3 Display and Debug PIM SM After the above configuration execute display command in any view to display the running of PIM SM configuration and to verify the effect of the configuration Execute debugging command in user view for the...

Page 312: ...ostA is the receiver in a multicast group IP address of the group is 225 0 0 1 HostB transmits the data destined for 225 0 0 1 and the LSWA receives the multicast data from HostB via LSWB II Networking diagram LSWD LSWB LSWC LSWA HostA HostB VLAN11 VLAN12 VLAN20 VLAN20 VLAN30 VLAN40 VLAN12 VLAN10 VLAN30 LSWD LSWB LSWC LSWA HostA HostB VLAN11 VLAN12 VLAN20 VLAN20 VLAN30 VLAN40 VLAN12 VLAN10 VLAN30 ...

Page 313: ...erface20 ip address 4 4 4 4 255 255 0 0 Quidway vlan interface20 pim sm Quidway vlan interface20 quit 2 Configure LSWB Enable PIM SM Quidway multicast routing enable Quidway vlan 20 Quidway vlan20 port ethernet 0 2 Quidway vlan20 quit Quidway interface vlan interface 20 Quidway vlan interface20 ip address 4 4 4 5 255 255 0 0 Quidway vlan interface20 pim sm Quidway vlan interface20 quit Quidway vla...

Page 314: ...Quidway pim quit Configure PIM domain boundary Quidway interface vlan interface 40 Quidway vlan interface40 pim bsr boundary After VLAN interface 40 is configured as PIM domain boundary the LSWD will be excluded from the local PIM domain and cannot receive the BSR information transmitted from LSWB any more 3 Configure LSWC Enable PIM SM Quidway multicast routing enable Quidway vlan 10 Quidway vlan...

Page 315: ...ce30 pim sm Quidway vlan interface30 quit 7 5 PIM Troubleshooting Fault The router fails to establish the multicast routing table Troubleshooting Follow the steps below Make sure that the unicast routes are correct before settling to the problem z PIM SM requires support from the RP and the BSR Use the display pim bsr info command to check for BSR information If none check for the unicast routes t...

Page 316: ...ddress entry Then the switch changes from dynamic multicast learning to static multicast learning and saves the time originally to handle multicast packets If you configure the switch not to forward unknown multicast packets enabling the unknown multicast blocked function the switch cannot forward some specific multicast packets such as VRRP packets You can enable to forward these types of packets...

Page 317: ...rned by the switch z To add a port to the multicast MAC address entry which is manually added you need first delete the entry and create it again and then add the specified port as the forwarding port of the entry 8 3 Multicast MAC Address Configuration Example I Network requirements Create a multicast MAC address entry on the switch z multicast address 0100 5e0a 0805 z forwarding port Ethernet 1 ...

Page 318: ...ke users in different VLANs share the same multicast VLAN After doing that multicast streams are transmitted only through the multicast VLAN and therefore the bandwidth is saved Additionally the absolute isolation between the multicast VLAN and the user VLANs guarantees the security of the network 9 2 Multicast VLAN Configuration 9 2 1 Configuration Tasks Though multicast VLAN is mainly implemente...

Page 319: ...tering the system view system view Enabling IGMP Snooping function in system view igmp snooping enable Required Entering a VLAN view vlan x x is a VLAN ID Enabling the IGMP Snooping function in the VLAN view igmp snooping enable Required Enabling the multicast VLAN function service type multicast Required Quitting the VLAN view quit Entering the Ethernet port view connected with the layer 3 switch...

Page 320: ...ments The devices and requirements are as follows Table 9 3 Devices and their requirements in the example Device Role Description Switch A Layer 3 switch The IP address of the VLAN 20 interface is 168 10 1 1 The port E1 0 1 belongs to VLAN 20 and is connected with the workstation VLAN 10 acts as a multicast VLAN The port E1 0 10 is connected with switch B Switch B Layer 2 switch VLAN 2 includes th...

Page 321: ...gure switch A as follows Configure the IP address of the VLAN 20 interface to 168 10 1 1 and enable the PIM DM protocol Switch A system view Switch A multicast routing enable Switch A vlan 20 Switch A vlan20 interface vlan interface 20 Switch A Vlan interface20 ip address 168 10 1 1 255 255 255 0 Switch A Vlan interface20 pim dm Switch A Vlan interface20 quit Configure VLAN 10 Switch A vlan 10 Swi...

Page 322: ...these VLANs Switch B interface Ethernet 1 0 10 Switch B Ethernet 1 0 10 port link type hybrid Switch B Ethernet 1 0 10 port hybrid vlan 2 3 10 tagged Switch B Ethernet 1 0 10 quit Define the type of the Ethernet 1 0 1 port to hybrid Then join the port to VLAN 2 and 10 with the untagged option for the port to transmit packets of these VLANs without carrying VLAN tag Finally set the default VLAN ID ...

Page 323: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual QoS ACL ...

Page 324: ...17 1 4 1 Configuring the Time Range 1 18 1 4 2 Defining and Applying Flow Template 1 18 1 4 3 Defining ACL 1 20 1 4 4 Activating ACL 1 23 1 4 5 Displaying and Debugging ACL 1 24 1 5 ACL Configuration Example of S3526 1 25 1 5 1 Advanced ACL Configuration Example 1 25 1 5 2 Basic ACL Configuration Example 1 26 1 5 3 Link ACL Configuration Example 1 27 1 6 ACL Configuration Example of S3526E 1 28 1 ...

Page 325: ...ion 2 14 2 3 6 Configuring Priority Marking 2 14 2 3 7 Configuring Queue Scheduling 2 15 2 3 8 Configuring Traffic Mirroring 2 17 2 3 9 Configuring Traffic Statistics 2 18 2 3 10 Displaying and Debugging QoS 2 18 2 4 Configuring QoS of S3552 Series Switches 2 19 2 4 1 Configuring Service Group Allocation Rules 2 20 2 4 2 Configuring Traffic Policing 2 21 2 4 3 Configuring Traffic Shaping 2 23 2 4 ...

Page 326: ...he TELNET Users 3 1 3 2 1 Defining ACL 3 1 3 2 2 Calling ACL to Control TELNET Users 3 2 3 2 3 Configuration Example 3 2 3 3 Configuring ACL Control over the SNMP Users 3 3 3 3 1 Defining ACL 3 3 3 3 2 Calling ACL to Control SNMP Users 3 4 3 3 3 Configuration Example 3 5 3 4 Configuring ACL Control over the HTTP Users 3 5 3 4 1 Defining ACL 3 6 3 4 2 Calling ACL to Control HTTP Users 3 6 3 4 3 Con...

Page 327: ...I Case of filtering or classifying data transmitted by the hardware ACL can be used to filter or classify the data transmitted by the hardware of switch In this case the match order of ACL s sub rules is determined by the switch hardware The match order defined by the user can t be effective Due the chips installed the hardware match order of ACL s sub rule is different in different switch models ...

Page 328: ... first match the deny rule then permit rule The case includes ACL cited by QoS function ACL used for filter the packet transmitted by the hardware etc II Case of filtering or classifying data transmitted by the software ACL can be used to filter or classify the data treated by the software of switch In this case the match order of ACL s sub rules can be determined by the user There are two match o...

Page 329: ...he rule that is configured with any is listed in the end while others follow the configuration sequence For the advanced access control list comparing the source address wildcards first If they are the same then comparing the destination address wildcards For the same destination address wildcards comparing the ranges of port number the one with smaller range is listed ahead If the port numbers ar...

Page 330: ...CL Named Layer 2 ACL 64 per 100M port 512 per 1000M port The sub items of an ACL 0 to 127 Maximum sub items for all ACL sum of all ACL s sub items 1024 One rule can be delivered to hardware by multiple QoS functions which means the switch can perform many actions on a certain data stream No matter how many QoS functions use the rule the switch considers that only one rule is delivered to hardware ...

Page 331: ...ration in the system view Table 1 4 Setting the absolute time range Operation Command Set the absolute time range time range time name start time to end time days of the week from start time start date to end time end date from start time start date to end time end date Delete the absolute time range undo time range time name start time to end time days of the week from start time start date to en...

Page 332: ...les of the basic ACL are defined on the basis of the Layer 3 source IP address to analyze the data packets You can use the following command to define basic ACL Perform the following configuration in corresponding view Table 1 5 Defining the basic ACL Operation Command Enter basic ACL view from system view acl number acl number name acl name basic match order config auto add a sub item to the ACL ...

Page 333: ... to define advanced ACL Perform the following configuration in corresponding view Table 1 6 Defining the advanced ACL Operation Command Enter advanced ACL view from system view acl number acl number name acl name advanced match order config auto Add a sub item to the ACL from advanced ACL view rule rule id permit deny protocol source source addr wildcard any destination dest addr wildcard any sour...

Page 334: ...face num any egress destination vlan id dest mac addr interface interface name interface type interface num any time range name Delete a sub item from the ACL from Layer 2 ACL view undo rule rule id Delete one ACL or all the ACL from system view undo acl number acl number name acl name all Layer 2 ACL can be identified with numbers ranging from 4000 to 4999 The interface in the above command speci...

Page 335: ...ses or receive port the ones behind are the destination addresses or transmit port z MAC MAC stands for a Layer 2 ACL rule from source MAC address to destination MAC address such as rule 0 permit ingress 00e0 fc01 0101 1 egress 00e0 fc01 0102 1 time range huawei z PORT PORT stands for a Layer 2 ACL rule from received ethernet port to sent ethernet port such as rule 0 permit ingress interface ether...

Page 336: ...tion which user defined z For S3526 S3526 FM S3526 FS switches parameter icmp type is only supported when user defines advance ACL ICMP packet type and code the parameter type code in rule command can t be configured Otherwise the system will prompt the configuration is not available z The restrictions corresponding to each QoS function describe the ACL rule available in configuring this function ...

Page 337: ...ts of minute hour Date range is expressed in the units of minute hour date month and year The periodic time range is expressed in the day of the week You can use the following command to set the time range by performing the following configuration in the system view Table 1 11 Setting the absolute time range Operation Command Set the absolute time range time range time name start time to end time ...

Page 338: ...s sub rules will be effective Besides once the user specifies the match order of an ACL rule he cannot modify it later z The default matching order of ACL is config i e following the order as that configured by the user I Defining the basic ACL The rules of the basic ACL are defined on the basis of the Layer 3 source IP address to analyze the data packets You can use the following command to defin...

Page 339: ...r port1 port2 destination port operator port1 port2 icmp type type code established precedence precedence tos tos dscp dscp fragment time range name Delete a sub item from the ACL from advanced ACL view undo rule rule id source destination source port destination port icmp type precedence tos dscp fragment time range Delete one ACL or all the ACL from system view undo acl number acl number name ac...

Page 340: ...er 2 ACL view undo rule rule id Delete one ACL or all the ACL from system view undo acl number acl number name acl name all Layer 2 ACL can be identified with numbers ranging from 4000 to 4999 The interface in the above command specifies the Layer 2 interface such as the Ethernet port of a switch IV Defining the user defined ACL The user defined ACL matches any bytes in the first 64 bytes of the L...

Page 341: ... 26 XY IP header length and currently unused bit 58 K TOS field 27 Z Currently unused bits and flags bit 59 L IP packet length 28 a Window Size field 60 M ID number 30 b Others 62 N Flags field 32 The offsets listed in the above table are the field offsets in the SNAP tag 802 3 data frame In the user defined ACL you can use the rule mask and offset parameters to select any bytes from the first 64 ...

Page 342: ...me Delete a sub item from the ACL from user defined ACL view undo rule rule id Delete one ACL or all the ACL from system view undo acl number acl number name acl name all The self defined ACL are identified with the numbers ranging from 5000 to 5999 1 3 3 Activating ACL The defined ACL can be active after activated globally on the switch This function is used to activate the ACL filtering or class...

Page 343: ... of the time range display time range all name Display the detail information about the ACL display acl config all acl number acl name Display the information about the ACL running state display acl running packet filter all Clear ACL counters reset acl counter all acl number acl name The matched information of display acl config command specifies the rules treated by the switch s CPU The matched ...

Page 344: ...time start date to end time end date When the start time and end time are not configured it will be all the time for one day The end time shall be later than the start time When end time end date is not configured it will be all the time from now to the date which can be displayed by the system The end time shall be later than the start time 1 4 2 Defining and Applying Flow Template I Defining Flo...

Page 345: ...P head 0 bytes icmp code ICMP code field 1 byte icmp type ICMP type field 1 byte ip protocol Protocol field in IP packet header 1 byte sip Source IP field in IP packet header 4 bytes smac MAC field in Ethernet packet header 6 bytes sport Source port field 2 bytes tcp flag Flag field in TCP packet header 1 byte Note The numbers listed in the table are not the actual length of these elements in IP p...

Page 346: ...emplate to current port or current VLAN flow template user defined cancel the applied flow template on current port or current VLAN undo flow template user defined Applying the flow template has following limitation z The template includes user defined template and the template automatic created by switch z Switch only can have up to 2 templates z Switch can only have one user defined flow templat...

Page 347: ... as that configured by the user I Defining the basic ACL The rules of the basic ACL are defined on the basis of the Layer 3 source IP address to analyze the data packets You can use the following command to define basic ACL Perform the following configuration in corresponding view Table 1 23 Defining the basic ACL Operation Command Enter basic ACL view from system view acl number acl number name a...

Page 348: ... tos dscp dscp fragment time range name Delete a sub item from the ACL from advanced ACL view undo rule rule id source destination source port destination port icmp type precedence tos dscp fragment time range Delete one ACL or all the ACL from system view undo acl number acl number name acl name all The advanced ACL is identified with the numbers ranging from 3000 to 3999 Note that the port1 and ...

Page 349: ...e one ACL or all the ACL from system view undo acl number acl number name acl name all Layer 2 ACL can be identified with numbers ranging from 4000 to 4999 1 4 4 Activating ACL The defined ACL can be active after activated globally on the switch This function is used to activate the ACL filtering or classify the data transmitted by the hardware of switch You can use the following command to activa...

Page 350: ...le in Link ACL link group acl number acl name rule rule All rules in IP ACL and one rule in Link ACL ip group acl number acl name link group acl number acl name rule rule One rule in IP ACL and one rule in Link ACL ip group acl number acl name rule rule link group acl number acl name rule rule One rule in IP ACL and all rules in Link ACL ip group acl number acl name rule rule link group acl number...

Page 351: ...tion refer to the Command Manual 1 5 ACL Configuration Example of S3526 1 5 1 Advanced ACL Configuration Example I Networking requirements The interconnection between different departments on a company network is implemented through the 100M ports of the Ethernet Switch The payment query server of the Financial Dept is accessed via Ethernet1 1 at 129 110 1 2 It is required to properly configure th...

Page 352: ...match order config Define the rules for other department to access the payment server Quidway acl adv traffic of payserver rule 1 deny ip source any destination 129 110 1 2 0 0 0 0 time range huawei 3 Activate ACL Activate the ACL traffic of payserver Quidway packet filter ip group traffic of payserver 1 5 2 Basic ACL Configuration Example I Networking requirements Using basic ACL filter the packe...

Page 353: ...y source 10 1 1 1 0 time range huawei 3 Activate ACL Activate the ACL traffic of host Quidway packet filter ip group traffic of host 1 5 3 Link ACL Configuration Example I Networking requirements Using Link ACL filter the packet which source MAC address is 00e0 fc01 0101 and destination MAC address is 00e0 fc01 0303 during time range 8 00 18 00 every day II Networking diagram Switch 1 connect to R...

Page 354: ... 6 ACL Configuration Example of S3526E 1 6 1 Advanced ACL Configuration Example I Networking requirements The interconnection between different departments on a company network is implemented through the 100M ports of the Ethernet Switch The payment query server of the Financial Dept is accessed via Ethernet1 1 at 129 110 1 2 It is required to properly configure the ACL and limit the department ot...

Page 355: ...department to access the payment server Quidway acl adv traffic of payserver rule 1 deny ip source any destination 129 110 1 2 0 0 0 0 time range huawei Define the rules for the Office of President to access the payment server Quidway acl adv traffic of payserver rule 2 permit ip source 129 111 1 2 0 0 0 0 destination 129 110 1 2 0 0 0 0 3 Activate ACL Activate the ACL traffic of payserver Quidway...

Page 356: ... Define the rules for packet which source IP is 10 1 1 1 Quidway acl basic traffic of host rule 1 deny source 10 1 1 1 0 time range huawei 3 Activate ACL Activate the ACL traffic of host Quidway packet filter ip group traffic of host 1 6 3 Link ACL Configuration Example I Networking requirements Using Link ACL filter the packet which source MAC address is 00e0 fc01 0101 and destination MAC address...

Page 357: ... 0101 and destination MAC address is 00e0 fc01 0303 Quidway acl link traffic of link rule 1 deny ip ingress 00e0 fc01 0101 0 0 0 egress 00e0 fc01 0303 0 0 0 time range huawei 3 Activate ACL Activate the ACL traffic of link Quidway packet filter link group traffic of link 1 6 4 User defined ACL Configuration Example I Networking requirements Using user defined ACL filter the TCP packet during time ...

Page 358: ... Rules to Filter Packets I Networking requirements Filter the packets which source IP is 1 1 1 1 source MAC is 0 0 1 II Configuration procedure Note In the following configurations only the commands related to ACL configurations are listed 1 Define ACL Quidway acl number 4000 Quidway acl link 4000 rule deny ingress 0 0 1 0 0 0 Quidway acl link 4000 quit Quidway acl number 2000 Quidway acl basic 20...

Page 359: ...ation Huawei Technologies Proprietary 1 33 5 Display the ACL information Quidway Ethernet0 1 display current configuration interface ethernet0 1 interface Ethernet0 1 flow template user defined packet filter inbound ip group 2000 rule 0 packet filter inbound link group 4000 rule 0 return ...

Page 360: ...hnology Ethernet will become one of the major ways to access the common Internet users In order to implement the end to end QoS solution on the whole network it is inevitable to consider the question of how to guarantee the Ethernet QoS service This requires the Ethernet switching devices to apply the Ethernet QoS technology and deliver the QoS guarantee at different levels to different types of s...

Page 361: ...peration 2 1 4 Traffic Policing In order to deliver better service with the limited network resources QoS monitors the traffic of the specific user on the ingress so that it can make a better use of the assigned resource 2 1 5 Port Traffic Limit The port traffic limit is the port based traffic limit used for limiting the general speed of packet output on the port 2 1 6 Redirection You can specify ...

Page 362: ...ueue can guarantee the key service packets of higher priority are transmitted first while the packets of lower service priority are transmitted during the idling gap between transmitting the packets of higher service priorities The SP also has the drawback that when congestion occurs if there are many packets queuing in the higher priority queue it will require a long time to transmit these packet...

Page 363: ...figuration includes z Setting port priority z Configuring trust packet priority z Packet filter z Priority tag z Queue scheduling z Traffic mirroring z Traffic statistics S3526 has some restrictions on ACL configuration in implementing QOS function using traffic classification The restriction details are listed in the following table Table 2 1 ACL configuration restriction for QoS function on S352...

Page 364: ...s Priority tag traffic priority ip group acl number acl name rule rule link group acl number acl name rule rule local precedence pre value Priority tag function only supports using the ACL of permit operation The Layer 2 ACL supports using the rules of MAC MAC MAC PORT PORT PORT MAC ANY ANY MAC PORT ANY and ANY PORT The Layer 3 ACL supports using the rules of IP IP IP NET NET NET IP ANY ANY IP NET...

Page 365: ... is configure the same VLAN ID for the source and destination MAC addresses in defining ACL z For the rules of IP any any IP NET any and any NET S3526 does not support packet filtering of special protocols You can only configure protocol type as IP the value of the parameter protocol in rule command can only be IP in defining these types of rules in S3526 Otherwise error information will be return...

Page 366: ...arried by a packet with the port priority by default User can configure system trusting the packet 802 1p priority and not replacing the 802 1p priorities carried by the packets with the port priority Perform the following configuration in Ethernet port view Table 2 3 Configuring port priority replacement Operation Command Configure trust packet 802 1p priority priority trust Configure not trust p...

Page 367: ... ip group acl number acl name rule rule link group acl number acl name rule rule For details about the command refer to the Command Manual 2 2 4 Configuring Queue Scheduling Queue scheduling is commonly used to resolve the problem that multiple messages compete for resource when the network congestion happens The queue scheduling function put the packet to output queue of the port according to 802...

Page 368: ...able 2 8 The default COS Local precedence map COS Value Local Precedence 0 2 1 0 2 1 3 3 4 4 5 5 6 6 7 7 Using the following commands you can configure the maps Perform the following configuration in system view Table 2 9 Map configuration Operation Command Configure COS Local preced ence map qos cos local precedence map cos0 map local prec cos1 map local prec cos2 map local prec cos3 map local pr...

Page 369: ...le to the designated observing port to analyze and monitor the packets You can use the following command to configure the traffic mirroring Perform the following configuration in system view Table 2 11 Configuring traffic mirroring Operation Command Configure traffic mirroring mirrored to ip group acl number acl name rule rule link group acl number acl name rule rule interface interface name inter...

Page 370: ...ng of the QoS configuration and to verify the effect of the configuration Execute reset command in user view to clear the statistics of QoS module Table 2 13 Displaying and debugging QoS Operation Command Display the parameter settings of all the QoS actions display qos global all Display the mapping relationship between cos and local precedence display qos cos local precedence map Display the par...

Page 371: ...y when tag the packet If the packet has VLAN tag the system will not re tag the packet Perform the following configuration in Ethernet port view Table 2 14 Setting port priority Operation Command Set the port priority priority priority level Restore the default port priority undo priority The port of Ethernet Switch supports 8 priority levels You can configure the port priority at your requirement...

Page 372: ...raffic limit inbound user group acl number acl name rule rule ip group acl number acl name rule rule link group acl number acl name rule rule target rate exceed action Cancel the configuration of the flow based traffic limit undo traffic limit inbound user group acl number acl name rule rule ip group acl number acl name rule rule link group acl number acl name rule rule You have to define the corr...

Page 373: ...figuring redirection Operation Command Configure redirection traffic redirect user group acl number acl name rule rule ip group acl number acl name rule rule link group acl number acl name rule rule cpu interface interface name interface type interface num Cancel the redirection configuration undo traffic redirect user group acl number acl name rule rule ip group acl number acl name rule rule link...

Page 374: ...reference specified by cos in the traffic priority command You can tag the packets with different priorities at requirements on QoS policy The switch puts the packets into corresponding egress queues according to the 802 1p preference or the local preference specified by local precedence in the traffic priority command If both the 802 1p preference and local preference have been specified in the t...

Page 375: ... 3 1 4 5 2 6 7 3 Table 2 22 Relationship between Local precedence and output queue Local precedence Queue ID 0 1 0 2 3 1 4 5 2 6 7 3 I Configuring the mapping relationship between COS and local precedence By default the system provides the default COS Local precedence mapping relationship Table 2 23 Default CoS Local precedence mapping table CoS Value Local Precedence 0 2 1 0 2 1 3 3 4 4 5 5 6 6 7...

Page 376: ...ng configuration in system view Table 2 25 Configuring the queue scheduling algorithm Operation Command Configure the queue scheduling algorithm queue scheduler strict priority wrr queue1 weight queue2 weight queue3 weight queue4 weight wrr max delay queue1 weight queue2 weight queue3 weight queue4 weight maxdelay Restore the default queue scheduling algorithm undo queue scheduler Ethernet Switch ...

Page 377: ...ic statistics function is configured the user can use display qos global traffic statistic command to display the statistics information You can use the following command to configure traffic statistics Perform the following configuration in system view Table 2 27 Configuring traffic statistics Operation Command Configure traffic statistics traffic statistic user group acl number acl name rule rul...

Page 378: ...splay qos interface interface name interface type interface num traffic limit Display the port traffic limit display qos interface interface name interface type interface num line rate Display the settings of priority tag display qos global traffic priority Display the settings of redirection display qos global traffic redirect Display the information about the traffic display qos global traffic s...

Page 379: ...name link group acl number acl name rule rule One rule in IP ACL and one rule in Link ACL ip group acl number acl name rule rule link group acl number acl name rule rule One rule in IP ACL and all rules in Link ACL ip group acl number acl name rule rule link group acl number acl name 2 4 1 Configuring Service Group Allocation Rules QoS that applies on the switches is set up on the basis of service...

Page 380: ...cal prec CoS5 map local prec CoS6 map local prec CoS7 map local prec Restore the default CoS to local precedence map setting undo qos cos local precedence map By default the switches assign conform level and local precedence to received packets using the default map settings of the system II Assigning a default local precedence value to a port Perform the following configuration in Ethernet interf...

Page 381: ...rm level to service map setting in conform level view undo dscp dscp list Configure TC conform level to CoS map in conform level view local precedence CoS value0 CoS value1 CoS value2 CoS value3 CoS value4 CoS value5 CoS value6 CoS value7 Restore the default TC conform level to CoS map setting in conform level view undo local precedence By default the system provides default map settings II Config...

Page 382: ...approaches traffic shaping may cause extra latency while traffic policing does not You may configure traffic shaping using the command in the following table Perform the following configuration in Ethernet interface view Table 2 34 Configuring traffic shaping Operation Command Configure traffic shaping traffic shape queue queue id max rate burst size queue depth Disable traffic shaping undo traffi...

Page 383: ...ervice trust dscp dscp dscp value untrusted dscp dscp value cos cos value local precedence local precedence drop priority drop level Disable packet priority remarking undo traffic priority inbound acl rule Before you can configure packet priority remark you should define ACLs for this purpose and a DSCP conform level to service map For more information about the command and its negative form descr...

Page 384: ...In this approach output queues are assigned into WRR group 1 and WRR group 2 In the WRR scheduling approach all the queues are assigned into WRR group 1 by default 3 Combine SP and WRR by applying them on different queues at the same time In this approach the groups are scheduled by priority strictly and then the scheduling is performed in each group by scheduling algorithms Strict scheduling is a...

Page 385: ... Upon the receipt of a packet the switch assigns a conform level value to it This is also known as coloring packets Conform level can be set to 0 1 or 2 meaning red yellow or green When congestion occurs red packets are the first ones being dropped and green packets are the last ones You may configure congestion avoidance parameters and drop thresholds for each queue and conform level Two drop alg...

Page 386: ...w wred wred index Restore the default WRED setting in system view undo wred wred index Set WRED parameter values in WRED index view queue queue id green min threshhold green max threshhold green max prob yellow min threshhold yellow max threshhold yellow max prob red min threshhold red max threshhold red max prob exponent Restore the default WRED setting in WRED index view undo queue queue id Exit...

Page 387: ...Table 2 40 Configuring traffic mirroring Operation Command Configure traffic mirroring mirrored to inbound acl rule cpu monitor interface Disable traffic mirroring undo mirrored to inbound acl rule Note You must use the monitor port command to configure the monitoring port before you mirror data stream to specified port The switch only mirrors the packets received by the traffic when you use the m...

Page 388: ...t or ports undo mirroring port port list inbound outbound both Disable the configuration of the monitor port undo monitor port interface_name interface_type interface_num inbound outbound both When configuring port mirroring you must configure a monitor port prior to mirroring port or ports When disabling port mirroring you can disable the monitor port only after disabling all the mirroring ports ...

Page 389: ...tistic It provides statistic information of the forwarded packets matching the specified ACLs After completing the traffic statistic configuration you may execute the display qos interface traffic statistic command to display the statistic information You may configure traffic statistic using the commands described in the following table Perform the following configuration in Ethernet interface vi...

Page 390: ...interface name interface type interface num all Display traffic restraint settings display qos interface interface name interface type interface num traffic limit Display information of queue scheduling mode and related parameters display qos interface interface name interface type interface num queue scheduler Display traffic shaping information on a port display qos interface interface name inte...

Page 391: ... 2 Typical access control configuration example III Configuration procedure 1 Define a time range Set time range to the range 8 00 to 18 00 Quidway time range huawei 8 00 to 18 00 daily 2 Define a rule to be applied on the traffic between two PCs Access the view of the number based advanced ACL 3000 Quidway acl number 3000 Define traffic classification rule to be applied on the traffic from PC1 to...

Page 392: ... 129 110 1 2 In this scenario the traffic generated by each department for accessing the pay server cannot exceed 20 Mbps and this server cannot send out packets at an average speed greater than 20 Mbps Priority of the packets beyond the limitation will be set to 4 II Networking diagram Pay server 129 110 1 2 Switch E0 1 To Router Pay server 129 110 1 2 Switch E0 1 To Router Figure 2 3 QoS configu...

Page 393: ...fic Mirroring Configuration Example I Networking requirements Use a Server to monitor the communication traffic that two PCs generated between them in the time range 8 00 to 18 00 Suppose the IP addresses of these two PCs are respectively 1 1 1 1 and 2 2 2 2 and the Server is attached to the Ethernet0 8 port on the switch as shown in the following networking diagram II Networking diagram Server E0...

Page 394: ...Proprietary 2 35 Define a rule to filter in the traffic from PC2 to PC1 Quidway acl adv 3000 rule 0 permit ip source 2 2 2 2 0 0 0 0 destination 1 1 1 1 0 time range huawei 3 Monitor the communication traffic between PCs using Ethernet0 8 as the monitor port Quidway mirrored to ip group 3000 interface ethernet0 8 ...

Page 395: ...nnected user can log on to the device only if he can pass the password authentication This chapter mainly introduces how to configure the first level security control over these access measures that is how to configure to filter the logon users with ACL For detailed description about how to configure the first level security refer to getting started module of Operation Manual 3 2 Configuring ACL C...

Page 396: ... the defining process you can configure several rules for an ACL using the rule command repeatedly 3 2 2 Calling ACL to Control TELNET Users To control TELNET users with ACL you can call the defined ACL in user interface view You can use the following command to call an ACL Perform the following configuration in corresponding view Table 3 2 Calling ACL to control TELNET users Operation Command Ent...

Page 397: ... interface vty0 4 acl 2020 inbound 3 3 Configuring ACL Control over the SNMP Users Huawei Quidway Ethernet switch series support the remote management with the network management software The network management users can access the switch with SNMP Controlling such users with ACL can help filter the illegal NM users and prevent them from accessing the local switch Take the following steps to contr...

Page 398: ...up name authentication privacy read view read view write view write view notify view notify view acl acl list Call an ACL when configuring SNMP username snmp agent usm user v1 v2c user name group name acl acl list snmp agent usm user v3 user name group name authentication mode md5 sha auth password privacy mode des56 priv password acl acl list SNMP community name attribute is a feature of SNMP V1 ...

Page 399: ...it source 10 110 100 52 0 Quidway acl basic 2020 rule 2 permit source 10 110 100 46 0 Quidway acl basic 2020 quit Call the basic ACLs Quidway snmp agent community read huawei acl 2020 Quidway snmp agent group v2c huaweigroup acl 2020 Quidway snmp agent usm user v2c huaweiuser huaweigroup acl 2020 3 4 Configuring ACL Control over the HTTP Users Quidway Ethernet switch series support the remote mana...

Page 400: ...last section 3 4 2 Calling ACL to Control HTTP Users To control the WEB network management users with ACL call the defined ACL You can use the following commands to call an ACL Perform the following configuration in system view Table 3 4 Calling ACL to control HTTP users Operation Command Call an ACL to control the WEB NM users ip http acl acl number Cancel the ACL control function undo ip http ac...

Page 401: ...gies Proprietary 3 7 II Networking diagram Internet Switch Figure 3 3 Controlling WEB NM users with ACL III Configuration procedure Define the basic ACL Quidway acl number 2030 match order config Quidway acl basic 2030 rule 1 permit source 10 110 100 46 0 Quidway acl basic 2030 quit Call the basic ACL Quidway ip http acl 2030 ...

Page 402: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Integrated Management ...

Page 403: ...2 1 NDP Overview 2 4 2 2 2 Enable Disable System NDP 2 5 2 2 3 Enable Disable Port NDP 2 5 2 2 4 Set NDP Holdtime 2 6 2 2 5 Set NDP Timer 2 6 2 2 6 Display and Debug NDP 2 6 2 3 Configure NTDP 2 7 2 3 1 NTDP Overview 2 7 2 3 2 Enable Disable System NTDP 2 8 2 3 3 Enable Disable Port NTDP 2 8 2 3 4 Set Hop Number for Topology Collection 2 9 2 3 5 Set hop delay and port delay for Collected Device to...

Page 404: ...tically 2 14 2 4 8 Set Cluster Holdtime 2 15 2 4 9 Set Cluster Timer to Specify the Handshaking Message Interval 2 15 2 4 10 Configure Remote Control over the Member device 2 16 2 4 11 Configure the Cluster Server and Network Management and Log Hosts 2 16 2 4 12 Member Accessing 2 17 2 4 13 Display and Debug Cluster 2 18 2 5 HGMP V2 Configuration Example 2 18 ...

Page 405: ...are connected to the stack ports of the main switch to the stack The main switch will distribute usable IP address to the slave switch automatically as the switch joins the stack If a new switch is connected to the main switch via stack port the system will automatically add the new switch to the stack after the stack is established The connection of stack port automatically establishes the stack ...

Page 406: ... enables a stack with the following command the system will automatically add the switches connected to the main switch via stack ports to the stack After a stack has been enabled if the stack port is disconnected slave switch will exit the stack automatically Perform the following configuration in system view Table 1 2 Enable Disable a stack Operation Command Enable a stack stacking enable Disabl...

Page 407: ... stack state information on a slave switch display stacking When using this command on the main switch if the input parameter members is omitted you will find the displayed information indicating that the local switch is the main switch and also the number of switches in the stack Using the command with members you will find the member information of the stack including stack number of main slave ...

Page 408: ...king ip pool 129 10 1 1 5 Enable a stack on Switch A Quidway stacking enable Display stack information on the main switch Switch A stack_0 Quidway display stacking Main device for stack Total members 3 Display stack member information on the main switch Switch A stack_0 Quidway display stacking members Member number 0 Name stack_0 Quidway Device Switch A MAC Address 00e0 fc07 0bc0 Member status Cm...

Page 409: ...play stack information on the slave switch Switch B stack_1 Quidway display stacking Slave device for stack Member number 1 Main switch mac address 00e0 fc07 0bc0 Switch back to the main switch Switch A to perform the configuration stack_1 Quidway quit stack_0 Quidway Switch to the slave switch Switch C to perform the configuration stack_0 Quidway stacking 2 stack_2 Quidway Switch back to the main...

Page 410: ...tor device and several member devices compose a cluster The figure below illustrates a typical application of the cluster Administrator device Member device Member device Member device 69 110 1 1 Network management device Cluster 69 110 1 100 Candidate device network Figure 2 1 A cluster 2 1 2 Role of Switch The switches in a cluster have different status and functions and play different roles You...

Page 411: ... e r Command switch Member switch Candidate switch R e m o v e f r o m a c l u s t e r D e s i g n a t e d a s c o m m a n d s w i t c h Added to a cluster R e m o v e f r o m a c l u s t e r Administrator device Member device Candidate device R e m o v e f r o m a c l u s t e r D e s i g n a t e d a s a d m i n i s t r a t o r d e v i c e Added to a cluster R e m o v e f r o m a c l u s t e r Com...

Page 412: ...lement the configuration and management over multiple switches There is no need to login to each member device and perform configuration on their Console ports respectively z Providing topology discovery and displaying function which is useful for network displaying and debugging z Saving IP address z Performing software upgrade and parameter configuration to multiple switches simultaneously z Ind...

Page 413: ...supports different network layer protocols NDP is used for discovering the information of the directly connected neighbors including the device type software hardware version and connecting port of the adjacent devices It can also provide the information concerning device ID port address device capability and hardware platform etc All the devices supporting NDP maintain the NDP information table T...

Page 414: ...em NDP all the NDP information of the switch will be cleared and the switch will no longer process any NDP packets Perform the following configuration in system view Table 2 1 Enable Disable system NDP Operation Command Enable System NDP ndp enable interface port list Disable System NDP undo ndp enable interface port list By default System NDP is enabled 2 2 3 Enable Disable Port NDP You can set t...

Page 415: ...conds 2 2 5 Set NDP Timer The NDP information of the adjacent nodes shall be updated frequently to guarantee the timely updating for local information You can use the following command to decide how often the NDP information will be updated Perform the following configuration in System view Table 2 4 Set NDP timer Operation Command Set NDP timer ndp timer hello seconds Set the NDP timer back to th...

Page 416: ...he cluster management According to the adjacent table information provided by NDP NTDP transmits and forwards NTDP topology collection request to collect NDP information and neighboring connection information of every device in a certain network After collecting the information the administrator device or the network administrator can perform some functions accordingly When the NDP on the member d...

Page 417: ... the following configuration in system view Table 2 6 Enable Disable System NTDP Operation Command Enable System NTDP ntdp enable Disable System NTDP undo ntdp enable By default the System NTDP is enabled 2 3 3 Enable Disable Port NTDP You can use the following command to enable disable Port NTDP to decide to transmit receive and forward NTDP packet via which port After the system NTDP and port NT...

Page 418: ...e the default hop number for topology collection undo ntdp hop Note that the settings are only valid on the first switch transmitting the topology collection request The broader collection scope requires more memory of the topology collecting device Normally collection is launched by the administrator device in cluster function By default the topology information of the switches 3 hops away from t...

Page 419: ...3 6 Set Topology Collection Interval In order to learn the global topology changes in time it is necessary to periodically collect the topology information throughout the whole scope specified Perform the following configuration in system view Table 2 10 Set topology collection interval Operation Command Set topology collection interval ntdp timer interval in mins Restore the default topology coll...

Page 420: ...ations of cluster management including how to enable and set up a cluster how to configure public network IP address for administrator device how to add delete a cluster member and how to configure the handshaking interval etc There must be a unique administrator device configured for every cluster A cluster contains only one administrator device When creating a cluster you are supposed to designa...

Page 421: ...ble the cluster function on the member devices and Candidate devices 2 4 2 Enable Disable Cluster Function Enable the cluster function before using it Perform the following configuration in system view Table 2 13 Enable Disable cluster function Operation Command Enable cluster function cluster enable Disable cluster function undo cluster enable Above commands can be used on any device supporting t...

Page 422: ...istrator ip address ip mask ip mask length Restore the default IP address pool of the cluster undo ip pool Before setting up a cluster the user should configure a private IP address pool for the member devices of the cluster Note that the above configuration can only be performed on administrator device and must be configured before the cluster is build The IP address pool of an existing cluster c...

Page 423: ...umber to it automatically When a switch is added to a cluster the administrator will automatically set administrator s password as the switch s password 2 4 7 Set up a Cluster Automatically The system provides cluster auto setup function You can follow the prompts to setup a cluster step by step on an administrator capable device using the following command After auto build is executed the system ...

Page 424: ...y the Handshaking Message Interval The member devices and administrator device send handshake messages to communicate with each other in real time The administrator device monitors member states and link states inside the cluster through handshaking with members periodically After joining the cluster a member device starts handshaking with the administrator device regularly an administrator device...

Page 425: ...owever you can configure VLAN check on the administrator device to solve this problem After this task is conducted the configuration information will be contained in the cluster packets The member device will automatically add the port receiving such packets to VLAN1 if the port does not belong to it Thus the normal communication between an administrator device and member device is ensured You can...

Page 426: ... cluster logging host ip address Remove the logging host from the whole cluster undo logging host Configure the SNMP host for the whole cluster snmp host ip address Remove the SNMP host from the whole cluster undo snmp host Note that the above command can only be executed on the administrator device 2 4 12 Member Accessing A member device in a cluster can be managed through the administrator devic...

Page 427: ...luster configuration and to verify the effect of the configuration Table 2 24 Display and Debug Cluster Operation Command Display cluster state and statistics display cluster Display the information of Candidate devices display cluster candidates mac address H H H verbose Display the information about member devices display cluster members member num verbose 2 5 HGMP V2 Configuration Example I Net...

Page 428: ...he administrator device Enable global NDP on the device and port Ethernet0 1 and Ethernet0 2 Quidway ndp enable Quidway interface ethernet 0 1 Quidway Ethernet0 1 ndp enable Quidway Ethernet0 1 interface ethernet 0 2 Quidway Ethernet0 2 ndp enable Set to hold NDP information for 200 seconds Quidway ndp timer aging 200 Configure to sends NDP packet every 70 seconds Quidway ndp timer hello 70 Enable...

Page 429: ...55 255 248 Set up a cluster and give name to it Quidway cluster build huawei huawei_0 Quidway cluster Add the two connected switches into the cluster huawei_0 Quidway cluster add member 1 mac address 00e0 fc01 0011 huawei_0 Quidway cluster add member 17 mac address 00e0 fc01 0012 Set to hold the member information for 100 seconds huawei_0 Quidway cluster holdtime 100 huawei_0 Quidway cluster timer...

Page 430: ...on of the above configurations you can use the cluster switch to member num mac address H H H command to switch to the member device view to maintain and manage the member devices and use the cluster switch to administrator command to resume the administrator device view To reset a member device through the administrator device use the reboot member member num mac address H H H eraseflash command ...

Page 431: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual STP ...

Page 432: ...the Max Transmission Speed on a Port 1 17 1 2 9 Configure a Port as an Edge Port 1 18 1 2 10 Configure the Path Cost of a Port 1 20 1 2 11 Configure the Priority of a Port 1 20 1 2 12 Configure the Port not to Connect with the Point to Point Link 1 21 1 2 13 Configure the mCheck Variable of a Port 1 23 1 2 14 Configure the Switch Security Function 1 24 1 2 15 Enable MSTP on the Device 1 26 1 2 16 ...

Page 433: ...P associates VLAN and the spanning tree and divides a switching network into several regions each of which has a spanning tree independent of one another MSTP prunes the network into a loopfree tree to avoid proliferation it also provides multiple redundant paths for data forwarding to implement the VLAN data forwarding load balance 1 1 1 MSTP Concepts There are 4 MST region in Figure 1 1 The conc...

Page 434: ...N1 map to instance 1 VLAN 2 map to instance 2 other VLAN map to instance 0 III IST Internal Spanning Tree IST The entire switching network has a Common and Internal Spanning Tree CIST An MSTP region has an Internal Spanning Tree IST which is a fragment of CIST For example every MST region in figure2 1 has an IST IV CST Common Spanning Tree CST Connects the spanning trees of all the MST region Taki...

Page 435: ...port Alternate port or BACKUP z The root port is the one through which the data are forwarded to the root z The designated port is the one through which the data are forwarded to the downstream network segment or switch z Master port is the port connecting the entire region to the Common Root Bridge and located on the shortest path between them z Alternate port is the backup of the master port Whe...

Page 436: ...alculation process of MSTI is same like RSTP In this way the packets of a VLAN travel along the corresponding MSTI inside the MST region and the CST between different regions Followed introduce the calculation process of one MSTI The fundamental of STP is that the switches exchange a special kind of protocol packet which is called configuration Bridge Protocol Data Units or BPDU in IEEE 802 1D to ...

Page 437: ...ustrated in the Figure 1 3 Switch A forwards data to Switch B via the port AP1 So to Switch B the designated switch is Switch A and the designated port is AP1 Also in the figure above Switch B and Switch C are connected to the LAN and Switch B forwards packets to LAN So the designated switch of LAN is Switch B and the designated port is BP2 Note AP1 AP2 BP1 BP2 CP1 and CP2 respectively delegate th...

Page 438: ...PDU of CP1 2 0 2 CP1 2 Select the optimum configuration BPDU Every switch transmits its configuration BPDU to others When a port receives a configuration BPDU with a lower priority than that of its own it will discard the message and keep the local BPDU unchanged When a higher priority configuration BPDU is received the local BPDU is updated And the optimum configuration BPDU will be elected throu...

Page 439: ...ted switch in the configuration BPDU of every port it regards itself as the root retains the configuration BPDU of each port and transmits configuration BPDU to others regularly thereafter By now the configuration BPDUs of the two ports are as follows Configuration BPDU of AP1 0 0 0 AP1 Configuration BPDU of AP2 0 0 0 AP2 Switch B BP1 receives the configuration BPDU from Switch A and finds that th...

Page 440: ...figuration BPDU will not be updated and retain 0 0 0 AP2 By comparison the configuration BPDU of CP2 is elected as the optimum one CP2 is elected as the root port whose BPDU will not change while CP1 will be blocked and retain its BPDU but it will not receive the data forwarded from Switch A until spanning tree calculation is triggered again by some changes For example the link from Switch B to C ...

Page 441: ...ransitional state mechanism is thus adopted to ensure the new configuration BPDU has been propagated throughout the network before the root port and designated port begin to send data again That is the root port and designated port should undergo a transitional state for a period of Forward Delay before they enter the forwarding state MSTP is compatible with STP and RSTP The MSTP switch can recogn...

Page 442: ...ues You can configure these parameters per the actual conditions or simply take the defaults For detail information refer to the task description or the Command Manual Note When GVRP and MSTP startup on the switch simultaneously GVRP packets will propagate along CIST which is a spanning tree instance In this case if you want to issue a certain VLAN through GVRP on the network you should make sure ...

Page 443: ...ame STI VLAN mapping tables of an MST region and the MST region revision level Configuring the related parameters especially the VLAN mapping table of the MST region will lead to the recalculation of spanning tree and network topology flapping To bate such flapping MSTP triggers to recalculate the spanning tree according to the configurations only if one of the following conditions is met z The us...

Page 444: ...ing tree stp instance instance id root secondary bridge diameter bridgenum hello time centi senconds Specify current switch not to be the primary or secondary root undo stp instance instance id root After a switch is configured as primary root switch or secondary root switch user can t modify the bridge priority of the switch You can configure the current switch as the primary or secondary root sw...

Page 445: ...ode MSTP and RSTP are compatible and they can recognize the packets of each other However STP cannot recognize MSTP packets To implement the compatibility MSTP provides two operation modes STP compatible mode and MSTP mode In STP compatible mode the switch sends STP packets via every port and serves as a region itself In MSTP mode the switch ports send MSTP or STP packets when connected to the STP...

Page 446: ...e priority for a switch Operation Command Configure the Bridge priority of the designated switch stp instance instance id priority priority Restore the default Bridge priority of the designated switch undo stp instance instance id priority priority When configuring the switch priority with the instance instance id parameter as 0 you are configuring the CIST priority of the switch Caution In the pr...

Page 447: ... by a series of switches Among these paths the one passing more switches than all others is the network diameter expressed as the number of passed switches You can use the following command to configure the diameter of the switching network Perform the following configuration in system view Table 1 8 Configure the switching network diameter Operation Command Configure the switching network diamete...

Page 448: ...throughout the network The switch sends Hello packet periodically at an interval specified by Hello Time to check if there is any link fault Max Age specifies when the configuration BPDU will expire The switch will discard the expired configuration BPDU You can use the following command to configure the time parameters for the switch Perform the following configuration in system view Table 1 9 Con...

Page 449: ...ng tree and mistake the congestion as link fault However if the Max Age is too long the network device may not be able to discover the link fault and recalculate the spanning tree in time which will weaken the auto adaptation capacity of the network The default value is recommended To avoid frequent network flapping the values of Hello Time Forward Delay and Maximum Age should guarantee the follow...

Page 450: ...th either of the above mentioned measures For more about the commands refer to the Command Manual This parameter only takes a relative value without units If it is set too large too many packets will be transmitted during every Hello Time and too many network resourced will be occupied The default value is recommended By default the max transmission speed on every Ethernet port of the switch is 3 ...

Page 451: ...rom blocking state to forwarding state without any delay In the case that BPDU protection has not been enabled on the switch the configured edge port will turn into non edge port again when it receives BPDU from other port In the case that BPDU protection is enabled the port will be disabled The configuration of this parameter takes effect on all the STIs In other words if a port is configured as ...

Page 452: ...iguration in Ethernet port view Table 1 15 Configure the Path Cost of a port Operation Command Configure the Path Cost of a port stp instance instance id cost cost Restore the default path cost of a port undo stp instance instance id cost You can configure the path cost of a port with either of the above mentioned measures For more about the commands refer to the Command Manual Upon the change of ...

Page 453: ...ority undo stp instance instance id port priority You can configure the port priority with either of the above mentioned measures For more about the commands refer to the Command Manual Upon the change of port priority MSTP will recalculate the port role and transit the state Generally a smaller value represents a higher priority If all the Ethernet ports of a switch are configured with the same p...

Page 454: ...1 19 Configure the port not to connect with the point to point link Operation Command Configure the port to connect with the point to point link stp point to point force true Configure the port not to connect with the point to point link stp point to point force false Configure MSTP to automatically detect if the port is directly connected with the point to point link stp point to point auto Confi...

Page 455: ...rates in either STP compatible or MSTP mode Suppose a port of an MSTP switch on a switching network is connected to an STP switch the port will automatically transit to operate in STP compatible mode However the port stays in STP compatible mode and cannot automatically transit back to MSTP mode when the STP switch is removed In this case you can perform mCheck operation to transit the port to MST...

Page 456: ...dth in network design In case of configuration error or malicious attack the legal primary root may receive the BPDU with a higher priority and then loose its place which causes network topology change errors Due to the illegal change the traffic supposed to travel over the high speed link may be pulled to the low speed link and congestion will occur on the network Root protection function is used...

Page 457: ...ection Restore the disabled Root protection state as defaulted from system view undo stp interface interface list root protection Configure switch Root protection from Ethernet port view stp root protection Restore the disabled Root protection state as defaulted from Ethernet port view undo stp root protection Configure switch loop protection function from Ethernet port view stp loop protection Re...

Page 458: ... a device stp disable Restore the disable state of MSTP as defaulted undo stp Only if MSTP has been enabled on the device will other MSTP configurations take effect By default MSTP is disabled 1 2 16 Enable Disable MSTP on a Port You can use the following command to enable disable MSTP on a port You may disable MSTP on some Ethernet ports of a switch to spare them from spanning tree calculation Th...

Page 459: ...command in any view to display the running of the MSTP configuration and to verify the effect of the configuration Execute reset command in user view to clear the statistics of MSTP module Execute debugging command in user view to debug the MSTP module Table 1 26 Display and Debug MSTP Operation Command Show the configuration information about the current port and the switch display stp instance i...

Page 460: ...m back to their original formats at the egress This is how transparent transmission is implemented on the operator s network Network B Network A Network Network B Network A Network Packet ingress egress device Packet ingress egress device Network B Network A Network Network B Network A Network Operator s Network User Packet ingress egress device Packet ingress egress device Network Network B Netwo...

Page 461: ...nd Enable VLAN VPN vlan vpn enable Disable VLAN VPN undo vlan vpn By default VLAN VPN is disabled on all ports Note In Ethernet port view VLAN VPN and STP are not compatible with each other and cannot function at the same time 2 3 BPDU Tunnel Configuration Example I Network requirements z The S3500 Series Ethernet Switches are used as the access devices of the operator s network that is Switch C a...

Page 462: ...DU Tunnel configuration III Configuration procedures 1 Configure Switch A Enable RSTP on the device Quidway stp enable Add port Ethernet 0 1 into VLAN 10 Quidway vlan 10 Quidway Vlan10 port Ethernet 0 1 2 Configure Switch B Enable RSTP on the device Quidway stp enable Add port Ethernet 0 1 into VLAN 10 Quidway vlan 10 Quidway Vlan10 port Ethernet 0 1 3 Configure Switch C Enable MSTP on the device ...

Page 463: ...net0 2 port trunk permit vlan all 4 Configure Switch D Enable MSTP on the device Quidway stp enable Enable BPDU Tunnel on the device Quidway vlan vpn tunnel Add port Ethernet 0 2 into VLAN 10 Quidway vlan 10 Quidway Vlan10 port Ethernet 3 0 2 First disable the STP protocol and then enable VLAN VPN on Ethernet0 2 Quidway interface Ethernet 0 2 Quidway Ethernet0 2 stp disable Quidway Ethernet0 2 vla...

Page 464: ...iguration settings This can be overcome by implementing digest snooping Digest snooping enables a switch to track and maintain configuration digests of other switches that are in the same domain by examining their BPDUs and insert corresponding configuration digests in its BPDUs destined for these switches through which switches of different type are capable of communicating with each other in a M...

Page 465: ...on display current configuration This command can be executed in any view Note z You must enable digest snooping on an interface first before enabling it globally z Digest snooping is unnecessay if the interconnected switches are from the same vendor z To enable digest snooping the interconneted switches must be configured with the same settings z To enable digest snooping all interfaces in a MSTP...

Page 466: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Security ...

Page 467: ...ng Disabling Guest VLAN 1 7 1 2 9 Setting 802 1x Re authentication 1 8 1 2 10 Setting 802 1x Client Version Authentication 1 10 1 2 11 Setting the Maximum Times of Authentication Request Message Retransmission 1 11 1 2 12 Configuring Timers 1 12 1 2 13 Enabling Disabling a Quiet Period Timer 1 13 1 3 Displaying and Debugging 802 1x 1 13 1 4 802 1x Configuration Example 1 14 Chapter 2 Portal Config...

Page 468: ...5 3 2 4 Setting Attributes of Local User 3 5 3 2 5 Disconnecting a User by Force 3 7 3 2 6 Configuring Dynamic VLAN with RADIUS Server 3 7 3 3 Configuring RADIUS Protocol 3 8 3 3 1 Creating Deleting a RADIUS scheme 3 9 3 3 2 Setting IP Address and Port Number of RADIUS Server 3 10 3 3 3 Setting RADIUS Packet Encryption Key 3 11 3 3 4 Setting Response Timeout Timer of RADIUS Server 3 12 3 3 5 Setti...

Page 469: ... EAD Overview 4 1 4 2 EAD Network Applications 4 1 4 3 EAD Configuration Tasks 4 2 4 4 EAD Configuration Example 4 3 Chapter 5 HABP Configuration 5 1 5 1 HABP Overview 5 1 5 2 HABP configuration 5 1 5 2 1 Configuring HABP Server 5 1 5 2 2 Configuring HABP Client 5 2 5 3 Displaying and Debugging HABP Attribute 5 2 Chapter 6 System guard Configuration 6 1 6 1 System guard Overview 6 1 6 2 System gua...

Page 470: ...t the user is physically disconnected 802 1x defines port based network access control protocol and only defines the point to point connection between the access device and the access port The port can be either physical or logical The typical application environment is as follows Each physical port of the LAN Switch only connects to one user workstation based on the physical port and the wireless...

Page 471: ...or Server System EAP protocol exchanges carried in higher layer protocol EAPoL Controlled Port Port unauthorized LAN Uncontrolled Port Services offered by Authenticators System Figure 1 1 802 1x system architecture 1 1 3 802 1x Authentication Process 802 1x configures EAP frame to carry the authentication information The Standard defines the following types of EAP frames z EAP Packet Authenticatio...

Page 472: ...becomes much securer and easier to manage 1 2 Configuring 802 1x The configuration tasks of 802 1x itself can be fulfilled in system view of the Ethernet switch When the global 802 1x is not enabled the user can configure the 802 1x state of the port The configured items will take effect after the global 802 1x is enabled Note When 802 1x is enabled on a port the max number of MAC address learning...

Page 473: ...rface interface list Disable the 802 1x undo dot1x interface interface list You can configure 802 1x on individual port before it is enabled globally The configuration will take effect right after 802 1x is enabled globally By default 802 1x authentication has not been enabled globally and on any port 1 2 2 Setting the Port Access Control Mode The following commands can be used for setting 802 1x ...

Page 474: ...dot1x port method interface interface list By default 802 1x authentication method on the port is macbased That is authentication is performed based on MAC addresses 1 2 4 Checking the Users that Log on the Switch via Proxy The following commands are used for checking the users that log on the switch via proxy Perform the following configurations in system view or Ethernet port view Table 1 4 Chec...

Page 475: ... in DHCP Environment If in DHCP environment the users configure static IP addresses you can set 802 1x to disable the switch to trigger the user ID authentication over them with the following command Perform the following configurations in system view Table 1 6 Setting the Authentication in DHCP Environment Operation Command Disable the switch to trigger the user ID authentication over the users w...

Page 476: ...hes support the PEAP EAP TLS and EAP MD5 authentication To enable any of the three you just need to enable the EAP authentication However the S3526 S3526 FM and S3526 FS switches support EAP MD5 authentication only Perform the following configurations in system view Table 1 7 Configuring the authentication method for 802 1x user Operation Command Configure authentication method for 802 1x user For...

Page 477: ...d authentication mode z A switch only can be configured with one Guest VLAN z Users who skip the authentication fail in the authentication or get offline belong to the Guest VLAN z Among S3500 series ethernet switches S3552G S3552P S3528G S3528P S3526E S3526E FM S3526E FS and S3526C support Guest VLAN and S3526 S3526 FM and S3526 FS don t If dot1x dhcp launch is configured on the switch the Guest ...

Page 478: ...t parameter cannot be specified and you can use command only to enable the feature on the current interface II Configuring 802 1x re authentication timeout timer The period of re authentication is decided by the following two modes 1 The switch takes the session timeout value in the access accept packet as the authentication period 2 The switch takes the value set by the user through the dot1x rea...

Page 479: ...k interface interface list By default 802 1x client version authentication is disabled on all ports In system view if the interface list parameter is not specified it means that to enable the 802 1x client version authentication feature on all interfaces if the interface list parameter is specified it means that to enable the feature on the specified interfaces In Ethernet port view the interface ...

Page 480: ...hentication Operation Command Configure parameters of the timer dot1x timer ver period ver period value Return to the defaults undo dot1x timer ver period By default ver period value is 1 second 1 2 11 Setting the Maximum Times of Authentication Request Message Retransmission The following commands are used for setting the maximum retransmission times of the authentication request message that the...

Page 481: ...dshake period value Handshake period The value ranges from 1 to 1024 in units of second and defaults to 15 quiet period Specify the quiet timer If an 802 1x user has not passed the authentication the Authenticator will keep quiet for a while which is specified by quiet period timer before launching the authentication again During the quiet period the Authenticator does not do anything related to 8...

Page 482: ...t the value is 3600 ver period Client version request timeout timer If the supplicant device failed to send the version response packet within the time set by this timer then the authenticator device will resend the version request packet ver period value Period set by the version request timeout timer ranging from 1 to 30 in seconds By default the value is 1 1 2 13 Enabling Disabling a Quiet Peri...

Page 483: ...ress All the supplicants belong to the default domain huawei163 net which can contain up to 30 users RADIUS authentication is performed first If there is no response from the RADIUS server local authentication will be performed For accounting if the RADIUS server fails to account the user will be disconnected In addition when the user is accessed the domain name does not follow the user name Norma...

Page 484: ...ticator Switch Figure 1 2 Enabling 802 1x and RADIUS to perform AAA on the supplicant III Configuration procedure Note The following examples concern most of the AAA RADIUS configuration commands For details refer to the chapter AAA and RADIUS Protocol Configuration The configurations of accessing user workstation and the RADIUS server are omitted Enable the 802 1x performance on the specified por...

Page 485: ...the RADIUS server Quidway radius radius1 timer realtime accounting 15 Configure the system to transmit the user name to the RADIUS server after removing the domain name Quidway radius radius1 user name format without domain Quidway radius radius1 quit Create the user domain huawei163 net and enters isp configuration mode Quidway domain huawei163 net Specify radius1 as the RADIUS scheme for the use...

Page 486: ...t only after authentication 2 1 2 Portal System Composition As shown in Figure 2 1 a Portal system consists of four basic factors authentication client access device Portal server and authentication accounting server Access device Authentication client Portal server Authentication server Authentication client Authentication client Access device Access device Authentication client Portal server Aut...

Page 487: ...ication and accounting The access device and the authentication accounting server communicate through the remote authentication dial in user service RADIUS protocol Note When you use Portal services no network address translation NAT devices can exist among authentication clients access devices Portal servers and authentication accounting servers 2 1 3 Procedures for Portal Authentication On the Q...

Page 488: ... Portal server and predefined free IP addresses When passing authentication the user can apply for public addresses for Internet access z Layer 3 Portal authentication Expands the direct authentication Therefore the user can access the Portal enabled switch across network segments Note z Direct authentication and re DHCP authentication need to check a user s MAC address for security Portal can onl...

Page 489: ...col ARP packets If finding abnormal handshake the switches can disconnect from the users PCs and notify the Portal servers of the abnormality 2 1 7 Portal Rate Limitation Portal rate limitation works together with the bandwidth restriction service provided by CAMS servers The bandwidth restriction service refers to the specified bandwidth available for Portal users when you configure the service a...

Page 490: ... Portal server is configured by default key string is Huawei port is 50 100 and url string is an IP address character string Configure Portal operating modes portal method direct redhcp layer3 Optional By default Portal operating mode is direct authentication Configure authentication network segments portal auth network network address net mask vlan vlan_id When configuring Portal operating mode a...

Page 491: ...fy the parameters for the Portal server until you cancel this Portal server z When Portal authentication is enabled the 802 1x protocol needs to be disabled globally z The name of the specified Portal server must exist z If in the operating mode of Layer 3 Portal authentication a default route should be configured on a Layer3 device between the portal user and the switch which can enable Portal an...

Page 492: ...1 2 16 VLAN 2 Internet Ethernet0 10 Figure 2 2 Network diagram for Portal direct authentication III Configuration procedure Note The following describes the configurations of the switch The configurations of the Portal server and RADIUS authentication accounting server are not described here 1 Configure a RADIUS scheme Create a RADIUS scheme named portal Quidway radius scheme portal Configure the ...

Page 493: ...s direct authentication Quidway portal method direct 4 Enable Portal authentication on the VLAN interface connecting to the user PC Configure VLAN 2 Quidway vlan 2 Quidway vlan2 port ethernet 0 1 ethernet 0 2 Quidway interface vlan interface 2 Quidway Vlan interface2 ip address 192 168 1 160 255 255 0 0 Quidway Vlan interface2 quit Configure VLAN 3 Quidway vlan 3 Quidway vlan3 port ethernet 0 3 Qu...

Page 494: ...procedure Note z The following describes the re DHCP authentication configuration For the configurations of the RADIUS scheme ISP domain and Portal server refer to section 2 2 3 Portal Direct Authentication Configuration Example z Create address pools on the DHCP Server 172 21 0 0 16 public network and 18 21 0 0 16 private network The detail configurations are not described here z In the operating...

Page 495: ...AN 2 User PC2 Gateway address 162 31 1 1 IP address 162 31 1 2 16 162 31 1 1 16 Ethernet 0 0 Ethernet0 6 Vlan interface 100 162 21 1 1 16 Ethernet 1 0 162 21 1 2 16 User PC1 Switch Portal server RADIUS Vlan interface 2 192 168 1 160 16 192 168 1 100 16 192 168 1 200 16 VLAN 2 User PC2 Gateway address 162 31 1 1 IP address 162 31 1 2 16 162 31 1 1 16 Ethernet 0 0 Ethernet0 6 Vlan interface 100 162 ...

Page 496: ...newp For its configuration refer to section 2 2 3 Portal Direct Authentication Configuration Example Quidway Vlan interface100 portal newp 2 3 Portal Authentication Free User and Free IP address Configurations Note Before configuring Portal authentication free users and free IP addresses you must complete Portal configuration tasks 2 3 1 Portal Authentication Free User and Free IP Address Configur...

Page 497: ... address of the VLAN interface must be in the same network segment In the direct authentication mode the IP address of an authentication free user and the IP address of the VLAN interface must be in the same network segment z The configuration takes effect only if the Portal is enabled for the VLAN where the authentication free user locates z Layer 3 Portal authentication does not support the conf...

Page 498: ...0E0 FC01 0101 Ethernet0 4 Vlan interface 4 192 166 1 1 16 VLAN 2 Vlan interface 2 192 168 1 160 16 Ethernet0 5 Switch User PC Portal server RADIUS 192 168 1 100 16 192 168 1 200 16 Switch User PC Portal server RADIUS authentication accounting server 192 168 1 100 16 192 168 1 200 16 Switch User PC Portal server RADIUS authentication accounting server 192 168 1 100 16 192 168 1 200 16 Internal serv...

Page 499: ...ption Enter the system view system view Configure Portal rate limitation and specify uplink port portal upload interface interface_type interface_num interface_name By default Portal rate limitation is disabled 2 4 2 Portal Rate limitation Configuration Example I Network requirements z Specify an uplink port with Portal rate limitation II Network diagram See Figure 2 2 III Configuration procedure ...

Page 500: ... Description Enter the system view Quidway system view Delete the Portal user with the specified IP address Quidway portal delete user ip address 2 5 2 Portal User Deletion Configuration Example I Network requirements z Delete the Portal user with IP address 172 31 1 2 II Configuration procedure Delete the user with IP address 172 31 1 2 Quidway portal delete user 172 31 1 2 ...

Page 501: ...pplying Client Server architecture in which client ends run as managed sources and the servers centralize and store user information AAA framework owns the good scalability and is easy to realize the control and centralized management of user information 3 1 2 RADIUS Protocol Overview As mentioned above AAA is a management framework so it can be implemented by some protocols RADIUS is such a proto...

Page 502: ...ration information like password etc to avoid being intercepted or stolen II RADIUS operation RADIUS server generally uses proxy function of the devices like access server to perform user authentication The operation process is as follows First the user send request message the client username and encrypted password is included in the message to RADIUS server Second the user will receive from RADI...

Page 503: ...uration tasks creating ISP domain is compulsory otherwise the supplicant attributes cannot be distinguished The other tasks are optional You can configure them at requirements 3 2 1 Creating Deleting ISP Domain What is Internet Service Provider ISP domain To make it simple ISP domain is a group of users belonging to the same ISP Generally for a username in the userid isp name format taking gw20010...

Page 504: ...3 2 2 Configuring Relevant Attributes of ISP Domain The relevant attributes of ISP domain include the adopted RADIUS scheme state and maximum number of supplicants Where z The adopted RADIUS scheme is the one used by all the users in the ISP domain The RADIUS scheme can be used for RADIUS authentication or accounting By default the default RADIUS scheme is used The command shall be used together w...

Page 505: ...ADIUS section of this chapter the state of domain is active there is no limit to the amount of supplicants and the idle cut function is disabled 3 2 3 Creating a Local User A local user is a group of users set on NAS The username is the unique identifier of a user A supplicant requesting network service may use local authentication only if its corresponding local user has been added onto NAS Perfo...

Page 506: ...rd display mode of all the accessing users must be in cipher text II Setting the attributes of local users Perform the following configurations in local user view Table 3 5 Setting Removing the attributes concerned with a specified user Operation Command Set a password for a specified user password simple cipher password Remove the password set for the specified user undo password Set the state of...

Page 507: ...ommand to serve for this purpose Perform the following configurations in system view Table 3 6 Disconnecting a user by force Operation Command Disconnect a user by force cut connection all access type dot1x portal domain domain name interface portnum ip ip address mac mac address radius scheme radius scheme name vlan vlanid ucibindex ucib index user name user name By default no online user will be...

Page 508: ...ith RADIUS server configuration includes z Configuring VLAN delivery mode z Configuring name of the delivered VLAN I Configuring VLAN delivery mode Perform the following configuration in ISP domain view Table 3 7 Configuring VLAN delivery mode Operation Command Configure VLAN delivery mode as integer vlan assignment mode integer Configure VLAN delivery mode as string vlan assignment mode string By...

Page 509: ...e selection of RADIUS accounting option z Setting a real time accounting interval z Setting maximum times of real time accounting request failing to be responded z Enabling Disabling stopping accounting request buffer z Setting the maximum retransmitting times of stopping accounting request z Configuring the User Re authentication at Reboot z Setting the Supported Type of RADIUS Server z Setting R...

Page 510: ...umbers However at least you have to set one group of IP address and UDP port number for each pair of primary second servers to ensure the normal AAA operation You can use the following commands to configure the IP address and port number for RADIUS servers Perform the following configurations in RADIUS scheme view Table 3 10 Setting IP Address and Port Number of RADIUS Server Operation Command Set...

Page 511: ...col uses different UDP ports to receive transmit authentication authorization and accounting packets you shall set two different ports accordingly Suggested by RFC2138 2139 authentication authorization port number is 1812 and accounting port number is 1813 However you may use values other than the suggested ones Especially for some earlier RADIUS Servers authentication authorization port number is...

Page 512: ...rver it has to retransmit the request to guarantee RADIUS service for the user You can use the following command to set response timeout timer of RADIUS server Perform the following configurations in RADIUS scheme view Table 3 12 Setting response timeout timer of RADIUS server Operation Command Set response timeout timer of RADIUS server timer seconds Restore the response timeout timer of RADIUS s...

Page 513: ... RADIUS accounting option accounting optional Disable the selection of RADIUS accounting option undo accounting optional The user configured with accounting optional command in RADIUS scheme will no longer send real time accounting update packet or offline accounting packet The accounting optional command in RADIUS scheme view is only effective on the accounting that uses this RADIUS scheme By def...

Page 514: ...onded RADIUS server usually checks if a user is online with timeout timer If the RADIUS server has not received the real time accounting packet from NAS for long it will consider that there is device failure and stop accounting Accordingly it is necessary to disconnect the user at NAS end and on RADIUS server synchronously when some unpredictable failure exists Quidway Series Switches support to s...

Page 515: ...discards the messages after transmitting for specified times The following command can be used for setting to save the message or not If save use the command to set the maximum retransmission times Perform the following configurations in RADIUS scheme view Table 3 18 Enabling Disabling stopping accounting request buffer Operation Command Enable stopping accounting request buffer stop accounting bu...

Page 516: ...are those with its concurrent online number set to 1 on the CAMS In the AAA solution implemented jointly by the switch and CAMS if the switch reboots after a user passes the authentication authorization and begins being accounted the switch prompts that the user has been online when the user logs into the switch before CAMS makes online detection Therefore the user cannot access network resources ...

Page 517: ...configuration tasks Table 3 20 User Re authentication at reboot configuration Item Command Description Enter system view system view Enter RADIUS scheme view radius scheme radius scheme name Enable user re authentication at reboot accounting on enable send times interval interval By default this feature is not enabled 3 3 12 Setting the Supported Type of RADIUS Server Quidway Series Switches suppo...

Page 518: ... the primary server to be active manually in order that NAS can communicate with it right after the troubleshooting When the primary and second servers are both active or block NAS will send the packets to the primary server only Perform the following configurations in RADIUS scheme view Table 3 22 Setting RADIUS server state Operation Command Set the state of primary RADIUS server state primary a...

Page 519: ...ISP domains according to the domain names However some earlier RADIUS servers reject the username including ISP domain name In this case you have to remove the domain name before sending the username to the RADIUS server The following command of switch decides whether the username to be sent to RADIUS server carries ISP domain name or not Perform the following configurations in RADIUS scheme view ...

Page 520: ...zation accounting servers to manage users is widely used in Quidway series switches Besides local authentication authorization service is also used in these products and it is called local RADIUS authentication server function i e realize basic RADIUS function on the switch Perform the following commands in system view to create delete local RADIUS authentication server Table 3 26 Creating Deletin...

Page 521: ...26 FS switches don t support ssh parameter display local user domain isp name idle cut disable enable service type telnet ftp lan access ssh state active block user name user name vlan vlan id Display the statistics of local RADIUS authentication server display local server statistics Display the configuration information of all the RADIUS schemes or a specified one display radius radius scheme na...

Page 522: ...cation at the remote server is similar to configuring FTP users The following description is based on Telnet users I Networking Requirements In the environment as illustrated in the following figure it is required to achieve through proper configuration that the RADIUS server authenticates the Telnet users to be registered One RADIUS server as authentication server is connected to the switch and t...

Page 523: ...ams primary authentication 10 110 91 164 1812 Quidway radius cams key authentication expert Quidway radius cams server type Huawei Quidway radius cams user name format without domain Configuration association between domain and RADIUS Quidway radius cams quit Quidway domain cams Quidway isp cams radius scheme cams 3 5 2 Configuring FTP Telnet User Authentication at Local RADIUS Server Local RADIUS...

Page 524: ...dius ias primary accounting 10 11 1 2 Quidway radius ias key authentication hello Quidway radius ias key accounting hello Quidway radius ias quit 2 Create ISP domain Quidway domain ias Quidway isp ias scheme radius scheme ias 3 Configure VLAN delivery mode as string Quidway isp ias vlan assignment mode string Quidway isp ias quit 4 Create a VLAN and specify its name Create a VLAN Quidway vlan 100 ...

Page 525: ...eck carefully and make sure that they are identical 5 There might be some communication fault between NAS and RADIUS server which can be discovered through pinging RADIUS from NAS So please ensure the normal communication between NAS and RADIUS z Fault two RADIUS packet cannot be transmitted to RADIUS server Troubleshooting 1 The communication lines on physical layer or link layer connecting NAS a...

Page 526: ...o implement security condition evaluation and dynamic access control on user devices When EAD solution is enabled the switch determines if a session control packet received is valid through its source IP address only the packets received from the authentication server and security policy server are considered valid The switch then dynamically adjusts the VLAN rate packet scheduling priority and AC...

Page 527: ...w the user client to access the virus patch server When the user client is installed with the virus patches and its security condition becomes qualified the security condition information is then sent to the security policy server which delivers an ACL packet to let the switch enable the access right of the user client The user client can then access more network resources 4 3 EAD Configuration Ta...

Page 528: ... EAD control on Telnet users The configuration tasks are as follows z Connect the RADIUS authentication server to the switch and configure its IP address as 10 110 91 164 z Set the encryption password for exchanging packets with the RADIUS server to expert z Configure the switch to forward packets to the RADIUS server after the user domain name is removed from the user name z Configure the securit...

Page 529: ...0 4 authentication mode scheme Configure a domain Quidway domain cams Quidway isp cams quit Configure a RADIUS scheme Quidway radius scheme cams Quidway radius cams primary authentication 10 110 91 164 1812 Quidway radius cams key authentication expert Quidway radius cams server type huawei Quidway radius cams user name format without domain Configure IP address for the security policy server Quid...

Page 530: ...e HABP includes HABP server and HABP client In general the server regularly sends HABP request packets to the client to collect the MAC addresses of the member switches while the client responds to the request packets and forwards them to the lower level switches HABP server is often enabled at the management switch while HABP client is at the member switches HABP attribute had better be enabled a...

Page 531: ... at the member switches Since the default HABP mode is client you only need to enable HABP attribute at a switch Please perform the following operations in system view Table 5 2 Configuring HABP client Operation Command Enable HABP attribute habp enable Restore HABP to the default value undo habp enable By default HABP attribute is disabled at a switch 5 3 Displaying and Debugging HABP Attribute A...

Page 532: ...ual Security Quidway S3500 Series Ethernet Switches Chapter 5 HABP Configuration Huawei Technologies Proprietary 5 3 Operation Command Enable HABP debugging debugging habp Disable HABP debugging undo debugging habp ...

Page 533: ...The switch applies the ACL automatically to force the host with this IP address affected host for short to log off And after a specified time the switch will recover normal forwarding of the affected host z For S3526E S3526E FM S3526E FS and S3526C If the packets from the host with the source IP address needs to be handled by the switch CPU the switch reduces the priority of the packets and drops ...

Page 534: ...system guard is enabled don t change the port priority and the mode of queue scheduling 6 2 2 Setting the max detection count of the affected hosts The following commands can be used to set the max detection count of the affected hosts This configuration takes effect only after the system guard function is enabled Perform the following configurations in system view Table 6 2 Setting the max detect...

Page 535: ...d record times threshold isolate time of system guard function system guard detect threshold IP record threshold record times threshold isolate time Restore IP record threshold record times threshold isolate time to the default values undo system guard detect threshold By default IP record threshold record times threshold isolate time of system guard function are 30 1 and 3 6 2 4 Enabling the Swit...

Page 536: ...the destination address in the packets undo system guard no learn dip enable 6 3 Displaying and Debugging System guard After the above configuration execute display command in any view to display the running of system guard configuration and to verify the effect of the configuration Table 6 5 Displaying and debugging system guard Operation Command Display the IP packets that the switch CPU receive...

Page 537: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Reliability ...

Page 538: ...2 3 Add Delete a Virtual IP Address 1 4 1 2 4 Configure the priority of switches in the virtual router 1 4 1 2 5 Configure Preemption and Delay for a Switch within a Virtual Router 1 5 1 2 6 Configure Authentication Type and Authentication Key 1 6 1 2 7 Configure VRRP Timer 1 7 1 2 8 Configure Switch to Track a Specified Interface 1 7 1 3 Display and Debug VRRP 1 8 1 4 VRRP Configuration Example 1...

Page 539: ... the default route to the Layer 3 Switch1 implementing communication between the host and the external network If Switch1 is down all the hosts on this segment taking Switch1 as the next hop on the default route will be disconnected to the external network Ethernet Switch Host 1 Host 2 Host 3 10 100 10 7 10 100 10 8 10 100 10 9 10 100 10 1 Network Figure 1 1 LAN Networking VRRP designed for LANs w...

Page 540: ...1 Therefore hosts within the network will communicate with the external network through this virtual router If a Master switch in the virtual group breaks down another BACKUP switch will function as the new Master switch to continue serving the host with routing to avoid interrupting the communication between the host and the external networks 1 2 Configure VRRP VRRP configuration includes z Enabl...

Page 541: ...is operation sets correspondence between the virtual lP address and the real virtual MAC address In the standard protocol of VRRP the virtual IP address of the backup group corresponds to the virtual MAC address as guarantees correct data forwarding in the sub net Due to the chips installed some switches support matching one IP address to multiple MAC addresses Huawei switches not only guarantee c...

Page 542: ...dress in the network segment where the virtual router resides or the IP address of an interface in the virtual router If the IP address is of the switch it can also be configured In this case the switch will be called an IP Address Owner When adding the first IP address to a virtual router the system will create a new virtual router accordingly When adding new address to this backup group thereaft...

Page 543: ...wn priority is higher than that of the current Master switch Accordingly the former Master switch will become the BACKUP switch Together with preemption settings a delay can also be set In this way a Backup will wait for a period of time before becoming a Master In an unstable network if the BACKUP switch has not received the packets from the Master switch punctually it will become the Master swit...

Page 544: ... illegal packet to be discarded In this case an authentication key not exceeding 8 characters should be configured In a totally unsafe network the authentication type can be set to md5 The switch will use the authentication type and MD5 algorithm provided by the Authentication Header to authenticate the VRRP packets In this case an authentication key not exceeding 16 characters should be configure...

Page 545: ...AN interface view Table 1 7 Configure VRRP timer Operation Command Configure VRRP timer vrrp vrid virtual router ID timer advertise adver interval Clear VRRP timer undo vrrp vrid virtual router ID timer advertise By default adver interval is configured to be 3 1 2 8 Configure Switch to Track a Specified Interface VRRP interface track function has expanded the backup function Backup is provided not...

Page 546: ...formation display vrrp interface vlan interface interface num virtual router ID Enable VRRP debugging debugging vrrp state packet Disable VRRP debugging undo debugging vrrp state packet You can enable VRRP debugging to display how it runs You can set the argument option to packet or state to debug the VRRP packet or VRRP state respectively By default the switch disables the debugging 1 4 VRRP Conf...

Page 547: ...igure switch B LSW_B vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 The virtual router can be used soon after configuration Host A can configure the default gateway as 202 38 160 111 Under normal conditions switch A functions as the gateway but when switch A is turned off or malfunctioning switch B will function as the gateway instead Configure preemption mode for switch A so that it can re...

Page 548: ...reduced 30 Configure switch B Create a virtual router LSW_B vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the authentication key for the virtual router LSW_B vlan interface2 vrrp authentication mode md5 switch Set Master to send VRRP packets every 5 seconds LSW_B vlan interface2 vrrp vrid 1 timer advertise 5 Under normal conditions switch A functions as the gateway but when the interfa...

Page 549: ...2 Set the priority for the virtual router LSW_B vlan interface2 vrrp vrid 2 priority 110 1 5 Troubleshoot VRRP As the configuration of VRRP is not very complicated almost all the malfunctions can be found through viewing the configuration and debugging information Here are some possible failures you might meet and the corresponding troubleshooting methods I Fault 1 frequent prompts of configuratio...

Page 550: ...attempt fails it indicates that there are other problems in existence If they can be pinged through it indicates that the problems are caused by inconsistent configuration For the configuration of the same VRRP virtual router complete consistence for the number of virtual IP addresses each virtual IP address timer duration and authentication type must be guaranteed III Fault 3 frequent switchover ...

Page 551: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual System Management ...

Page 552: ...r Authentication and Authorization 1 6 1 3 4 Configure the Running Parameters of FTP Server 1 7 1 3 5 Display and Debug FTP Server 1 7 1 3 6 Introduction to FTP Client 1 8 1 3 7 FTP client configuration example 1 8 1 3 8 FTP server configuration example 1 10 1 4 TFTP 1 11 1 4 1 TFTP Overview 1 11 1 4 2 Configure the File Transmission Mode 1 12 1 4 3 Download Files by means of TFTP 1 12 1 4 4 Uploa...

Page 553: ...Configuration Information to Loghost 4 12 4 5 4 Sending the Configuration Information to Console terminal 4 15 4 5 5 Sending the Configuration Information to Telnet Terminal or Dumb Terminal 4 17 4 5 6 Sending the Configuration Information to Log Buffer 4 20 4 5 7 Sending the Configuration Information to Trap Buffer 4 22 4 5 8 Sending the Configuration Information to SNMP Network Management 4 24 4...

Page 554: ...y to from the Extended RMON Alarm Table 6 3 6 2 5 Add Delete an Entry to from the Statistics Table 6 4 6 3 Display and Debug RMON 6 4 6 4 RMON Configuration Example 6 4 Chapter 7 NTP Configuration 7 1 7 1 Brief Introduction to NTP 7 1 7 1 1 NTP Functions 7 1 7 1 2 Basic Operating Principle of NTP 7 1 7 2 NTP Configuration 7 3 7 2 1 Configure NTP Operating Mode 7 3 7 2 2 Configure NTP ID Authentica...

Page 555: ...Operation Manual System Management Quidway S3500 Series Ethernet Switches Table of Contents Huawei Technologies Proprietary iv 8 1 5 SSH Configuration Example 8 11 ...

Page 556: ...can be divided as follows z Directory operation z File operation z Storage device operation z Set the prompt mode of the file system 1 1 2 Directory Operation The file system can be used to create or delete a directory display the current working directory and display the information about the files or directories under a specified directory You can use the following commands to perform directory ...

Page 557: ...l dest Copy a file copy fileurl source fileurl dest Move a file move fileurl source fileurl dest Display the information about directories or files dir all file url 1 1 4 Storage Device Operation The file system can be used to format a specified memory device You can use the following commands to format a specified memory device Perform the following configuration in user view Table 1 3 Storage de...

Page 558: ...ile are arranged in the following order system configuration ethernet port configuration vlan interface configuration routing protocol configuration and so on z It ends with end The management over the configuration files includes z Display the Current configuration and Saved configuration of Ethernet Switch z Save the Current configuration z Erase configuration files from Flash Memory 1 2 2 Displ...

Page 559: ...figuration in the Flash Memory and the configurations will become the saved configuration when the system is powered on for the next time Perform the following configuration in user view Table 1 6 Save the current configuration Operation Command Save the current configuration save 1 2 4 Erase Configuration Files from Flash Memory The reset saved configuration command can be used to erase configura...

Page 560: ...used for transmitting files between a remote server and a local host The Ethernet switch provides the following FTP services z FTP server You can run FTP client program to log in the server and access the files on it z FTP client After connected to the server through running the terminal emulator or Telnet on a PC you can access the files on it using FTP command Switch PC Network Switch Switch PC ...

Page 561: ...FTP function is that the switch and PC are reachable 1 3 2 Enable Disable FTP Server You can use the following commands to enable disable the FTP server on the switch Perform the following configuration in system view Table 1 10 Enable Disable FTP Server Operation Command Enable the FTP server ftp server enable Disable the FTP server undo ftp server FTP server supports multiple users to access at ...

Page 562: ...lients who have passed the authentication and authorization successfully can access the FTP server 1 3 4 Configure the Running Parameters of FTP Server You can use the following commands to configure the connection timeout of the FTP server If the FTP server receives no service request from the FTP client for a period of time it will cut the connection to it thereby avoiding the illegal access fro...

Page 563: ...as no configuration functions The switch connects the FTP clients and the remote server and inputs the command from the clients for corresponding operations such as creating or deleting a directory 1 3 7 FTP client configuration example I Networking requirement The switch serves as FTP client and the remote PC as FTP server The configuration on FTP server Configure a FTP user named as switch with ...

Page 564: ...ser view to establish FTP connection then correct username and password to log into the FTP server Quidway ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User none switch 331 Give me your password please Password 230 Logged in successfully ftp Type in the authorized directory of the FTP server ftp cd switch Use the put command...

Page 565: ...app is stored on the PC Using FTP the PC can upload the switch app from the remote FTP server and download the vrpcfg txt from the FTP server for backup purpose II Networking diagram Switch PC Network Switch Switch PC Network Figure 1 3 Networking for FTP configuration 1 Configure the switch Log into the switch locally through the Console port or remotely using Telnet Quidway Start FTP function an...

Page 566: ...tocol TFTP is a simple protocol for file transmission Compared with FTP another file transmission protocol TFTP has no complicated interactive access interface or authentication control and therefore it can be used when there is no complicated interaction between the clients and server TFTP is implemented on the basis of UDP TFTP transmission is originated from the client end To download a file th...

Page 567: ...TP server and set authorized TFTP directory 1 4 2 Configure the File Transmission Mode TFTP transmits files in two modes binary mode for program files and ASCII mode for text files You can use the following commands to configure the file transmission mode Perform the following configuration in system view Table 1 15 Configure the file transmission mode Operation Command Configure the file transmis...

Page 568: ... switch serves as TFTP client and the remote PC as TFTP server Authorized TFTP directory is set on the TFTP server The IP address of a VLAN interface on the switch is 1 1 1 1 and that of the PC is 2 2 2 2 The interface on the switch connecting the PC belong to the same VLAN The switch application switch app is stored on the PC Using TFTP the switch can download the switch app from the remote TFTP ...

Page 569: ...m view Quidway Configure IP address 1 1 1 1 for the VLAN interface ensure the port connecting the PC is also in this VALN VLAN 1 in this example Quidway interface vlan 1 Quidway vlan interface1 ip address 1 1 1 1 255 255 255 0 Quidway vlan interface1 quit Upload the vrpcfg txt to the TFTP server Quidway tftp put vrpcfg txt 1 1 1 2 vrpcfg txt Download the switch app from the TFTP server Quidway tft...

Page 570: ... the corresponding entry otherwise it will add the new MAC address and the corresponding forwarding port as a new entry to the table The system forwards the packets whose destination addresses can be found in the MAC address table directly through the hardware and broadcasts those packets whose addresses are not contained in the table The network device will respond after receiving a broadcast pac...

Page 571: ...1 Setting MAC address table entries Operation Command Add Modify an address entry mac address static dynamic hw addr interface interface name interface type interface num vlan vlan id Delete an address entry undo mac address static dynamic hw addr interface interface name interface type interface num vlan vlan id When deleting the dynamic address table entries the learned entries will be deleted s...

Page 572: ...et switch can learn new MAC addresses After received a packet destined some already learned MAC address the switch will forward it directly with the hardware instead of broadcasting But Too many MAC address items learned by a port will affect the switch operation performance User can control the MAC address items learned by a port through setting the max count of MAC address learned by a port If u...

Page 573: ... Operation Command Display the information in the address table display mac address mac addr vlan vlan id static dynamic interface interface name interface type interface num vlan vlan id count Display the aging time of dynamic address table entries display mac address aging time Enable the address table management debugging debugging mac address Disable the address table management debugging undo...

Page 574: ...e address aging time to 500s Quidway mac address timer aging 500 Display the MAC address configurations in any view the display information on S3526 Quidway display mac address interface ethernet 0 2 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 00 e0 fc 35 dc 71 1 Static Ethernet0 2 NOAGED 00 e0 fc 17 a7 d6 1 Learned Ethernet0 2 500 00 e0 fc 5e b1 fb 1 Learned Ethernet0 2 500 00 e0 fc 55 f1 16 1...

Page 575: ... Switches Chapter 2 MAC Address Table Management Huawei Technologies Proprietary 2 6 00 e0 fc 17 a7 d6 1 Learned Ethernet0 2 AGING 00 e0 fc 5e b1 fb 1 Learned Ethernet0 2 AGING 00 e0 fc 55 f1 16 1 Learned Ethernet0 2 AGING 4 mac address es found on port Ethernet0 2 ...

Page 576: ...nagement Configuration The device management configuration includes z Reboot Ethernet switch z Designate the APP adopted when booting the Ethernet switch next time z Upgrade BootROM 3 2 1 Reboot Ethernet Switch It would be necessary for users to reboot the Ethernet switch when failure occurs Perform the following configuration in user view Table 3 1 Reboot Ethernet switch Operation Command Reboot ...

Page 577: ...t Perform the following configuration in user view Table 3 4 Set temperature limit Operation Command Set temperature limit temperature limit slot num down value up value Restore temperature limit to default value undo temperature limit slot num 3 3 Display and Debug Device Management Configuration After the above configuration execute display command in any view to display the running of the Devic...

Page 578: ...ndo sysname 4 1 2 Set the System Clock Perform the operation of clock datetime command in the user view Table 4 2 Set the system clock Operation Command Set the system clock clock datetime HH MM SS YYYY MM DD 4 1 3 Set the Time Zone You can configure the name of the local time zone and the time difference between the local time and the standard Universal Time Coordinated UTC Perform the following ...

Page 579: ...m configuration information z Commands for displaying the system running state z Commands for displaying the system statistics information For the display commands related to each protocols and different ports refer to the relevant chapters The following display commands are used for displaying the system state and the statistics information Perform the following operations in any view Table 4 5 T...

Page 580: ...minal debugging switch controls the debugging output on a specified user screen The figure below illustrates the relationship between two switches 1 2 3 Protocol debugging switch ON ON OFF ON OFF 1 3 1 3 Screen output switch 1 3 Debugging information Figure 4 1 Debug output You can use the following commands to control the above mentioned debugging Perform the following operations in user view Tab...

Page 581: ... to locate the source of fault However each module has its corresponding display command which make it difficult for you to collect all the information needed In this case you can use display diagnostic information command You can perform the following operations in any view Table 4 7 display diagnostic information Operation Command display diagnostic information display diagnostic information 4 4...

Page 582: ...meout Re send the packet with TTL value as 2 and the second hop returns the TTL timeout message The process is carried over and over until the packet reaches the destination The purpose to carry out the process is to record the source address of each ICMP TTL timeout message so as to provide the route of an IP packet to the destination Perform the following operation in any view Table 4 9 The trac...

Page 583: ...information is send to loghost There is no character between priority and timestamp 2 Timestamp If the logging information is send to the log host the default format of timestamp is date and it can be changed to boot format or none format through the command info center timestamp log date boot none The date format of timestamp is mm dd hh mm ss yyyy mm is month field such as Jan Feb Mar Apr May Ju...

Page 584: ...een module name and severity 5 Severity Switch information falls into three categories log information debugging information and trap information The info center classifies every kind of information into 8 severity or urgent levels The log filtering rule is that the system prohibits outputting the information whose severity level is greater than the set threshold The more urgent the logging packet...

Page 585: ...ections of information The system assigns a channel in each output direction by default See the table below Table 4 12 Numbers and names of the channels for log output Output direction Channel number Default channel name Console 0 console Monitor 1 monitor Info center loghost 2 loghost Trap buffer 3 trapbuffer Logging buffer 4 logbuffer snmp 5 snmpagent Note The settings in the six directions are ...

Page 586: ...on description Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set the information output direction to loghost The configuration about the loghost on the switch and that on loghost must be the same otherwise the information cannot be sent to the loghost correctly Switch Set information source You can define which modules and in...

Page 587: ...function You can view debugging information after enabling terminal display function 3 Sending the configuration information to monitor terminal Table 4 15 Sending the configuration information to monitor terminal Device Configuration Default value Configuration description Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set th...

Page 588: ...and the time stamp format of information and so on You must turn on the switch of the corresponding module before defining output debugging information 5 Sending the configuration information to trap buffer Table 4 17 Sending the configuration information to trap buffer Device Configuration Default value Configuration description Enable info center By default info center is enabled Other configura...

Page 589: ...e Chapter 5 SNMP Configuration Network managemen t workstation The same as the SNMP configuration of the switch 7 Turn on off the information synchronization switch in Fabric Table 4 19 Turn on off the information synchronization switch in Fabric Device Configuration Default value Configuration description Enable info center By default info center is enabled Other configurations are valid only if ...

Page 590: ...erform the following operation in system view Table 4 21 Configuring to output information to loghost Operation Command Output information to loghost info center loghost host ip addr channel channel number channel name facility local number language chinese english Cancel the configuration of outputting information to loghost undo info center loghost host ip addr Note Ensure to enter the correct I...

Page 591: ...the channel that corresponds to loghost direction Every channel has been set with a default record whose module name is default and the module number is 0xffff0000 However for different channels the default record may have different default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default one Note If you want to view the ...

Page 592: ...info center enable Note Info center is enabled by default After info center is enabled system performances are affected when the system processes much information because of information classification and outputting 2 Configuring to output information to console terminal Perform the following operation in system view Table 4 25 Configuring to output information to console terminal Operation Comman...

Page 593: ...e channel that corresponds to Console direction Every channel has been set with a default record whose module name is default and the module number is 0xffff0000 However for different channels the default record may have different default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default one Note If you want to view the de...

Page 594: ...debugging Disable terminal display function of debugging information undo terminal debugging Enable terminal display function of log information terminal logging Disable terminal display function of log information undo terminal logging Enable terminal display function of trap information terminal trapping Disable terminal display function of trap information undo terminal trapping 4 5 5 Sending t...

Page 595: ...formation source Operation Command Define information source info center source modu name default channel channel number channel name log trap debug level severity state state Cancel the configuration of information source undo info center source modu name default channel channel number channel name modu name specifies the module name default represents all the modules level refers to the severity...

Page 596: ...nformation debugging information and the time stamp output format of trap information Perform the following operation in system view Table 4 32 Configuring the output format of time stamp Operation Command Configure the output format of the time stamp info center timestamp log trap debugging boot date none Output time stamp is disabled undo info center timestamp log trap debugging 4 Enabling termi...

Page 597: ...play function of log information undo terminal logging Enable terminal display function of trap information terminal trapping Disable terminal display function of trap information undo terminal trapping 4 5 6 Sending the Configuration Information to Log Buffer To send configuration information to log buffer follow the steps below 1 Enabling info center Perform the following operation in system vie...

Page 598: ...ormation source undo info center source modu name default channel channel number channel name modu name specifies the module name default represents all the modules level refers to the severity levels severity specifies the severity level of information The information with the level below it will not be output channel number specifies the channel number and channel name specifies the channel name...

Page 599: ...nfiguration information to trap buffer follow the steps below 1 Enabling info center Perform the following operation in system view Table 4 38 Enabling disabling info center Operation Command Enable info center info center enable Disable info center undo info center enable Note Info center is enabled by default After info center is enabled system performances are affected when the system processes...

Page 600: ...l of information The information with the level below it will not be output channel number specifies the channel number and channel name specifies the channel name When defining the information sent to trap buffer channel number or channel name must be set to the channel that corresponds to Console direction Every channel has been set with a default record whose module name is default and the modu...

Page 601: ...nfo center Operation Command Enable info center info center enable Disable info center undo info center enable Note Info center is enabled by default After info center is enabled system performances are affected when the system processes much information because of information classification and outputting 2 Configuring to output information to SNMP NM Perform the following operation in system vie...

Page 602: ... or channel name must be set to the channel that corresponds to Console direction Every channel has been set with a default record whose module name is default and the module number is 0xffff0000 However for different channels the default record may have different default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default o...

Page 603: ...l information to ensure the information coincidence within the Fabric The switch provides command line to turn on off the synchronization switch in every switch If the synchronization switch of a switch is turned off it does not send information to other switches but still receives information from others 1 Enable info center Perform the following operation in system view Table 4 46 Enable disable...

Page 604: ...statistics of info center Perform the following operation in user view The display command still can be performed in any view Table 4 48 Displaying and debugging info center Operation Command Display the content of information channel display channel channel number channel name Display configuration of system log and memory buffer display info center Clear information in memory buffer reset logbuf...

Page 605: ...nformation are ARP and IP Quidway info center loghost 202 38 1 10 facility local4 language english Quidway info center source arp channel loghost log level informational Quidway info center source ip channel loghost log level informational 2 Configuration on the loghost This configuration is performed on the loghost The following example is performed on SunOS 4 0 and the operation on Unix operatio...

Page 606: ...shment of information log file and the revision of etc syslog conf you should send a HUP signal to syslogd system daemon through the following command to make syslogd reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After the above operation the switch system can record information in related log files Note To configure facility severity filter and the file syslog ...

Page 607: ...ity level threshold value as informational set the output language to English set all the modules are allowed output information Quidway info center loghost 202 38 1 10 facility local7 language english Quidway info center source default channel loghost log level informational 2 Configuration on the loghost This configuration is performed on the loghost Step 1 Perform the following command as the s...

Page 608: ...be output to the loghost correctly Step 3 After the establishment of information log file and the revision of etc syslog conf you should view the number of syslogd system daemon through the following command kill syslogd daemon and reuse r option the start syslogd in daemon ps ae grep syslogd 147 kill 9 147 syslogd r Note For Linux loghost you must ensure that syslogd daemon is started by r option...

Page 609: ...witch console PC Switch console PC Switch Figure 4 4 Schematic diagram of configuration III Configuration steps 1 Configuration on the switch Enabling info center Quidway info center enable Configure console terminal log output allow modules ARP and IP to output information the severity level is restricted within the range of emergencies to informational Quidway info center console channel console...

Page 610: ...erms of structure SNMP can be divided into two parts namely Network Management Station and Agent Network Management Station is the workstation for running the client program At present the commonly used NM platforms include Sun NetManager and IBM NetView Agent is the server software operated on network devices Network Management Station can send GetRequest GetNextRequest and SetRequest messages to...

Page 611: ...naged object B can be uniquely specified by a string of numbers 1 2 1 1 The number string is the Object Identifier of the managed object The current SNMP Agent of Ethernet switch supports SNMP V1 V2C and V3 The MIBs supported are listed in the following table Table 5 1 MIBs supported by the Ethernet Switch MIB attribute MIB content References MIB II based on TCP IP network device RFC1213 RFC1493 B...

Page 612: ...d with a character string which is called Community Name The various communities can have read only or read write access mode The community with read only authority can only query the device information whereas the community with read write authority can also configure the device You can use the following commands to set the community name Perform the following configuration in system view Table 5...

Page 613: ...vice to transmit trap message Perform the following configuration in system view Table 5 4 Enable Disable snmp agent to Send Trap Operation Command Enable to send trap snmp agent trap enable standard authentication coldstart linkdown linkup warmstart Disable to send trap undo snmp agent trap enable standard authentication coldstart linkdown linkup warmstart 5 3 4 Set the Destination Address of Tra...

Page 614: ...n The sysLocation is a management variable of the MIB system group used for specifying the location of managed devices You can use the following commands to set the sysLocation Perform the following configuration in system view Table 5 7 Set sysLocation Operation Command Set sysLocation snmp agent sys info location sysLocation Restore the default location of the Ethernet switch undo snmp agent sys...

Page 615: ...use the following commands to set or delete an SNMP group Perform the following configuration in system view Table 5 10 Set Delete an SNMP Group Operation Command Setting an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl list snmp agent group v3 group name authentication privacy read view read view write view write view notif...

Page 616: ...groupname local engineid engine id 5 3 12 Create Update View Information or Deleting a View You can use the following commands to create update the information of views or delete a view Perform the following configuration in system view Table 5 13 Create Update view information or deleting a view Operation Command Create Update view information snmp agent mib view included excluded view name oid t...

Page 617: ...he configuration Execute debugging command in user view to debug SNMP configuration Table 5 16 Display and debug SNMP Operation Command Display the statistics information about SNMP packets display snmp agent statistics Display the engine ID of the active device display snmp agent local engineid remote engineid Display the group name the security mode the states for all types of views and the stor...

Page 618: ...ator ID contact and switch location and enabling the switch to sent trap packet II Networking diagram Ethernet NMS 129 102 0 1 129 102 149 23 Figure 5 2 SNMP configuration example III Configuration procedure Enter the system view Quidway system view Set the community name group name and user Quidway snmp agent sys info version all Quidway snmp agent community write public Quidway snmp agent mib in...

Page 619: ...k Management Station whose ip address is 129 102 149 23 The SNMP community is public Quidway snmp agent trap enable standard authentication Quidway snmp agent trap enable standard coldstart Quidway snmp agent trap enable standard linkup Quidway snmp agent trap enable standard linkdown Quidway snmp agent target host trap address udp domain 129 102 149 23 udp port 5000 params securityname public IV ...

Page 620: ...can reduce the communication traffic between the NMS and the agent thus facilitates an effective management over the large interconnected networks RMON allows multiple monitors It can collect data in two ways z One is to collect data with a special RMON probe NMS directly obtains the management information from the RMON probe and controls the network resource In this way it can obtain all the info...

Page 621: ... adding and deleting the alarm entries You can use the following commands to add delete an entry to from the alarm table Perform the following configuration in system view Table 6 1 Add Delete an entry to from the alarm table Operation Command Add an entry to the alarm table rmon alarm entry number alarm variable sampling time delta absolute rising threshold threshold value1 event entry1 falling t...

Page 622: ...m the history control table Operation Command Add an entry to the history control table rmon history entry number buckets number interval sampling interval owner text string Delete an entry from the history control table undo rmon history entry number 6 2 4 Add Delete an Entry to from the Extended RMON Alarm Table You can use the command to add delete an entry to from the extended RMON alarm table...

Page 623: ...istics entry number owner text string Delete an entry from the statistics table undo rmon statistics entry number 6 3 Display and Debug RMON After the above configuration execute display command in any view to display the running of the RMON configuration and to verify the effect of the configuration Table 6 6 Display and debug RMON Operation Command Display the RMON statistics display rmon statis...

Page 624: ...i rmon View the configurations in user view Quidway display rmon statistics Ethernet 2 1 Statistics entry 1 owned by huawei rmon is VALID Gathers statistics of interface Ethernet2 1 Received octets 270149 packets 1954 broadcast packets 1570 multicast packets 365 undersized packets 0 oversized packets 0 fragments packets 0 jabbers packets 0 CRC alignment errors 0 collisions 0 Dropped packet events ...

Page 625: ...etwork NTP ensures the consistency of the following applications z For the increment backup between the backup server and client NTP ensures the clock synchronization between the two systems z For multiple systems that coordinate to process a complex event NTP ensures them to reference the same clock and guarantee the right order of the event z Guarantee the normal operation of the inter system Re...

Page 626: ...ng principle of NTP In the figure above Ethernet Switch A and Ethernet Switch B are connected via the Ethernet port They have independent system clocks Before implement automatic clock synchronization on both switches we assume that z Before synchronizing the system clocks on Ethernet Switch A and B the clock on Ethernet Switch A is set to 10 00 00am and that on B is set to 11 00 00am z Ethernet S...

Page 627: ...ice z Set maximum local sessions 7 2 1 Configure NTP Operating Mode You can set the NTP operating mode of an Ethernet Switch according to its location in the network and the network structure For example you can set a remote server as the time server of the local equipment In this case the local Ethernet Switch works as an NTP client If you set a remote server as a peer of the local Ethernet Switc...

Page 628: ...NTP version number number ranges from 1 to 3 and defaults to 3 the authentication key ID keyid ranges from 0 to 4294967295 interface name or interface type interface number specifies the IP address of an interface from which the source IP address of the NTP packets sent from the local Ethernet Switch to the time server will be taken priority indicates the time server will be the first choice II Co...

Page 629: ...number Cancel NTP broadcast server mode undo ntp service broadcast server NTP version number number ranges from 1 to 3 and defaults to 3 the authentication key ID keyid ranges from 0 to 4294967295 This command can only be configured on the interface where the NTP broadcast packets will be transmitted IV Configure NTP Broadcast Client Mode Designate an interface on the local Ethernet Switch to rece...

Page 630: ...cast IP address defaults to 224 0 1 1 This command can only be configured on the interface where the NTP multicast packet will be transmitted VI Configure NTP Multicast Client Mode Designate an interface on the local Ethernet Switch to receive NTP multicast messages and operate in multicast client mode The local Ethernet Switch listens to the multicast from the server When it receives the first mu...

Page 631: ... NTP authentication key Perform the following configurations in system view Table 7 8 Configure NTP authentication key Operation Command Configure NTP authentication key ntp service authentication keyid number authentication mode md5 value Remove NTP authentication key undo ntp service authentication keyid number Key number number ranges from 1 to 4294967295 the key value contains 1 to 32 ASCII ch...

Page 632: ...ast peer command also designates a transmitting interface use the one designated by them 7 2 6 Set NTP Master Clock This configuration task is to set the external reference clock or the local clock as the NTP master clock Perform the following configurations in system view Table 7 11 Set the external reference clock or the local clock as the NTP master clock Operation Command Set the external refe...

Page 633: ...erform the following configurations in system view Table 7 13 Set authority to access a local Ethernet switch Operation Command Set authority to access a local Ethernet switch ntp service access query synchronization server peer acl number Cancel settings of the authority to access a local Ethernet switch undo ntp service access query synchronization server peer IP address ACL number is specified ...

Page 634: ...ify the configurations according to the outputs In user view you can use the debugging command to debug NTP Table 7 15 NTP display and debugging Operation Command Display the status of NTP service display ntp service status Display the status of sessions maintained by NTP service display ntp service sessions verbose Display the brief information about every NTP time server on the way from the loca...

Page 635: ...idway1 ntp service refclock master 2 Configure Ethernet Switch Quidway2 Enter system view Quidway2 system view Set Quidway1 as the NTP server Quidway2 ntp service unicast server 1 0 1 11 The above examples synchronized Quidway2 by Quidway1 Before the synchronization the Quidway2 is shown in the following status Quidway2 display ntp service status clock status unsynchronized clock stratum 16 refere...

Page 636: ... ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 LOCAL 0 3 377 64 16 0 4 0 0 0 9 note 1 source master 2 source peer 3 selected 4 candidate 5 configured II NTP peer configuration example 1 Network requirements On Quidway3 set local clock as the NTP master clock at stratum 2 On Quidway2 configure Quidway1 as the time server in server mode and set the loca...

Page 637: ... 3 synchronize Quidway4 by Quidway5 After synchronization Quidway4 status is shown as follows Quidway4 display ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 3 0 1 31 Nominal frequency 60 0002 Hz Actual frequency 60 0002 Hz Clock precision 2 17 Clock offset 9 8258 ms Root delay 27 10 ms Root dispersion 49 29 ms Peer dispersion 10 94 ms Reference time 19 21 32 287 U...

Page 638: ...rface2 ntp service broadcast server Configure Ethernet Switch Quidway4 Enter system view Quidway4 system view Enter Vlan interface2 view Quidway4 interface vlan interface 2 Quidway4 Vlan Interface2 ntp service broadcast client Configure Ethernet Switch Quidway1 Enter system view Quidway1 system view Enter Vlan interface2 view Quidway1 interface vlan interface 2 Quidway1 Vlan Interface2 ntp service...

Page 639: ...stra reach poll now offset delay disper 12345 127 127 1 0 LOCAL 0 7 377 64 57 0 0 0 0 1 0 5 1 0 1 11 LOCAL 0 3 0 64 0 0 0 0 0 0 5 128 108 22 44 0 0 0 0 16 0 64 0 0 0 0 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured IV Configure NTP multicast mode 1 Network requirements Quidway3 sets the local clock as the master clock at stratum 2 and multicast packets from Vlan interfa...

Page 640: ...icast messages from Vlan interface2 Quidway3 multicast messages from Vlan interface2 Since Quidway1 and Quidway3 are not located on the same segments Quidway1 cannot receive the multicast packets from Quidway3 while Quidway4 is synchronized by Quidway3 after receiving the multicast packet V Configure authentication enabled NTP server mode 1 Network requirements Quidway1 sets the local clock as the...

Page 641: ... as reliable Quidway2 ntp service reliable authentication keyid 42 Qudiway2 ntp service unicast server 1 0 1 11 authentication keyid 42 The above examples synchronized Quidway2 by Quidway1 Since Quidway1 has not been enabled authentication it cannot synchronize Quidway2 And now let us do the following additional configurations on Quidway1 Enable authentication Quidway1 ntp service authentication e...

Page 642: ...ain text password interception when users log on to the switch remotely from an insecure network environment A switch can connect to multiple SSH clients SSH Client functions to enable SSH connections between users and the Ethernet switch or UNIX host that support SSH Server You can set up SSH channels for local connection See Figure 8 1 Currently the switch which runs SSH server supports SSH vers...

Page 643: ...e has been created and configured as no authentication authentication stage is skipped for this user Otherwise authentication process continues SSH supports two authentication types password authentication and RSA authentication In the first type the server compare the username and password received with those configured locally The user is allowed to log on to the switch if the usernames and pass...

Page 644: ...y SSH protocol for the system before enabling SSH Please perform the following configuration in VTY user interface view Table 8 1 Setting system protocols and link maximum Operation Command Set system protocol and link maximum protocol inbound all ssh telnet By default the system supports both Telnet and SSH protocols Caution If SSH protocol is specified to ensure a successful login you must confi...

Page 645: ...nd once with no further action required even after the system is rebooted III Configuring authentication type For a new user you must specify authentication type Otherwise he she cannot access the switch Please perform the following configurations in system view Table 8 3 Configuring authentication type Operation Command Configure authentication type ssh user username authentication type password ...

Page 646: ...nd Define SSH authentication timeout value ssh server timeout seconds Restore the default timeout value undo ssh server timeout By default the timeout value for SSH authentication is 60 seconds VI Defining SSH authentication retry value Setting SSH authentication retry value can effectively prevent malicious registration attempt Please perform the following configurations in system view Table 8 6 ...

Page 647: ...blic key with the public key code begin command You can key in blank space between characters since the system can remove the blank space automatically But the public key should be composed of hexadecimal characters Terminate public key editing and save the result with the public key code end command Validity check comes before saving the public key editing fails if the key contains invalid charac...

Page 648: ...rrently supports SSH Server 1 5 so you have to choose 1 5 or earlier version z Specifying RSA private key file If you specify RSA authentication for the SSH user you must specify RSA private key file The RSA key which includes the public key and private key are generated by the client software The former is configured in the server switch and the latter is in the client The following description t...

Page 649: ...rsion Click the left menu Category Connection SSH to enter the interface shown in following figure Figure 8 3 SSH client configuration interface 2 You can select 1 as shown in the figure IV Specifying RSA private key file If you want to enable RSA authentication you must specify RSA private key file which is not required for password authentication Click SSH Auth to enter the interface as shown in...

Page 650: ...Proprietary 8 9 Figure 8 4 SSH client configuration interface 3 Click the Browse button to enter the File Select interface Choose a desired file and click OK V Opening SSH connection Click the Open button to enter SSH client interface If it runs normally you are promoted to enter username and password See the following figure ...

Page 651: ...further to check configuration result Run the debugging command to debug the SSH Please perform the following configurations in any view Table 8 10 Display SSH information Operation Command Display host and server public keys display rsa local key pair public Display client RSA public key display rsa peer public key brief name keyname Display SSH state information and session display ssh server st...

Page 652: ...ce this operation is unnecessary z For password authentication mode Quidway user interface vty 0 4 Quidway ui vty0 4 authentication mode scheme Quidway ui vty0 4 protocol inbound ssh Quidway local user client001 Quidway luser client001 password simple huawei Quidway luser client001 service type ssh Quidway ssh user client001 authentication type password Select the default values for SSH authentica...

Page 653: ...A291ABDA704F5D93DC8FDF84C427463 Quidway key code 1991C164B0DF178C55FA833591C7D47D5381D09CE82913 Quidway key code D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4 Quidway key code 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC Quidway key code C48E3306367FE187BDD944018B3B69F3CBB0A573202C16 Quidway key code BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 Quidway key code public key code end Quidway rsa p...

Page 654: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Auto Detecting ...

Page 655: ...ct Configuration Example 1 2 Chapter 2 Implementations of Auto Detect 2 1 2 1 Introduction 2 1 2 2 Implementations in Static Routing 2 1 2 2 1 Configuring Auto Detect for a Static Route 2 1 2 2 2 Implementation Example 2 2 2 3 Implementations in VRRP 2 3 2 3 1 Configuring Auto Detect for VRRP 2 3 2 3 2 Implementation Example 2 4 2 4 Implementations in VLAN Interface Backup 2 5 2 4 1 Configuring Au...

Page 656: ...he results of detecting groups which in turn enables you to locate network problems in time and take proper measures 1 1 1 Configuring Auto Detect Table 1 1 Configure auto detect Operation Command Remarks Enter system view Quidway system view Create a detecting group and enter its view Quidway detect group group number Required Configure an IP address of the interface to be detected in the detecti...

Page 657: ...nterfaces with an IP address of 10 1 1 4 and 192 168 2 2 z Specify to return reachable as the detecting result if one of the two interfaces can be successfully pinged that is specify the or keyword for the option command z Specify the detecting interval to 60 seconds maximum retries to 3 and the timeout time to 3 seconds II Network diagram 192 168 1 1 192 168 2 1 192 168 1 2 192 168 2 2 20 1 1 2 1...

Page 658: ...st 1 ip address 10 1 1 4 nexthop 192 168 1 2 Specify to detect the interface with an IP address of 192 168 2 2 and set the number of this operation to 1 Quidway detect group 10 detect list 2 ip address 192 168 2 2 Specify to return reachable as the detecting result if one of the two interfaces is detected to be reachable Quidway detect group 10 option or Set the detecting interval to 60 seconds Qu...

Page 659: ...plementations mentioned above simultaneously Note z Refer to the Routing Protocol part in this manual for more information about static routing z Refer to the Reliability part in this manual for more information about VRRP 2 2 Implementations in Static Routing By binding a detecting group to a static route you can control the validity of a static route according to auto detect results as follows z...

Page 660: ...nd Switch B z Enable the static route when the result of detecting group 8 is reachable II Network diagram 192 168 1 1 192 168 2 1 192 168 1 2 192 168 2 2 20 1 1 2 10 1 1 3 Ethernet 1 0 1 10 1 1 4 Ethernet 2 0 1 Switch A Switch B Switch C Switch D 192 168 1 1 24 192 168 2 1 24 192 168 1 2 24 192 168 2 2 24 20 1 1 2 24 10 1 1 3 24 Ethernet 1 0 1 10 1 1 4 24 Ethernet 2 0 1 Switch A Switch B Switch C...

Page 661: ...plementations in VRRP You can control priorities of VRRP backup groups according to auto detect results to enable automatic switch between the primary switch and the secondary switch as follows z Decrease the preference values of backup groups when the result of the detecting group is unreachable z Resume the preference values of backup groups when the result of the detecting group is reachable 2 ...

Page 662: ... from Switch D to Switch C the secondary link is enabled Network diagram 192 168 1 2 20 1 1 2 10 1 1 3 10 1 1 4 Switch C 192 168 1 1 24 192 168 1 2 24 192 168 1 3 24 20 1 1 3 24 10 1 1 3 24 Ethernet 1 0 1 10 1 1 4 24 Ethernet 2 0 1 Switch A Switch B Switch C Switch D VLAN 1 20 1 1 4 24 VLAN 1 VLAN 1 VLAN 1 192 168 1 2 20 1 1 2 10 1 1 3 10 1 1 4 Switch C 192 168 1 1 24 192 168 1 2 24 192 168 1 3 24...

Page 663: ...t Quidway D interface vlan interface 1 Quidway D vlan interface1 ip address 192 168 1 3 24 Enable VRRP on VLAN interface 1 and set a virtual IP address Quidway D vlan interface1 vrrp vrid 1 virtual ip 192 168 1 3 Set the backup group priority value of switch D to 100 Quidway D vlan interface1 vrrp vrid 1 priority 100 2 4 Implementations in VLAN Interface Backup Interface backup is a function used ...

Page 664: ... view Enter VALN interface view Quidway interface vlan interface vlan_id Enable auto detect to implement VLAN interface backup Quidway vlan interfaceX standby detect group group number Required but only needed on the secondary VALN interface Note z The prompts of interface views vary with the actual configurations z Refer to corresponding command manual for information about parameters listed in t...

Page 665: ...1 Switch A Switch B Switch C Switch D VLAN 1 VLAN 2 20 1 1 4 24 Figure 2 3 Network diagram for VLAN interface backup III Configuration procedure 1 Configure Switch C as follows Enter system view Quidway C system view Configure a static route to VLAN interface 1 on Switch A as the primary route with an IP address of 10 1 1 3 as the next hop Quidway C ip route static 192 168 1 1 24 10 1 1 3 Configur...

Page 666: ... detect group 10 Add an IP address in detecting group 10 to specify to detect the reachability to the interface with an IP address of 10 1 1 4 with the interface whose IP address is 192 168 1 2 as the next hop and set the detecting number to 1 Quidway A detect group 10 detect list 1 ip address 10 1 1 4 nexthop 192 168 1 2 Quidway A detect group 10 quit Specify to enable VLAN interface 2 when the r...

Page 667: ...Huawei Technologies Proprietary HUAWEI Quidway S3500 Series Ethernet Switches Operation Manual Appendix ...

Page 668: ...Operation Manual Appendix Quidway S3500 Series Ethernet Switches Table of Contents Huawei Technologies Proprietary i Table of Contents Appendix A Acronyms A 1 ...

Page 669: ...ystem Border Router B BDR Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP G...

Page 670: ...on Base N NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM O OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode Q QoS Quality of Service R RIP Routing Information Protocol RMON Remote Network Monitoring RSTP Rapid Spanni...

Page 671: ...s Appendix A Acronyms Huawei Technologies Proprietary A 3 TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand VRRP Virtual Router Redundancy Protocol W WRR Weighted Round Robin ...

Reviews:

No comments