Huawei Quidway S5600 Operation Manual Download Page 579

Page: 579 / 991

Operation Manual – AAA & RADIUS & HWTACACS & EAD
Quidway S5600 Series Ethernet Switches-Release 1510

Chapter 2 EAD Configuration

Huawei Technologies Proprietary

2-2

After a client is authenticated by the authentication server, the security policy server

sends to the switch an isolation ACL that limits client access rights. Meanwhile, the

security software in the client checks the security conditions of the client and sends the

conditions to the security policy server. If the client security conditions are not compliant

with the defined security specifications, the client is limited to some specific resources,

for example, virus patch server. If the client security conditions are compliant with the

defined security specifications, the security policy will distribute to the switch a safe

ACL that grants the client more access rights.

Note:

The system does not support the scenario that the security policy server issues

QoS-Profile and isolation ACL at the same time.

2.3 EAD Configuration

The EAD configuration includes the following:

Configuring the attributes, such as the user name, user type, and password for

access users. If local authentication is performed, you need to configure these

attributes on the switch; if remote authentication is performed, you need to

configure these attributes on AAA sever.

Configuring RADIUS scheme.

Configuring IP address for the security policy server.

Associating domain with RADIUS scheme.

EAD is implemented typically in RADIUS scheme.

This section mainly describes configuration of IP address for the security policy server.

For other related information, refer to Chapter 1 “AAA & RADIUS & HWTACACS

Configuration”.

Table 2-1

EAD configuration

Operation

Command

Description

Enter system view

system-view

—

Enter RADIUS scheme
view

radius scheme

radius-scheme-name

—

Summary of Contents for Quidway S5600

Page 1: ...Huawei Technologies Proprietary HUAWEI Quidway S5600 Series Ethernet Switches Operation Manual Release 1510 ...

Page 2: ...d service If you purchase the products from the sales agent of Huawei Technologies Co Ltd please contact our sales agent If you purchase the products from Huawei Technologies Co Ltd directly Please feel free to contact our local office customer care center or company headquarters Huawei Technologies Co Ltd Address Administration Building Huawei Technologies Co Ltd Bantian Longgang District Shenzhe...

Page 3: ...bridge Tellwin Inmedia VRP DOPRA iTELLIN HUAWEI OptiX C C08iNET NETENGINE OptiX iSite U SYS iMUSE OpenEye Lansway SmartAX infoX and TopEng are trademarks of Huawei Technologies Co Ltd All other trademarks and trade names mentioned in this manual are the property of their respective holders Notice The information in this manual is subject to change without notice Every effort has been made in the p...

Page 4: ...mmands Organization Quidway S5600 Series Ethernet Switches Operation Manual consists of the following parts z 0 Product Overview Introduces the characteristics and implementations of the Ethernet switch z 1 CLI Introduces the command hierarchy command view and CLI features of the Ethernet switch z 2 Login Introduces the ways to log into an Ethernet switch z 3 Configuration File Management Introduc...

Page 5: ...ted configuration z 13 DLDP Introduces DLDP and the related configuration z 14 MAC Address Table Introduces MAC address forwarding table and the related configuration z 15 Auto Detect Introduces auto detect and the related configuration z 16 MSTP Introduces STP and the related configuration z 17 Routing Protocol Introduces the routing protocol related configurations including static route configur...

Page 6: ... the related configuration z 28 IRF Fabric Introduces IRF fabric related configuration z 29 Cluster Introduces the configuration to form clusters using HGMP V2 z 30 PoE PoE Profile Introduces PoE PoE profile and the related configuration z 31 UDP Helper Introduces UDP Helper and the related configuration z 32 SNMP RMON Introduces the configuration to manage network devices through SNMP and RMON z ...

Page 7: ... z 42 Appendix A Acronyms Lists the acronyms used in this manual Intended Audience The manual is intended for the following readers z Network engineers z Network administrators z Customers who are familiar with network fundamentals Conventions The manual uses the following conventions I General conventions Convention Description Arial Normal paragraphs are in Arial Boldface Headings are in Boldfac...

Page 8: ...g with the sign is comments III GUI conventions Convention Description Boldface Button names and menu items are in Boldface For example click OK Multi level menus are in bold and separated by forward slashes For example select the File Create Folder menu IV Keyboard operation Format Description Key Press the key with the key name inside angle brackets For example Enter Tab Backspace or A Key1 Key2...

Page 9: ... the primary mouse button and move the pointer to a certain position VI Symbols Eye catching symbols are also used in the manual to highlight the points worthy of special attention during the operation They are defined as follows Caution Warning Danger Means reader be extremely careful during the operation Note Comment Tip Knowhow Thought Means a complementary description ...

Page 10: ...uawei 3Com Website 1 1 1 3 Software Release Notes 1 2 Chapter 2 Documentation and Software Version 2 1 2 1 Software Version for the Manual 2 1 2 2 Document List 2 2 Chapter 3 Product Overview 3 1 3 1 Preface 3 1 3 2 Switch Models 3 1 3 3 Software Features 3 2 Chapter 4 Networking Applications 4 1 4 1 Application in Small Middle Scaled Enterprise Networks 4 1 4 2 Application in Large Scaled Campus ...

Page 11: ... a convenient way through the reader interface The contents in the manual are subject to update on an irregular basis due to product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version This manual serves the purpose of user guide only Unless otherwise noted all the information in the document set does not claim or imply any warranty For the late...

Page 12: ...ease 1510 Chapter 1 Obtaining the Documentation Huawei Technologies Proprietary 1 2 1 3 Software Release Notes With software upgrade new software features may be added You can acquire the information about the newly added software features through software release notes ...

Page 13: ...lease0035 Release1510 has seven new features additionally as shown in Table 2 2 Table 2 1 Newly added features in Release1510 and ESS1508 New features supported in both Release1510 and ESS1508 Related part Configuring the interval to generate port statistics 09 Port Basic Configuration Newly added port security mode autolearn 12 Port Security Port Binding Standard MSTP STP Compliance 16 MSTP Unkno...

Page 14: ...TACACS EAD Opening closing UDP port 1645 for LOCALSERVER authentication and UDP port 1646 for LOCALSERVER accounting 20 AAA RADIUS HWTACACS EAD Opening closing DHCP TCP port 67 and 68 for DHCP server client relay 24 DHCP Opening closing cluster UDP port 40000 30 Cluster Opening closing UDP port 161 for SNMP agent and UDP port 1024 for SNMP trap Client 32 SNMP RMON Opening closing a TCP UD P port O...

Page 15: ...ies Table 3 1 Models in the S5600 series Model Power supply Available service port Service port Combo port Console port Quidway S5624P AC and DC dual input power supply PSL130 AD 24 24 x 10 100 100 0Base T electrical ports 4 x 1000 Mbps SFP Combo ports 1 Quidway S5624P PWR AC DC input external PoE power supply PSL480 AD2 4P 24 24 x 10 100 100 0Base T electrical ports 4 x 1000 Mbps SFP Combo ports ...

Page 16: ...h through an Ethernet port by using Telnet or SSH z Logging into a switch through the Console port by using modem z Logging into a switch through Web or NMS 3 Configuration File Management z Saving restoring and deleting the configuration file 4 VLAN z IEEE 802 1Q compliant VLAN z Port based VLAN z Protocol based VLAN 5 IP Address and Performance Configuration z Configuring an IP address for a swi...

Page 17: ...otocol BGP z Routing policy 18 Multicast z Internet group management protocol snooping IGMP Snooping z Internet group management protocol IGMP z Protocol independent multicast dense mode PIM DM z Protocol independent multicast sparse mode PIM SM 19 802 1x z 802 1X authentication z Guest VLAN z Huawei authentication bypass protocol HABP 20 AAA RADIUS H WTACACS EAD z Authentication authorization and...

Page 18: ... Helper z Forwarding UDP broadcast packets by using UDP Helper 32 SNMP RMON z Simple network management protocol SNMP v3 compatible with SNMP v1 v2 z Remote monitoring RMON 33 NTP z Network time protocol NTP 34 SSH Terminal Service z Secure shell SSH z Secure FTP SFTP 35 File System Management z File system management z Configuration file backup and restoration z FTP TFTP lighting 36 FTP and TFTP ...

Page 19: ...eration Manual Overview Quidway S5600 Series Ethernet Switches Release 1510 Chapter 3 Product Overview Huawei Technologies Proprietary 3 5 Part Features 40 HWPing z HWPing 41 DNS z Domain Name System DNS ...

Page 20: ...rs to the networks of other branches or the headquarters When the branches or enterprises grow in scale the S5600 series also provide seamless growth through IRF Core Aggregation Access 5600 3900 Figure 4 1 Application in small middle scaled enterprise branches 4 2 Application in Large Scaled Campus Networks The S5600 series can also be used as aggregation devices in large scaled enterprise networ...

Page 21: ...ew Quidway S5600 Series Ethernet Switches Release 1510 Chapter 4 Networking Applications 4 2 Core Aggregation Access 6500 5600 3900 Core Aggregation Access 6500 5600 3900 Figure 4 2 Application in large scaled campus networks ...

Page 22: ...verview 1 1 1 1 Introduction to the CLI 1 1 1 2 Command Level Command View 1 1 1 2 1 Switching between User Levels 1 2 1 2 2 Configuring the Level of a Specific Command in a Specific View 1 3 1 2 3 CLI Views 1 3 1 3 CLI Features 1 9 1 3 1 Online Help 1 9 1 3 2 Terminal Display 1 10 1 3 3 Command History 1 11 1 3 4 Error Messages 1 12 1 3 5 Command Edit 1 12 ...

Page 23: ... Commands fall into four levels visit monitor system and manage z Visit level Commands at this level are mainly used to diagnose network and change the language mode of user interface and cannot be saved in configuration files For example the ping tracert and language mode commands are at this level z Monitor level Commands at this level are mainly used to maintain the system and diagnose service ...

Page 24: ... only when a user switches from a lower user level to a higher user level II Switching to another user level Table 1 2 lists operations to switch to another user level Table 1 2 Switch to another user level Operation Command Description Switch to the user level identified by the level argument super level Required Execute this command in user view If a password for switching to the user level iden...

Page 25: ...a specific view command privilege level level view view command Required Use this command with caution to prevent inconvenience on maintenance and operation 1 2 3 CLI Views CLI views are designed for different configuration tasks They are interrelated You will enter user view once you log into a switch successfully where you can perform operations such as displaying operation status and statistica...

Page 26: ...r method Quit method User view Display operation status and statistical information Quidway Enter user view once logging into the switch Execute the quit command in user view to log out of the switch System view Configure system parameters Quidway Execute the system view command in user view Execute the quit or return command to return to user view Ethernet port view Configure Ethernet port parame...

Page 27: ...e the quit command to return to system view Execute the return command to return to user view Local user view Configure local user parameters Quidway lus er user1 Execute the local user user1 command in system view Execute the quit command to return to system view Execute the return command to return to user view User interface view Configure user interface parameters Quidway ui0 Execute the user ...

Page 28: ...it command to return to system view Execute the return command to return to user view PIM view Configure PIM parameters Quidway pi m Execute the pim command in system view If multicast routing is not enabled you should use the multicast routing enabl e command first Execute the quit command to return to system view Execute the return command to return to user view RIP view Configure RIP parameters...

Page 29: ... return to user view Public key editing view Edit RSA public keys of SSH users Quidway rsa key code Execute the public key co de begin command in public key view Execute the public key code end command to return to public key view Basic ACL view Define rules for a basic ACL ACLs with their IDs ranging from 2000 to 2999 are basic ACLs Quidway acl basic 2000 Execute the acl number 2000 command in sy...

Page 30: ...ommand in system view Execute the quit command to return to system view Execute the return command to return to user view ISP domain view Configure parameters for an ISP domain Quidway isp huawei163 net Execute the domain huawei163 net command in system view Execute the quit command to return to system view Execute the return command to return to user view HWPING view Configure HWPing parameters Q...

Page 31: ... CLI Features 1 3 1 Online Help CLI provides two types of online help complete online help and partial online help They assist you with your configuration I Complete online help Enter a character in any view on your terminal to display all the commands available in the view and their brief descriptions The following takes user view as an example Quidway User view commands backup Backup current con...

Page 32: ...terface 1 cr The string cr means no argument is available in the position occupied by the character You can execute the command without providing any other information II Partial online help Enter a string followed directly by a character on your terminal to display all the commands beginning with the string For example Quidway pi ping Enter a command a space and a string followed by a character o...

Page 33: ...nds for each user Table 1 6 lists history command related operations Table 1 6 Access history commands Operation Operation Description Display history commands Execute the display history command command This command displays valid history commands Recall the previous history command Press the up arrow key or Ctrl P This operation recalls the previous history command if available Recall the next h...

Page 34: ...command The parameters entered are ambiguous Wrong parameter found at position The parameter labeled by is unrecognizable 1 3 5 Command Edit The CLI provides basic command edit functions and supports multi line editing The maximum number of characters a command can contain is 256 Table 1 8 lists the CLI edit operations Table 1 8 Edit operations Press To A common key Insert the character the key re...

Page 35: ...ncomplete keyword and the Tab key if the input keyword uniquely identifies an existing keyword the system completes the keyword and displays the command on the next line if the input keyword matches more than one keyword one different keyword is displayed on a new line each time you press the Tab key if the input keyword matches no keyword the system displays your original input on a new line with...

Page 36: ...2 5 Console Port Login Configuration with Authentication Mode Being Password 2 9 2 5 1 Configuration Procedure 2 9 2 5 2 Configuration Example 2 11 2 6 Console Port Login Configuration with Authentication Mode Being Scheme 2 13 2 6 1 Configuration Procedure 2 13 2 6 2 Configuration Example 2 15 Chapter 3 Logging in through Telnet 3 1 3 1 Introduction 3 1 3 1 1 Common Configuration 3 1 3 1 2 Telnet...

Page 37: ...ess for Telnet Service Packets 7 1 7 1 Configuring Source IP Address for Telnet Service Packets 7 1 7 2 Displaying Source IP Address Configuration 7 2 Chapter 8 User Control 8 1 8 1 Introduction 8 1 8 2 Controlling Telnet Users 8 1 8 2 1 Prerequisites 8 1 8 2 2 Controlling Telnet Users by Source IP Addresses 8 1 8 2 3 Controlling Telnet Users by Source and Destination IP Addresses 8 2 8 2 4 Contro...

Page 38: ...terfaces S5600 series Ethernet switch supports two types of user interfaces AUX and VTY Table 1 1 Description on user interface User interface Applicable user Port used Description AUX Users logging in through the Console port Console port Each switch can accommodate one AUX user VTY Telnet users and SSH users Ethernet port Each switch can accommodate up to five VTY users Note The AUX port and the...

Page 39: ...by default Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Disconnect a specified user interface free user interface type number Optional Execute this command in user view Enter system view system view Enter user interface view user interface type first number last number Set the command that is autom...

Page 40: ...echnologies Proprietary 1 3 Caution The auto execute command command may cause you unable to perform common configuration in the user interface so use it with caution Before executing the auto execute command command and save your configuration make sure you can log into the switch in other modes and cancel the configuration ...

Page 41: ...s of a Console port Table 2 1 The default settings of a Console port Setting Default Baud rate 9 600 bps Flow control None Check mode Parity None Stop bits 1 Data bits 8 After logging into a switch you can perform configuration for AUX users Refer to section 2 3 Console Port Login Configuration for more 2 2 Logging in through the Console Port Following are the procedures to connect to a switch thr...

Page 42: ...nologies Proprietary 2 2 the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are configured as those listed in Table 2 1 And the type of the terminal is set to VT100 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the connection ...

Page 43: ...essfully completes POST power on self test The prompt such as Quidway appears after you press the Enter key 4 You can then configure the switch or check the information about the switch by executing the corresponding commands You can also acquire help by type the character The commands available on a switch are described in the command manuals 2 3 Console Port Login Configuration 2 3 1 Common Conf...

Page 44: ...logging into the AUX user interface Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain up to 10 commands Terminal configuration Set the tim...

Page 45: ... authenticatio n or RADIUS authenticatio n AAA configuration specifies whether to perform local authentication or RADIUS authentication Optional Local authentication is performed by default Refer to the AAA RADIUS HWTACAC S EAD module for more Configure user name and password Configure user names and passwords for local RADIUS users Required z The user name and password of a local user are configu...

Page 46: ...t is 9 600 bps Set the check mode parity even mark none odd space Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The stop bits of a Console port is 1 Configure the Console port Set the data bits databits 7 8 Optional The default data bits of a Console port is 8 Configure the command level available to users loggi...

Page 47: ...unction Note that the command level available to users logging into a switch depends on both the authentication mode none command and the user privilege level level command as listed in the following table Table 2 5 Determine the command level A Scenario Authentication mode User type Command Command level The user privilege level level command not executed Level 3 None authentication mode none Use...

Page 48: ... user interface view Quidway user interface aux 0 Specify not to authenticate users logging in through the Console port Quidway ui aux0 authentication mode none Specify commands of level 2 are available to users logging into the AUX user interface Quidway ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps Quidway ui aux0 speed 19200 Set the maximum number of lines t...

Page 49: ... authenticated Set the local password set authentication password cipher simple password Required Set the baud rate speed speed value Optional The default baud rate of an AUX port also the Console port is 9 600 bps Set the check mode parity even mark none odd space Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional T...

Page 50: ...nutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that the level the commands of which are available to users logging into a switch dep...

Page 51: ... are available to users logging into the AUX user interface z The baud rate of the Console port is 19 200 bps z The screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of the AUX user interface is 6 minutes II Network diagram Figure 2 6 Network diagram for AUX user interface configuration with the authentication mode being password III Conf...

Page 52: ...ers logging into the AUX user interface Quidway ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps Quidway ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Quidway ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Quidway ui aux0 history command max size 20 Set the timeout time of t...

Page 53: ...he local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA RADIUS HWTACAC S EAD module for more z Configu...

Page 54: ...al The default stop bits of a Console port is 1 Configure the Console port Set the data bits databits 7 8 Optional The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Make terminal services available to...

Page 55: ...evel Scenario Authentication mode User type Command Command level The service type terminal command does not specify the available command level Level 0 The default command level of local users is level 0 authentication mode scheme command au thorization Users logging into the Console port and pass AAA RADI US or local authenticati on The service type terminal command specifies the available comma...

Page 56: ...e 2 7 Network diagram for AUX user interface configuration with the authentication mode being scheme III Configuration procedure Enter system view Quidway system view Create a local user named guest and enter local user view Quidway local user guest Set the authentication password to 123456 in plain text Quidway luser guest password simple 123456 Set the service type to Terminal with the user leve...

Page 57: ... interface Quidway ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps Quidway ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Quidway ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Quidway ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 mi...

Page 58: ...e configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available 3 1 1 Common Configuration Table 3 2 lists the common Telnet configuration Table 3 2 Common Telnet configuration Configuration Description Configure the command level available to users logging into the VTY user interface Optional By default commands of l...

Page 59: ...common configuration Perform common Telnet configuration Optional Refer to Table 3 2 Configure the password Configure the password for local authentication Required Password Perform common configuration Perform common Telnet configuration Optional Refer to Table 3 2 Specify to perform local authentication or RADIUS authentication AAA configuration specifies whether to perform local authentication ...

Page 60: ...ssword and the corresponding password has been set TCP 23 will be enabled and TCP 22 will be disabled z If the authentication mode is scheme there are three scenarios when the supported protocol is specified as telnet TCP 23 will be enabled when the supported protocol is specified as ssh TCP 22 will be enabled when the supported protocol is specified as all both the TCP 23 and TCP 22 port will be ...

Page 61: ...ional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time of the VTY user interface idle tim...

Page 62: ...level argument 3 2 2 Configuration Example I Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0 Do not authenticate users logging into VTY 0 Commands of level 2 are available to users logging into VTY 0 Telnet protocol is supported The screen can contain up to 30 lines The history command buffer can contai...

Page 63: ...an contain to 30 Quidway ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Quidway ui vty0 history command max size 20 Set the timeout time to 6 minutes Quidway ui vty0 idle timeout 6 3 3 Telnet Configuration with Authentication Mode Being Password 3 3 1 Configuration Procedure Table 3 6 Telnet configuration with the authentication mode being pa...

Page 64: ...ault the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time of the user interface idle timeout minutes sec...

Page 65: ... I Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0 z Authenticate users logging into VTY 0 using the local password z Set the local password to 123456 in plain text z Commands of level 2 are available to users logging into VTY 0 z Telnet protocol is supported z The screen can contain up to 30 lines z Th...

Page 66: ...d to 123456 in plain text Quidway ui vty0 set authentication password simple 123456 Specify commands of level 2 are available to users logging into VTY 0 Quidway ui vty0 user privilege level 2 Configure Telnet protocol is supported Quidway ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 Quidway ui vty0 screen length 30 Set the maximum number of commands...

Page 67: ... If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA RADIUS HWTACA CS EAD module for more z Configure the user name and password ...

Page 68: ...l are supported by default Make terminal services available shell Optional Terminal services are available in all use interfaces by default Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set history command buf...

Page 69: ...d is not executed and the service type command specifies the available command level Determined by the service typ e command The user privilege level level command is executed and the service type command does not specify the available command level Level 0 VTY users that are AAA RADIUS authenticated or locally authenticated The user privilege level level command is executed and the service type c...

Page 70: ...ommand does not specify the available command level Level 0 VTY users that are authenticated in the password mode of SSH The user privilege level level command is executed and the service type command specifies the available command level Determined by the service typ e command Note Refer to the corresponding modules in this manual for information about AAA RADIUS and SSH 3 4 2 Configuration Examp...

Page 71: ...er local user view Quidway local user guest Set the authentication password of the local user to 123456 in plain text Quidway luser guest password simple 123456 Set the service type to Telnet Quidway luser guest service type telnet level 2 Enter VTY 0 user interface view Quidway user interface vty 0 Configure to authenticate users logging into VTY 0 in the scheme mode Quidway ui vty0 authenticatio...

Page 72: ... in VLAN interface view after you log in through the Console port z Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 3 4 Console port RS 232 port Configuration cable Console port RS 232 port Configuration cable Figure 3 4 Diagram for establishing connection to a Console port z Launch a terminal emulation utility such as Terminal in Windows 3 X or Hyp...

Page 73: ...dress Set the IP address of the management VLAN interface to 202 38 160 92 with the mask set 255 255 255 0 Quidway Vlan interface1 ip address 202 38 160 92 255 255 255 0 2 Perform Telnet related configuration on the switch Refer to section 3 2 Telnet Configuration with Authentication Mode Being None section 3 3 Telnet Configuration with Authentication Mode Being Password and section 3 4 Telnet Con...

Page 74: ... as shown in Figure 3 7 Figure 3 7 Launch Telnet 5 Enter the password when the Telnet window displays Login authentication and prompts for login password The CLI prompt such as Quidway appears if the password is correct If all VTY user interfaces of the switch are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try later A Quid...

Page 75: ...lneting to a switch labeled as Telnet client you can Telnet to another switch labeled as Telnet server by executing the telnet command and then to configure the later Telnet client PC Telnet server Telnet client PC Telnet server Figure 3 8 Network diagram for Telneting to another switch from the current switch 1 Perform Telnet related configuration on the switch operating as the Telnet server Refe...

Page 76: ...et Huawei Technologies Proprietary 3 19 5 Step 5 After successfully Telneting to the switch you can configure the switch or display the information about the switch by executing corresponding commands You can also type at any time for help Refer to the following chapters for the information about the commands ...

Page 77: ... 4 1 Requirements for logging into a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is properly configured The modem is properly connected to PSTN and a telephone set ...

Page 78: ... AUX user interface The corresponding configuration on the switch is the same as those when logging into the switch locally through its Console port except that z When you log in through the Console port using a modem the baud rate of the Console port is usually set to a value lower than the transmission speed of the modem Otherwise packets may get lost z Other settings of the Console port such as...

Page 79: ...th Authentication Mode Being Scheme for more 2 Perform the following configuration to the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Set DSR to high level by force ATEQ1 W Disable the modem from returning command response and th...

Page 80: ...m Telephone line Modem Serial cable Telephone number 82882285 Console port PSTN PC Figure 4 1 Establish the connection by using modems 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 and Figure 4 3 Note that you need to set the telephone number to that of the modem directly connected to the switc...

Page 81: ... password is correct the prompt such as Quidway appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the following chapters for information about the configuration commands Note If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI module for information about...

Page 82: ... logging into a switch through the Web based network management system Item Requirement The management VLAN of the switch is configured The route between the switch and the network management terminal is available Refer to the Management VLAN Configuration module for more Switch The user name and password for logging into the Web based network management system are configured IE is available PC op...

Page 83: ...ty check set to none and flow control set to none z Turn on the switch and press Enter as prompted The prompt such as Quidway appears as shown in Figure 5 2 Figure 5 2 The terminal window z Perform the following operations in the terminal window to assign an IP address to the management VLAN interface of the switch Enter system view Quidway system view Enter management VLAN interface view Quidway ...

Page 84: ...e a static route from the switch to the gateway assuming that the IP address of the gateway is 192 168 0 50 Quidway ip route static ip address 0 0 0 0 255 255 255 255 192 168 0 50 3 Establish an HTTP connection between your PC and the switch as shown in the following figure PC HTTP Connection Sw itch PC HTTP Connection PC HTTP Connection Sw itch PC HTTP connection PC HTTP Connection Sw itch PC HTT...

Page 85: ...p You can shut down or start up the Web server Table 5 2 Shut down start up Web server Operation Command Description Shut down the Web server ip http shutdown Required Execute this command in system view Start the Web server undo ip http shutdown Required Execute this command in system view The Web server is started by default Note To improve security and avoid malicious attack to the unused SOCKE...

Page 86: ...ase 1510 Chapter 5 Logging in through Web based Network Management System Huawei Technologies Proprietary 5 5 Caution After the Web file is upgraded you need to reboot and then specify the new Web file in the Boot menu Otherwise you cannot use the Web Server normally ...

Page 87: ...pplied between the NMS and the agent To log into a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging into a switch through an NMS Item Requirement The management VLAN of the switch is configured The route between the NMS and the switch is available Refer to the Management VLAN Configuration module for more Switch The b...

Page 88: ...ption Specify a source IP address for the Telnet client telnet remote server source ip ip address Optional Specify a source interface for the Telnet client telnet remote server source interface interface type interface number Optional II Configuration in system view Table 7 2 Configure a source IP address for service packets in system view Operation Command Description Specify a source IP address ...

Page 89: ...ice z The interface specified exists 7 2 Displaying Source IP Address Configuration Execute the display command in any view to display the operation state after the above configurations You can verify the configuration effect through the displayed information Table 7 3 Display the source IP address configuration Operation Command Display the source IP address configured for the Telnet client displ...

Page 90: ...ddress Through Layer 2 ACL Section 8 2 4 Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACL Section 8 3 Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACL Section 8 4 Controlling Web Users by Source IP Address WEB Disconnect Web users by force By executing commands in CLI Section 8 4 3 Disconnecting a Web...

Page 91: ...control Telnet users by source IP addresses acl acl number inbound outbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 8 2 3 Controlling Telnet Users by Source and Destination IP Addresses Controlling Telnet users by source and destination...

Page 92: ... interface view user interface type first number last number Apply the ACL to control Telnet users by specified source and destination IP addresses acl acl number inbound outbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 8 2 4 Controllin...

Page 93: ...nterface view user interface type first number last number Apply the ACL to control Telnet users by specified source MAC addresses acl acl number inbound outbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 8 2 5 Configuration Example I Net...

Page 94: ... network management users by source IP addresses z Defining an ACL z Applying the ACL to control users accessing the switch through SNMP 8 3 1 Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying 8 3 2 Controlling Network Management Users by Source IP Addresses Contro...

Page 95: ...t the authentication mode and the encryption mode are configured as none for the group Apply the ACL while configuring the SNMP user name snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Optional No...

Page 96: ...110 100 46 are permitted to access the switch II Network diagram Internet Sw itch Internet Sw itch Figure 8 2 Network diagram for controlling SNMP users using ACLs III Configuration procedure Define a basic ACL Quidway system view Quidway acl number 2000 match order config Quidway acl basic 2000 rule 1 permit source 10 110 100 52 0 Quidway acl basic 2000 rule 2 permit source 10 110 100 46 0 Quidwa...

Page 97: ...2000 to 2999 Table 8 6 Control Web users by source IP addresses Operation Command Description Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment...

Page 98: ... switch II Network diagram Internet Sw itch Internet Sw itch Figure 8 3 Network diagram for controlling Web users using ACLs III Configuration procedure Define a basic ACL Quidway system view Quidway acl number 2030 match order config Quidway acl basic 2030 rule 1 permit source 10 110 100 46 0 Quidway acl basic 2030 rule 2 deny source any Apply the ACL to only permit the Web users sourced from the...

Page 99: ...dway S5600 Series Ethernet Switches Release 1510 Table of Contents Huawei Technologies Proprietary i Table of Contents Chapter 1 Configuration File Management 1 1 1 1 Introduction to Configuration File 1 1 1 2 Configuration File Related Operations 1 1 ...

Page 100: ... The content of a configuration files is a series of commands z Only the non default configuration parameters are saved z The commands are grouped into sections by command view The commands that are of the same command view are grouped into one section Sections are separated by empty lines or comment lines A line is a comment line if it starts with the character z The sections are listed in this o...

Page 101: ...ion file to be used in the next startup startup saved configuration cfgfile backup main Optional By default the switch uses the main configuration file in the next startup Specify that the switch starts without loading the configuration file undo startup saved configuration unit unit id Optional Display the primary configuration file display saved configuration unit unit id by linenum Display the ...

Page 102: ...ded You can save the current configuration files in one of the following two ways z If the safely keyword is not provided the system saves the configuration files in the fast mode In this mode the configuration files are saved fast However the configuration files will be lost if the device is restarted or the power is off when the configuration files are being saved z If the safely keyword is prov...

Page 103: ... 1 3 4 Encapsulation Formats 1 6 1 3 5 Implementation of Protocol Based VLAN 1 6 Chapter 2 VLAN Configuration 2 1 2 1 VLAN Configuration 2 1 2 1 1 Basic VLAN Configuration 2 1 2 1 2 Basic VLAN Interface Configuration 2 1 2 1 3 Displaying VLAN Configuration 2 2 2 2 Configuring a Port Based VLAN 2 3 2 2 1 Configuring a Port Based VLAN 2 3 2 2 2 Protocol based VLAN Configuration Example 2 3 2 3 Confi...

Page 104: ...d port of the packet In this case a host in the network receives a lot of packets whose destination is not the host itself Thus plenty of bandwidth resources are wasted causing potential serious security problems The traditional way to isolate broadcast domains is to use routers However routers are expensive and provide few ports so they cannot subnet the network particularly The virtual local are...

Page 105: ...o the source MAC address and Type refers to the protocol type of the packet IEEE 802 1Q protocol defines that a 4 byte VLAN tag is encapsulated after the destination MAC address and source MAC address to show the information about VLAN TPID Prioity CFI VLAN ID VLAN Tag DA SA Type TPID Prioity CFI VLAN ID TPID Prioity CFI VLAN ID TPID Prioity CFI VLAN ID DA SA Type TPID Prioity CFI VLAN ID TPID Pri...

Page 106: ...ased VLAN technology introduces the simplest way to classify VLANs You can isolate the hosts and divide them into different virtual workgroups through assigning the ports on the device connecting to hosts to different VLANs This way is easy to implement and manage and it is applicable to hosts with relatively fixed positions 1 3 Protocol Based VLAN 1 3 1 Introduction to Protocol Based VLAN Protoco...

Page 107: ... encapsulation is in the range of 0x0000 to 0x05DC Whereas the type field in Ethernet II encapsulation is in the range of 0x0600 to 0xFFFF The switch identifies whether a packet is an Ethernet II packet or an 802 3 packet according to the ranges of the two fields II Encapsulation formats of 802 3 packets 802 3 packets are encapsulated in the following three formats z 802 3 raw encapsulation only t...

Page 108: ... standard packets OUI 3 PID 2 DSAP 1 SSAP 1 Control 1 DA SA 12 Length 2 DATA OUI 3 PID 2 DSAP 1 SSAP 1 Control 1 DA SA 12 Length 2 DATA Figure 1 8 802 3 SNAP encapsulation format In 802 3 SNAP encapsulation format the values of the DSAP field and the SSAP field are always AA and the value of the control field is always 3 The switch differentiates between 802 3 LLC encapsulation and 802 3 SNAP enca...

Page 109: ...tch dsap and ssap value Match type Other values snap llc snap llc snap llc Receive packets Type length field 0x600 0 to 0x05DC 0x600 0x600 0x600 0x05DC to 0x0600 Invalid packets that cannot be matched 802 3 encapsulation 802 3 encapsulation Control field Invalid packets that cannot be matched Value is 3 Value is not 3 snap llc Raw encapsulation snap llc snap llc snap llc snap llc Raw encapsulation...

Page 110: ...pecific fields as the matching criteria After configuring the protocol template you must add a port to the protocol based VLAN and associate this port with the protocol template This port will add VLAN tags to the packets based on protocol types The port in the protocol based VLAN must be connected to a client However a common client cannot process VLAN tagged packets In order that the client can ...

Page 111: ...n vlan id Required The vlan id argument ranges from 1 to 4 094 Assign a name for the current VLAN name text Optional By default the name of a VLAN is its VLAN ID Specify the description string of the current VLAN description text Optional By default the description string of a VLAN is its VLAN ID Caution When you use the vlan command to create VLANs if the destination VLAN is an existing dynamic V...

Page 112: ...enabling disabling states of the Ethernet ports belonging to this VLAN By default a VLAN interface is enabled In this scenario a VLAN interface s status is determined by the status of its Ethernet ports that is if all the Ethernet ports of the VLAN interface are down the VLAN interface is down disabled if one or more Ethernet ports of the VLAN interface are up the VLAN interface is up enabled If a...

Page 113: ...red By default all the ports belong to the default VLAN Caution The commands above are effective for access ports only If you want to add trunk ports or hybrid ports to a VLAN you can use the port trunk permit vlan command or the port hybrid vlan command only in Ethernet port view For the configuration procedure refer to the section Port Basic Configuration Operation in Quidway S5600 Series Ethern...

Page 114: ...e Create VLAN 2 and enter its view Quidway system view Quidway vlan 2 Specify the description string of VLAN 2 as home Quidway vlan2 description home Add GigabitEthernet1 0 1 and GigabitEthernet1 0 2 ports to VLAN 2 Quidway vlan2 port GigabitEthernet1 0 1 GigabitEthernet1 0 2 Create VLAN 3 and enter its view Quidway vlan2 quit Quidway vlan 3 Add GigabitEthernet1 0 3 and GigabitEthernet1 0 4 ports ...

Page 115: ... raw keywords match the same type of packets the ipx raw keyword takes precedence over the mode llc dsap ff ssap ff keyword and a packet will not be further matched if it does not match the ipx raw keyword therefore the protocol vlan mode llc dsap ff ssap ff command takes no effect z Packet encapsulation type is snap instead of llc if the values of the dsap id and ssap id arguments are both AA z W...

Page 116: ...t Basic Configuration in this manual 2 3 3 Displaying Protocol Based VLAN Configuration After the configuration above you can execute the display command in any view to display the running status so as to verify the configuration Table 2 7 Display VLAN configuration Operation Command Description Display the information about the protocol based VLAN display vlan vlan id to vlan id all static dynami...

Page 117: ...to be tagged with the tag of VLAN 5 and be transmitted in VLAN 5 2 Configuration procedure Create VLAN 5 and enter its view Quidway system view Quidway vlan 5 Quidway vlan5 Configure the protocol index to be 1 and the associated protocol to be IP Quidway vlan5 protocol vlan 1 ip Enter GigabitEthernet1 0 5 port view Quidway vlan5 quit Quidway interface GigabitEthernet 1 0 5 Configure the port to be...

Page 118: ...Configuring an IP Address 1 4 1 3 Configuring an IP Address for a VLAN Interface 1 4 1 4 Displaying IP Address Configuration 1 5 1 5 IP Address Configuration Example 1 5 1 6 Troubleshooting 1 6 Chapter 2 IP Performance Configuration 2 1 2 1 IP Performance Configuration 2 1 2 1 1 Introduction to IP Performance Configuration 2 1 2 1 2 Introduction to FIB 2 1 2 1 3 Configuring TCP Attributes 2 1 2 1 ...

Page 119: ...st id host id host id Class A Class B Class C Class D Class E net id Network ID host id Host ID 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 0 1 0 1 1 0 1 1 1 0 1 1 1 1 0 net id net id net id Multicast address Reserved address host id host id host id Class A Class B Class C Class D Class E net id Network ID host id Host ID Figure 1 1 Five classes of IP addr...

Page 120: ...but cannot be used as a destination address z All the IP addresses in the format of 127 X Y Z are reserved for loopback test and the packets sent to these addresses will not be output to lines instead they are processed internally and regarded as incoming packets B 128 0 0 0 to 191 255 255 25 5 128 0 0 0 to 191 254 0 0 z An IP address with all 0s host ID is a network address and is used for networ...

Page 121: ...The mask divides the IP address into two parts subnet address and host address In an IP address the part corresponding to the 1 bits in the mask is the subnet address and the part corresponding to the remaining 0 bits in the mask is the host address If there is no subnet division the subnet mask uses the default value and the length of 1s in the mask is equal to the net id length Therefore for IP ...

Page 122: ...Figure 1 2 Subnet division of the IP address 1 2 Configuring an IP Address For a VLAN interface an IP address can be obtained in one of the three ways z Manually configured by using the IP address configuration command z Allocated by the BOOTP server z Allocated by the DHCP server The three methods are mutually exclusive and the use of a new method will result in the IP address obtained by the old...

Page 123: ...he VLAN interface 1 4 Displaying IP Address Configuration After the above configuration you can execute the display command in any view to display the operating status and configuration on the interface to verify your configuration Table 1 3 Display IP address configuration Operation Command Description View VLAN interface information display ip interface brief interface type interface number inte...

Page 124: ...m troubleshooting as follows z Check the configuration of the switch and then use the display arp command to check whether the host has an corresponding ARP entry in the ARP table maintained by the Switch z Check the VLAN that includes the switch port connecting the host Check whether the VLAN has been configured with the VLAN interface Then check whether the IP addresses of the VLAN interface and...

Page 125: ... the FIN_WAIT_2 state If no FIN packet is received before the timer times out the TCP connection will be terminated The timeout of the finwait timer ranges from 76 to 3 600 seconds and is 675 seconds by default z The connection oriented socket receive send buffer size ranges from 1 to 32 KB and is 8 KB by default 2 1 2 Introduction to FIB Every switch stores a forwarding information base FIB FIB i...

Page 126: ...and Forwarding Broadcast packets include full net broadcast packets and direct connected broadcast packets A direct connected broadcast packet is a packet whose destination IP address is the network broadcast address of a subnet but source IP address is not in the subnet segment You can use the following commands to set whether to receive or forward direct connected broadcast packets Table 2 2 Con...

Page 127: ...tistics display icmp statistics View the current socket information of the system display ip socket socktype sock type task id socket id View the summary of the forwarding information base FIB display fib View the FIB entries matching the destination IP address display fib ip_address1 mask1 mask length1 ip_address2 mask2 mask length2 longer longer View the FIB entries filtering through a specific ...

Page 128: ...play the IP performance and check whether the PC runs normally z Use the terminal debugging command to enable debugging information to be output to the console z Use the debugging udp packet command to enable the UDP debugging to trace UDP packets Quidway terminal debugging Quidway debugging udp packet The UDP packets are shown in the following format UDP output packet Source IP address 202 38 160...

Page 129: ...P Address and Performance Confiugration Quidway S5600 Series Ethernet Switches Release 1510 Chapter 2 IP Performance Configuration Huawei Technologies Proprietary 2 5 Ack number 0 Flag SYN Packet length 60 Data offset 10 ...

Page 130: ...e 1 1 1 2 Management VLAN Configuration 1 2 1 2 1 Prerequisites 1 2 1 2 2 Configuring the Management VLAN 1 2 1 2 3 Configuration Example 1 3 1 3 Displaying Management VLAN Configuration 1 4 Chapter 2 DHCP BOOTP Client Configuration 2 1 2 1 Introduction to DHCP Client 2 1 2 2 Introduction to BOOTP Client 2 3 2 3 DHCP BOOTP Client Configuration 2 4 2 3 1 Prerequisites 2 4 2 3 2 Configuring a DHCP B...

Page 131: ...ay overwrites the one obtained in the previously configured way and the overwritten IP address is then released For example if you assign an IP address to a VLAN interface by using the corresponding commands and then apply for another IP address through BOOTP using the ip address bootp alloc command the former IP address will be removed and the final IP address of the VLAN interface is the one obt...

Page 132: ...e the management VLAN management vlan vlan id Required By default VLAN 1 operates as the management VLAN Add a default VLAN ip route static 0 0 0 0 0 0 0 0 Null null interface number next hop preference preference value reject blackhole detect group detect group id description text Required Create the management VLAN interface and enter VLAN interface view interface vlan interface vlan id Required...

Page 133: ...t provided in the management vlan vlan id command is consistent with that of the management VLAN z Shutting down or bringing up a management VLAN interface has no effect on the up down status of the Ethernet ports in the management VLAN 1 2 3 Configuration Example I Network requirements The administrator wants to manage the switch QuidwayA remotely through Telnet The requirements are as follows Qu...

Page 134: ...play the information about a management VLAN interface display interface vlan interface vlan id Display summary information about the routing table display ip routing table Display detailed information about the routing table display ip routing table verbose Display the routes leading to a specified IP address display ip routing table ip address mask longer match verbose Display the routes leading...

Page 135: ...or the number of the computers exceeds that of the available IP addresses The dynamic host configuration protocol DHCP is developed to meet these requirements It adopts the client server model The DHCP client requests configuration information from the DHCP server dynamically and the DHCP server returns corresponding configuration information based on policies A typical DHCP implementation usually...

Page 136: ... a DHCP client and a DHCP server To obtain valid dynamic IP addresses a DHCP client exchanges different information with the DHCP server in different phases Usually the following three modes are involved 1 The DHCP client accesses the network for the first time In this case the DHCP client goes through the following four phases to establish connections with the DHCP server z Discovery The DHCP cli...

Page 137: ...o another DHCP client the DHCP server responds with a DHCP_NAK packet which enables the DHCP client to request for a new IP address by sending a DHCP_Discover packet once again 3 The DHCP client extends the lease of an IP address IP addresses assigned dynamically are only valid for a specified period of time and the DHCP servers reclaim their assigned IP addresses at the expiration of these period...

Page 138: ... VLAN corresponding to the VLAN ID As VLAN 1 is the default VLAN you do not need to create it if you configure VLAN 1 to be the management VLAN 2 3 2 Configuring a DHCP BOOTP Client Table 2 1 Configure DHCP BOOTP client Operation Command Description Enter system view system view Required Configure a specified VLAN to be the management VLAN management vlan vlan id Required By default VLAN 1 operate...

Page 139: ...VLAN 10 interface and enter VLAN interface view QuidwayA interface vlan interface 10 Configure the management VLAN interface to obtain an IP address through DHCP QuidwayA Vlan interface10 ip address dhcp alloc QuidwayA Vlan interface10 quit Configure a default route QuidwayA ip route static 0 0 0 0 0 0 0 0 1 1 1 2 2 4 Displaying DHCP BOOTP Client Table 2 2 Display DHCP BOOTP client Operation Comma...

Page 140: ...to Voice Stream 1 2 1 1 2 Supporting Information of Voice VLAN on Various Ports 1 2 1 2 Voice VLAN Configuration 1 4 1 2 1 Configuration Prerequisites 1 4 1 2 2 Configuring a Voice VLAN to Operate in Automatic Mode 1 4 1 2 3 Configuring a voice VLAN to operate in manual mode 1 5 1 3 Voice VLAN Configuration Displaying 1 7 1 4 Voice VLAN Configuration Example 1 8 1 4 1 Voice VLAN Configuration Exam...

Page 141: ...ss If the source MAC addresses of packets comply with the organizationally unique identifier OUI addresses configured by the system the packets are determined as voice packets and transmitted in voice VLAN You can configure an OUI address for voice packets or specify to use the default OUI address Note An OUI address is a globally unique identifier assigned to a vendor by IEEE You can determine wh...

Page 142: ...ports can not be added into or removed from the voice VLAN through manual configurations z In manual mode you need to execute related configuration commands to add a voice port to the voice VLAN or remove a voice port from the voice VLAN II Processing mode of tag packets sent by IP voice devices For tag packets sent by the IP voice devices processing modes in the two modes are the same that is a p...

Page 143: ... voice stream Hybrid Not supported because the default VLAN of the port must be a voice VLAN and the access port is in the voice VLAN To do so you can also add the port to the voice VLAN manually Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN And the access port permits the packets of the default VLAN Tag voice stream Hybrid Supported Mak...

Page 144: ...ice VLAN Configuration 1 2 1 Configuration Prerequisites z Create the corresponding VLAN before configuring a voice VLAN z VLAN 1 is the default VLAN and do not need to be created But VLAN 1 does not support the voice VLAN function 1 2 2 Configuring a Voice VLAN to Operate in Automatic Mode Table 1 3 Configure a voice VLAN to operate in automatic mode Operation Command Description Enter system vie...

Page 145: ...ction requires the Hybrid port to untag the packets refer to the VLAN part of the manual for detail therefore you must not configure a VLAN as both a voice VLAN and a protocol VLAN z You cannot configure the default VLAN as a voice VLAN for a port working in the automatic mode Otherwise the system will prompt that you cannot perform the configuration Note When the voice VLAN is working normally if...

Page 146: ...AN port interface list Enter port view interface interface type interface num Add the port to the voice VLAN port trunk permit vlan vlan id port hybrid vlan vlan id tagged untagged Required Add a port in manua l mode to the voice VLAN Trunk or Hybrid port Configure the voice VLAN to be the default VLAN of the port port trunk pvid vlan vlan id port hybrid pvid vlan vlan id Optional Refer to Table 1...

Page 147: ...ed as a voice VLAN z When the number of ACL applied to a port reaches to its upper limit the voice VLAN function can not be enabled for this port You can use the display voice vlan error info command to locate such ports z When a voice VLAN operates in the security mode the devices in it only permit packets whose source addresses are the voice OUI addresses that can be identified Packets whose sou...

Page 148: ... 4 Voice VLAN Configuration Example 1 4 1 Voice VLAN Configuration Example Automatic Mode I Network requirements z Create VLAN 2 and configure it as a voice VLAN z Configure GigabitEthernet1 0 1 port as a Trunk port with VLAN 6 as the default port z GigabitEthernet1 0 1 port can be added to removed from the voice VLAN automatically according to the type of the data stream that reaches the port II ...

Page 149: ...II Configuration procedure Create VLAN 3 Quidway system view Quidway vlan 3 Quidway vlan3 quit Configure GigabitEthernet1 0 3 port to be a Trunk port and add it to VLAN 3 Quidway interface GigabitEthernet1 0 3 Quidway GigabitEthernet1 0 3 port link type trunk Quidway GigabitEthernet1 0 3 port trunk permit vlan 3 Enable the voice VLAN function for the port and configure the port to operate in manua...

Page 150: ...iguration Huawei Technologies Proprietary 1 10 Voice Vlan aging time 1440 minutes Current voice vlan enabled port mode PORT MODE GigabitEthernet1 0 3 MANUAL Remove GigabitEthernet1 0 3 port from the voice VLAN Quidway interface GigabitEthernet1 0 3 Quidway GigabitEthernet1 0 3 undo port trunk permit vlan 3 ...

Page 151: ... 1 Introduction to GVRP 1 1 1 1 1 GVRP Mechanism 1 1 1 1 2 GVRP Packet Format 1 3 1 1 3 Protocol Specifications 1 4 1 2 GVRP Configuration 1 4 1 2 1 Configuration Prerequisite 1 4 1 2 2 Configuration Procedure 1 4 1 3 Displaying and Maintaining GVRP 1 6 1 4 GVRP Configuration Example 1 6 1 4 1 Network requirements 1 6 1 4 2 Network diagram 1 7 1 4 3 Configuration procedure 1 7 ...

Page 152: ...tch also propagates the local VLAN registration information to other switches so that all the switching devices in the same switched network can have the same VLAN information The VLAN registration information includes not only the static registration information configured locally but also the dynamic registration information which is received from other switches 1 1 1 GVRP Mechanism I GARP Timer...

Page 153: ...ster all the attribute information on this entity After that the entity restarts the LeaveAll timer to begin a new cycle II GVRP port registration mode GVRP has the following three port registration modes Normal Fixed and Forbidden z Normal In this mode a port can dynamically register deregister a VLAN and propagate the dynamic static VLAN information z Fixed In this mode a port cannot register de...

Page 154: ...describes the fields of a GVRP packet Table 1 1 Description of GVRP packet fields Field Description Value Protocol ID Protocol ID 1 Message Each message consists of two parts Attribute Type and Attribute List Attribute Type Defined by the specific GARP application The attribute type of GVRP is 0x01 Attribute List It contains multiple attributes Attribute Each general attribute consists of three pa...

Page 155: ...iguration tasks include configuring the timers enabling GVRP and configuring the GVRP port registration mode 1 2 1 Configuration Prerequisite The port on which GVRP will be enabled must be set to a trunk port 1 2 2 Configuration Procedure Table 1 2 Configuration procedure Operation Command Description Enter system view system view Configure the LeaveAll timer garp timer leaveall timer value Option...

Page 156: ...vary depending on the timeout values you set for other timers If you want to set the timeout time of a timer to a value out of the current range you can set the timeout time of the associated timer to another value to change the timeout range of this timer The following table describes the relations between the timers Table 1 3 Relations between the timers Timer Lower threshold Upper threshold Hol...

Page 157: ...iguration you can use the display commands in any view to display the configuration information and operating status of GVRP GARP and thus verify your configuration You can use the reset command in user view to clear GARP statistics Table 1 4 Display and maintain GVRP Operation Command Description Display GARP statistics display garp statistics interface interface list Display the settings of the ...

Page 158: ...ets of all the VLANs Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 port link type trunk Quidway GigabitEthernet1 0 1 port trunk permit vlan all Enable GVRP on the trunk port Quidway GigabitEthernet1 0 1 gvrp GVRP is enabled on port GigabitEthernet1 0 1 z Configure switch B Enable GVRP globally Quidway system view Quidway gvrp GVRP is enabled globally Configure port GigabitEth...

Page 159: ...raffic on individual Ports 1 5 1 2 3 Enabling Flow Control on a Port 1 5 1 2 4 Configuring Access Port Attribute 1 6 1 2 5 Configuring Hybrid Port Attribute 1 6 1 2 6 Configuring Trunk Port Attribute 1 7 1 2 7 Copying the Configuration of a Port to Other Ports 1 7 1 2 8 Configuring Loopback Detection for an Ethernet Port 1 8 1 2 9 Configuring the Ethernet Port to Run Loopback Test 1 9 1 2 10 Enabl...

Page 160: ...and four SFP combo ports S5624F 24 x 1000 Mbps SFP ports and four electrical combo ports S5648P S5648P PWR 48 x 10 100 1000 Mbps electrical ports and four SFP combo ports 10 100 1000BASE TX 1000Base SX SFP 1000Base LX SFP 1000Base LH SFP 1000Base T SFP 10GBase LR XENPAK 10GBase ER XENPAK 10GBase CX4 XENPAK 10GBase LR XFP 10GBase ER XFP Each Combo optical port corresponds to an Ethernet electrical ...

Page 161: ...lows the packets of multiple VLANs to be sent without tags but a trunk port only allows the packets of the default VLAN to be sent without tags You can configure all the three types of ports on the same device However note that you cannot directly switch a port between trunk and hybrid and you must set the port as access before the switching For example to change a trunk port to hybrid you must fi...

Page 162: ...N ID receive the packet z If the VLAN ID is not the default VLAN ID but is one of the VLAN IDs allowed to pass through the port receive the packet z If the VLAN ID is neither the default VLAN ID nor one of the VLAN IDs allowed to pass through the port discard the packet z If the VLAN ID is just the default VLAN ID deprive the tag and send the packet z If the VLAN ID is not the default VLAN ID depr...

Page 163: ... By default the port is enabled Use the shutdown command to disable the port Set the description of the Ethernet port description text Optional By default no description is defined for the port Set the duplex mode of the Ethernet port duplex auto full half Optional By default the duplex mode of the port is auto auto negotiation Set the speed of the Ethernet port speed speed value auto Optional By ...

Page 164: ... Limit broadcast traffic received on the current port broadcast suppression ratio pps max pps Optional By default the switch does not suppress broadcast traffic Limit multicast traffic received on the current port multicast suppression ratio pps max pps Optional By default the switch does not suppress multicast traffic Limit unknown unicast traffic received on the current port unicast suppression ...

Page 165: ...rt view interface interface type interface number Set the link type of the port to access port link type access Optional By default the link type of a port is access Add the current access port to a specified VLAN port access vlan vlan id Optional 1 2 5 Configuring Hybrid Port Attribute Table 1 8 Configure hybrid port attribute Operation Command Remarks Enter system view system view Enter Ethernet...

Page 166: ... ID for the trunk port port trunk pvid vlan vlan id Optional If no default VLAN ID is set for a trunk port VLAN 1 system default VLAN is used as the default VLAN of the port Add the current trunk port to a specified VLAN port trunk permit vlan vlan id list all Optional 1 2 7 Copying the Configuration of a Port to Other Ports To make some other ports have the same configuration as that of a specifi...

Page 167: ...ber aggregation group source agg id destination interface list aggregation group destination agg id aggregation group destination agg id Required Note z If you specify a source aggregation group ID the system will use the port with the smallest port number in the aggregation group as the source z If you specify a destination aggregation group ID the configuration of the source port will be copied ...

Page 168: ...ction control enable Optional By default loopback port control is not enabled Configure the system to run loopback detection on all VLANs for the trunk and hybrid ports loopback detection per vlan enable Optional By default the system runs loopback detection only on the default VLAN for the trunk and hybrid ports Display port loopback detection information display loopback detection Optional You c...

Page 169: ... established in the switching chip to locate the chip failure which is related to the port After you use the shutdown command on a port the port cannot run loopback test You cannot use the speed duplex mdi and shutdown commands on the ports running loopback test Some ports do not support loopback test and corresponding prompts will be given when you perform loopback test on them 1 2 10 Enabling th...

Page 170: ...alysis on the traffic flow passing through the port during the specified interval and displays the average rates in the interval For example if you set this interval to 100 seconds the displayed information is as follows Last 100 seconds input 0 packets sec 0 bytes sec Last 100 seconds output 0 packets sec 0 bytes sec Table 1 14 Set the interval to perform statistical analysis on port traffic Oper...

Page 171: ...tion Command Remarks Display port configuration information display interface interface type interface type interface number Display information about a specified optical port display transceiver information interface interface type interface number Display the enable disable status of port loopback detection display loopback detection Display brief information about port configuration display bri...

Page 172: ...0 1 n Figure 1 1 Network diagram for Ethernet port configuratio III Configuration procedure Note z Only the configuration for Switch A is listed below The configuration for Switch B is similar to that of Switch A z This example supposes that VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 have been created Enter Ethernet port view of GigabitEthernet1 0 1 Quidway system view System View return to User V...

Page 173: ...es Proprietary 1 14 1 4 Troubleshooting Ethernet Port Configuration Symptom Fail to configure the default VLAN ID of a port Solution Take the following steps z Use the display interface or display port command to check if the port is a trunk port or a hybrid port If not configure it to a trunk port or a hybrid port z Configure the default VLAN ID ...

Page 174: ... 1 1 3 Operation Key 1 2 1 1 4 Manual Aggregation Group 1 2 1 1 5 Static LACP Aggregation Group 1 3 1 1 6 Dynamic LACP Aggregation Group 1 4 1 1 7 Aggregation Group Categories 1 6 1 2 Link Aggregation Configuration 1 7 1 2 1 Configuring a Manual Aggregation Group 1 8 1 2 2 Configuring a Static LACP Aggregation Group 1 9 1 2 3 Configuring a Dynamic LACP Aggregation Group 1 10 1 3 Displaying and Mai...

Page 175: ...r associated settings z STP configuration including STP status enabled or disabled link attribute point to point or not STP priority maximum transmission speed loop prevention status root protection status edge port or not z QoS configuration including traffic limiting priority marking default 802 1p priority traffic monitor traffic redirection traffic statistics and so on z VLAN configuration inc...

Page 176: ...ic aggregation port is zero by default 4 The member ports in a dynamic aggregation group must have the same operation key 1 1 4 Manual Aggregation Group I Introduction to manual aggregation group A manual aggregation group is manually created All its member ports are manually added and can be manually removed it inhibits the system from automatically adding removing ports to from it Each manual ag...

Page 177: ... ports also including initially DOWN port you want to add to a manual aggregation group After aggregation the smallest numbered selected port is the master port of the aggregation group and the other selected ports are the member ports of the aggregation group Note For an aggregation group z When the rate or duplex mode of a port in the aggregation group changes packet loss may occur on this port ...

Page 178: ...in the following order full duplex high speed full duplex low speed half duplex high speed half duplex low speed z The system sets the following ports to unselected state ports that are not connect to the same peer device as that of the master port and ports that are connected to the same peer device as that of the master port but their peer ports are in aggregation groups different from the group...

Page 179: ... selected ports in an aggregation group Therefore if the number of the member ports that can be set as selected ports in an aggregation group exceeds the maximum number supported by the device the system will negotiate with its peer end to determine the states of the member ports according to the port IDs of the preferred device that is the device with smaller system ID The following is the negoti...

Page 180: ...nd the ports with inferior port IDs will be set to unselected state The port ID consists of two byte port priority and two byte port number that is port ID port priority port number When two port IDs are compared the port priorities are compared first and the port numbers are compared if the port priorities are the same The port with smaller port ID is considered as the preferred one 1 1 7 Aggrega...

Page 181: ... ports while the former does not z For two aggregation groups of the same kind the one that might gain higher speed if resources were allocated to it has higher priority than the other one If the two groups can gain the same speed the one with smaller master port number has higher priority than the other one When an aggregation group of higher priority appears the aggregation groups of lower prior...

Page 182: ...d to the aggregation group z Ports where the IP MAC address binding is configured cannot be added to an aggregation group z Port security enabled ports cannot be added to an aggregation group 1 2 1 Configuring a Manual Aggregation Group You can create a manual aggregation group or remove an existing manual aggregation group after that all the member ports in the group are removed from the ports Yo...

Page 183: ...regation group 1 2 2 Configuring a Static LACP Aggregation Group You can create a static LACP aggregation group or remove an existing static aggregation group after that the system will re aggregate the original member ports in the group to form one or more dynamic aggregation groups You can manually add remove a port to from a static aggregation group and a port can only be manually added removed...

Page 184: ... LACP aggregation group is automatically created by the system based on LACP enabled ports The adding and removing of ports to from a dynamic aggregation group are automatically accomplished by LACP You need to enable LACP on the ports whom you want to participate in dynamic aggregation of the system because only when LACP is enabled on those ports at both ends can the two parties reach agreement ...

Page 185: ...rify your configuration Execute the reset command in user view to clear LACP statistics on ports Table 1 4 Display and maintain link aggregation configuration Operation Command Description Display summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group or all aggregation groups display link aggregation verbose agg ...

Page 186: ... configuration on Switch A you must perform the similar configuration on Switch B to implement link aggregation 1 Adopting manual aggregation mode Create manual aggregation group 1 Quidway system view Quidway link aggregation group 1 mode manual Add GigabitEthernet1 0 1 through GigabitEthernet1 0 3 to aggregation group 1 Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 port link...

Page 187: ... port link aggregation group 1 3 Adopting dynamic LACP aggregation mode Enable LACP on GigabitEthernet1 0 1 through GigabitEthernet1 0 3 Quidway system view Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 lacp enable Quidway GigabitEthernet1 0 1 interface GigabitEthernet1 0 2 Quidway GigabitEthernet1 0 2 lacp enable Quidway GigabitEthernet1 0 2 interface GigabitEthernet1 0 3 Qu...

Page 188: ... 1510 Table of Contents Huawei Technologies Proprietary i Table of Contents Chapter 1 Port Isolation Configuration 1 1 1 1 Port Isolation Overview 1 1 1 2 Port Isolation Configuration 1 1 1 3 Displaying Port Isolation Configuration 1 2 1 4 Port Isolation Configuration Example 1 2 ...

Page 189: ...accommodate is not limited Note The port isolation function is independent of VLAN configuration 1 2 Port Isolation Configuration Table 1 1 lists the operations to add an Ethernet port to an isolation group to isolate Layer 2 data between each port in the isolation group Table 1 1 Configure port isolation Operation Command Description Enter system view system view Enter Ethernet port view interfac...

Page 190: ...splay the information about the Ethernet ports added to the isolation group display isolate port You can execute the display command in any view 1 4 Port Isolation Configuration Example I Network requirements z PC 2 PC 3 and PC 4 are connected to GigabitEthernet1 0 2 GigabitEthernet1 0 3 and GigabitEthernet1 0 4 ports z The switch connects to the Internet through GigabitEthernet1 0 1 port z It is ...

Page 191: ...th Ctrl Z Quidway interface GigabitEthernet1 0 2 Quidway GigabitEthernet1 0 2 port isolate Quidway GigabitEthernet1 0 2 quit Quidway interface GigabitEthernet1 0 3 Quidway GigabitEthernet1 0 3 port isolate Quidway GigabitEthernet1 0 3 quit Quidway interface GigabitEthernet1 0 4 Quidway GigabitEthernet1 0 4 port isolate Quidway GigabitEthernet1 0 4 quit Quidway Display the information about the por...

Page 192: ...rity Features 1 1 1 1 3 Port Security Modes 1 1 1 2 Port Security Configuration 1 4 1 2 1 Configuring Basic Port Security Attribute 1 4 1 2 2 Configuring Security MAC 1 6 1 3 Displaying Port Security Configuration 1 7 1 4 Port Security Configuration Example 1 8 Chapter 2 Port Binding Configuration 2 1 2 1 Introduction to Port Binding 2 1 2 1 1 Port Binding Overview 2 1 2 1 2 Configuring Port Bindi...

Page 193: ... workload and greatly enhances system security and manageability 1 1 2 Port Security Features The following port security features are provided 1 NTK Need to know By means of checking the destination MAC addresses in the outbound packets of a given port NTK can ensure that only authenticated devices can receive the data packets and thus prevent data from being intercepted 2 Intrusion Protection By...

Page 194: ...hat configured with the port security max mac count command After this new Security MAC address cannot be added Only the packets whose source MAC address is the Security MAC address can pass the port secure In this mode the system is disabled from learning MAC addresses from this port Only the packets whose original MAC addresses are the configured static MAC addresses can pass the port In the aut...

Page 195: ...xisting dynamic authenticated MAC address entries on the port mac auth entication In this mode MAC address based authentication is performed for access users userlogin secure o r mac In this mode the two kinds of authentication in mac authentication and userlogin secure modes can be performed simultaneously If both kinds of authentication succeed the userlogin secure mode takes precedence over the...

Page 196: ... security enable Required Set OUI value for user authentication port security oui OUI value index index value Optional Enable the sending of type specific trap messages port security trap addresslearned intrusion dot1xlogon dot1xlogoff dot1xlogfailure ralmlogon ralmlogoff ralmlogfailure Optional By default sending of trap messages is disabled Enter Ethernet port view interface interface type inter...

Page 197: ...t the authorization information delivered by the server is applied on the port Return to system view quit Set the timer for temporarily disabling a port port security timer disableport timer Optional Defaults to 20 seconds Note The time set by the port security timer disableport timer command is the same as the time set for temporarily disabling a port while executing the port security intrusion m...

Page 198: ...n of Port Security feature and can be configured by the command or MIB manually Before adding Security MAC you may configure the port security mode to autolearn and then the MAC address learning method will change z Original dynamic MAC address will be deleted z If the maximum Security MAC number is not reached maximum the new MAC address learned by the port will be added as Security MAC z If the ...

Page 199: ...n command cannot be configured with the following features at the same time z Static and black hole MAC address z Voice VLAN feature z 802 1x feature z port link aggregation z configuration of mirroring reflect port 2 The port security max mac count count value command cannot be configured with the mac address max mac count count 1 3 Displaying Port Security Configuration After the above mentioned...

Page 200: ...tch B PC1 MAC 0001 0002 0003 Switch A Switch B Switch A Switch B PC1 MAC 0001 0002 0003 Switch A Switch B Switch A Switch B GE1 0 1 PC1 MAC 0001 0002 0003 Switch A Switch B Switch A Switch B PC1 MAC 0001 0002 0003 Switch A Switch B Switch A Switch B PC1 MAC 0001 0002 0003 Figure 1 1 Network diagram for port security configuration III Configuration procedure Configure switch A as follows Enter syst...

Page 201: ...2 1 2 Configuring Port Binding Table 2 1 Configure port binding Operation Command Description Enter system view system view Bind the legal MAC addresses and IP addresses to specific port am user bind mac addr mac address ip addr ip address interface interface type interface number Optional Enter Ethernet port view interface interface type interface number Bind the legal MAC addresses and IP addres...

Page 202: ...C1 PC2 PC1 PC2 PC1 PC2 IP Address 10 12 1 1 Switch A Switch B PC1 PC2 MAC 0001 0002 0003 PC1 PC2 PC1 PC2 PC1 PC2 IP Address 10 12 1 1 Switch A Switch B PC1 PC2 MAC 0001 0002 0003 PC1 PC2 PC1 PC2 PC1 PC2 IP Address 10 12 1 1 Switch A Switch B GE1 0 1 PC1 PC2 MAC 0001 0002 0003 PC1 PC2 PC1 PC2 PC1 PC2 IP Address 10 12 1 1 Switch A Switch B PC1 PC2 MAC 0001 0002 0003 PC1 PC2 PC1 PC2 PC1 PC2 IP Addres...

Page 203: ... Technologies Proprietary i Table of Contents Chapter 1 DLDP Configuration 1 1 1 1 DLDP Overview 1 1 1 1 1 DLDP Fundamentals 1 2 1 1 2 Precautions During DLDP Configuration 1 6 1 2 DLDP Configuration 1 7 1 2 1 DLDP Configuration Tasks 1 7 1 2 2 Resetting DLDP Status 1 8 1 3 DLDP Network Example 1 9 ...

Page 204: ... or a fiber which is disconnected The cross connected fibers in Figure 1 1 refer to optical fibers which are connected inversely The air core lines in Figure 1 2 refer to a fiber which is not connected or a fiber which is disconnected Unidirectional links can cause many problems such as spanning tree topology loop Device Link Detection Protocol DLDP can detect the link status of the optical fiber ...

Page 205: ...gical unidirectional links and to prevent the failure of other protocols such as Spanning Tree Protocol STP z Even if the links of both ends can normally operate individually on the physical layer DLDP can detect at the link layer whether these links are connected correctly and packets can be exchanged normally between the two ends This detection cannot be implemented by the auto negotiation mecha...

Page 206: ...he related DLDP neighbor information remains and the Delaydown timer is triggered II DLDP timers DLDP works with the following timers Table 1 2 DLDP timers Timer Description Advertisement sending timer Interval of sending advertisement packets which can be configured with a command line By default the interval is 10 seconds Probe sending timer The interval is 0 5 second In probe status DLDP sends ...

Page 207: ... and totally eight packets continuously to the neighbor If no echo packet is received from the neighbor when the Enhanced timer expires the local end is set to unidirectional communication status and the state machine turns into disable status DLDP outputs log and tracking information and sends flush packets Depending on the user defined DLDP down mode DLDP disables the local port automatically or...

Page 208: ...to the peer device and analyses and processes DLDP packets received from the peer device DLDP in different status sends different packets Table 1 4 Types of packets sent by DLDP DLDP status Packet types Active Advertisement packets including those with or without RSY tags Advertisement Advertisement packets Probe Probe packets 2 DLDP analyzes and processes received packets as follows z In authenti...

Page 209: ... when no echo packet is received from the neighbor No Echo packet received from the neighbor Processing procedure In normal mode no echo packet is received when the echo waiting timer expires In enhanced mode no echo packet is received when the enhanced timer expires DLDP turns into disable status It outputs log and tracking information sends flush packets Depending on the user defined DLDP down m...

Page 210: ...able DLDP globally dldp enable Enter Ethernet port view interface interface type interface number interface name Enable DLDP Enable DLDP on a port Enable DLDP on a port dldp enable Required By default DLDP is disabled Set the authentication mode and password dldp authentication mode none simple simple password md5 md5 password Optional By default the authentication mode is none Set the interval of...

Page 211: ...lly on all optical ports of the switch this command is only valid for existing optical ports on the device however it is not valid for those added subsequently z DLDP can operate normally only when the same authentication mode and password are set for local and peer ports z When the DLDP protocol works in normal mode the system can identify only one type of unidirectional links cross connected fib...

Page 212: ...us of the system dldp reset Enter Ethernet port view interface interface type interface number Reset the DLDP status of a port dldp reset Optional Caution This command only applies to the ports in DLDP down status 1 3 DLDP Network Example I Network requirements As shown in Figure 1 3 z Switch A and Switch B are connected through two pairs of fibers Both of them support DLDP z Suppose the fibers be...

Page 213: ...ayA interface gigabitethernet 1 0 50 QuidwayA GigabitEthernet1 0 50 duplex full QuidwayA GigabitEthernet1 0 50 speed 1000 QuidwayA GigabitEthernet1 0 50 quit QuidwayA interface gigabitethernet 1 0 51 QuidwayA GigabitEthernet1 0 51 duplex full QuidwayA GigabitEthernet1 0 51 speed 1000 QuidwayA GigabitEthernet1 0 51 quit Enable DLDP globally QuidwayA dldp enable Set the interval of sending DLDP pack...

Page 214: ...ate the other end is in the inactive state z If the device operates in the enhance DLDP mode the end that receives optical signals is in the disable state the other end is in the inactive state Restore the ports taken down by DLDP QuidwayA dldp reset 2 Configure Switch B The configuration of Switch B is the same to that of Switch A Note z For DLDP to detect fiber disconnection in one direction you...

Page 215: ...ntries in a MAC Address Table 1 3 1 2 Configuring MAC Address Table Management 1 4 1 2 1 Configuration Overview 1 4 1 2 2 Configuring a MAC Address Entry 1 4 1 2 3 Setting the Aging Time of MAC Address Entries 1 5 1 2 4 Setting the Maximum Number of MAC Addresses a Port Can Learn 1 6 1 3 Displaying and Maintaining MAC Address Table Configuration 1 6 1 4 Configuration Example 1 7 1 4 1 Network requ...

Page 216: ...llowing fields z Destination MAC address z ID of the VLAN which a port belongs to z Forwarding port number Upon receiving a packet a switch queries its MAC address table for the forwarding port number according to the destination MAC address carried in the packet and then forwards the packet through the port The dynamic address entries not configured manually in the MAC address table are learned b...

Page 217: ... to the switch this indicates the packet has been sent to the destination device The MAC address of the device is carried in the packet The switch adds the new MAC address to the MAC address table through address learning After that the switch can directly forward other packets destined for the same network device by using the newly added MAC address entry z If the destination device does not resp...

Page 218: ...tries can reduce broadcast packets remarkably and are suitable for networks where network devices seldom change z Dynamic MAC address entry This type of MAC address entries age out after the configured aging time They are generated by the MAC address learning mechanism or configured manually z Blackhole MAC address entry This type of MAC address entries are configured manually A switch discards th...

Page 219: ...dresses a Port Can Learn 1 2 2 Configuring a MAC Address Entry You can add modify or remove one MAC address entry remove all MAC address entries unicast MAC addresses only concerning a specific port or remove specific type of MAC address entries dynamic or static MAC address entries You can add a MAC address entry in either system view or Ethernet port view I Adding a MAC address entry in system v...

Page 220: ...aging time properly helps implement effective MAC address aging The aging time that is too long or too short results in a large amount of broadcast packets wandering across the network and decreases the performance of the switch z If the aging time is too long excessive invalid MAC address entries maintained by the switch may fill up the MAC address table This prevents the MAC address table from v...

Page 221: ...ddress table can dynamically maintains When the number of the MAC address entries learnt from a port reaches the set value the port stops learning MAC addresses Table 1 6 Set the maximum number of MAC addresses a port can learn Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Set the maximum number of MAC addresses the p...

Page 222: ...elongs to VLAN 1 1 4 2 Network diagram Console port Network port Switch Internet Console port Network port Switch Internet Figure 1 2 Network diagram for MAC address table configuration 1 4 3 Configuration procedure Enter system view Quidway system view Quidway Add a MAC address with the VLAN ports and states specified Quidway mac address static 00e0 fc35 dc71 interface GigabitEthernet 1 0 2 vlan ...

Page 223: ...anagement Huawei Technologies Proprietary 1 8 00 e0 fc 35 dc 71 1 Static GigabitEthernet1 0 2 NOAGED 00 e0 fc 17 a7 d6 1 Learned GigabitEthernet1 0 2 AGING 00 e0 fc 5e b1 fb 1 Learned GigabitEthernet1 0 2 AGING 00 e0 fc 55 f1 16 1 Learned GigabitEthernet1 0 2 AGING 4 mac address es found on port GigabitEthernet1 0 2 ...

Page 224: ...to Detect Configuration Example 1 2 Chapter 2 Auto Detect Implementation 2 1 2 1 Introduction 2 1 2 2 Auto Detect Implementation in Static Routing 2 1 2 2 1 Configuring the Auto Detect Function for a Static Route 2 1 2 2 2 Configuration Example 2 2 2 3 Auto Detect Implementation in VRRP 2 3 2 3 1 Configuring the Auto Detect Function for VRRP 2 3 2 3 2 Configuration Example 2 3 2 4 Auto Detect Impl...

Page 225: ...nction Operation Command Description Enter system view system view Create a detecting group and enter detecting group view detect group group number Required Add an IP address to be detected to the detecting group detect list list number ip address ip address nexthop ip address Required Specify how the detecting result is generated option and or Optional By default the and keyword is specified Set...

Page 226: ...is reachable that is specify the or keyword for the option command z Set the detecting interval to 60 seconds the maximum number of retries to 3 and the timeout time to 3 seconds II Network diagram SwitchA SwitchB SwitchC Switc hD 192 168 1 1 24 192 168 1 2 24 192 168 2 2 24 20 1 1 2 24 SwitchA SwitchB SwitchC Switc hD VLA N2 GE 1 0 1 SwitchA SwitchB SwitchC Switc hD 192 168 2 1 24 10 1 1 3 24 10 ...

Page 227: ...etect list 2 ip address 192 168 2 2 Specify to return reachable as the detecting result if one of the two IP addresses is reachable Quidway detect group 10 option or Set the detecting interval to 60 seconds Quidway detect group 10 timer loop 60 Set the maximum number of retries during a detecting operation to 3 Quidway detect group 10 retry 3 Set the detecting timeout time to 3 seconds Quidway det...

Page 228: ...col chapter of this manual for information about static routing z Refer to the VRRP chapter of this manual for information about VRRP 2 2 Auto Detect Implementation in Static Routing By binding a detecting group to a static route you can control the validity of a static route according to auto detect results as follows z Enable the static route when the result of the detecting group is reachable z...

Page 229: ... number set to 1 z Configure a static route between Switch A and Switch B z Enable the static route when the result of detecting group 8 is reachable II Network diagram SwitchA SwitchB SwitchC SwitchD 192 168 1 1 24 192 168 1 2 24 192 168 2 2 24 20 1 1 2 24 SwitchA SwitchB SwitchC SwitchD VLAN2 GE1 0 1 SwitchA SwitchB SwitchC SwitchD 192 168 2 1 24 10 1 1 3 24 10 1 1 4 24 GE1 0 2 SwitchA SwitchB S...

Page 230: ... 192 168 1 o Detect Implementation in VRRP You can control the priorities of VRRP backup groups according to auto detect results able automatic switch b z Decrease the priority of a VRRP backup group when the result of the detecting group is unreachabl group is reachable Note You need to create the detecting group and perform VRRP related configurations efore the following operations b Table 2 2 u...

Page 231: ... A Switch B Switch C Switch D VLA N 1 VLAN 1 VLAN 1 VLAN 1 GE 1 0 1 GE1 0 2 10 1 1 4 24 20 1 1 4 24 r implementing the auto detect function in VRRP III Configuration procedure etect group 9 ting the detect ip address 10 1 1 4 yB Vlan interface1 ip address 192 168 1 2 24 the backup 2 168 1 10 to decrease the priority i e1 vrrp vrid 1 priority 110 rack detect group 9 reduced 20 Figure 2 2 Network di...

Page 232: ...N interfaces by using the auto detect function For two VLAN interfaces configured with the same destination device you can configure them to be the primary interface and the seco latter is enabled automatically when the primary fails so as to ensure the connectivity is case the auto detect function is implemented as follows z In normal situations that is when the result of the detecting group is r...

Page 233: ...face to be the primary interface which is enabled when the result of detecting group 10 is reachable Configure VLAN 2 interface to be the secondary interface which is enabled when the result of the detecting group is unreachable z Make sure the ro 192 168 1 2 192 168 2 2 20 1 1 2 10 1 1 3 Switch A Switch B Switch C Switch D 192 168 1 2 24 192 168 2 2 24 20 1 1 3 24 10 1 1 3 24 10 1 1 4 24 Switch A...

Page 234: ...LAN interface 1 on Switch A a the IP address of 10 1 1 3 24 as the next hop QuidwayC ip route static 192 168 1 1 24 10 Configure a static route to VLAN interface 2 on Switch A with the IP address of 20 1 QuidwayC ip route z Configure Switch A Enter system view QuidwayA system view Assign an IP address to VLAN 1 interface QuidwayA interface vlan interface 1 QuidwayA Vlan inte Add port GigabitEthern...

Page 235: ...figuration 1 16 1 2 9 MSTP Time related Configuration 1 16 1 2 10 Timeout Time Factor Configuration 1 19 1 2 11 Maximum Transmitting Speed Configuration 1 19 1 2 12 Edge Port Configuration 1 20 1 2 13 Point to point Link Related Configuration 1 22 1 2 14 MSTP Configuration 1 24 1 3 Leaf Node Configuration 1 25 1 3 1 Prerequisites 1 26 1 3 2 MST Region Configuration 1 26 1 3 3 MSTP Operation Mode C...

Page 236: ...revention Configuration 1 36 1 5 7 BPDU Packets Drop Configuration 1 36 1 6 Digest Snooping Configuration 1 36 1 6 1 Introduction 1 36 1 6 2 Digest Snooping Configuration 1 37 1 7 Rapid Transition Configuration 1 38 1 7 1 Introduction 1 38 1 7 2 Rapid Transition Configuration 1 40 1 8 BPDU Tunnel Configuration 1 41 1 8 1 Introduction 1 41 1 8 2 BPDU Tunnel Configuration 1 42 1 9 MSTP Displaying an...

Page 237: ...warded endlessly in the ring network Besides this MSTP can also provide multiple redundant paths for packet forwarding and balances the forwarding loads of different VLANs MSTP is compatible with both STP and RSTP It overcomes the drawback of STP and RSTP It not only enables spanning trees to converge rapidly but also enables packets of different VLANs to be forwarded along their respective paths ...

Page 238: ...hysically interconnected MSTP enabled switches and the corresponding network segments connected to these switches These switches have the same region name the same VLAN to spanning tree mapping configuration and the same MSTP revision level A switched network can contain multiple MST regions You can group multiple switches into one MST region by using the corresponding MSTP configuration commands ...

Page 239: ... the network If you regard each MST region in the network as a switch then the CST is the spanning tree generated by STP or RSTP running on the switches In Figure 1 1 the lines in red depict the CST VI CIST A CIST is the spanning tree in a switched network that connects all switches in the network It comprises the ISTs and the CST In Figure 1 1 the ISTs in the MST regions and the CST connecting th...

Page 240: ...case the switch blocks one of the two ports The blocked port is a backup port In Figure 1 2 switch A B C and D form an MST region Port 1 and port 2 on switch A connect upstream to the common root Port 5 and port 6 on switch C form a loop Port 3 and port 4 on switch D connect downstream to other MST regions This figure shows the roles these ports play Note z A port can play different roles in diffe...

Page 241: ...ing trees The only difference is that the configuration BPDUs for MSTP carry the MSTP configuration information on the switches I Generating the CIST Through configuration BPDU comparing the switch that is of the highest priority in the network is chosen as the root of the CIST In each MST region an IST is figured out by MSTP At the same time MSTP regards each MST region as a switch to figure out ...

Page 242: ...ured out as follows z Determining the root bridge The root bridge is selected by configuration BPDU comparing The switch with the smallest root ID is chosen as the root bridge z Determining the root port For each switch in a network the port through which the configuration BPDU with the highest priority is received is chosen as the root port of the switch z Determining the designated port First th...

Page 243: ...d configurations about root bridges Table 1 2 Root bridge configuration Operation Remarks Related section MSTP configuration Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are performed Section 1 2 14 MSTP Configuration MST region configuration Required Section 1 2 2 MST Region Configuration R...

Page 244: ...2 11 Maximum Transmitting Speed Configuration Edge port configuration Optional Section 1 2 12 Edge Port Configuration Point to point link related configuration Optional Section 1 2 13 Point to point Link Related Configuration Note In a network that contains switches with both GVRP and MSTP employed GVRP packets are forwarded along the CIST If you want to broadcast packets of a specific VLAN throug...

Page 245: ...nfiguration of the MST region manually active region configuration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configuration You can execute this command in any view Configuring MST region related parameters especially the VLAN mapping table results in spanning trees ...

Page 246: ...on active region configuration Verify the above configuration Quidway mst region check region configuration Admin configuration Format selector 0 Region name info Revision level 1 Instance Vlans Mapped 0 11 to 19 31 to 4094 1 1 to 10 2 20 to 30 1 2 3 Root Bridge Secondary Root Bridge Configuration MSTP can automatically choose a switch as a root bridge You can also manually specify the current swi...

Page 247: ...command specify the current switch as the root bridge or the secondary root bridge of the CIST A switch can play different roles in different spanning tree instances That is it can be the root bridges in a spanning tree instance and be a secondary root bridge in another spanning tree instance at the same time But in one spanning tree instance a switch cannot be the root bridge and the secondary ro...

Page 248: ...configured as the root bridge or a secondary root bridge its priority cannot be modified III Configuration example Configure the current switch as the root bridge of spanning tree instance 1 and a secondary root bridge of spanning tree instance 2 Quidway system view Quidway stp instance 1 root primary Quidway stp instance 2 root secondary 1 2 4 Bridge Priority Configuration Root bridges are select...

Page 249: ...t automatically determines the format of the packets to be transmitted according to that of the received MSTP packets If the format of the received packets changes repeatedly MSTP will shut down the corresponding port to prevent network storm A port shut down in this way can only be enabled again by the network administrator z With the MSTP packet format set to legacy the port only processes and t...

Page 250: ... the switch are STP packets If the switched network contains STP enabled switches you can configure the current MSTP enabled switch to operate in this mode by using the stp mode stp command z RSTP compatible mode In this mode the protocol packets sent out of the ports of the switch are RSTP packets If the switched network contains RSTP enabled switches you can configure the current MSTP enabled sw...

Page 251: ...hat are beyond the maximum hops from participating in spanning tree generation and thus limits the size of an MST region With such a mechanism the maximum hops configured on the switch operating as the root bridge of the IST or an MSTI in a MST region becomes the network diameter of the spanning tree which limits the size of the spanning tree in the current MST region The switches that are not roo...

Page 252: ...tched network A MSTP enabled switch adjusts its Hello time Forward delay and Max age settings accordingly The network diameter setting only applies to CIST it is invalid for MSTIs II Configuration example Configure the network diameter of the switched network to 6 Quidway system view Quidway stp bridge diameter 6 1 2 9 MSTP Time related Configuration You can configure three MSTP time related param...

Page 253: ...figuration BPDU is obsolete Obsolete configuration BPDUs will be discarded I Configuration procedure Table 1 11 Configure MSTP time related parameters Operation Command Description Enter system view system view Configure the Forward delay parameter stp timer forward delay centiseconds Required The Forward delay parameter defaults to 1 500 centiseconds 15 seconds Configure the Hello time parameter ...

Page 254: ...recommended z As for the Max age parameter if it is too small network congestions may be falsely regarded as link problems which results in spanning trees being frequently regenerated If it is too large link problems may be unable to be found in time which in turn handicaps spanning trees being regenerated in time and makes the network less adaptive The default is recommended As for the configurat...

Page 255: ...or to a larger number to avoid this Normally the timeout time can be four or more times of the Hello time For a steady network the timeout time can be five to seven times of the Hello time I Configuration procedure Table 1 12 Configure timeout time factor Operation Command Description Enter system view system view Configure the timeout time factor for the switch stp timer factor number Required Th...

Page 256: ... the maximum transmitting speed stp transmit limit packetnum Required The maximum transmitting speed of all Ethernet ports on a switch defaults to 10 As the maximum transmitting speed parameter determines the number of the configuration BPDUs transmitted in each Hello time set it to a proper value to avoid MSTP from occupying too many network resources The default is recommended III Configuration ...

Page 257: ...ports II Configuration procedure in Ethernet port view Table 1 16 Configure a port as an edge port in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure the port as an edge port stp edged port enable Required By default all the Ethernet ports of a switch are non edge ports On a switch with BPDU...

Page 258: ... whether or not the link connected to a port is a point to point link in one of the following two ways I Configuration procedure in system view Table 1 17 Specify whether or not the links connected to the specified ports are point to point links in system view Operation Command Description Enter system view system view Specify whether or not the links connected to the specified ports are point to ...

Page 259: ...onnected to the port is not a point to point link The auto keyword specifies to automatically determine whether or not the link connected to the port is a point to point link Note Among aggregated ports you can only configure the links of master ports as point to point links If an auto negotiating port operates in full duplex mode after negotiation you can configure the link of the port as a point...

Page 260: ...all ports after you enable MSTP in system view To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree generation this operation saves CPU resources Table 1 20 Disable MSTP in Ethernet port view Operation Command Description Enter system view system view Enable MSTP stp enable Required MSTP is disabled by default...

Page 261: ...ble 1 21 Leaf node configuration Operation Remarks Related section MSTP configuration Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after performing other configurations Section 1 2 14 MSTP Configuration MST region configuration Required Section 1 2 2 MST Region Configuration MSTP operation mode configuration Optional Section ...

Page 262: ...status root branch or leaf of each switch in each spanning tree instance is determined 1 3 2 MST Region Configuration Refer to section 1 2 2 MST Region Configuration 1 3 3 MSTP Operation Mode Configuration Refer to section 1 2 6 MSTP Operation Mode Configuration 1 3 4 Timeout Time Factor Configuration Refer to section 1 2 10 Timeout Time Factor Configuration 1 3 5 Maximum Transmitting Speed Config...

Page 263: ... system view Specify the standard to be used to calculate the default path costs of the links connected to the ports of the switch stp pathcost standard dot1d 1998 dot1t legacy Optional By default the IEEE 802 1t standard is used to calculate the default path costs Table 1 23 Transmission speeds and the corresponding path costs Transm ission speed Operation mode half full duplex 802 1D 1998 IEEE 8...

Page 264: ...the path cost of an aggregated link Path cost 200 000 link transmission speed Where the link transmission speed is the sum of the speeds of the unblocked ports on the aggregated link which is measured in 100 Kbps II Configuring the path costs of ports Table 1 24 Configure the path cost for specified ports in system view Operation Command Description Enter system view system view Configure the path...

Page 265: ...ee instance 1 to the default one calculated with the IEEE 802 1D 1998 standard z Configure in system view Quidway system view Quidway undo stp interface GigabitEthernet1 0 1 instance 1 cost Quidway stp pathcost standard dot1d 1998 z Configure in Ethernet port view Quidway system view Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 undo stp instance 1 cost Quidway GigabitEtherne...

Page 266: ...the port stp instance instance id port priority priority Required The default port priority is 128 Changing port priority of a port may change the role of the port and put the port into state transition A smaller port priority value indicates a higher possibility for the port to become the root port If all the ports of a switch have the same port priority value the port priorities are determined b...

Page 267: ...n the STP compatible mode In this case you can force the port to transit to the MSTP mode by performing the mCheck operation on the port Similarly a port on an RSTP enabled switch operating as an upstream switch transits to the STP compatible mode when it has an STP enabled switch connected to it When the STP enabled downstream switch is then replaced by an MSTP enabled switch the port cannot auto...

Page 268: ...tion The following protection functions are available on an MSTP enabled switch BPDU protection root protection loop prevention and TC BPDU attack prevention I BPDU protection Normally the access ports of the devices operating on the access layer directly connect to terminals such as PCs or file servers These ports are usually configured as edge ports to achieve rapid transition But they resume no...

Page 269: ...ocked ports by receiving and processing BPDUs from the upstream switch These BPDUs may get lost because of network congestions and link failures If a switch does not receive BPDUs from the upstream switch for certain period the switch selects a new root port the original root port becomes a designated port and the blocked ports transit to forwarding state This may cause loops in the network The lo...

Page 270: ...n Operation Command Description Enter system view system view Enable the BPDU protection function stp bpdu protection Required The BPDU protection function is disabled by default II Configuration example Enable the BPDU protection function Quidway system view Quidway stp bpdu protection 1 5 4 Root Protection Configuration I Configuration Procedure Table 1 31 Enable the root protection function in ...

Page 271: ...ay system view Quidway stp interface GigabitEthernet1 0 1 root protection z Configure in Ethernet port view Quidway system view Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 stp root protection 1 5 5 Loop Prevention Configuration I Configuration Procedure Table 1 33 Enable the loop prevention function on a port Operation Command Description Enter system view system view Enter...

Page 272: ...ets Drop Configuration Table 1 35 BPDU packets drop configuration procedure Operation Command Description Enter system view system view Enter Ethernet port view interface interface name Enable the BPDU packets drop function in Ethernet port view bpdu drop any Required Enable the BPDU packets drop function on GigabitEthernet1 0 1 Quidway system view Quidway interface GigabitEthernet 1 0 1 Quidway G...

Page 273: ...n the BPDUs to be send to the partner s switch In this way the S5600 series switches can interwork with the partners switches in the same MST region 1 6 2 Digest Snooping Configuration Configure the digest snooping feature on a switch to enable it to interwork with other switches that adopt proprietary protocols to calculate configuration digests in the same MST region through MSTIs I Prerequisite...

Page 274: ... With the digest snooping feature is enabled the VLAN to MSTI mapping cannot be modified z The digest snooping feature is not applicable on MST region edge ports 1 7 Rapid Transition Configuration 1 7 1 Introduction Designated ports on switches adopting RSTP or MSTP use the following two types of packets to implement rapid transition z Proposal packets Packets sent by designated ports to request r...

Page 275: ...kets to upstream switch Designated port change to Forw arding state Send agreement packets Root port blocks other non edge ports Designated port Root port Upstream sw itch Dow nstream switch Send proposal packets to request rapid transition Send agreement packets Root port changes to Forw arding state and sends agreement packets to upstream switch Designated port change to Forw arding state Send a...

Page 276: ...s connected to a partner s switch The former operates as the downstream switch and the latter operates as the upstream switch The network operates normally The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports Port 1 is a designated port The downstream switch is running MSTP Port 2 is the root port P...

Page 277: ... rapid transition feature can be enabled on root ports or alternate ports only z If you configure the rapid transition feature on the designated port the feature does not take effect on the port 1 8 BPDU Tunnel Configuration 1 8 1 Introduction The BPDU Tunnel function enables BPDUs to be transparently transmitted between geographically dispersed user networks through specified VLAN VPNs in operato...

Page 278: ...twork hierarchy 1 8 2 BPDU Tunnel Configuration Table 1 39 Configure the BPDU Tunnel function Operation Command Description Enter system view system view Enable MSTP globally stp enable Enable the BPDU Tunnel function globally vlan vpn tunnel Required Enter Ethernet port view interface interface type interface number Make sure that you enter the Ethernet port view of the port for which you want to...

Page 279: ...formation about the current switch display stp instance instance id interface interface list slot slot number brief Display region configuration display stp region configuration Clear MSTP related statistics reset stp interface interface list 1 10 MSTP Implementation Example I Network requirements Implement MSTP in the network shown in Figure 1 7 to enable packets of different VLANs to be forwarde...

Page 280: ...it shown in Figure 1 7 means the corresponding link permits packets of specific VLANs III Configuration procedure z Configure Switch A Enter MST region view Quidway system view Quidway stp region configuration Configure the MST region Quidway mst region region name example Quidway mst region instance 1 vlan 10 Quidway mst region instance 3 vlan 30 Quidway mst region instance 4 vlan 40 Quidway mst ...

Page 281: ...region configuration Configure the MST region Quidway mst region region name example Quidway mst region instance 1 vlan 10 Quidway mst region instance 3 vlan 30 Quidway mst region instance 4 vlan 40 Quidway mst region revision level 0 Activate the settings of the MST region Quidway mst region active region configuration Specify Switch C as the root bridge of spanning tree instance 4 Quidway stp in...

Page 282: ... switch and are enabled with the BPDU Tunnel function Thereby transparent transmission is realized between the user s network and the operator s network II Network diagram Switch C Switch A E 0 1 Switch D Switch B E 1 0 2 E 0 1 E 1 0 1 Switch C Switch A E 1 0 1 E 0 1 Switch D Switch B E 0 1 E 1 0 2 Switch C Switch A E 0 1 Switch D Switch B E 1 0 2 E 0 1 E 1 0 1 Switch C Switch A E 1 0 1 E 0 1 Swit...

Page 283: ...interface GigabitEthernet 1 0 1 Quidway GigabitEthernet1 0 1 port access vlan 10 Quidway GigabitEthernet1 0 1 stp disable Quidway GigabitEthernet1 0 1 vlan vpn enable Quidway GigabitEthernet1 0 1 quit Configure port Ethternet1 0 2 as a trunk port Quidway interface GigabitEthernet 1 0 2 Quidway GigabitEthernet1 0 2 port link type trunk Add the trunk port to all VLANs Quidway GigabitEthernet1 0 2 po...

Page 284: ... port access vlan 10 Quidway GigabitEthernet1 0 2 stp disable Quidway GigabitEthernet1 0 2 vlan vpn enable Quidway GigabitEthernet1 0 2 quit Configure port GigabitEthernet1 0 1 as a trunk port Quidway interface GigabitEthernet 1 0 1 Quidway GigabitEthernet1 0 1 port link type trunk Add the trunk port to all VLANs Quidway GigabitEthernet1 0 1 port trunk permit vlan all ...

Page 285: ...2 1 Configuration Prerequisites 2 2 2 2 2 Configuring a Static Route 2 2 2 3 Displaying the Routing Table 2 3 2 4 Static Route Configuration Example 2 3 2 5 Troubleshooting a Static Route 2 5 Chapter 3 RIP Configuration 3 1 3 1 RIP Overview 3 1 3 1 1 Basic Concepts 3 1 3 1 2 RIP Startup and Operation 3 2 3 2 Introduction to RIP Configuration Tasks 3 2 3 3 Basic RIP Configuration 3 3 3 3 1 Configur...

Page 286: ...figuration Prerequisites 4 15 4 6 2 Configuring OSPF Route Summary 4 15 4 6 3 Configuring OSPF to Filter Received Routes 4 16 4 6 4 Configuring the Cost for Sending Packets on an OSPF Interface 4 17 4 6 5 Setting OSPF Route Priority 4 17 4 6 6 Configuring the Maximum Number of OSPF Equal Cost Routes 4 18 4 6 7 Configuring OSPF to Import External Routes 4 18 4 7 OSPF Network Adjustment and Optimiza...

Page 287: ...tising 5 21 5 4 5 Configuring Related ACLs 5 22 5 4 6 Configuring the BGP Route Advertising Policy 5 23 5 4 7 Configuring BGP Route Receiving Policy 5 24 5 4 8 Configuring BGP IGP Route Synchronization 5 25 5 4 9 Configuring BGP Route Dampening 5 26 5 5 Configuring BGP Route Attributes 5 26 5 5 1 Configuration Prerequisites 5 26 5 5 2 Configuring BGP Route Attributes 5 27 5 6 Adjusting and Optimiz...

Page 288: ...ements 6 4 6 4 ip prefix Configuration 6 7 6 4 1 Configuration Prerequisites 6 7 6 4 2 Configuring an ip prefix list 6 7 6 5 AS Path List Configuration 6 8 6 6 Community List Configuration 6 8 6 7 Displaying IP Routing Policy 6 9 6 8 IP Routing Policy Configuration Example 6 9 6 8 1 Configuring IP Routing Policy Information 6 9 6 9 Troubleshooting IP Routing Policy 6 12 Chapter 7 Route Capacity Co...

Page 289: ...net As a router receives a packet it selects an appropriate route through a network according to the destination address of the packet and forwards the packet to the next router The last router on the route is responsible for delivering the packet to the destination host A route segment is a common physical network interconnecting two nodes which are deemed adjacent on the Internet That is two rou...

Page 290: ...et is similar to that in a conventional network Routing through the shortest route is not always the most ideal way For example routing across three high speed LAN route segments may be much faster than routing across two low speed WAN route segments 1 1 2 Route Selection through the Routing Table The key for a router to forward packets is the routing table Each router maintains a routing table Ea...

Page 291: ...hese routes may be discovered by different routing protocols or be manually configured static routes The one with the highest preference the smallest numerical value will be selected as the current optimal route According to different destinations routes fall into the following categories z Subnet route The destination is a subnet z Host route The destination is a host In addition according to whe...

Page 292: ... 0 3 16 0 0 1 16 0 0 2 13 0 0 3 15 0 0 1 15 0 0 2 14 0 0 1 14 0 0 2 13 0 0 2 13 0 0 1 12 0 0 1 12 0 0 2 12 0 0 3 Routing table of router R8 Destination network 10 0 0 0 Next hop Interf ace 10 0 0 1 2 11 0 0 0 11 0 0 1 1 12 0 0 0 11 0 0 2 1 11 0 0 2 13 0 0 0 13 0 0 4 3 14 0 0 0 13 0 0 2 3 15 0 0 0 13 0 0 2 3 16 0 0 0 10 0 0 2 2 Figure 1 2 Routing table The Quidway S5600 Series Ethernet Switches her...

Page 293: ...re equal When there is no route with a higher preference to the same destination the multiple routes will be adopted Then the packets destined for the same destination will be forwarded through these routes in turn to implement traffic sharing II Route backup The S5600 series support route backup When the main route fails the system automatically switches to a backup route to improve network relia...

Page 294: ...thms of various routing protocols are different different routing protocols may discover different routes This brings about the problem of how to share the discovered routes between routing protocols The S5600 series can import with the import route command the routes discovered by one routing protocol to another routing protocol Each protocol has its own route redistribution mechanism For detaile...

Page 295: ...tined for this destination will be discarded and the source hosts will be informed of the unreachability of the destination z Blackhole route route with blackhole attribute If a static route destined for a destination has the blackhole attribute the outgoing interface of this route is the Null 0 interface regardless of the next hop address and all the IP packets addressed to this destination will ...

Page 296: ...Enter system view system view Add a static route ip route static ip address mask mask length interface type interface number next hop preference value reject blackhole description text detect group group number Required By default the system can obtain the route to the subnet directly connected to the router Delete all static routes delete static routes all Optional This command deletes all static...

Page 297: ...g table ip address mask longer match verbose Display the routes in a specified address range display ip routing table ip address1 mask1 ip address2 mask2 verbose Display the routes discovered by a specified protocol display ip routing table protocol protocol inactive verbose Display the tree structured routing table information display ip routing table radix Display the statistics of the routing t...

Page 298: ...on make sure that the Ethernet link layer works normally and the IP addresses of the VLAN interfaces have been configured correctly Configure static routes on SwitchA SwitchA ip route static 1 1 3 0 255 255 255 0 1 1 2 2 SwitchA ip route static 1 1 4 0 255 255 255 0 1 1 2 2 SwitchA ip route static 1 1 5 0 255 255 255 0 1 1 2 2 Configure static routes on SwitchB SwitchB ip route static 1 1 2 0 255 ...

Page 299: ...the figure can interconnect with each other 2 5 Troubleshooting a Static Route Symptom The switch is not configured with a dynamic routing protocol Both the physical status and the link layer protocol status of an interface are UP but IP packets cannot be normally forwarded on the interface Solution Perform the following procedure Use the display ip routing table protocol static command to view wh...

Page 300: ...e To improve performance and avoid routing loop RIP supports split horizon Besides RIP can import routes from other routing protocols II RIP routing database Each router running RIP manages a routing database which contains routing entries to all the reachable destinations in the internetwork Each routing entry contains the following information z Destination address IP address of a host or networ...

Page 301: ... receiving the update triggering packet the neighbor sends the packet to all its neighbors After a series of update triggering processes each router can get and keep the updated routing information z By default RIP sends its routing table to its neighbors every 30 seconds Upon receiving the packets the neighbors maintain their own routing tables and select optimal routes and then advertise update ...

Page 302: ... Configuring RIP Route Control Configuring RIP to import routes from another protocol Optional 3 4 2 VII Configuring RIP timers Optional 3 5 2 I Configuring split horizon Optional 3 5 2 II Configuring RIP 1 packet zero field check Optional 3 5 2 III Setting RIP 2 packet authentication mode Optional 3 5 2 IV RIP Network Adjustment and Optimization Configuring a RIP neighbor Optional 3 5 2 V Display...

Page 303: ...gment only when it is enabled on the interface When RIP is disabled on an interface it does not operate on the interface that is it neither receives sends routes on the interface nor forwards its interface route Therefore after RIP is enabled globally you must also specify its operating network segments to enable it on the corresponding interfaces z The network 0 0 0 0 command is used to enable RI...

Page 304: ... implementation it may be needed to control RIP routing information more accurately to accommodate complex network environments By performing the configuration described in the following sections you can z Control route selection by adjusting additional routing metrics on interfaces running RIP z Reduce the size of the routing table by setting route summary and disabling the receiving of host rout...

Page 305: ...n value Optional By default the additional routing metric added for incoming routes on an interface is 0 Set the additional routing metric to be added for outgoing RIP routes on this interface rip metricout value Optional By default the additional routing metric added for outgoing routes on an interface is 1 Note The rip metricout command takes effect only on the RIP routes learnt by the router an...

Page 306: ...the receiving of host route Operation Command Description Enter system view system view Enter RIP view rip Disable the receiving of host routes undo host route Optional By default the router receives host routes IV Configuring RIP to filter or advertise the received routes The route filtering function provided by a router enables you to configure inbound outbound filter policy by specifying an ACL...

Page 307: ... and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors z The filter policy export command filters all the routes to be advertised including the routes imported by using the import route command as well as RIP routes learned from neighbors z The filter policy export command without the routing protocol argument filters all the routes to be a...

Page 308: ...col import route protocol process id cost value allow ibgp route policy route policy name Optional The allow ibgp parameter is used only for importing BGP routes The process id parameter is used only for importing OSPF routes 3 5 RIP Network Adjustment and Optimization In some special network environments some RIP features need to be configured and RIP network performance needs to be adjusted and ...

Page 309: ...update timer timeout timeout timer Optional By default Update timer value is 30 seconds and Timeout timer value is 180 seconds Note When configuring the values of RIP timers you should take network performance into consideration and perform consistent configuration on all routers running RIP to avoid unnecessary network traffic and network route oscillation II Configuring split horizon Table 3 13 ...

Page 310: ...RIP 1 zero field check is performed on incoming packets those RIP 1 packets with nonzero value in a zero filed will not be processed further As a RIP 2 packet has no zero fields this configuration is invalid for RIP 2 IV Setting RIP 2 packet authentication mode RIP 2 supports two authentication modes simple authentication and MD5 authentication Simple authentication cannot provide complete securit...

Page 311: ...rts the packet format defined in RFC 2082 V Configuring a RIP neighbor Table 3 16 Configure a RIP neighbor Operation Command Description Enter system view system view Enter RIP view rip Configure a RIP neighbor peer ip address Required To make RIP works on a link that does not support broadcast multicast packets you must manually configure the RIP neighbor Normally RIP uses broadcast or multicast ...

Page 312: ... shown in Figure 3 1 SwitchC is connected to subnet 117 102 0 0 through an Ethernet port SwitchA and SwitchB are connected to networks 155 10 1 0 and 196 38 165 0 respectively through Ethernet ports SwitchC SwitchA and SwitchB are interconnected through Ethernet 110 11 2 0 It is required to configure RIP correctly to ensure the interworking between the networks connected to SwitchC SwitchA and Swi...

Page 313: ...rip network 196 38 165 0 SwitchB rip network 110 11 2 0 3 Configure SwitchC Configure RIP SwitchC system view SwitchC rip network 117 102 0 0 SwitchC rip network 110 11 2 0 3 8 Troubleshooting RIP Configuration Symptom The layer 3 switch cannot receive any RIP update packet when the physical connection between the switch and the peer routing device is normal Solution RIP is not enabled on the corr...

Page 314: ...nto different areas for convenient management so that routing information transmitted between the areas is abstracted further thereby reducing network bandwidth consumption z Equivalent route OSPF supports multiple equivalent routes to the same destination z Routing hierarchy OSPF has a four level routing hierarchy It prioritizes the routes as intra area inter area external type 1 and external typ...

Page 315: ... 4 III DR and BDR OSPF supports interface based packet authentication to guarantee the security of route calculation In addition it transmits and receives packets in multicast 224 0 0 5 and 224 0 0 6 4 1 3 Basic OSPF Concepts I Router ID To run OSPF a router must have a router ID If no router ID is configured the system will automatically select an IP address from the IP addresses of the current i...

Page 316: ...ea and virtual link Backbone Area With OSPF area partition not all areas are equal One of the areas is different from any other area Its area ID is 0 and it is usually called the backbone area Virtual link Since all areas must be connected to the backbone area the concept virtual link is introduced to maintain logical connectivity between the backbone area and any other area physically separated f...

Page 317: ...link layer protocol to P2MP A P2MP network must be compulsorily changed from another network type The common practice is to change an NBMA network into a P2MP network In a P2MP network protocol packets are sent in multicast 224 0 0 5 z Point to point P2P If PPP or HDLC is adopted OSPF defaults the network type to P2P In a P2P network protocol packets are sent in multicast 224 0 0 5 II Principles f...

Page 318: ...waste bandwidth To solve this problem DR is defined in OSPF so that all routers send information to the DR only and the DR broadcasts the network link states in the network If the DR fails a new DR must be elected and synchronized with the other routers on the network The process takes quite a long time in the process route calculation is incorrect To shorten the process BDR is introduced in OSPF ...

Page 319: ...ity will be preferred If their priorities are the same the one with greater router ID will be preferred A router whose DR priority is 0 can neither be elected as the DR nor be elected as the BDR Note the following points z DR election is required for broadcast or NBMA interfaces but is not required for P2P or P2MP interfaces z DR is based on the router interfaces in a certain segment A router may ...

Page 320: ...t LSAck packets are used to acknowledge received LSU packets An LSAck contains the HEAD s of LSA s to be acknowledged one LSAck packet can acknowledge multiple LSAs 4 1 6 LSA Types I Five basic LSA types As described in the preceding sections LSAs are the primary source for OSPF to calculate and maintain routes RFC 2328 defines five types of LSAs z Router LSA Type 1 LSAs generated by every router ...

Page 321: ...a z OSPF multi process Multiple OSPF processes can be run on a router z Sharing discovered routing information with other dynamic routing protocols At present OSPF supports importing the routes of other dynamic routing protocols such as RIP and static routes as OSPF external routes into the AS to which the router belongs In addition OSPF supports advertising the routing information it discovered t...

Page 322: ...PF Interface Optional 4 6 4 Setting OSPF Route Priority Optional 4 6 5 Configuring the Maximum Number of OSPF Equal Cost Routes Optional 4 6 6 OSPF Route Control Configuring OSPF to Import External Routes Optional 4 6 7 Configuring OSPF Timers Optional 4 7 2 Configuring the LSA transmission delay Optional 4 7 3 Configuring the SPF Calculation Interval Optional 4 7 4 Disabling OSPF Packet Transmiss...

Page 323: ...figure router IDs manually make sure each router ID is uniquely used by one router in the AS A common practice is to set the router ID to the IP address of an interface on the router z Enabling OSPF VRP versatile routing platform supports multiple OSPF processes To enable multiple OSPF processes on a router you need to specify different process IDs OSPF process ID is only locally significant it do...

Page 324: ...PF multi instance is unique That is the ID of OSPF multi instance must be different from any in use process ID z One segment can belong to only one area and you must specify each OSPF interface to belong to a particular area 4 4 OSPF Area Attribute Configuration Area partition in OSPF reduces the number of LSAs in the network and enhances OSPF scalability To further reduce routing table size and t...

Page 325: ...ion Command Description Enter system view system view Enter OSPF view ospf process id router id router id Enter OSPF area view area area id Configure the current area to be a stub area stub no summary Optional By default no area is configured as a stub area Configure an area to be an NSSA area nssa default route advert ise no import route no summary Optional By default no area is configured as an ...

Page 326: ...the network type forcibly Configure the interface type as P2MP if not all the routers are directly accessible on an NBMA network Change the interface type to P2P if the router has only one peer on the NBMA network In addition when configuring a broadcast network or NBMA network you can also specify DR priority for each interface to control the DR BDR selection in the network Thus the router with h...

Page 327: ...if the interfaces are on the same network segment 4 5 3 Setting an NBMA Neighbor Some special configurations need to be done on an NBMA network Since an NBMA interface cannot discover the adjacent router by broadcasting Hello packets you must manually specify the IP address of the adjacent router for the interface and whether the adjacent router has the right to vote Table 4 5 Set NBMA neighbor Op...

Page 328: ...ter will believe that the neighbor has no right to vote and sends no Hello packet to it This configuration can reduce the number of Hello packets on the network during the election of DR and BDR However if the local router is already a DR or BDR it will send Hello packets to the neighbor whose DR priority is 0 to establish the neighboring relationship 4 6 OSPF Route Control Perform the following c...

Page 329: ...led on an ABR Table 4 8 Configure ASBR route summary Operation Command Description Enter system view system view Enter OSPF view ospf process id router id router id Enable ASBR route summary asbr summary ip address mask not advertise tag value Required This command takes effect only when it is configured on an ASBR By default summary of imported routes is disabled 4 6 3 Configuring OSPF to Filter ...

Page 330: ...ace interface type interface number Configure the cost for sending packets on an OSPF interface ospf cost value Optional By default OSPF calculates the cost for sending packets on an interface according to the current baud rate on the interface For a VLAN interface on the switch this value is fixed at 10 4 6 5 Setting OSPF Route Priority Since multiple dynamic routing protocols may be running on o...

Page 331: ...path number value Optional 4 6 7 Configuring OSPF to Import External Routes Table 4 13 Configure OSPF to import external routes Operation Command Description Enter system view system view Enter OSPF view ospf process id router id router id Enable OSPF to import routes of other protocols import route protocol cost value type value tag value route policy route policy name Required By default OSPF do...

Page 332: ...t route To import the default route you must use the default route advertise command z The filtering of advertised routes by OSPF means that OSPF only converts the external routes meeting the filter criteria into Type 5 or Type 7 LSAs and advertises them z When enabling OSPF to import external routes you can also configure the defaults of some additional parameters such as cost number of routes ta...

Page 333: ...nterval is in inverse proportion to route convergence speed and network load The dead time on an interface must be at least four times of the Hello interval on the same interface After a router sends an LSA to a neighbor it waits for an acknowledgement packet from the neighbor If the router receives no acknowledgement packet from the neighbor within the retransmission interval it retransmits the L...

Page 334: ...er on the interface ospf timer retransmit interval Optional By default this interval is five seconds Note z Default Hello and Dead timer values will be restored once the network type is changed z Do not set an LSA retransmission interval that is too short Otherwise unnecessary retransmission will occur LSA retransmission interval must be greater than the round trip time of a packet between two rou...

Page 335: ... negative affection caused by frequent network changes Table 4 16 Set the SPF calculation interval Operation Command Description Enter system view system view Enter OSPF view ospf process id router id router id Set the SPF calculation interval spf schedule interval interval Optional By default the SPF calculation interval is five seconds 4 7 5 Disabling OSPF Packet Transmission on an Interface To ...

Page 336: ...lationship can be established on the interface This enhances OSPF networking adaptability thus reducing the consumption of system resources 4 7 6 Configuring OSPF Authentication Table 4 18 Configure OSPF authentication Operation Command Description Enter system view system view Enter OSPF view ospf process id router id router id Enter OSPF area view area area id Configure the authentication mode o...

Page 337: ...nsmitting DD packets After the following configuration the actual MTU value of the interface is filled in the Interface MTU field of the DD packets Table 4 19 Configure to fill the MTU field when an interface transmits DD packets Operation Command Description Enter system view system view Enter Ethernet interface view interface interface type interface number Enable the interface to fill in the MT...

Page 338: ...ange iftxretransmit lsdbapproachoverflow lsdboverflow maxagelsa nbrstatechange originatelsa vifauthfail vifcfgerror virifrxbadpkt virifstatechange viriftxretransmit virnbrstatechange Optional You can configure OSPF to send diversified SNMP TRAP messages and specify a certain OSPF process to send SNMP TRAP messages by process ID 4 8 Displaying OSPF Configuration After the above configuration you ca...

Page 339: ...xthop Display OSPF routing table display ospf process id routing Display OSPF virtual links display ospf process id vlink Display OSPF request list display ospf process id request queue Display OSPF retransmission list display ospf process id retrans queue Display the information about OSPF ABR and ASBR display ospf process id abr asbr Display OSPF interface information display ospf process id int...

Page 340: ...annot be elected as the DR No priority is set for SwitchD so it has a default priority of 1 II Network diagram BDR 196 1 1 4 24 196 1 1 3 24 196 1 1 2 24 DR Sw itch A Sw itch D Sw itch B Sw itch C 1 1 1 1 4 4 4 4 3 3 3 3 2 2 2 2 196 1 1 1 24 BDR 196 1 1 4 24 196 1 1 3 24 196 1 1 2 24 DR Sw itch A Sw itch D Sw itch B Sw itch C 1 1 1 1 4 4 4 4 3 3 3 3 2 2 2 2 196 1 1 1 24 Figure 4 3 DR election base...

Page 341: ...itchA has three peers The state of each peer is full which means that adjacency is established between SwitchA and each peer SwitchA and SwitchC must establish adjacencies with all the switches on the network so that they can serve as the DR and BDR respectively on the network SwitchA is DR while SwitchC is BDR on the network All the other neighbors are DR others This means that they are neither D...

Page 342: ...tween SwitchB and SwitchC in Area 1 II Network diagram 152 1 1 1 24 196 1 1 2 24 Sw itch A 1 1 1 1 Sw itch B 2 2 2 2 Virtual link 197 1 1 2 24 Area 2 Area 1 Area 0 Sw itch C 3 3 3 3 197 1 1 1 24 196 1 1 1 24 152 1 1 1 24 196 1 1 2 24 Sw itch A 1 1 1 1 Sw itch B 2 2 2 2 Virtual link 197 1 1 2 24 Area 2 Area 1 Area 0 Sw itch C 3 3 3 3 197 1 1 1 24 196 1 1 1 24 Figure 4 4 OSPF virtual link configurat...

Page 343: ...B ospf 1 area 0 0 0 1 vlink peer 3 3 3 3 Configure SwitchC SwitchC system view SwitchC interface Vlan interface 1 SwitchC Vlan interface1 ip address 152 1 1 1 255 255 255 0 SwitchC Vlan interface1 quit SwitchC interface Vlan interface 2 SwitchC Vlan interface2 ip address 197 1 1 1 255 255 255 0 SwitchC Vlan interface2 quit SwitchC router id 3 3 3 3 SwitchC ospf SwitchC ospf 1 area 1 SwitchC ospf 1...

Page 344: ...nsistent p2p or virtually linked segments can have different segments and masks z Ensure that the dead timer value is at least four times of the hello timer value on the same interface z If the network type is NBMA you must use the peer ip address command to manually specify a peer z If the network type is broadcast or NBMA ensure that there is at least one interface with a priority greater than z...

Page 345: ...re 4 5 OSPF area z A virtual link cannot pass through a stub area The backbone area Area 0 cannot be configured as a stub area So if a virtual link has been set up between RTB and RTC neither Area 1 nor Area 0 can be configured as a stub area In Figure 4 5 only Area 2 can be configured as a stub area z A router in a stub area cannot receive external routes z The backbone area must guarantee the co...

Page 346: ...BGP 4 described in RFC1771 As the actual internet exterior routing protocol standard BGP 4 is widely employed between internet service providers ISP Note Unless otherwise noted BGP in the following sections refers to BGP 4 BGP is featured by the following z Unlike interior gateway protocols IGP such as OSPF open shortest path first RIP routing information field and so on BGP is an exterior gateway...

Page 347: ...he following forms z IBGP Internal BGP z EBGP External BGP When BGP runs inside an AS it is called interior BGP IBGP when BGP runs among different ASs it is called exterior BGP EBGP 5 1 1 BGP Message Type I Format of a BGP packet header BGP is message driven There are five types of BGP packets Open Update Notification Keepalive and Route refresh They share the same packet header the format of whic...

Page 348: ...ed when two BGP speakers negotiate for the connection between them The Hold times of two BGP peers are the same A BGP speaker considers the connection between itself and its BGP peer to be terminated if it receives no Keepalive or Update message from its BGP peer during the hold time z BGP Identifier The IP address of a BGP router z Opt Parm Len The length of the optional parameters A value of 0 i...

Page 349: ...TLV Type Length Value triplet In BGP loop avoidance routing and protocol extensions are implemented through these attribute values z NLRI Network Layer Reachability Information Contains the information such reachable route suffix and the corresponding suffix length IV Notification When BGP detects error state it sends the Notification message to peers and then tear down the BGP connection Figure 5...

Page 350: ...still be received and be forwarded to BGP speakers z Optional non transitive attributes which is dropped on the BGP routers that do not support them In this case the attributes are not forwarded to other BGP routers Table 5 1 lists basic BGP route attributes and the categories they belong to Table 5 1 BGP route attributes and the corresponding categories BGP route attribute Category Origin Well kn...

Page 351: ... route passes the ASs Before a BGP speaker advertises a route to the BGP speakers of other ASs it adds the local AS number to the head of the AS number queue in the AS_Path attribute According to the AS_Path attribute of a received BGP route a router can retrieve the information about the ASs the route passes In AS_Path attribute AS numbers are listed by the distances between the ASs and the local...

Page 352: ...The Next_Hop attribute is set in the following ways z When a BGP speaker advertises a route generated by itself to all its neighbors it sets the Next_Hop attribute of the routing information to the address of its own interface connecting to the peer z When a BGP speaker sends a received route to one of its EBGP peer it sets the Next_Hop attribute of the routing information to the address of its in...

Page 353: ...erA AS10 9 0 0 0 D 9 0 0 0 Next_Hop 2 1 1 1 MED 0 EBGP EBGP IBGP IBGP IBGP MED 0 MED 100 2 1 1 1 3 1 1 1 Figure 5 7 MED attribute Normally BGP only compares the MED attribute values of the routes received from the same AS Note In VRP implementations you can force BGP to compare MED values of routes coming from different ASs 5 Local_Pref The Local_Pref attribute is only valid among IBGP peers It is...

Page 354: ...tribute can be advertised to all BGP peers z No_Export Routes with this attribute cannot be sent to routers outside the local AS With the presence of the confederation routes of this kind cannot be advertised outside the confederation they can only be advertised in the sub ASs in the confederation For information about confederation refer to section 5 1 4 Problems in Large Scale BGP Network z No_A...

Page 355: ...o its peers when multiple valid routes exist z Sends only the routes used by itself to its peers z Sends all the EBGP routes to all its BGP peers including the EBGP peers and IBGP peers z Does not send IBGP routes to its IBGP peers z Sends IBGP routes to its EBGP peers z Sends all its BGP routes to the new peer once a new BGP connection is established 5 1 4 Problems in Large Scale BGP Networks I R...

Page 356: ...es a more instable route Each time a route flaps BGP adds a certain penalty value fixed to 1000 to the route When the penalty value excesses the suppression threshold the route will be suppressed and will neither be added to the routing table nor send update packets to other BGP peers The penalty value of a suppressed route is decreased by half in each specific period known as half life When the p...

Page 357: ...ribute of the route Besides the well known community attributes you can also use the community attributes list to customize extended community attributes so as to control the routing policy with more flexibility V Router reflector To ensure the connectivity among the IBGP peers in an AS you need to make the IBGP peers fully connected For an AS with the number of the routers in it being n you need ...

Page 358: ... case make sure all the RRs in the cluster are configured with the same cluster ID to avoid routing loops Figure shows a cluster containing two RRs Client Route Reflector1 IBGP IBGP IBGP Cluster Client Route Reflector2 Client IBGP AS65000 Figure 5 11 A cluster containing two RRs RR is unnecessary for clients that are already fully connected You can disable routing information reflection using corr...

Page 359: ...nvisible to the BGP speaker The confederation ID which is usually the corresponding AS number uniquely identifies a confederation In Figure 5 12 AS200 is a confederation ID The disadvantage of confederation is that when a AS changes from non confederation to confederation configurations are needed on the routers and the topology changes In a large scale BGP network router reflector and confederati...

Page 360: ...e routes The two attributes are all of the optional non transitive type Therefore BGP speakers that do not support multiple protocols ignore the information carried in the two attributes and do not pass the information to their neighbors 5 1 6 Protocol Standard Protocol standards concerning BGP are z RFC1771 A border gateway protocol 4 BGP 4 z RFC2858 Multiprotocol extensions for BGP 4 z RFC3392 C...

Page 361: ...ring BGP route dampening Optional Section 5 4 9 Configuring BGP Route Dampening Configuring BGP route attributes Optional Section 5 5 2 Configuring BGP Route Attributes Adjusting and optimizing a BGP network Optional Section 5 6 2 Adjusting and Optimizing a BGP Network Configuring a BGP peer group Required Section 5 7 2 Configuring BGP Peer Group Configuring a BGP community Required Section 5 7 3 ...

Page 362: ...ore performing basic BGP configuration make sure the following are available z Local AS number and router ID z IPv4 address and AS number of the peers z Source interface of update packets 5 3 2 Configuring BGP Multicast Address Family Table 5 3 Configure BGP multicast address family Operation Command Description Enter system view system view Enable BGP and enter BGP view bgp as number Required BGP...

Page 363: ...peer group peer group name ip address description description text Optional By default a peer a peer group is not assigned a description string Activate a specified BGP peer peer group name ip address enable Optional By default a BGP peer is active Enable BGP logging log peer change Optional By default BGP logging is enabled Specify the source interface for route update packets peer group name ip ...

Page 364: ...ck interface as the router ID z In order for route updating packets being sent even if problems occur on interfaces you can configure the source interfaces of route update packets as a loopback interface z Normally EBGP peers are connected through directly connected physical links If no such link exists you need to use the peer ebgp max hop command to allow the peers to establish multiple hop TCP ...

Page 365: ...t the default route to the BGP routing table default route imported Optional By default BGP does not import default routes to BGP routing table Import and advertise routing information generated by other protocols import route protocol process id med med value route policy route policy name Required By default BGP does not import nor advertise the routing information generated by other protocols A...

Page 366: ...by using the network command cannot be automatically aggregated z Manual aggregation mode where local BGP routes are aggregated The priority of manual aggregation is higher than that of automatic aggregation Table 5 6 Configure BGP route aggregation Operation Command Description Enter system view system view Enable BGP and enter BGP view bgp as number Required By default BGP is disabled Enable aut...

Page 367: ...rol list ACL exist AS path filtering ACL and community attribute ACL AS path filtering list filters routing information by the AS_Path attribute of BGP route Community attribute list is a list identifying a community message Community attribute lists fall into two categories standard community access control list and extended community access control list Table 5 8 Configure related ACLs Operation...

Page 368: ...tised routes are not filtered Specify a route advertising policy for the routes advertised to a peer group peer group name route policy route policy name export Required By default no route advertising policy is specified for the routes advertised to a peer group Specify an ACL base d BGP route filtering policy for a peer group peer group name filter policy acl number export Specify an AS path ACL...

Page 369: ...ilter policy acl number gateway ip prefix name ip prefix ip prefix name import Required By default the received routing information is not filtered Specify a route filtering policy for routes coming from a peer peer group peer group name ip address route policy policy name import Required By default no route filtering policy is specified for a peer peer group Specify an ACL base d BGP route filter...

Page 370: ...z A peer group member and the peer group can use different inbound routing policies that is peers of a peer group can use different route filtering policies for receiving routing information 5 4 8 Configuring BGP IGP Route Synchronization Table 5 11 Configure BGP IGP route synchronization Operation Command Description Enter system view system view Enable BGP and enter BGP view bgp as number Requir...

Page 371: ... threshold the route gets valid and is thus advertised again BGP dampening suppresses unstable routing information Suppressed routes are neither added to the routing table nor advertised to other BGP peers Table 5 12 Configure BGP route dampening Operation Command Description Enter system view system view Enable BGP and enter BGP view bgp as number Required By default BGP is disabled Configure BGP...

Page 372: ...the local preference defaults to 100 Configure the default local MED value default med med value Optional By default the med value argument is 0 Configure the MED attribute Permit to compare the MED values of the routes coming from the neighbor routers in different ASs compare different a s med Optional By default the compare of MED values of the routes coming from the neighbor routers in differen...

Page 373: ...mber Caution z Using routing policy you can configure the preference for the routes that match the filtering conditions As for the unmatched routes the default preference is adopted z If other conditions are the same the route with the lowest MED value is preferred to be the exterior route of the AS z Normally a BGP router checks the AS_Path attribute of the routes it receives The routes with thei...

Page 374: ... sends refresh messages to its peers And the peers receiving the message in turn send their routing information to the local router In this way you can apply new routing policies and have the routing table dynamically updated seamlessly To apply a new routing policy in a network containing routers that do not support the route refresh function you need first to save all the route updates locally b...

Page 375: ...peer group name ip address timer keepalive keepalive interval hold holdtime interval Optional By default the keepalive time is 60 seconds and holdtime is 180 seconds The priority of the timer configured by the timer command is lower than that of the timer configured by the peer time command Configure the interval at which a peer group sends the same route update packet peer group name route update...

Page 376: ...ng table and apply a new routing policy without breaking the NGP connections z BGP soft reset requires all BGP routers in a network support the route refresh function If there is a router not supporting the route refresh function you need to configure the peer keep all routes command to save all the initial routing information of peers for the use of BGP soft reset z When configured in BGP view MD...

Page 377: ...rge scale BGP network you need to prepare the following data z Peer group type name and the peers included z If you want to use community the name of the applied routing policy is needed z If you want to use RR you need to determine the roles client non client of routers z If you want to use confederation you need to determine the confederation ID and the sub AS number 5 7 2 Configuring BGP Peer G...

Page 378: ...l Create a hybrid EBGP peer group Add a peer to a peer group peer ip address group group name as number as number Optional You can add multiple peers to the peer group Finish the session with the specified peer peer group peer group name ip address shutdown Optional Caution z It is not required to specify an AS number for creating an IBGP peer group z If there already exists a peer in a peer group...

Page 379: ...use a routing policy to define the specific community attribute and then apply the routing policy when a peer sends routing information z For configuration of routing policy refer to IP Routing Policy Configuration 5 7 4 Configuring BGP RR Table 5 17 Configure BGP RR Operation Command Description Enter system view system view Enable BGP and enter BGP view bgp as number Required By default the syst...

Page 380: ... are multiple RRs in a cluster use related command to configure the same cluster ID for them to avoid routing loopback 5 7 5 Configuring BGP Confederation Table 5 18 Configure BGP confederation Operation Command Description Enter system view system view Enable BGP and enter BGP view bgp as number Required By default the system does not operate BGP Configure confederation ID confederation id as num...

Page 381: ...Display BGP Operation Command Display information about peer group display bgp multicast group group name Display routing information exported by BGP display bgp multicast network Display information about AS path display bgp paths as regular expression Display information about a BGP peer display bgp multicast peer ip address verbose display bgp multicast peer verbose Display information in the B...

Page 382: ...received routes dampened regular expression network address mask statistic Display routing information matching with the AS regular expression display bgp multicast routing regular expression as regular expression Display routing statistics of BGP display bgp multicast routing statistic 5 8 2 BGP Connection Reset When a BGP routing policy or protocol changes if you need to make the new configurati...

Page 383: ...set bgp flap info regular expression as regular expression as path acl acl number ip address mask 5 9 Configuration Example 5 9 1 Configuring BGP AS Confederation Attribute I Network requirements Divide the AS 100 shown in the following figure into three sub ASs 1001 1002 and 1003 Configure EBGP Confederation EBGP and IBGP II Network diagram AS200 AS100 AS1002 AS1001 AS1003 Ethernet 172 68 10 1 17...

Page 384: ... 172 68 10 3 group confed1003 as number 1003 Configure SwitchC SwitchC bgp 1003 SwitchC bgp confederation id 100 SwitchC bgp confederation peer as 1001 1002 SwitchC bgp group confed1001 external SwitchC bgp peer 172 68 10 1 group confed1001 as number 1001 SwitchC bgp group confed1002 external SwitchC bgp peer 172 68 10 2 group confed1002 as number 1002 SwitchC bgp group ebgp200 external SwitchC bg...

Page 385: ...tchA Vlan interface2 ip address 192 1 1 1 255 255 255 0 SwitchA Vlan interface2 interface Vlan interface 100 SwitchA Vlan interface100 ip address 1 1 1 1 255 0 0 0 SwitchA Vlan interface100 quit SwitchA bgp 100 SwitchA bgp group ex external SwitchA bgp peer 192 1 1 2 group ex as number 200 SwitchA bgp network 1 0 0 0 255 0 0 0 2 Configure SwitchB Configure VLAN2 SwitchB interface Vlan interface 2 ...

Page 386: ... ip address 194 1 1 2 255 255 255 0 Configure a BGP peer SwitchD bgp 200 SwitchD bgp group in internal SwitchD bgp peer 194 1 1 1 group in Use the display bgp routing table command to display the BGP routing table on SwitchB Note that SwitchB has already known the existence of network 1 0 0 0 Use the display bgp routing table command to display the BGP routing table on SwitchD Note that SwitchD kn...

Page 387: ...figure SwitchA SwitchA interface Vlan interface 2 SwitchA Vlan interface2 ip address 192 1 1 1 255 255 255 0 SwitchA interface Vlan interface 3 SwitchA Vlan interface3 ip address 193 1 1 1 255 255 255 0 Enable BGP SwitchA bgp 100 Specify the destination network for BGP routes SwitchA bgp network 1 0 0 0 Configure BGP peers SwitchA bgp group ex192 external SwitchA bgp peer 192 1 1 2 group ex192 as ...

Page 388: ... the outbound routing update of neighbor SwitchB 192 1 1 2 SwitchA bgp 100 SwitchA bgp peer 193 1 1 2 route policy apply_med_50 export SwitchA bgp peer 192 1 1 2 route policy apply_med_100 export 2 Configure SwitchB SwitchB interface vlan 2 SwitchB Vlan interface2 ip address 192 1 1 2 255 255 255 0 SwitchB interface vlan interface 4 SwitchB Vlan interface4 ip address 194 1 1 2 255 255 255 0 Switch...

Page 389: ...ork 4 0 0 0 0 255 255 255 SwitchD bgp 200 SwitchD bgp undo synchronization SwitchD bgp group in internal SwitchD bgp peer 195 1 1 2 group in SwitchD bgp peer 194 1 1 2 group in z To make the configuration take effect all BGP neighbors need to execute the reset bgp all command z After the above configuration because the MED attribute value of the route 1 0 0 0 learnt by SwitchC is smaller than that...

Page 390: ...0 0 0 coming from SwitchC first 5 10 BGP Error Configuration Example 5 10 1 BGP Peer Connection Establishment Error I Symptom When you use the display bgp peer command to display the BGP peer information the connection with the opposite peer cannot be established II Analysis Establishing BGP neighbor needs to use the 179 port to establish TCP session and correct exchange of Open message is require...

Page 391: ...es provide three kinds of filters Route policy ACL and ip prefix which can be referenced by routing protocols The following sections introduce these filters I Route policy A route policy is used to match some attributes with given routing information and the attributes of the information will be set if the conditions are satisfied A route policy can comprise multiple nodes Each node is a unit for ...

Page 392: ...ou can use the gateway option to specify that only routing information advertised by certain routers will be received An ip prefix is identified by its ip prefix name Each ip prefix can include multiple items and each item identified by an index number can independently specify the match range in network prefix form An index number specifies the matching sequence in the ip prefix During the matchi...

Page 393: ...change the attributes of the routing information if the conditions are met The above mentioned filtering lists can serve as the match conditions A route policy can comprise multiple nodes and each node comprises z if match clause Defines matching rules that is the filtering conditions that the routing information should satisfy for passing the current route policy The matching objects are some att...

Page 394: ...n deny mode In this mode no apply clause is executed If a route satisfies all the if match statements of the node no apply clause for the node will be executed and the test of the next node will not be taken If not however the route takes the test of the next node z If multiple nodes are defined in a route policy at least one of them should be in permit mode When a route policy is applied to filte...

Page 395: ...outing information Define a rule to match the next hop interface of routing information if match interface interface type interface number Optional By default no matching is performed on the next hop interface of routing information Define a rule to match the next hop address of routing information if match ip next hop acl acl number ip prefix ip prefix name Optional By default no matching is perf...

Page 396: ...d of OSPF routing information Note z A route policy comprises multiple nodes The relationship among the nodes in a route policy is OR As a result the system examines the nodes in sequence and once the route passes a node in the route policy it will pass the matching test of the route policy without entering the test of the next node z During the matching the relationship among the if match stateme...

Page 397: ... range in the form of network prefix and is identified by an index number For example the following is an ip prefix list named abcd z ip ip prefix abcd index 10 permit 1 0 0 0 8 z ip ip prefix abcd index 20 permit 2 0 0 0 8 During the matching of a route the router checks the items in the ascending order of index number Once the route match an item the route passes the filtering of the ip prefix l...

Page 398: ...pression Optional By default no AS path list is defined 6 6 Community List Configuration In BGP community attributes are optional transitive Some community attributes are globally recognized and they are called standard community attributes Some are for special purposes and they can be customized A route can have one or more community attributes The speaker of multiple community attributes of a ro...

Page 399: ...and debug a route policy Operation Command Description Display route policy information display route policy route policy name Display address prefix list information display ip ip prefix ip prefix name You can execute the display command in any view 6 8 IP Routing Policy Configuration Example 6 8 1 Configuring IP Routing Policy Information I Network requirements z As shown in Figure 6 1 SwitchA c...

Page 400: ...interface100 10 0 0 1 8 Vlan interface100 Figure 6 1 Filter routing information received III Configuration procedure 1 Configure SwitchA Configure the IP addresses of the interfaces SwitchA system view SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 10 0 0 1 255 0 0 0 SwitchA interface vlan interface 200 SwitchA Vlan interface200 ip address 12 0 0 1 255 0 0 0 SwitchA Vlan...

Page 401: ...5 0 0 0 SwitchB Vlan interface100 quit Enable the OSPF protocol and specify the ID of the area to which the interface belongs SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 10 0 0 0 0 255 255 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 quit Display the OSPF routing table on SwitchB and check if route policy takes effect SwitchB display ospf...

Page 402: ...o node in the route policy it means that the route information does not pass the filtering of the route policy Therefore when all the nodes in the route policy are in the deny mode no routing information will pass the filtering of the route policy At least one item in an ip prefix list should be in permit mode The items in deny mode can be defined first to rapidly filter out the routing informatio...

Page 403: ...rements To avoid decreasing system stability and availability due to improper configuration it is not recommended to modify the configuration 7 1 2 Route Capacity Limitation on the S5600 Series Huge routing tables are usually caused by OSPF and BGP routes Therefore the route capacity limitation implemented by a S5600 switch applies to OSPF and BGP routes only but not to static and RIP routes When ...

Page 404: ...it and the safety value of switch memory Operation Command Description Enter system view system view Set the lower limit and the safety value of switch memory memory safety safety value limit limit value Optional By default the default values are used Note The safety value must be greater than the limit value 7 2 2 Enabling Disabling Automatic Protocol Connection Recovery Table 7 2 Enable automati...

Page 405: ...the safety value Therefore do not disable this function if not necessary 7 3 Displaying Route Capacity Configuration After the above configuration you can use the display command in any view to display and verify the route capacity configuration Table 7 3 Display route capacity configuration Operation Command Description Display memory occupancy of a switch display memory unit unit id Optional Dis...

Page 406: ...nfiguration 2 6 2 2 1 Enabling IGMP Snooping 2 6 2 2 2 Configuring Timers 2 7 2 2 3 Enabling IGMP Fast Leave 2 7 2 2 4 Configuring IGMP Snooping Filtering ACL 2 8 2 2 5 Configuring to Limit Number of Multicast Groups on a Port 2 9 2 2 6 Configuring IGMP Querier 2 9 2 2 7 Configuring Multicast VLAN 2 10 2 3 Displaying and Maintaining IGMP Snooping 2 13 2 4 IGMP Snooping Configuration Example 2 13 2...

Page 407: ... 13 6 3 Displaying IGMP 6 13 Chapter 7 PIM Configuration 7 1 7 1 PIM Overview 7 1 7 1 1 Introduction to PIM DM 7 1 7 1 2 Work Mechanism of PIM DM 7 2 7 1 3 Introduction to PIM SM 7 4 7 1 4 Work Mechanism of PIM SM 7 5 7 2 Common PIM Configuration 7 10 7 2 1 Enabling PIM DM PIM SM on the Interface 7 10 7 2 2 Configuring the interval of sending Hello packets 7 11 7 2 3 Configuring PIM Neighbors 7 12...

Page 408: ...ication 8 9 8 3 4 Configuring an MSDP Mesh Group 8 10 8 3 5 Configuring MSDP Peer Connection Control 8 11 8 4 Configuring SA Message Transmission 8 11 8 4 1 Configuration Prerequisites 8 12 8 4 2 Configuring the Transmission and Filtering of SA Request Messages 8 12 8 4 3 Configuring a Rule for Filtering the Multicast Sources of SA Messages 8 13 8 4 4 Configuring a Rule for Filtering Received and ...

Page 409: ...hly dependent on bandwidth and real time data interaction such as e commerce web conference online auction video on demand VoD and tele education have come into being These services have higher requirements for information security legal use of paid services and network bandwidth In the network packets are sent in three modes unicast broadcast and multicast The following sections describe and comp...

Page 410: ... information transmission in broadcast mode Server Broadcast User A User B User C User D User E Figure 1 2 Information transmission in the broadcast mode Assume that users B D and E need the information The source server broadcasts this information through routers and users A and C on the network also receive this information The security and payment of the information cannot be guaranteed As we c...

Page 411: ...ate and distribute the information based on the distribution of the receivers in this set Finally the information is correctly delivered to users B D and E The advantages of multicast over unicast are as follows z No matter how many receivers exist there is only one copy of the same multicast data flow on each link z With the multicast mode used to transmit information an increase of the number of...

Page 412: ...ticast sources can send packets to the same multicast group at the same time There may be routers that do not support multicast on the network A multicast router encapsulates multicast packets in unicast IP packets in the tunnel mode and then sends them to the neighboring multicast routers through the router that do no support multicast The neighboring multicast routers remove the header of the un...

Page 413: ...to peer service Based on the protocol layer sequence from bottom to top the multicast mechanism contains addressing mechanism host registration multicast routing and multicast application as shown in Figure 1 4 Multicast route Host registration Addressing mechanism Multicast application Host registration Addressing mechanism Multicast source Host Multicast router Receiver Host Multicast route Host...

Page 414: ...ormation source and members of a multicast group a group of information receivers network layer multicast addresses namely IP multicast addresses must be provided In addition a technology must be available to map IP multicast addresses to link layer MAC multicast addresses The following sections describe these two types of multicast addresses I IP multicast address Internet Assigned Numbers Author...

Page 415: ...e 1 1 Table 1 1 Range and description of Class D IP addresses Class D address range Description 224 0 0 0 to 224 0 0 255 Reserved multicast addresses IP addresses for permanent multicast groups The IP address 224 0 0 0 is reserved Other IP addresses can be used by routing protocols 224 0 1 0 to 231 255 255 255 233 0 0 0 to 238 255 255 255 Available any source multicast ASM multicast addresses IP a...

Page 416: ...17 All SBMS 224 0 0 18 Virtual router redundancy protocol VRRP 224 0 0 19 224 0 0 255 Other protocols Note Like having reserved the private network segment 10 0 0 0 8 for unicast IANA has also reserved the network segments ranging from 239 0 0 0 to 239 255 255 255 for multicast These are administratively scoped addresses With the administratively scoped addresses you can define the range of multic...

Page 417: ...XXXXXXXX 1110XXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX 32 bit IP address 48 bit MAC address 23bit mapping Five bits are lost XXXXX 25bitMAC address prefix XXXXXXXX XXXXXXXX XXXXX 25 bit MAC address prefix XXXXXXXX XXXXXXXX XXXXXXXX 1110XXXX XXXXXXXX XXXXXXXX 1110XXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXX...

Page 418: ...roup address in the destination address field of an IP data packet Unlike a unicast model a multicast model must forward data packets to multiple external interfaces so that all receiver sites can receive the packets Therefore the forwarding process of multicast is more complicated than unicast In order to guarantee the transmission of multicast packets in the network multicast packets must be for...

Page 419: ...witch uses IGMP Snooping to analyze and process the IGMP messages as shown in Table 2 1 Table 2 1 IGMP message processing on the switch Received message type Sender Receiver Switch processing IGMP host report message Host Switch Add the host to the corresponding multicast group IGMP leave message Host Switch Remove the host from the multicast group By listening to IGMP messages the switch establis...

Page 420: ... Non multicast group member Non multicast group member Video stream Video stream Multicast packet transmission without IGMP Snooping Multicast packet transmission with IGMP Snooping Internet Video stream Muliticast Multicast group member Non group member Non group member Internet Video stream Muliticast Multicast group member Non group member Non group member Multicast packet transmission without ...

Page 421: ...nding multicast MAC address Internet Internet IGMP enabled router IGMP message IGMP message IGMP Snooping enabled Ethernet switch Figure 2 2 IGMP Snooping implementation To implement Layer 2 multicast the switch processes four different types of IGMP messages it received as shown in Table 2 3 Table 2 3 IGMP Snooping messages Message Sender Receiver Purpose Switch action If yes reset the aging time...

Page 422: ...ck if the port exists in the MAC multicast group If not add the port to the MAC multicast group reset the aging timer of the port and check if the corresponding IP multicast group exists If not create an IP multicast group and add the port to it IGMP host report message Host Multicast router and multicast switch Apply for joining a multicast group or respond to an IGMP query message Check if the I...

Page 423: ...ost Multicast router and multicast switch Notify the multicast router and multicast switch that the host is leaving its multicast group Multicast router and multicast switch send IGMP specific group query packet s to the multicast group whose member host sends leave packets to check if the multicast group has any members and enable the corresponding query timer If no response is received from the ...

Page 424: ...IGMP Snooping Filtering ACL Configure to limit ports passing multicast group Optional Section 2 2 5 Configuring to Limit Number of Multicast Groups on a Port Configure IGMP Snooping queriers Optional Section 2 2 6 Configuring IGMP Querier Configure multicast VLAN Optional Section 2 2 7 Configuring Multicast VLAN 2 2 1 Enabling IGMP Snooping You can use the command here to enable IGMP Snooping so t...

Page 425: ... switch removes the router port from the port member lists of all MAC multicast groups z If the switch receives no IGMP host report message within the aging time of the member port it sends IGMP group specific query to the port and enables the query response timer of the IP multicast group Table 2 6 Configure timers Operation Command Description Enter system view system view Configure the aging ti...

Page 426: ...Configuring IGMP Snooping Filtering ACL You can configure multicast filtering ACLs on the switch ports connected to user ends so as to use the IGMP Snooping filter function to limit the multicast streams that the users can access With this function you can treat different VoD users in different ways by allowing them to access the multicast streams in different multicast groups In practice when a u...

Page 427: ...icast group z By default the multicast filtering feature is disabled 2 2 5 Configuring to Limit Number of Multicast Groups on a Port With a limit imposed on the number of multicast groups on the switch port users can no longer have as many multicast groups as they want when demanding multicast group programs Thereby the bandwidth on the port is controlled Table 2 9 Configure to limit number of mul...

Page 428: ...s disabled by default Enter VLAN view vlan vlan id Enable the IGMP Snooping feature in VLAN view igmp snooping enable Required By default the IGMP Snooping feature is disabled Configure the IGMP Snooping querier feature igmp snooping querier Required The IGMP Snooping querier feature is disabled by default Configure the interval of sending general query packets igmp snooping query interval seconds...

Page 429: ...Exit the VLAN view quit Create a multicast VLAN interface and enter VLAN interface view interface Vlan interface vlan id Enable IGMP igmp enable Required By default the IGMP feature is disabled Exit the VLAN interface view quit Enter the view of the Ethernet port connected to the Layer 2 switch interface interface type interface number Define the port as a trunk or hybrid port port link type trunk...

Page 430: ...rface type interface number Define the port as a hybrid port port link type hybrid Required Specify the VLANs to be allowed to pass the port port hybrid vlan vlan id list tagged untagged Required The multicast VLAN must be included and set as untagged Note z One port can belong to only one multicast VLAN z The port connected to a user end can only be a hybrid port z The multicast member port must ...

Page 431: ... Operation Command Description Display the current IGMP Snooping configuration display igmp snooping configuration Display IGMP Snooping message statistics display igmp snooping statistics Display IP and MAC multicast groups in one or all VLANs display igmp snooping group vlan vlanid You can execute the display commands in any view Clear IGMP Snooping statistics reset igmp snooping statistics You ...

Page 432: ...igmp snooping enable 2 4 2 Example 2 Configure multicast VLAN on Layer 2 and Layer 3 switches I Network requirements The multicast source is Workstation Switch A forwards the multicast data flows that the multicast source sends The multicast data flows are forwarded by the Layer 2 switch Switch B to the end user PC1 and PC2 Table 2 13 describes the network devices involved in this example and the ...

Page 433: ...s connected to the GigabitEthernet1 0 2 port on Switch B Configure a multicast VLAN so that the users in VLAN 2 and VLAN 3 can receive multicast streams through the multicast VLAN II Network diagram Figure 2 4 Network diagram for multicast VLAN configuration III Configuration procedure The following configuration is based on the prerequisite that the devices are properly connected and all the requ...

Page 434: ...terface10 pim dm SwitchA Vlan interface10 igmp enable 2 Configure Switch B Enable the IGMP Snooping feature on Switch B SwitchB system view SwitchB igmp snooping enable Configure VLAN 10 as a multicast VLAN and enable the IGMP Snooping feature on it SwitchB vlan 10 SwitchB vlan10 service type multicast SwitchB vlan10 igmp snooping enable SwitchB vlan10 quit Define GigabitEthernet 1 0 10 as a hybri...

Page 435: ...ation command to check the status of IGMP Snooping z If IGMP Snooping is disabled check whether it is disabled globally or on the corresponding VLAN If it is disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time If it is only disabled on the corresponding VLAN use the igmp snooping enable c...

Page 436: ...entries from being sent to Layer 3 switches or routers z Configuring suppression on the multicast source port In the network some users may set up multicast servers privately which results in the shortage of multicast network resources and affects the multicast bandwidth and the transmission of valid information in the network You can configure the suppression on the multicast source port feature ...

Page 437: ... the multicast routing protocol are configured Configure limit on the number of multicast route entries multicast route limit limit Required By default the maximum number of entries in a multicast routing table is 1024 Note To protect the unused sockets against malicious attacks and improve the switch security S5600 series Ethernet switches provide the following function z When the multicast routi...

Page 438: ...source de ny interface interface list Required The suppression on the multicast source port feature is disabled by default II Configure suppression on the multicast source port in Ethernet port view Table 3 4 Configure suppression on the multicast source port in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interfac...

Page 439: ...e interface type interface number Clear the related MFC forwarding entries Clear the route entries in the core multicast routing table reset multicast routing table all group address mask group mask group mask length source address mask source mask source mask length incoming interface interface type interface number Clear the route entries in the core multicast routing table 3 3 Displaying Common...

Page 440: ...z If only the port type is specified the statistics information about the suppression on the multicast source ports of the type is displayed z If both the port type and the port number is specified the statistics information about the suppression on the specified multicast source port is displayed Display the information about the multicast routing table display multicast routing table group addre...

Page 441: ...ect data transmission The correlations of them are z Each multicast routing protocol has its own multicast routing table z The multicast routing information of all multicast routing protocols is integrated to form the core multicast routing table z The core multicast routing table is consistent with the multicast forwarding table which is in really in charge of multicast packet forwarding ...

Page 442: ...packet in the VLAN to which the port belongs However you can configure a static multicast MAC address entry to avoid this case 4 2 Configuring a Multicast MAC Address Entry You can configure multicast MAC address entries in system view or Ethernet port view Table 4 1 Configure a multicast MAC address entry in system view Operation Command Description Enter system view system view Create a multicas...

Page 443: ...st MAC address entries learned by the switch z If you want to add a port to a multicast MAC address entry created through the mac address multicast command you must delete this entry first create this entry again and then add the specified port to the forwarding ports of this entry z The system does not support adding multicast MAC addresses to IRF ports If a port is already an IRF port the system...

Page 444: ...will be broadcast in the VLAN When the unknown multicast packet drop feature is enabled the switch will drop the received multicast packet whose multicast address is not registered Thus the bandwidth is saved and the processing efficiency of the system is improved 5 2 Unknown Multicast Packet Drop Configuration Table 5 1 Configure unknown multicast packet drop Operation Command Description Enter s...

Page 445: ...otocol a multicast router checks the network segment connected with each interface to see whether there are receivers of a multicast group namely group members A multicast router need not and cannot save the membership information of all the hosts While a host has to save the information that which multicast groups that it joins in IGMP is asymmetric between the host and the router The host needs ...

Page 446: ...has left the group In IGMP Version 2 when a host replying to the last membership query message decides to leave a multicast group it will send a leave group message to the multicast router III Group specific query In IGMP Version 1 a multicast query message of the multicast router aims at all the multicast groups in the network segment This query is called general query IGMP Version 2 adds group s...

Page 447: ... joins I Working mechanism of IGMPv1 VRP implements the IGMPv1 protocol according to RFC1112 IGMPv1 manages the multicast groups based on the query response mechanism With the help of the Layer 3 routing protocol IGMP selects the designated router DR as the querier which is responsible for sending query messages Figure 6 1 describes the IGMPv1 message interaction in the network Host A DR Assert qu...

Page 448: ...will be forwarded to this network segment and the receiver hosts receive the data IGMP leave packet is not defined in IGMPv1 so when a host leaves a multicast group only when a query message times out can the multicast router know that a host has left the group When all the hosts in a network segment have left the multicast group the branch corresponding to the related network segment is pruned fr...

Page 449: ...essage VLAN interface 1 33 33 33 1 33 33 33 2 22 22 22 1 Switch A Switch B Host Exterior network General group Group Specific Query information IGMP join IGMP leave information Exterior network General group Group Specific Query information IGMP join IGMP leave information Exterior network General group Group Specific Query information IGMP join IGMP leave information Exterior network General grou...

Page 450: ...tional Section 6 2 3 Configuring IGMP Multicast Groups on the Interface Configure router ports to join the specified multicast group Optional Section 6 2 4 Configuring Router Ports to Join the Specified Multicast Group Configure IGMP Proxy Optional Section 6 2 5 Configuring IGMP Proxy Remove the joined IGMP groups from the interface Optional Section 6 2 6 Removing the Joined IGMP Groups from the I...

Page 451: ...packets at the user defined interval for the user defined times when it receives the IGMP leave packets from the hosts Suppose a host in a multicast group decides to leave the multicast group The related procedure is as follows z The host sends an IGMP leave packet z When the IGMP querier receives the packet it will send IGMP group specific query packets at the interval configured by the igmp last...

Page 452: ...rmation of the multicast group Through configuring the reasonable maximum response time you can enable the host to respond to the query information quickly and enable the Layer 3 switch to understand the membership information of multicast groups quickly Table 6 3 Configure IGMP query packets Operation Command Description Enter system view system view Enter VLAN interface view interface Vlan inter...

Page 453: ...k segment the querier is responsible for sending IGMP query messages to all the hosts in the network segment 6 2 3 Configuring IGMP Multicast Groups on the Interface You can perform the following configurations on the interface for the IGMP multicast groups z Limit the number of joined multicast groups z Limit the range of multicast groups that the interface serves I Limit the number of joined mul...

Page 454: ...rrent interface igmp enable Required IGMP is disabled on the interface by default Configure limit on the number of joined IGMP groups on the interface igmp group limit limit Required By default the number of multicast groups passing a port is not limited Limit the range of multicast groups that the interface serves igmp group policy acl number 1 2 port interface type interface number to interface ...

Page 455: ...ups has exceeded the configured limit on the number of joined multicast groups on the interface the system will delete some existing multicast groups automatically until the number of multicast groups on the interface is conforming to the conferred limit 6 2 4 Configuring Router Ports to Join the Specified Multicast Group Generally the host running IGMP will respond to the IGMP query packets of th...

Page 456: ...fault the router port does not join in any multicast group 6 2 5 Configuring IGMP Proxy I Configure IGMP Proxy You can configure IGMP proxy to reduce the workload of configuration and management of leaf networks without affecting the multicast connections of the leaf network After the configuration of IGMP Proxy on the Layer 3 switch of the leaf network the leaf Layer 3 switch is just a host for t...

Page 457: ...ce You can remove all the joined IGMP groups on all ports of the router or all the joined IGMP groups on the specified interfaces or remove a specified IGMP group address or group address network segment on the specified interface Perform the following configuration in user view Table 6 7 Remove the joined IGMP groups from the interface Operation Command Description Remove the joined IGMP groups f...

Page 458: ... 6 8 Display IGMP Operation Command Description Display the membership information of the IGMP multicast group display igmp group group address interface interface type interface number Display the IGMP configuration and running information of the interface display igmp interface interface type interface number You can execute the display command in any view ...

Page 459: ...et of the network there is at least one receiver interested in the multicast source z Multicast packets are flooded to all the points in the network and the related resources bandwidth and the CPU of the router are consumed at the same time In order to reduce the network resource consumption PIM DM prunes the branches which do not forward multicast data and keeps only the branches including receiv...

Page 460: ...roup G it begins with RPF check according to the unicast routing table z If the RPF check passes the router will create an entry S G and forward the packet to all the downstream PIM DM nodes That is the process of flooding z If not that is the router considers that the multicast packets travel into the router through incorrect interfaces the router just discards the packets After this process the ...

Page 461: ... multicast source S The intermediate nodes will return acknowledgements when receiving Graft messages Thus the pruned branches are restored to the information transmission state IV RPF check PIM DM adopts the RPF check mechanism to establish a multicast forwarding tree from the data source S based on the existing unicast routing table static multicast routing table and MBGP routing table The proce...

Page 462: ... node Router D will receive three copies of the same multicast packet In order to avoid such cases the Assert mechanism is needed to select one forwarder Routers in the network select the best path through sending Assert packets If two or more paths have the same priority and metric to the multicast source the router with the highest IP address will be the upstream neighbor of the S G entry which ...

Page 463: ...he multicast source sends the data to RP When the data reaches RP the multicast packets are replicated and sent to the receiver Replication happens only in the branch of RPT The procedure is repeated automatically until the multicast packets reach the receiver PIM SM is independent of the special unicast routing protocol Instead it performs RPF check based on the existing unicast routing table 7 1...

Page 464: ...ters Note In PIM SM network DR mainly serves as the querier of IGMPv1 III RP discovery RP is the core router in the PIM SM domain The shared tree established based on the multicast routing information is rooted in RP There is a mapping relationship between the multicast group and RP One multicast group is mapped to one RP and multiple multicast groups can be mapped to the same RP In a small and si...

Page 465: ...ng RP information The auto election among candidate BSRs is described in the following section z Specify a PIM SM enabled interface when configuring a router as a candidate BSR z Each candidate BSR considers itself as the BSR of the PIM SM and uses the IP address of the specified interface as the BSR address to send Bootstrap messages z When the candidate BSR receives Bootstrap messages from other...

Page 466: ...ed In the same way multiple C RPs can be configured in a PIM SM domain the RP corresponding to each multicast group is worked out through the BSR mechanism IV RPT building Assume the receiver hosts are User B User D and User E When a receiver host joins in a multicast group G it will inform the leaf router directly connected to the host through IGMP packets Thus the leaf router masters the receive...

Page 467: ...s interested in the multicast information If not the upstream router will continue to forward the Prune message to upstream routers V Multicast source registration In order to inform RP about the existence of multicast source S when multicast source S sends a multicast packet to the multicast group G the router directly connected to S will encapsulate the received packet into a registration packet...

Page 468: ...source S to the receiver directly Through the switching from RPT to SPT PIM SM can build SPT in a more economical way than PIM DM The related threshold values are not set on S5600 series Ethernet switches When the switch receives multicast data forwarded along RPT it will update the input interface automatically and sends Prune messages to RP 7 2 Common PIM Configuration You can configure the PIM ...

Page 469: ...hbors send Table 7 3 Configure the interval of sending Hello packets Operation Command Description Enter system view system view Enable the multicast routing protocol multicast routing enable Required Enter VLAN interface view interface Vlan interface interface number Enable PIM DM PIM SM on the current interface pim dm pim sm Required Configure the PIM protocol type on the interface Configure the...

Page 470: ...gure PIM neighbors Operation Command Description Enter system view system view Enable the multicast routing protocol multicast routing enable Required Enter VLAN interface view interface Vlan interface interface number Enable PIM DM PIM SM on the current interface pim dm pim sm Required Configure the PIM protocol type on the interface Configure limit on the number of PIM neighbors on the interface...

Page 471: ...uration in user view Clear PIM neighbors reset pim neighbor all neighbor address interface interface type interface number Perform the configuration in user view 7 3 PIM DM Configuration Perform the following configuration to configure PIM DM When the router runs in PIM DM domain you are recommended to enable PIM DM on all the interfaces of non boarder routers 7 3 1 Configuring Filtering Policies ...

Page 472: ... Section Configure filtering policies for multicast sources groups Optional Section 7 4 1 Configuring Filtering Policies for Multicast Source Group Configure BSR RP Optional Section 7 4 2 Configuring BSR RP Configure PIM SM domain boundary Optional Section 7 4 3 Configuring PIM SM Domain Boundary Filter the registration packets from RP to DR Optional Section 7 4 4 Filtering the Registration Packet...

Page 473: ...es of some multicast groups in ACL z By default candidate RPs are not set for the switch and the value of priority is 0 Configure static RPs static rp rp address acl number Optional z You can configure to filter the IP addresses of some multicast groups in ACL z By default static RPs are not set for the switch Limit the range of valid BSRs bsr policy acl number Optional z You can configure to filt...

Page 474: ...ic RP address is the address of an UP interface on the local switch the switch will serve as RP z Static RPs do not take effect until the RP generated by the BSR mechanism takes effect z The PIM protocol need not be enabled on the interface of static RPs z The limit on the range of valid BSRs is to prevent the valid BSRs in the network being replaced maliciously The other BSR information except th...

Page 475: ...he network can be effectively divided into domains using different BSRs 7 4 4 Filtering the Registration Packets from RP to DR Through the registration packet filtering mechanism in PIM SM network you can determine which sources send packets to which groups on RP that is RP can filter the registration packets from DR and receive the specified packets only Table 7 10 Filter the registration packets...

Page 476: ...d When an invalid ACL is defined RP will reject all the registration packets 7 4 5 Configuring the Threshold at Which the Shared Tree is Switched to the SPT In PIM SM Ethernet switches forward multicast packets through the shared tree at the beginning If the threshold is set to 0 the Ethernet switch at the last hop of multicast packets will switch the shared tree to the SPT Table 7 11 Set the thre...

Page 477: ...arse mode Display the information about PIM interfaces display pim interface interface type interface number Display the information about PIM neighbor routers display pim neighbor interface interface type interface number Display BSR information display pim bsr info Display RP information display pim rp info group address You can execute the display command in any view 7 6 PIM Configuration Examp...

Page 478: ...tem view Quidway multicast routing enable Enable IGMP and PIM DM on the interfaces Quidway vlan 10 Quidway vlan10 port GigabitEthernet 1 0 2 to GigabitEthernet 1 0 3 Quidway vlan10 quit Quidway vlan 11 Quidway vlan11 port GigabitEthernet 1 0 4 to GigabitEthernet 1 0 5 Quidway vlan11 quit Quidway vlan 12 Quidway vlan12 port GigabitEthernet 1 0 6 to GigabitEthernet 1 0 7 Quidway vlan12 quit Quidway ...

Page 479: ...lan interface 12 z LS_C is connected to Host B through Vlan interface 10 to LS_B through Vlan interface 11 and to LS_A through Vlan interface 12 Host A is the receiver of the multicast group whose multicast IP address is 225 0 0 1 Host B begins to send data to the destination 225 0 0 1 and LS_A receives the multicast data from Host B through LS_B II Network diagram LSD LSB LSC LSA HostA HostB VLAN...

Page 480: ... 12 Quidway Vlan interface12 pim sm Quidway Vlan interface12 quit 2 Configure LS_B Enable PIM SM Quidway system view Quidway multicast routing enable Quidway vlan 10 Quidway vlan10 port GigabitEthernet 1 0 2 to GigabitEthernet 1 0 3 Quidway vlan10 quit Quidway interface Vlan interface 10 Quidway Vlan interface10 pim sm Quidway Vlan interface10 quit Quidway vlan 11 Quidway vlan11 port GigabitEthern...

Page 481: ... system view Quidway multicast routing enable Quidway vlan 10 Quidway vlan10 port GigabitEthernet 1 0 2 to GigabitEthernet 1 0 3 Quidway vlan10 quit Quidway interface Vlan interface 10 Quidway Vlan interface10 pim sm Quidway Vlan interface10 quit Quidway vlan 11 Quidway vlan11 port GigabitEthernet 1 0 4 to GigabitEthernet 1 0 5 Quidway vlan11 quit Quidway interface Vlan interface 11 Quidway Vlan i...

Page 482: ... the display pim bsr info command to see whether BSR information exists If not you must check whether there are unicast routes to the BSR Then use the display pim rp info command to check whether the RP information is right If RP information does not exist you must check whether there are unicast routes to RP z Use the display pim neighbor command to check whether the neighboring relationship is c...

Page 483: ...ces reside and forward the information to their own members MSDP is designed to address this issue and used to discover multicast sources in other protocol independent multicast sparse mode PIM SM domains MSDP is only valid for the any source multicast ASM model MSDP describes a mechanism of interconnecting multiple PIM SM domains It requires that the inter domain multicast routing protocol must b...

Page 484: ...S through multicast source register messages and then sends source active SA messages periodically to MSDP peers RP nodes in other PIM SM domains An SA message contains the IP address of the multicast source S the multicast group address G the address of the RP that has generated the SA message and the first multicast data received by the RP in the PIM SM1 domain The SA message is forwarded by pee...

Page 485: ...in The candidate RP C RP function is enabled on an interface typically the loopback interface of each of multiple routers in the same PIM SM domain and these interfaces have the same IP address An MSDP peering relationship is formed among these interfaces as shown in Figure 8 2 RP1 RP2 SA MSDP user user S1 S2 user PIM SM SA message MSDP peers user user Figure 8 2 Typical networking of Anycast RP T...

Page 486: ...rce RP2 RP4 RP3 PIM SM 1 PIM SM 2 PIM SM 3 PIM SM 4 user 5 5 DR 1 2 user 3 4 4 4 4 4 5 Flow MSDP peers Figure 8 3 Identifying the multicast source and receiving multicast data The complete interoperation process between a multicast source S in the PIM SM1 domain and receivers in the PIM SM1 and PIM SM4 domains is as follows 1 The multicast source S in the PIM SM1 domain begins to send data packets...

Page 487: ...n the domain Now the last hop router of connected with group members in the PIM SM4 domain selects whether to switch to the SPT II Forwarding messages between MSDP peers and performing RPF check To establish an MSDP peering relationship between routers you have to create routes between routers to for SA messages to travel Assume that three autonomous systems AS exist They are AS1 AS2 and AS3 Each ...

Page 488: ...it to RP6 6 If an SA message comes from an MSDP peer in a different AS and this AS is the next AS of the RP optimal path in the PIM SM domain where the multicast source resides for example when RP4 sends an SA message to RP6 the receiver accepts the SA message and forwards it to other peers 7 The receiver does not accept or forward other SA messages Note S5600 series switches do not support inter ...

Page 489: ...policy keyword are configured when any of the peers receives an SA message it will forward the SA message to other peers z None of the peers use the rp policy keyword Based on the configured sequence only the first static RPF peer whose connection state is UP is active All the SA messages from this peer will be received while the SA messages from other static RPF peers will be discarded Once the a...

Page 490: ... you can use the MSDP mesh mechanism to improve traffic When multiple MSDP peers are fully connected with one another these MSDP peers form a mesh group When an MSDP peer in the mesh group receives SA messages from outside the mesh group it sends them to other members of the group On the other hand a mesh group member does not perform RPF check on SA messages from within the mesh group and does no...

Page 491: ...formation for MSDP Peers You can configure description information for each MSDP peer to manage and memorize the MSDP peers Table 8 3 Configure description information for an MSDP peer Operation Command Description Enter system view system view Enter MSDP view msdp Configure description information for an MSDP peer peer peer address description text Optional The peer address argument is the addres...

Page 492: ...er Required By default the RP address in SA messages is the RP address configured by PIM Note In Anycast RP application C BSR and C RP must be configured on different devices or ports 8 3 4 Configuring an MSDP Mesh Group Configure a mesh group name on all the peers that will become members of the MSDP mesh group so that the peers are fully connected with one another in the mesh group Table 8 5 Con...

Page 493: ...DP peer connection control Operation Command Description Enter system view system view Enter MSDP view msdp Shut down an MSDP peer shutdown peer address Optional Configure retry interval of setting up an MSDP peer connection timer retry seconds Optional The default value is 30 seconds 8 4 Configuring SA Message Transmission An SA message contains the IP address of the multicast source S multicast ...

Page 494: ...asic PIM SM functions z Configuring basic MSDP functions Table 8 7 Configuration tasks Operation Descripti on Related section Configure the transmission and filter of SA request messages Optional Section 8 4 2 Configuring the Transmission and Filtering of SA Request Messages Configure a rule for filtering the multicast source of SA messages Optional Section 8 4 3 Configuring a Rule for Filtering t...

Page 495: ...te upon receipt of an SA message Enable MSDP peers to send SA request messages peer peer address request sa enable Optional By default upon receipt of a Join message the router sends no SA request message to its MSDP peer but waits for the next SA message Configure a rule for filtering the SA messages received by an MSDP peer peer peer address sa request policy acl acl number Optional You can conf...

Page 496: ...You can control the reception of SA messages using the MSDP inbound filter corresponding to the import keyword you can control the forwarding of SA messages by using either the MSDP outbound filter corresponding to the export argument or the TTL threshold By default an MSDP peer receives and forwards all SA messages MSDP inbound outbound filter implements the following functions z Filtering out al...

Page 497: ...tly joins can obtain all active sources directly from the SA cache and join the corresponding SPT source tree instead of waiting for the next SA message You can configure the number of SA entries cached in each MSDP peer on the router by executing the following command but the number must be within the system limit To protect a router against Deny of Service DoS attacks you can manually configure ...

Page 498: ... peer status display msdp peer status peer address Display the S G state learned from MSDP peers display msdp sa cache group address source address autonomous system number Display the number of sources and groups in the MSDP cache display msdp sa count autonomous system number Reset the TCP connection with the specified MSDP peer reset msdp peer peer address Clear the cached SA messages reset msd...

Page 499: ...th of the specified S G RP entries Once the transmission path of SA messages is determined correct configuration can prevent the flooding of SA messages 8 6 MSDP Configuration Example 8 6 1 Configuration Example of Anycast RP Application I Network requirements Each PIM SM network is a single BSR administrative domain with multiple multicast sources S and receivers With Anycast RP configured in eac...

Page 500: ...nterface 101 192 168 3 1 24 Vlan interface 200 10 110 4 1 8 1 1 1 1 8 10 1 1 1 8 MSDP peer 10 110 3 1 8 10 110 2 1 8 10 110 1 1 8 Figure 8 5 Network diagram for Anycast RP configuration III Configuration procedure 1 Configure interface IP addresses and unicast routing protocol on the switches In the PIM SM domain configure the interface IP addresses on the switches and interconnect the switches th...

Page 501: ...nnect interface loopback0 SwitchC msdp quit Configure an MSDP peer on Loopback0 on SwitchD SwitchD msdp SwitchD msdp originating rp loopback0 SwitchD msdp peer 1 1 1 1 connect interface loopback0 SwitchD msdp quit 8 7 Troubleshooting MSDP Configuration 8 7 1 MSDP Peer Always in the Down State I Symptom An MSDP peer is configured but it is always in the down state II Analysis An MSDP peer relations...

Page 502: ...omain to the neighboring MSDP peer via SA messages The acl keyword is optional If you do not use this keyword all S G entries will be filtered out by default that is none of the S G entries in the local multicast domain will be advertised Before the import source command is carried out the system will send all S G entries in the local multicast domain If the MSDP fails to send the S G entries of t...

Page 503: ... 2 802 1x Configuration 1 12 1 3 Basic 802 1x Configuration 1 13 1 3 1 Prerequisites 1 13 1 3 2 Configuring Basic 802 1x Functions 1 13 1 4 Timer and Maximum User Number Configuration 1 15 1 5 Advanced 802 1x Configuration 1 16 1 5 1 Prerequisites 1 16 1 5 2 Configuring Proxy Checking 1 16 1 5 3 Configuring Client Version Checking 1 17 1 5 4 Enabling DHCP triggered Authentication 1 18 1 5 5 Config...

Page 504: ...rver Authentication server system Services pr ovided by authenticator Authenticator PAE Authenticator system Port under control Port not authorized Port not Under control LAN WLAN Supplicant PAE Supplicant system Authentication server Authentication server system Services pr ovided by authenticator Authenticator PAE Authenticator system Controlled port Port not authorized Uncontrolled port LAN WLA...

Page 505: ...tems when they log into the LAN and controls the authorizing state on off of the controlled ports according to the authentication result The supplicant system PAE responds to the authentication requests received from the authenticator system and submits user authentication information to the authenticator system It can also send authentication and disconnection requests to the authenticator system...

Page 506: ...stem PAE Authentication server EAPoL EAP PAP CHAP exchanges carried by RADIUS protocol Supplicant system PAE Authenticator System PAE Authentication server Authentication server EAP PAP CHAP exchanges carried by RADIUS protocol Figure 1 2 The mechanism of an 802 1x authentication system z EAP protocol packets transmitted between the supplicant system and the authenticator system are encapsulated a...

Page 507: ...ket is an EAPoL key packet which carries key information packets 04 Indicates that the packet is an EAPoL encapsulated ASF Alert packet which is used to support the alerting messages of ASF alerting standards forum z The Length field indicates the size of the Packet body field A value of 0 indicates that the Packet Body field does not exist z The Packet body field differs with the Type field Note ...

Page 508: ...ar to PPP CHAP and indicates that the packet includes query information z The Type Date field differs according to different types of Request and Response packets III Newly added fields for EAP authentication Two fields EAP message and Message authenticator are added to a RADIUS protocol packet for EAP authentication Refer to the Introduction to RADIUS protocol section in the AAA RADIUS RADIUS HWT...

Page 509: ...a value of 79 and the Message authenticator field with a value of 80 Four authentication ways EAP MD5 EAP TLS transport layer security EAP TTLS and PEAP protected extensible authentication protocol are available for the EAP relay mode z EAP MD5 authenticates the supplicant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system which in turn ...

Page 510: ... MD5 Challenge EAP Success EAP Response MD5 Challenge RADIUS Access Reque EAP Response Identi RADIUS Access Challen EAP Request MD5 Challe st ty ge nge RADIUS Access Accep EAP Success RADIUS Access Reques EAP Response MD5 Challe t t nge Port authorized Handshake timer time out Handshake requesting packet EAP Request Identity Handshake response packet EAP Response Identity EAPoL Logoff Supplicant s...

Page 511: ...state to allow the supplicant system access the network z The supplicant system can also terminate the authenticated state by sending EAPoL Logoff packets to the switch The switch then changes the port state from accepted to rejected Note In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticat...

Page 512: ...dentity EAP Response Identity EAP Request MD5 Challenge EAP Success EAP Response MD5 Challenge RADIUS Access Reque CHAP Response MD5 Chal st lenge RADIUS Access Acce CHAP Success pt Port accepted Handshake timer time out Handshake request packet EAP Request Identity Handshake reply packet EAP Response Identity EAPOL Logoff Port rejected Figure 1 9 802 1x authentication procedure in EAP terminating...

Page 513: ...od and is triggered after a supplicant system passes the authentication It sets the interval for a switch to send handshake request packets to online users If you set the number of retries to N by using the dot1x retry command an online user is considered offline when the switch does not receive response packets from it in a period N times of the handshake period z Quiet period timer quiet period ...

Page 514: ... or IE proxies By default an 802 1x client program allows use of multiple network adapters a proxy server and an IE proxy server If CAMS is configured to disable use of multiple network adapters proxies or IE proxies it prompts the 802 1x client to disable use of multiple network adapters proxies or IE proxies through messages after the supplicant system passes the authentication Note z The client...

Page 515: ...the Guest VLAN can access the resources of the Guest VLAN without being authenticated But they need to be authenticated before accessing external resources Normally the Guest VLAN function is coupled with the dynamic VLAN delivery function Refer to AAA RADIUS RADIUS HWTACACS EAD Operation Manual for detailed information about dynamic VLAN assignment function 1 2 802 1x Configuration 802 1x provide...

Page 516: ... as a backup In this case the local authentication scheme is adopted when the RADIUS server fails Refer to the AAA RADIUS RADIUS HWTACACS EAD Operation Manual for detailed information about AAA configuration 1 3 Basic 802 1x Configuration To utilize 802 1x features you need to perform basic 802 1x configuration 1 3 1 Prerequisites z Configure ISP domain and its AAA scheme specify the authenticatio...

Page 517: ...l be performed in system view Port access control mode and port access method can also be configured in port view z If you perform a configuration in system view and do not specify the interface list argument the configuration applies to all ports Configurations performed in Ethernet port view apply to the current Ethernet port only and the interface list argument is not needed in this case z 802 ...

Page 518: ...o send request packets dot1x retry max retry value Optional By default the maximum retry times to send a request packet is 2 That is the authenticator system sends a request packet to a supplicant system for up to two times by default Configure 802 1x timers dot1x timer handshake period handshake period value quiet period quiet period value tx period tx period value supp timeout supp timeout value...

Page 519: ...iguration 1 5 1 Prerequisites Configuration of basic 802 1x 1 5 2 Configuring Proxy Checking This function needs the support of 802 1x client program and CAMS as listed below z The 802 1x clients must be able to check whether multiple network cards proxy servers or IE proxy servers are used on the user devices z On CAMS enable the function that forbids clients from using multiple network cards a p...

Page 520: ... 1 5 3 Configuring Client Version Checking Table 1 4 Configure client version checking Operation Command Description Enter system view system view Enable 802 1x client version checking dot1x version check interface interface list Required By default 802 1x client version checking is disabled on a port Configure the maximum number of retires to send version checking request packets dot1x retry vers...

Page 521: ...5 Configuring Guest VLAN Table 1 6 Configure Guest VLAN Operation Command Description Enter system view system view Configure port access method dot1x port method macbased portbased Optional The default port access method is MAC address based That is the macbased keyword is used by default Enable the Guest VLAN function dot1x guest vlan vlan id interface interface list Required By default the Gues...

Page 522: ... by force if the RADIUS server fails The name of an authenticated supplicant system is not suffixed with the domain name A connection is terminated if the total size of the data passes through it during a period of 20 minutes is less than 2 000 bytes All connected clients belong to the same default domain aabbcc net which accommodates up to 30 clients Authentication is performed either on the RADI...

Page 523: ...ounting RADIUS Configure the waiting period for the switch to resend packets to the RADIUS server to be 5 seconds that is if after 5 seconds the RADIUS still has not sent any responses back the switch will resend packets Configure the number of times that a switch resends packets to the RADIUS server to be 5 Configure the switch to send real time counting packets to the RADIUS server every 15 minu...

Page 524: ... view Quidway radius scheme radius1 Assign IP addresses to the primary authentication and accounting RADIUS servers Quidway radius radius1 primary authentication 10 11 1 1 Quidway radius radius1 primary accounting 10 11 1 2 Assign IP addresses to the secondary authentication and accounting RADIUS server Quidway radius radius1 secondary authentication 10 11 1 2 Quidway radius radius1 secondary acco...

Page 525: ... the RADIUS scheme of the user domain If RADIUS server is invalid specify to adopt local authentication scheme Quidway isp aabbcc net scheme radius scheme radius1 local Specify the maximum number of users the user domain can accommodate to 30 Quidway isp aabbcc net access limit enable 30 Enable the idle disconnecting function and set the related parameters Quidway isp aabbcc net idle cut enable 20...

Page 526: ... switch to a given port This allows HABP packets to bypass 802 1x authentication and to be forwarded between HABP enabled switches Therefore the management devices can get the MAC addresses of their attached switches to manage them effectively HABP is implemented by HABP server and HABP client Normally an HABP server sends HABP request packets regularly to HABP clients to collect the MAC addresses...

Page 527: ...ation HABP clients reside on switches attached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Table 2 2 Configure an HABP client Operation Command Description Enter system view system view Enable HABP habp enable Optional HABP is enabled by default And a switch operates as an ...

Page 528: ...nual 802 1x Quidway S5600 Series Ethernet Switches Release 1510 Chapter 2 HABP Configuration Huawei Technologies Proprietary 2 3 Operation Command Description Display statistics on HABP traffic display habp traffic ...

Page 529: ...ervers 1 23 1 4 3 Configuring RADIUS Accounting Servers 1 24 1 4 4 Configuring Shared Keys for RADIUS Packets 1 26 1 4 5 Configuring the Maximum Number of Transmission Attempts of RADIUS Requests 1 27 1 4 6 Configuring the Supported RADIUS Server Type 1 28 1 4 7 Configuring the Status of RADIUS Servers 1 28 1 4 8 Configuring the Attributes for Data to be Sent to RADIUS Servers 1 29 1 4 9 Configuri...

Page 530: ...RADIUS Authentication of Telnet SSH Users 1 42 1 7 2 Local Authentication of FTP Telnet Users 1 44 1 7 3 TACACS Authentication Authorization of Telnet Users 1 45 1 8 Troubleshooting AAA RADIUS HWTACACS Configuration 1 46 1 8 1 Troubleshooting the RADIUS Protocol 1 46 1 8 2 Troubleshooting the HWTACACS Protocol 1 47 Chapter 2 EAD Configuration 2 1 2 1 Introduction to EAD 2 1 2 2 Typical Network App...

Page 531: ...on Users are trusted and are not authenticated Generally this method is not recommended z Local authentication User information including user name password and attributes is configured on this device Local authentication is fast and requires lower operational cost But the information storage capacity is limited by device hardware z Remote authentication Users are authenticated remotely through th...

Page 532: ...er name for authentication and isp name as the domain name In a multi ISP environment the users connected to the same access device may belong to different domains Since the users of different ISPs may have different attributes such as different compositions of user name and password different service types rights it is necessary to distinguish the users by setting ISP domains You can configure a ...

Page 533: ...ing three databases as shown in Figure 1 1 z Users This database stores information about users such as user name password adopted protocol and IP address z Clients This database stores the information about RADIUS clients such as shared keys z Dictionary This database stores the information used to interpret the attributes and attribute values of the RADIUS protocol RADIUS server Users Clients Di...

Page 534: ...e 7 Accounting Request stop 8 Accounting Response 9 Inform the user the access is ended 6 The user starts to access the resources Figure 1 2 Basic message exchange procedure of RADIUS The basic message exchange procedure of RADIUS is as follows 1 The user enters the user name and password 2 The RADIUS client receives the user name and password and then sends an authentication request Access Reques...

Page 535: ... the server to determine if the user can access the network This packet carries user information It must contain the User Name attribute and may contain the following attributes NAS IP Address User Password and NAS Port 2 Access Accept Direction server client The server transmits this packet to the client if all the attribute values carried in the Access Request packet are acceptable that is the u...

Page 536: ... is used to verify the packet returned from the RADIUS server it is also used in the password hiding algorithm There are two kinds of authenticators Request and Response 5 The Attribute field contains special authentication authorization and accounting information to provide the configuration details of a request or response packet This field is represented by a field triplet Type Length and Value...

Page 537: ...umber 60 CHAP Challenge 20 Callback ID 61 NAS Port Type 21 unassigned 62 Port Limit 22 Framed Route 63 Login LAT Port The RADIUS protocol takes good scalability Attribute 26 Vender Specific defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS Figure 1 4 depicts the structure of attribute 26 The Vendor ID field representing ...

Page 538: ...CS and RADIUS protocols Table 1 3 Comparison between HWTACACS and RADIUS HWTACACS RADIUS Adopts TCP providing more reliable network transmission Adopts UDP Encrypts the entire packet except the HWTACACS header Encrypts only the password field in authentication packets Separates authentication from authorization For example you can provide authentication and authorization on different TACACS server...

Page 539: ...e user name User enters the user name Authentication continuance packet carrying the user name Authentication response packet requesting for the password Request User for the password User enters the password Authentication continuance packet carrying the password Authentication success packet Authorization request packet Authorization success packet User is permitted Accounting start request pack...

Page 540: ...e TACACS server 6 The TACACS server sends back an authentication response indicating that the user has passed the authentication 7 The TACACS client sends the user authorization request packet to the TACACS server 8 The TACACS server sends back the authorization response indicating that the user has passed the authorization 9 Upon receipt of the response indicating an authorization success the TAC...

Page 541: ... refer to section 1 3 6 Configuring the Attributes of a Local User If RADIUS authenticati on is adopted refer to section 1 4 RADIUS Configuratio n Section 1 3 4 Configuring an AAA Scheme for an ISP Domain Configure dynamic VLAN assignment Optional Section 1 3 5 Configuring Dynamic VLAN Assignment Configure the attributes of a local user Optional Section 1 3 6 Configuring the Attributes of a Local ...

Page 542: ...requests Optional Section 1 4 5 Configuring the Maximum Number of Transmission Attempts of RADIUS Requests Configure the supported RADIUS server type Optional Section 1 4 6 Configuring the Supported RADIUS Server Type Configure the status of RADIUS servers Optional Section 1 4 7 Configuring the Status of RADIUS Servers Configure the attributes for data to be sent to RADIUS servers Optional Section...

Page 543: ...figuring HWTACACS Authorization Servers Configure HWTACACS accounting servers Optional Section 1 5 4 Configuring HWTACACS Accounting Servers Configure shared keys for RADIUS packets Optional Section 1 5 5 Configuring Shared Keys for RADIUS Packets Configure the attributes for data to be sent to TACACS servers Optional Section 1 5 6 Configuring the Attributes for Data to be Sent to TACACS Servers H...

Page 544: ...refer to section 1 5 HWTACACS Configuration 1 3 2 Creating an ISP Domain Table 1 5 Create an ISP domain Operation Command Description Enter system view system view Create an ISP domain and enter its view enter the view of an existing ISP domain or configure the default ISP domain domain isp name default disable enable isp name Required The default ISP domain is system 1 3 3 Configuring the Attribu...

Page 545: ... default the messenger function is disabled Set the self service server location function self service url disable enable url string Optional By default the self service server location function is disabled Caution z On an S5600 series switch each access user belongs to an ISP domain You can configure up to 16 ISP domains on the switch When a user logs in if no ISP domain name is carried in the us...

Page 546: ...AA scheme If you specify a RADIUS or HWTACACS scheme the authentication authorization and accounting will be uniformly implemented by the RADIUS server or TACACS server specified in the RADIUS or HWTACACS scheme In this way you cannot specify different schemes for authentication authorization and accounting respectively Table 1 7 Configure a bound AAA scheme Operation Command Description Enter sys...

Page 547: ... secondary scheme in case the TACACS server does not respond normally That is if the communication between the switch and the TACACS server is normal no local authentication is performed otherwise local authentication is performed z If you adopt local or none as the primary scheme the local authentication is performed or no authentication is performed In this case you cannot perform RADIUS authent...

Page 548: ...eme radius scheme name hwtacacs scheme hwtacacs scheme name Optional By default no separate accounting scheme is configured Note z If a bound AAA scheme is configured as well as the separate authentication authorization and accounting schemes the separate ones will be adopted in precedence z RADIUS scheme and local scheme do not support the separation of authentication and authorization Therefore ...

Page 549: ...ing If the RADIUS server assigns string type of VLAN IDs you can set the VLAN assignment mode to string on the switch Then upon receiving a string ID assigned by the RADIUS authentication server the switch compares the ID with existing VLAN names on the switch If it finds a match it adds the port to the corresponding VLAN Otherwise the VLAN assignment fails and the user cannot pass the authenticat...

Page 550: ...igure the relevant attributes The local users are users set on the switch with each user uniquely identified by a user name To make a user who is requesting network service pass through the local authentication you should add an entry in the local user database on the switch for the user Table 1 10 Configure the attributes of a local user Operation Command Description Enter system view system view...

Page 551: ...parameter the following ip address is 127 0 0 1 by default representing this device If the user is bound to a local port you do not need to specify the nas ip parameter Caution z The character string of user name cannot contain and Moreover can be used no more than once z After the local user password display mode cipher force command is executed all passwords will be displayed in cipher mode even...

Page 552: ...rformed on a RADIUS scheme basis In an actual network environment you can either use a single RADIUS server or two RADIUS servers primary and secondary servers with the same configuration but different IP addresses in a RADIUS scheme After creating a new RADIUS scheme you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme These RADIUS servers f...

Page 553: ...S scheme basis You should first create a RADIUS scheme and enter its view before performing other RADIUS protocol configurations Table 1 12 Create a RADIUS scheme Operation Command Description Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Caution A RADI...

Page 554: ...uthorization information Therefore no separate authorization server can be specified z In an actual network environment you can either specify two RADIUS servers as the primary and secondary authentication authorization servers respectively or specify only one server as both the primary and secondary authentication authorization servers z The IP address and port number of the primary authenticatio...

Page 555: ...ver are 0 0 0 0 and 1813 Enable stop accounting packet buffering stop accounting buffer enable Optional By default stop accounting packet buffering is enabled Set the maximum number of transmission attempts of the buffered stop accounting packets retry stop accounting retry times Optional By default the system tries at most 500 times to transmit a buffered stop accounting request Set the maximum n...

Page 556: ...DIUS accounting server until it gets a response or the maximum number of transmission attempts is reached in this case it discards the request z You can set the maximum number of real time accounting request attempts in the case that the accounting fails If the switch makes all the allowed real time accounting request attempts but fails to perform accounting it cuts down the connection of the user...

Page 557: ...ys on the two servers are also different 1 4 5 Configuring the Maximum Number of Transmission Attempts of RADIUS Requests The communication in RADIUS is unreliable because this protocol adopts UDP packets to carry data Therefore it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires If the maximum number ...

Page 558: ...vers in a RADIUS scheme When the switch fails to communicate with the primary server due to some server trouble the switch will actively exchange packets with the secondary server After the time the primary server keeps in the block state exceeds the time set with the timer quiet command the switch will try to communicate with the primary server again when it receives a RADIUS request If the prima...

Page 559: ...state while the secondary servers are in the block state 1 4 8 Configuring the Attributes for Data to be Sent to RADIUS Servers Table 1 19 Configure the attributes for data to be sent to the RADIUS servers Operation Command Description Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has alread...

Page 560: ...or this reason the user name format command is designed for you to specify whether or not ISP domain names are carried in the user names sent to the RADIUS server z For a RADIUS scheme if you have specified that no ISP domain names are carried in the user names you should not adopt this RADIUS scheme in more than one ISP domain Otherwise such errors may occur the RADIUS server regards two differen...

Page 561: ...ser can obtain the RADIUS service This wait time is called response timeout time of RADIUS servers and the timer in the switch system that is used to control this wait time is called the response timeout timer of RADIUS servers For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails to communicate with the primary se...

Page 562: ...te Set the real time accounting interval timer realtime accounting minutes Optional By default the real time accounting interval is 12 minutes 1 4 11 Configuring Whether or not to Send Trap Message When RADIUS Server is Down Table 1 22 Configure whether or not to send trap message when RADIUS server is down Operation Command Description Enter system view system view Enable the sending of trap mess...

Page 563: ...AS IP address source IP address and session ID 2 The switch sends the Accounting On packet to CAMS at regular intervals 3 Once the CAMS receives the Accounting On packet it sends a response to the switch At the same time it finds and deletes the original online information of the users who access the network through the switch before the restart according to the information contained in this packe...

Page 564: ...ccounting On packets consecutively at intervals of three seconds 1 5 HWTACACS Configuration 1 5 1 Creating a HWTACAS Scheme HWTACACS protocol is configured scheme by scheme Therefore you must create a HWTACACS scheme and enter HWTACACS view before you perform other configuration tasks Table 1 24 Create a HWTACACS scheme Operation Command Description Enter system view system view Create a HWTACACS ...

Page 565: ...hentication server is 0 0 0 0 and the port number is 0 Set the IP address and port number of the secondary TACACS authentication server secondary authentication ip address port Required By default the IP address of the secondary authentication server is 0 0 0 0 and the port number is 0 Caution z The primary and secondary authentication servers cannot use the same IP address Otherwise the system wi...

Page 566: ...zation server is 0 0 0 0 and the port number is 0 Caution z The primary and secondary authorization servers cannot use the same IP address Otherwise the system will prompt unsuccessful configuration z You can remove a server only when it is not used by any active TCP connection for sending authorization packets 1 5 4 Configuring HWTACACS Accounting Servers Table 1 27 Configure HWTACACS accounting ...

Page 567: ...g servers cannot use the same IP address Otherwise the system will prompt unsuccessful configuration z You can remove a server only when it is not used by any active TCP connection for sending accounting packets 1 5 5 Configuring Shared Keys for RADIUS Packets When using a TACACS server as an AAA server you can set a key to improve the communication security between the router and the TACACS serve...

Page 568: ...acs scheme hwtacacs scheme name Required By default no HWTACACS scheme exists Set the format of the user names to be sent to TACACS servers user name format with domain without domain Optional By default the user names sent from the switch to TACACS servers carry ISP domain names data flow format data byte giga byte kilo byte ega byte m Set the units of measure for data flows sent to TACACS server...

Page 569: ...mers of TACACS Servers Table 1 30 Configure the timers of TACACS servers Operation Command Description Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By default no HWTACACS scheme exists Set the response timeout time of TACACS servers timer response timeout seconds Optional By default the response timeout time is five seconds...

Page 570: ...interval requires higher device performance 1 6 Displaying and Maintaining AAA RADIUS HWTACACS Information After the above configurations you can execute the display commands in any view to view the operation of AAA RADIUS and HWTACACS and verify your configuration You can use the reset command in user view to clear the corresponding statistics Table 1 31 Display AAA information Operation Command ...

Page 571: ...erver statistics Display the configuration information about one specific or all RADIUS schemes display radius scheme radius scheme name Display the statistics about RADIUS packets display radius statistics Display the buffered no response stop accounting request packets display stop accounting buffer radius scheme radius scheme name session id session id time range start time stop time user name ...

Page 572: ...atistics about the TACACS protocol reset hwtacacs statistics accounting authentication authorization all Delete the buffered stop accounting request packets that are not responded to reset stop accounting buffer hwtacacs scheme hwtacacs scheme name session id session id time range start time stop time user name user name You can execute the reset command in user view 1 7 AAA RADIUS HWTACACS Config...

Page 573: ... the format of userid isp name if you have configure the switch to include domain names in the user names to be sent to the RADIUS server II Network diagram Authentication Server IP address 10 110 91 164 Internet Sw itch Telnet user Internet Authentication Server IP address 10 110 91 164 Internet Sw itch Authentication server IP address 10 110 91 164 Internet Sw itch Telnet user Internet Authentic...

Page 574: ...r logging into the switch by a name in the format of userid cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain 1 7 2 Local Authentication of FTP Telnet Users Note The configuration procedure for the local authentication of FTP users is similar to that of Telnet users The following description only takes the local authentication of Telnet use...

Page 575: ... method described in section 1 7 1 You only need to change the server IP address the authentication password and the UDP port number for authentication service in configuration step Configure a RADIUS scheme in section 1 7 1 to 127 0 0 1 huawei and 1645 respectively and configure local users whether the name of local user carries domain name should be consistent with the configuration in RADIUS sc...

Page 576: ...y hwtacacs scheme hwtac Quidway hwtacacs hwtac primary authentication 10 110 91 164 49 Quidway hwtacacs hwtac primary authorization 10 110 91 164 49 Quidway hwtacacs hwtac key authentication expert Quidway hwtacacs hwtac key authorization expert Quidway hwtacacs hwtac user name format without domain Quidway hwtacacs hwtac quit Configure the domain name of the HWTACACS scheme to hwtac Quidway domai...

Page 577: ...ly Symptom 2 RADIUS packets cannot be sent to the RADIUS server Possible reasons and solutions z The communication links physical link layer between the switch and the RADIUS server is disconnected blocked Take measures to make the links connected unblocked z None or incorrect RADIUS server IP address is set on the switch Be sure to set a correct RADIUS server IP address z One or all AAA UDP port ...

Page 578: ...ines the validity of packets it receives according to the source IP address of the packets z Only those packets sent from the authentication server and the security policy server can be regarded as valid z The switch dynamically adjusts the VLAN rate packet scheduling priority and the access control list ACL on the user terminal according to the session control packet thus to control user access r...

Page 579: ...ants the client more access rights Note The system does not support the scenario that the security policy server issues QoS Profile and isolation ACL at the same time 2 3 EAD Configuration The EAD configuration includes the following z Configuring the attributes such as the user name user type and password for access users If local authentication is performed you need to configure these attributes...

Page 580: ...e I Network requirements In Figure 2 2 z A user is connected to GigabitEthernet1 0 1 of the switch z The user adopts 802 1X client supporting EAD extended function z By configuring the switch user remote authentication is implemented through RADIUS server and EAD control is achieved through security policy server The following are the configuration tasks z Connect the authentication server RADIUS ...

Page 581: ...the switch Refer to the 802 1X module in Quidway S5600 Series Ethernet Switches Operation Manual for detailed description Configure domain Quidway system view Quidway domain system Quidway isp system quit Configure RADIUS scheme Quidway radius scheme cams Quidway radius cams primary authentication 10 110 91 164 1812 Quidway radius cams key authentication expert Quidway radius cams accounting optio...

Page 582: ...Configuring a Virtual Router IP address 1 7 1 2 3 Configuring Backup Group Related Parameters 1 8 1 2 4 Configuring the Port Tracking Function 1 8 1 2 5 Configuring the Auto Detect Function for VRRP 1 9 1 3 Displaying and Maintaining VRRP 1 10 1 4 VRRP Configuration Example 1 10 1 4 1 Single VRRP Backup Group Configuration 1 10 1 4 2 VRRP Tracking Interface Configuration 1 12 1 4 3 Multiple VRRP B...

Page 583: ...twork segments and sourced from these hosts go through the default routes to the Layer 3 Switch implementing communication between these hosts and the external network z If Switch fails all the hosts on this segment taking Switch as the next hop through the default routes are cut off from the external network Ethernet Sw itch Host 1 H ost 2 Host 3 10 100 10 7 1 0 100 10 8 10 100 10 9 10 1 00 10 1 ...

Page 584: ...witch z Hosts on the LAN only know the IP address of this virtual router that is 10 100 10 1 but not the specific IP addresses 10 100 10 2 of the master switch and 10 100 10 3 of the backup switch z Hosts in the LAN use the IP address of the virtual router that is 10 100 10 1 as their default next hop IP addresses If the master switch in the backup group goes down the backup switch with the highes...

Page 585: ...sed by the backup group If the IP address of a host is also used by the virtual router all packets destined for the network segment will be forwarded to the host In this case data in this network segment cannot be forwarded properly Before enabling VRRP feature on an S5600 series switch you can enable the switches in a backup group to respond the ping operations destined for the virtual router IP ...

Page 586: ...o be tracked for a backup group I Switch priority in a backup group You can configure the priority of a switch in a backup group VRRP will determine the status of each switch in a backup group according to the priority of the switch The master switch in a backup group is the one currently with the highest priority Switch priority ranges from 0 to 255 a larger number indicates a higher switch prior...

Page 587: ...th the locally configured one If they are the same the packet will be taken as a true and legal one Otherwise it will be regarded as an illegal packet and be discarded In this case a simple authentication key should not exceed eight characters In a vulnerable network the authentication type can be set to md5 The switch then uses the authentication type provided by the Authentication Header and MD5...

Page 588: ...rities higher than that of the current master switch exist in the backup group a new master switch will be then determined VI Introduction to the Port Tracking Function VRRP backup group port tracking function can track the link state of the physical port and decrease the priority of the switch when the physical port fails When the master s uplink physical port fails the priority of the master swi...

Page 589: ...pose you have correctly configured the relation between the port and VLAN Table 1 3 Configure a virtual router IP address Operation Command Description Enter system view system view Configure that the virtual IP address can be pinged vrrp ping enable Optional By default the virtual IP address cannot be pinged Map the virtual router IP address to a MAC address vrrp method real mac virtual mac Optio...

Page 590: ...mode and delay period for the backup group vrrp vrid virtual router id preempt mode timer delay delay value Optional By default a backup group operates in the preemptive mode Configure the authentication type and authentication key vrrp authentication mode authentication type authentication key Optional By default a backup group does not authenticate Configure the VRRP timer vrrp vrid virtual rout...

Page 591: ...ber Enable the port tracking function vrrp vlan interface vlan id vrid virtual router id track reduced value reduced Required By default the value by which the priority of an Ethernet port is decreased is 10 Note The port to be tracked can be in the VLAN which the VLAN interface of the backup group belongs to 1 2 5 Configuring the Auto Detect Function for VRRP Note You need to create the detecting...

Page 592: ...VRRP statistics Table 1 7 Display and Maintain VRRP Operation Command Description Display VRRP state information and statistics information display vrrp interface Vlan interface vlan id statistics Vlan interface vlan id virtual router id This command can be executed in any view Clear VRRP statistics reset vrrp statistics vlan interface vlan id virtual router id Execute this command in user view 1 ...

Page 593: ...3 Vlan interface2 202 38 160 1 Internet Vlan interface2 202 38 160 2 Host B Virtual IP address 202 38 160 111 LSW A Host A 202 38 160 3 Vlan interface2 202 38 160 1 Internet LSW B Vlan interface2 202 38 160 2 Host B Virtual IP address 202 38 160 111 Host A 202 38 160 3 Vlan interface2 202 38 160 1 Internet Vlan interface2 202 38 160 2 Host B Figure 1 3 Network diagram for single VRRP backup group ...

Page 594: ...2 quit Enable a backup group to respond to ping operations destined for its virtual router IP address LSW B vrrp ping enable Create a backup group LSW B interface vlan 2 LSW B Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Configure the preemptive mode for the backup group LSW B Vlan interface2 vrrp vrid 1 preempt mode The IP address of the default gateway of Host A can be configured to be ...

Page 595: ...net LSW B Vlan interface2 202 38 160 2 Host B Virtual IP address 202 38 160 111 Host A 202 38 160 3 Vlan interface2 202 38 160 1 Internet Vlan interface2 202 38 160 2 Host B Virtual IP address 202 38 160 111 LSW A Host A 202 38 160 3 Vlan interface2 202 38 160 1 Internet LSW B Vlan interface2 202 38 160 2 Host B Virtual IP address 202 38 160 111 Host A 202 38 160 3 Vlan interface2 202 38 160 1 Int...

Page 596: ...r View with Ctrl Z LSW B vlan 2 LSW B vlan2 port GigabitEthernet 1 0 5 LSW B vlan2 quit LSW B interface Vlan interface 2 LSW B Vlan interface2 ip address 202 38 160 2 255 255 255 0 LSW B Vlan interface2 quit Configure that the virtual router can be pinged LSW B vrrp ping enable Create a backup group LSW B interface Vlan interface 2 LSW B Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set th...

Page 597: ... mutual backup are implemented II Network diagram Bac kup goup 1 Virtual IP address 202 38 160 111 Switch_A Host A 202 38 160 3 Vlan interface2 202 38 160 1 Internet Switch_B Vlan interface2 202 38 160 2 Vlan interface3 10 100 10 2 Host B 10 2 3 1 Backup goup 2 Virtual IP address 202 38 160 112 Bac kup goup 1 Virtual IP address 202 38 160 111 Switch_A Host A 202 38 160 3 Vlan interface2 202 38 160...

Page 598: ...255 255 255 0 Create backup group 1 LSW B Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Create backup group 2 LSW B Vlan interface2 vrrp vrid 2 virtual ip 202 38 160 112 Set Switch A s priority in backup group 2 LSW B Vlan interface2 vrrp vrid 2 priority 110 Note Normally multiple backup groups are used in actual use 1 4 4 Port Tracking Configuration Example I Network requirements z Backup...

Page 599: ...n interface2 202 38 160 1 Internet Vlan interface2 202 38 160 2 Host B Vlan interface3 10 100 10 2 10 2 3 1 Virtual IP addr ess 202 38 160 111 LSW A Host A 202 38 160 3 Vlan interface2 202 38 160 1 Internet LSW B Vlan interface2 202 38 160 2 Host B Virtual IP addr ess 202 38 160 111 Host A 202 38 160 3 Vlan interface2 202 38 160 1 Internet Vlan interface2 202 38 160 2 Host B Vlan interface3 10 100...

Page 600: ...2 Switch A Switch B Switch C Switch D VLAN 1 20 1 1 4 24 VLAN 1 VLAN 1 VLAN 1 192 168 1 2 20 1 1 2 10 1 1 3 10 1 1 4 Switch C 192 168 1 1 24 192 168 1 2 24 192 168 1 3 24 20 1 1 3 24 10 1 1 3 24 Ethernet 1 0 1 10 1 1 4 24 Switch A Switch B Switch C Switch D VLAN 1 20 1 1 4 24 VLAN 1 VLAN 1 VLAN 1 192 168 1 2 20 1 1 2 10 1 1 3 10 1 1 4 Switch C 192 168 1 1 24 192 168 1 2 24 192 168 1 3 24 20 1 1 3 ...

Page 601: ... errors on the console This indicates that incorrect VRRP packets are received It may be because of the inconsistent configuration of the switches within the backup group or the attempt of other devices sending out illegal VRRP packets The first possible fault can be solved through modifying the configuration And as the second possibility is caused by the malicious attempt of some devices non tech...

Page 602: ...er 1 VRRP Configuration Huawei Technologies Proprietary 1 20 III Symptom 3 VRRP state of a switch changes repeatedly Such problems occur when the backup group timer duration is too short They can be solved through prolonging the duration or configuring the preemption delay period ...

Page 603: ...onfiguration 1 2 1 2 1 Configuration Overview 1 2 1 2 2 Enabling Centralized MAC Address Authentication Globally 1 2 1 2 3 Enabling Centralized MAC Address Authentication for a Port 1 3 1 2 4 Configuring Centralized MAC Address Authentication Mode 1 4 1 2 5 Configuring the ISP Domain for MAC Address Authentication Users 1 4 1 2 6 Configuring the Timers Used in Centralized MAC Address Authenticatio...

Page 604: ...ication can be performed locally or on a RADIUS server 1 When a RADIUS server is used for authentication the switch serves as a RADIUS client Authentication is carried out through the cooperation of switches and the RADIUS server z In MAC address mode a switch sends user MAC addresses detected to the RADIUS server as both user names and passwords The rest handling procedures are the same as that o...

Page 605: ...ntralized MAC Address Authentication for a Port Required 1 2 3 Enabling Centralized MAC Address Authentication for a Port Configuring Centralized MAC Address Authentication Mode Optional 1 2 4 Configuring Centralized MAC Address Authentication Mode Configuring the ISP Domain for MAC Address Authentication Users Optional 1 2 5 Configuring the ISP Domain for MAC Address Authentication Users Configur...

Page 606: ...Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable centralized MAC address authentication for the current port mac authentication Required By default centralized MAC address authentication is disabled on a port Caution The configuration of the maximum number of learned MAC addresses refer to the m...

Page 607: ...ation authmode usernamefixed Optional Set a user name for fixed mode mac authentication authusername username Required for fixed mode By default the user name is mac and no password is needed Set the password for fixed mode mac authentication authpassword password Optional 1 2 5 Configuring the ISP Domain for MAC Address Authentication Users Table 1 6 lists the operations to configure the ISP doma...

Page 608: ...timers used in centralized MAC address authentication Table 1 7 Configure the timers used in centralized MAC address authentication Operation Command Description Enter system view system view Configure a timer used in centralized MAC address authentication mac authentication timer offline detect offline detect value quiet quiet value server timeout server timeout value Optional The default setting...

Page 609: ...cated by RADIUS server need to be configured as both user name and password on the RADIUS server The following section describes how to enable centralized MAC address authentication globally and for a port and how to configure a local user For other related configuration refer to the configuration examples in 802 1x Configuration Enable centralized MAC address authentication for GigabitEthernet 1 ...

Page 610: ... Address Authentication Configuration Huawei Technologies Proprietary 1 7 Quidway mac authentication Configure the domain name for centralized MAC address authentication users as aabbcc163 net Quidway mac authentication domain aabbcc163 net For domain related configuration refer to the 802 1x Configuration Example part of this manual ...

Page 611: ...1 3 1 1 5 Introduction to Gratuitous ARP 1 5 1 2 ARP Configuration 1 6 1 2 2 Adding a Static ARP Mapping Entry Manually 1 6 1 2 3 Configuring the ARP Aging Timer for Dynamic ARP Entries 1 7 1 2 4 Enabling the ARP Entry Checking Function 1 7 1 2 5 Configuring the Gratuitous ARP Packet Learning Function 1 8 1 3 Displaying and Debugging ARP 1 8 Chapter 2 Resilient ARP Configuration 2 1 2 1 Introducti...

Page 612: ...ed as ARP request packets and ARP reply packets Figure 1 1 illustrates the structure of these two types of ARP packets z As for an ARP request packet all the fields except the hardware address of the receiver field are set The hardware address of the receiver is what the sender request for z As for an ARP reply packets all the fields are set IP address of the receiver Hardware address of the recei...

Page 613: ...ddress of the sender IP address of the sender Hardware address of the receiver z For an ARP request packet this field is null z For an ARP reply packet this field carries the hardware address of the receiver IP address of the receiver IP address of the receiver Table 1 2 Description on the values of the hardware type field Value Description 1 Ethernet 2 Experimental Ethernet 3 X 25 4 Proteon ProNE...

Page 614: ...ription IF index Index of the physical interface port on the device owning the physical address and IP address contained in the entry Physical address Physical address of the device that is the MAC address IP address IP address of the device Type Entry type which can be z 1 An entry falling out of the following three cases z 2 Invalid entry z 3 Dynamic entry z 4 Static entry 1 1 4 ARP Implementati...

Page 615: ...e Ethernet As mentioned earlier the ARP request packet contains the IP address of Host B the IP address of Host A and the MAC address of Host A Since the ARP request packet is broadcasted all hosts on the network segment can receive it However only the requested host namely Host B processes the request z Host B saves the IP address and the MAC address carried in the request packet that is the IP a...

Page 616: ...dresses carried in a gratuitous ARP packet are the local addresses and the source MAC address carried in it is the local MAC addresses z If a device finds that the IP addresses carried in a received gratuitous packet conflict with those of its own it returns an ARP response to the sending device to notify of the IP address conflict By sending gratuitous ARP packets a network device can z Determine...

Page 617: ...P entries in an S5600 series Ethernet switch can either be static entries or dynamic entries as described in Table 1 4 Table 1 4 ARP entries ARP entry Generation Method Maintenance Mode Static ARP entry Manually configured Manual maintenance Dynamic ARP entry Dynamically generated ARP entries of this type age with time The aging period is set by the ARP aging timer 1 2 2 Adding a Static ARP Mappin...

Page 618: ...Dynamic ARP Entries The ARP aging timer applies to all dynamic ARP mapping entries Table 1 6 Configure the ARP aging timer for dynamic ARP entries Operation Command Description Enter system view system view Configure the ARP aging timer arp timer aging aging time Optional By default the ARP aging timer is set to 20 minutes 1 2 4 Enabling the ARP Entry Checking Function When multiple hosts share on...

Page 619: ...P packet sending function is always enabled There is no command to control it 1 3 Displaying and Debugging ARP After the above configuration you can execute the display command in any view to display the running of the ARP configuration and to verify the effect of the configuration You can execute the reset command in user view to clear ARP mapping entries Table 1 9 Display and debug ARP Operation...

Page 620: ...RP Configuration Huawei Technologies Proprietary 1 9 Operation Command Description Display the setting of the ARP aging timer display arp timer aging Clear specific ARP mapping entries reset arp dynamic static interface interface type interface number Execute this command in user view ...

Page 621: ...Master L3slave L2Master and L2slave L3Master sends Resilient ARP packets periodically to notify other fabrics that the local fabric is in the Layer 3 state Resilient ARP implements the system state switching by sending receiving Resilient ARP packets periodically so as to determine a device to work as a Layer 3 device or a Layer 2 device 2 2 Resilient ARP Configuration Resilient ARP configuration ...

Page 622: ...n status and verify the configuration effect through the displayed information Table 2 2 Display and Maintain Resilient ARP Operation Command Description Display information about the Resilient ARP state display resilient arp unit unit id The display command can be executed in any view 2 4 Resilient ARP Configuration Example I Network requirements There are four units in an IRF network unit 1 to u...

Page 623: ...it3 Unit 4 IRF Switch Unit 2 Unit 1 Unit3 Unit 4 Switch Unit 2 Unit 1 Unit3 Unit 4 IRF Switch Unit 2 Unit 1 Unit3 Unit 4 Switch Figure 2 1 Network diagram for Resilient ARP III Configuration procedure Enable Resilient ARP function Quidway resilient arp enable Configure the Resilient ARP packets to be sent through the VLAN 2 interface Quidway resilient arp interface Vlan interface 2 ...

Page 624: ...al Address Pool Mode on Interface s 2 5 2 2 4 Configuring How to Assign IP Addresses in a Global Address Pool 2 6 2 2 5 Configuring DNS Services for the DHCP Server 2 9 2 2 6 Configuring NetBIOS Services for the DHCP Server 2 10 2 2 7 Customizing DHCP Service 2 11 2 2 8 Configuring Gateway Addresses for DHCP Clients 2 12 2 2 9 Configuring Connection Between a DHCP Global Address Pool and a BIMS Se...

Page 625: ...DHCP Relay Configuration 3 1 3 1 Introduction to DHCP Relay 3 1 3 1 1 Usage of DHCP Relay 3 1 3 1 2 DHCP Relay Fundamentals 3 1 3 1 3 Option 82 Supporting 3 2 3 2 DHCP Relay Configuration 3 4 3 2 1 DHCP Relay Configuration Tasks 3 4 3 2 2 Enabling DHCP 3 4 3 2 3 Configuring an Interface to Operate in DHCP Relay Mode 3 5 3 2 4 Configuring DHCP Relay Security 3 6 3 2 5 Configuring Option 82 Supporti...

Page 626: ...requests to DHCP servers for configuration parameters and the DHCP servers return the corresponding configuration information such as IP addresses to configure IP addresses dynamically A typical DHCP application includes one DHCP server and multiple clients such as PCs and laptops as shown in Figure 1 1 LAN DHCP Server DHCP Client DHCP Client DHCP Client DHCP Client Figure 1 1 Typical DHCP applica...

Page 627: ...CP OFFER packets to the DHCP client the DHCP client only accepts the DHCP OFFER packet that first arrives and then broadcasts a DHCP REQUEST packet containing the assigned IP address carried in the DHCP OFFER packet 4 Acknowledge Upon receiving the DHCP REQUEST packet the DHCP server returns a DHCP ACK packet to the DHCP client to confirm the assignment of the IP address to the client or returns a...

Page 628: ...alues of some fields in the packets are different The DHCP packet format is based on that of the BOOTP packets The following table describes the packet format the number in the brackets indicates the field length in bytes option variable file 128 sname 64 chaddr 16 giaddr 4 siaddr 4 yiaddr 4 ciaddr 4 flags 2 secs 2 xid 4 hops 1 hlen 1 htype 1 op 1 option variable file 128 sname 64 chaddr 16 giaddr...

Page 629: ...epending on your configuration z Global address pool In response to the DHCP packets received from DHCP clients the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients z Interface address pool In response to the DHCP packets received from DHCP clients the DHCP server picks IP addresses from the interface address pools and assigns them to the DHCP clien...

Page 630: ...Operation Manual DHCP Quidway S5600 Series Ethernet Switches Release 1510 Chapter 1 DHCP Overview Huawei Technologies Proprietary 1 5 z RFC1542 Clarifications and Extensions for the Bootstrap Protocol ...

Page 631: ...in a centralized way to fit the IRF environment z DHCP servers run as tasks on all the units including the master unit and the slave units in a Fabric system But only the one running on the master unit receives sends packets and carries out all functions of a DHCP server Those running on the slave units only operate as the backup tasks of the one running on the master unit z When a slave unit rece...

Page 632: ...o perform DHCP server configurations if the new IRF system does not have DHCP server related configurations z In an IRF system the UDP HELPER function must be enabled on the DHCP servers that are in fabric state 2 1 3 DHCP Address Pool A DHCP address pool holds the IP addresses to be assigned to DHCP clients When a DHCP server receives a DHCP request from a DHCP client it selects an address pool d...

Page 633: ...guration on the child address pool z The child address pool does not inherit the new configuration if there is already a corresponding configuration on the child address pool 2 1 4 DHCP IP Address Preferences Interfaces of the DHCP server can work in the global address pool mode or in the interface address pool mode If the DHCP server works in the interface address pool mode it picks IP addresses ...

Page 634: ...ddress pool mode Configure to assign IP addresses dynamically One among these two options is required Only one mode can be selected for the same global address pool 2 2 4 Configuring How to Assign IP Addresses in a Global Address Pool Configure DNS services for the DHCP server Optional 2 2 5 Configuring DNS Services for the DHCP Configure NetBIOS services for the DHCP server Optional 2 2 6 Configu...

Page 635: ...me time The preceding functions are implemented as follows z After you enable DHCP by using the dhcp enable command if the DHCP server and DHCP relay are not configured sockets UDP 67 and UDP 68 will not be enabled If the DHCP server and DHCP relay are configured sockets UDP 67 and UDP 68 will be enabled z After you disable DHCP by using the undo dhcp enable command even if the DHCP server and DHC...

Page 636: ...hen DHCP is disabled sockets UDP 67 and UDP 68 are shut down at the same time The preceding functions are implemented as follows z After you create a DHCP address pool by using the dhcp server ip pool command sockets UDP 67 and UDP 68 will be enabled z After you delete the DHCP address pool by using the undo dhcp server ip pool command and disable all the DHCP functions sockets UDP 67 and UDP 68 w...

Page 637: ... the DHCP clients Currently only one IP address in a global DHCP address pool can be statically bound to a MAC address or a client ID Table 2 4 Configure to assign IP addresses by static binding Operation Command Description Enter system view system view Create a DHCP address pool and enter DHCP address pool view dhcp server ip pool pool name Required By default no global DHCP address pool is crea...

Page 638: ... The IP address is not limited by the lease time of the IP addresses in the address pool II Configuring to assign IP addresses dynamically IP addresses dynamically assigned to DHCP clients including those that are permanently leased and those that are temporarily leased belong to addresses segments that are previously specified Currently an address pool can contain only one address segment whose r...

Page 639: ...In the same DHCP global address pool the network command can be executed repeatedly In this case the new configuration overwrites the previous one z The dhcp server forbidden ip command can be executed repeatedly That is you can repeatedly configure IP addresses that are not dynamically assigned to DHCP clients z If an IP address that is not to be automatically assigned has been configured as a st...

Page 640: ...communicate through NetBIOS protocol the host name to IP address translation is carried out by Windows internet naming service WINS servers So you need to perform WINS related configuration for most Windows based hosts Currently you can configure up to eight WINS addresses for a DHCP address pool Host name to IP address mappings are needed for DHCP clients communicating through NetBIOS protocol Ac...

Page 641: ...tain mappings Table 2 7 Configure NetBIOS services for the DHCP server Operation Command Description Enter system view system view Create a DHCP address pool and enter DHCP address pool view dhcp server ip pool pool name Required By default no global DHCP address pool is created Configure WINS server addresses for DHCP clients nbns list ip address 1 8 Required By default no WINS server address is ...

Page 642: ...server the DHPC server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them You can configure gateway addresses for address pools on a DHCP server Currently you can configure up to eight gateway addresses for a DHCP address pool Table 2 9 Configure gateway addresses for DHCP clients Operation Command Description Enter system view system view Create a DHCP add...

Page 643: ... server bims server ip ip address port port number sharekey key Required By default no connection between the DHCP global address pool and the BIMS server is configured 2 3 Interface Address Pool based DHCP Server Configuration Caution In the interface address pool mode after the addresses in the interface address pool have been assigned the DHCP server picks IP addresses from the global interface...

Page 644: ... interface address pool based DHCP server configuration Configuration task Remarks Section Enable DHCP Required 2 3 2 Enabling DHCP Configure to assign the IP addresses of the local interface based address pools to DHCP clients Required 2 3 3 Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients Configure to bind IP address statically to DHCP clients Configure to assign...

Page 645: ...3 3 Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients If the DHCP server works in the interface address pool mode it picks IP addresses from the interface address pools and assigns them to the DHCP clients If there is no available IP address in the interface address pools the DHCP server picks IP addresses from its global address pool that contains the interface add...

Page 646: ...nabled z After you delete the DHCP interface address pool by using the undo dhcp select interface command and disable all the DHCP functions sockets UDP 67 and UDP 68 will be disabled 2 3 4 Configuring to Assign IP Addresses of DHCP Address Pools to DHCP Clients You can assign IP addresses by static binding or assign IP addresses dynamically to DHCP clients as needed I Configuring to assign IP add...

Page 647: ...cally bound to only one MAC address or one client ID A MAC address or client ID can be bound with only one IP address statically z The IP address to be statically bound cannot be an interface IP address of the DHCP server otherwise the static binding does not take effect II Configuring to assign IP addresses dynamically As an interface based address pool is created after the interface is assigned ...

Page 648: ... number all Optional The default lease time is one day Specify the IP addresses that are not dynamically assigned dhcp server forbidden ip low ip address high ip address Optional By default all IP addresses in a DHCP address pool are available for being dynamically assigned Note z The dhcp server forbidden ip command can be executed repeatedly That is you can repeatedly configure IP addresses that...

Page 649: ...CP clients while the DHCP server assigns IP addresses to the DHCP clients Table 2 16 Configure DNS services for the DHCP server Operation Command Description Enter system view system view interface interface type interface number dhcp server domain name domain name Configure the current interface quit Configure a domain name for DHCP clients Configure multiple interfaces in system view dhcp server...

Page 650: ...e source node z P node Nodes of this type establish their mappings by communicating with NetBIOS servers The character p stands for peer to peer The source node sends the unicast packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding to the destination node name to the source node z M node Nodes of this type are p nodes mixed with broadcas...

Page 651: ... dhcp server netbios type b node h node m node p node interface interface type interface number to interface type interface number all Required By default no NetBIOS node type is specified and a DHCP client uses an h node 2 3 7 Customizing DHCP Service With the evolution of DHCP new options are constantly coming into being You can add the new options as the properties of DHCP servers by performing...

Page 652: ...tained IP addresses from the interface address pool Table 2 19 Configure connection between the DHCP interface address pool and the BIMS server Operation Command Description Enter system view system view Configure connection between the DHCP interface address pool and the BIMS server dhcp server bims server ip ip address port port number sharekey key interface interface type interface number to in...

Page 653: ... server detecting function dhcp server detect Required By default the private DHCP server detecting function is disabled 2 4 3 Configuring IP Address Detecting To avoid IP address conflicts caused by assigning the same IP address to multiple DHCP clients simultaneously you can configure a DHCP server to detect an IP address before it assigns the address to a DHCP client IP address detecting is ach...

Page 654: ...eives packets containing option 82 forwarded by the DHCP relay the DHCP server processes the packets normally and assigns IP addresses for the clients If a DHCP server does not support option 82 after the DHCP server receives packets containing option 82 forwarded by the DHCP relay the DHCP server does not process the packets For details of option 82 see 3 1 3 Option 82 Supporting 2 5 2 Configurat...

Page 655: ... defines four proprietary sub options for this option enabling the DHCP server to put the information required by a DHCP client in the response packet to the client I Basic concept The four sub options of option 184 mainly carry information about voice The following lists the sub options and the carried information z option An option in a DHCP message This option may be a field in variable length ...

Page 656: ...on 184 is intended for identifying the server serving as the network call controller and the server used for application downloading When used in option 184 this sub option must be the first sub option that is sub option 1 AS IP sub option 2 The AS IP sub option carries the IP address of the alternate server AS The alternate NCP server identified by sub option 2 of option 184 acts as the backup of...

Page 657: ...oice VLAN A flag value of 0 indicates that the voice VLAN identification function is not enabled in which case the information carried by the VLAN ID part will be neglected A flag value of 1 indicates that the voice VLAN identification function is enabled Fail Over Call Routing sub option 4 The fail over call routing sub option carries the IP address for fail over call routing and the associated d...

Page 658: ...2 The DHCP server checks the request list in option 55 carried by the request packet and then adds the sub options of option 184 in the Options field of the response packet sent to the DHCP client Note Only when the DHCP client specifies in option 55 of the request packet that it requires option 184 does the DHCP server add option 184 in the response packet sent to the client 2 6 2 Prerequisites T...

Page 659: ...r to interface type interface number Required Configure the NCP IP sub option dhcp server voice config ncp ip ip address all interface interface type interface number to interface type interface number Required Configure the AS IP sub option dhcp server voice config as ip ip address all interface interface type interface number to interface type interface number Configure the voice VLAN configurat...

Page 660: ...on Command Description Enter system view system view Enter interface view interface interface type interface number Configure an IP address for the interface ip address ip address net mask Configure the interface to operate in DHCP server mode and assign the IP addresses of an interface based address pool to DHCP clients dhcp select interface Required Configure the NCP IP sub option dhcp server vo...

Page 661: ...scription Enter system view system view Configure the interface to operate in DHCP server mode and assign the IP addresses of an interface based address pool to DHCP clients dhcp select global all interface interface type interface number to interface type interface number Required Enter DHCP address pool view dhcp server ip pool pool name Configure an IP address range IP addresses in which are dy...

Page 662: ... option 184 supporting function is configured for a global DHCP address pool The sub options of option 184 are as follows z NCP IP 3 3 3 3 z AS IP 2 2 2 2 z Voice VLAN enabled z Voice VLAN ID 3 z Fail over routing IP 1 1 1 1 z Dialer string 99 II Network diagram 局域网 DHCP client GE1 0 1 10 1 1 1 24 3COM VCX LAN DHCP client DHCP server 局域网 DHCP client GE1 0 1 10 1 1 1 24 3COM VCX LAN DHCP client DHC...

Page 663: ...twork 10 1 1 1 mask 255 255 255 0 Quidway dhcp pool 123 voice config as ip 2 2 2 2 Quidway dhcp pool 123 voice config ncp ip 3 3 3 3 Quidway dhcp pool 123 voice config as ip 2 2 2 2 Quidway dhcp pool 123 voice config voice vlan 3 enable Quidway dhcp pool 123 voice config fail over 1 1 1 1 99 2 7 Displaying and Debugging a DHCP Server You can verify your DHCP related configuration by executing the ...

Page 664: ... interface interface type interface number all Clear the statistics on a DHCP server reset dhcp server statistics The reset command can be executed in user view Note Executing the save command will not save the lease information on a DHCP server to the flash memory Therefore the configuration file contains no lease information after the DHCP server restarts or you clear the lease information by ex...

Page 665: ... name aabbcc com z DNS server 10 1 1 2 z WINS server 10 1 1 4 z Gateway 10 1 1 254 Note If you use the inheriting relation of parent and child address pools make sure that the number of the assigned IP addresses does not exceed the number of the IP addresses in the child address pool otherwise extra IP addresses will be obtained from the parent address pool The attributes for example gateway also ...

Page 666: ... diagram for DHCP configuration III Configuration procedure 1 Configure a VLAN and add a port in this VLAN and then configure the IP address of the VLAN interface omitted 2 Configure DHCP service Enable DHCP Quidway system view Quidway dhcp enable Configure the IP addresses that are not dynamically assigned That is the IP addresses of the DNS server WINS server and gateways Quidway dhcp server for...

Page 667: ...ddress conflicts are usually caused by IP addresses that are manually configured on hosts III Solution z Disconnect the DHCP client from the network and then check whether there is a host using the conflicting IP address by performing ping operation on another host on the network with the conflicting IP address as the destination and an enough timeout time z The IP address is manually configured o...

Page 668: ... DHCP client DHCP client DHCPclient DHCPclient Sw itch DHCP relay DHCPserver Ethernet Internet DHCP client DHCP client DHCPclient DHCPclient Ethernet Internet DHCP client DHCP client DHCPclient DHCPclient Sw itch DHCP relay DHCPserver Ethernet Internet DHCP client DHCP client DHCPclient DHCPclient Ethernet Internet DHCP client DHCP client DHCPclient DHCPclient Sw itch DHCP relay DHCPserver Etherne...

Page 669: ...software you can achieve the DHCP assignment limitation and accounting functions II Primary terminologies z Option A length variable field in DHCP packets carrying information such as part of the lease information and packet type It includes at least one option and at most 255 options z Option 82 Also known as relay agent information option This option is a part of the Option field in DHCP packet ...

Page 670: ...rver 4 If the packet does not contain option 82 the DHCP relay adds option 82 to the packet and forwards the packet to the DHCP server The forwarded packet contains the port number of the switch to which the DHCP client is connected the VLAN to which the DHCP client belongs and the MAC address of the DHCP relay 5 Upon receiving the DHCP request packet forwarded by the DHCP relay the DHCP server st...

Page 671: ...uired 3 2 2 Enabling DHCP Configure an interface to operate in DHCP relay mode Required 3 2 3 Configuring an Interface to Operate in DHCP Relay Mode Configure DHCP relay security Optional 3 2 4 Configuring DHCP Relay Security Configure option 82 supporting Optional 3 2 5 Configuring Option 82 Supporting 3 2 2 Enabling DHCP Make sure to enable DHCP before you perform other DHCP relay related config...

Page 672: ...DHCP server IP address es in a specified DHCP server group dhcp server groupNo ip ip address 1 8 Required By default no DHCP server IP address is configured in a DHCP server group interface interface type interface number Map an interface to a DHCP server group dhcp server groupNo Required By default a VLAN interface is not mapped to any DHCP server group Note z You can configure up to eight exter...

Page 673: ...ding information about the DHCP client You can also configure user address entries manually static entries to bind an IP address and a MAC address statically The purpose of the address checking function on DHCP relay is to prevent unauthorized users from statically configuring IP addresses to access external networks With this function enabled a DHCP relay inhibits a user from accessing external n...

Page 674: ...dshake packet the DHCP REQUEST packet periodically to the DHCP server z When the DHCP client releases this IP address the client unicasts the DHCP RELEASE packet to the DHCP server z The DHCP relay does not process this packet so the user address entries of the DHCP relay cannot be updated in real time Table 3 5 Enable disable DHCP relay handshake Operation Command Description Enter system view sy...

Page 675: ...iew system view Enable DHCP relay handshake dhcp relay hand enable Required Set the interval at which the DHCP relay dynamically updates the user address entries dhcp security tracker interval auto Optional IV Configuring pseudo DHCP server detection function If there is an authorized DHCP server in the network when a client applies for an IP address the authorized DHCP server interconnects with t...

Page 676: ...trategy related configurations such as network parameters of the DHCP server address pool and lease time z The routes between the DHCP relay and the DHCP server are reachable II Enabling option 82 supporting on a DHCP relay The following operations need to be performed on a DHCP relay enabled network device Table 3 8 Enable option 82 supporting on a DHCP relay Operation Command Description Enter s...

Page 677: ...o execute the reset command to clear the statistics information about the specified DHCP server group Table 3 9 Display DHCP relay information Operation Command Description Display the information about a specified DHCP server group display dhcp server groupNo Display the information about the DHCP server group to which a specified VLAN interface is mapped display dhcp server interface vlan interf...

Page 678: ...0 202 38 1 1 Figure 3 2 Network diagram for DHCP relay III Configuration procedure Enter system view Quidway system view Enable DHCP Quidway dhcp enable Create DHCP server group 1 and configure an IP address of 202 38 1 2 for it Quidway dhcp server 1 ip 202 38 1 2 Map VLAN 2 interface to DHCP server group 1 Quidway interface Vlan interface 2 Quidway Vlan interface2 dhcp server 1 Configure an IP ad...

Page 679: ...ormation about debugging and interface state You can display the information by executing the corresponding display command III Solution z Check if DHCP is enabled on the DHCP server and the DHCP relay z Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server z Check if a reachable route is configured between the DHCP relay and the DHCP s...

Page 680: ... an untrusted port by the DHCP snooping function z Trusted ports can be used to connect DHCP servers or ports of other switches Untrusted ports can be used to connect DHCP clients or networks z Untrusted ports drop the DHCP ACK and DHCP OFFER packets received from DHCP servers Trusted ports forward any received DHCP packets to ensure that DHCP clients can obtain IP addresses from valid DHCP server...

Page 681: ...erver DHCP client DHCP client DHCP client DHCP server DHCPserver DHCP Request DHCP Offer DHCP ACK DHCP Renew DHCP ACK DHCP Discover DHCP Request DHCP Offer DHCP ACK DHCP Renew DHCP ACK DHCP Request DHCP Offer DHCP ACK DHCP Renew DHCP ACK DHCP Discover Figure 4 2 Interaction between a DHCP client and a DHCP server DHCP snooping listens the following two types of packets to retrieve the IP addresses...

Page 682: ...ion Example I Network requirements As shown in Figure 4 1 the GigabitEthernet1 0 1 port of Switch A an S5600 series switch is connected to Switch B acting as a DHCP relay A network segment containing some DHCP clients is connect to the GigabitEthernet 1 0 2 port of Switch A z The DHCP snooping function is enabled on Switch A z The GigabitEthernet1 0 1 port of Switch A is a trusted port II Configur...

Page 683: ...4 Table 4 2 Display DHCP snooping Operation Command Description Display the user IP MAC address mapping entries recorded by the DHCP snooping function display dhcp snooping unit unit id Display the enabled disabled state of the DHCP snooping function and the trusted ports display dhcp snooping trust You can execute the display command in any view ...

Page 684: ...to the DHCP client the DHCP server sends an Accounting START packet to a specified RADIUS server The RADIUS server processes the packet makes a record and sends a response to the DHCP server z Once releasing a lease for some reason the DHCP server sends an Accounting STOP packet to the RADIUS server The RADIUS server processes the packet stops the recording for the DHCP client and sends a response...

Page 685: ...g is enabled on the DHCP server z The IP addresses of the global DHCP address pool belongs to the network segment 10 1 1 0 24 The DHCP server operates as a RADIUS client and adopts AAA for authentication II Network diagram RADIUS Server 10 1 2 2 24 DHCP Client DHCP Server GigabitEthernet 1 0 1 vlan3 10 1 2 1 24 GigabitEthernet 1 0 2 vlan2 10 1 1 1 24 RADIUS Server 10 1 2 2 24 DHCP Client DHCP Serv...

Page 686: ... Quidway GigabitEthernet1 0 1 quit Enter VLAN 2 interface view and assign the IP address 10 1 1 1 24 to the VLAN interface Quidway interface Vlan interface 2 Quidway Vlan interface2 ip address 10 1 1 1 24 Quidway Vlan interface2 quit Enter VLAN 3 interface view and assign the IP address 10 1 2 1 24 to the VLAN interface Quidway interface Vlan interface 3 Quidway Vlan interface3 ip address 10 1 2 1...

Page 687: ...n Manual DHCP Quidway S5600 Series Ethernet Switches Release 1510 Chapter 5 DHCP Accounting Configuration Huawei Technologies Proprietary 5 4 Enable DHCP accounting Quidway dhcp pool test accounting domain 123 ...

Page 688: ...ning Advanced ACLs 1 6 1 4 1 Configuration Preparation 1 6 1 4 2 Configuration Procedure 1 6 1 4 3 Configuration Example 1 12 1 5 Defining Layer 2 ACLs 1 12 1 5 1 Configuration Preparation 1 12 1 5 2 Configuration Tasks 1 12 1 5 3 Configuration Example 1 14 1 6 Defining User Defined ACLs 1 15 1 6 1 Configuration Preparation 1 15 1 6 2 Configuration Procedure 1 15 1 6 3 Configuration Example 1 16 1...

Page 689: ...ly z Advanced ACL rules are made based on the L3 and L4 information such as the source and destination IP addresses of the data packets the type of protocol over IP protocol specific features and so on z Layer 2 ACL rules are made based on the Layer 2 information such as the source and destination MAC address information VLAN priority Layer 2 protocol and so on z User defined ACL such rules specif...

Page 690: ... the depth first order With the depth first rule adopted the rules of an ACL are matched in the following order 1 Protocol range The range for IP protocol is 1 to 255 and those of other protocols are the same as the corresponding protocol numbers The smaller the protocol range the higher the priority 2 Range of source IP address The smaller the source IP address range that is the longer the mask t...

Page 691: ...pecified time range is configured and the system time is within the time range If you remove the time range of an ACL rule the ACL rule becomes invalid the next time the ACL rule timer refreshes 1 1 4 Types of ACLs Supported by the Ethernet Switch The following types of ACLs are supported by the Ethernet switch z Basic ACL z Advanced ACL z Layer 2 ACL z User defined ACL 1 2 Configuring Time Ranges...

Page 692: ... in a time range the time range is active only when the periodic time range and the absolute time range are both matched Assume that a time range defines an absolute time section from 00 00 January 1 2004 to 23 59 December 31 2004 and a periodic time section from 12 00 to 14 00 every Wednesday This time range is active only from 12 00 to 14 00 every Wednesday in 2004 If the start time is specified...

Page 693: ... deny fragment source sour addr sour wildcard any time range time name Required Define the description information of the ACL description text Optional Display ACL information display acl all acl number Optional This command can be executed in any view In the case that you specify the rule ID when defining a rule z If the rule corresponding to the specified rule ID already exists you will edit the...

Page 694: ...pport analysis and processing of three packet priority levels type of service ToS priority IP priority and differentiated services codepoint Priority DSCP Using advanced ACLs you can define classification rules that are more accurate more abundant and more flexible than those defined with basic ACLs 1 4 1 Configuration Preparation Before configuring an ACL rule containing time range arguments you ...

Page 695: ...corresponding to the specified rule ID does not exists you will create and define a new rule z The content of a modified or created rule must not be identical with the content of any existing rule otherwise the rule modification or creation will fail and the system will prompt that the rule already exists If you do not specify a rule ID you will create and define a new rule and the system will ass...

Page 696: ...cket expressed in dotted decimal notation dest wildcard can be 0 which represents a host address any represents any destination address precedence precedence Packet precedence Packet priority Value range 0 to 7 tos tos Packet precedence ToS priority Value range 0 to 15 dscp dscp Packet precedence DSCP priority Value range 0 to 63 fragment Fragment information Specifies that the rule is effective f...

Page 697: ...100 af23 22 010110 af31 26 011010 af32 28 011100 af33 30 011110 af41 34 100010 af42 36 100100 af43 38 100110 cs1 8 001000 cs2 16 010000 cs3 24 011000 cs4 32 100000 cs5 40 101000 cs6 48 110000 cs7 56 111000 be default 0 000000 To define IP precedence you can directly input a value ranging from 0 to 7 or input a keyword listed in Table 1 6 Table 1 6 Description of IP precedence values Keyword IP Pre...

Page 698: ...1000 If the protocol type is TCP or UDP you can also define the following information Table 1 8 TCP UDP specific rule information Parameter Type Function Description source port operator port1 port2 Source port s Defines the source port information of UDP TCP packets destination port operator port1 port2 Destination port s Defines the destination port information of UDP TCP packets The value of op...

Page 699: ...message code information of ICMP packets in the rule icmp type ICMP message type ranging 0 to 255 icmp code ICMP message code ranging 0 to 255 If the protocol type is ICMP you can also directly input the ICMP message name after the icmp type argument The following table describes some common ICMP messages Table 1 10 ICMP messages Name ICMP TYPE ICMP CODE echo Type 8 Code 0 echo reply Type 0 Code 0...

Page 700: ...ule Acl s step is 1 rule 0 permit icmp 1 5 Defining Layer 2 ACLs Layer 2 ACLs define rules based on the Layer 2 information such as the source and destination MAC address information VLAN priority and Layer 2 protocol to process packets The value range for Layer 2 ACL numbers is 4 000 to 4 999 1 5 1 Configuration Preparation Before configuring an ACL rule containing time range arguments you need t...

Page 701: ...it the rule and the modified part in the rule will replace the original content while other parts remain unchanged z If the rule corresponding to the specified rule ID does not exists you will create and define a new rule z The content of a modified or created rule must not be identical with the content of any existing rule otherwise the rule modification or creation will fail and the system will ...

Page 702: ... Specifies the destination MAC address range in the rule dest addr destination MAC address in the format of H H H dest mask destination MAC address mask in the format of H H H cos vlan pri Priority Defines the 802 1p priority of the rule vlan pri VLAN priority in the range of 0 to 7 time range time name Time range information Specifies the time range in which the rule is active time name specifies...

Page 703: ...g Time Ranges 1 6 2 Configuration Procedure Table 1 13 Define a user defined ACL rule Operation Command Description Enter system view system view Create or enter user defined ACL view acl number acl number Required Define an ACL rule rule rule id permit deny rule string rule mask offset 1 8 time range name Required Define the description for the ACL rule description text Optional Define a comment ...

Page 704: ...t1 Quidway acl user 5001 display acl 5001 User defined ACL 5001 2 rules Acl s step is 1 rule 3 deny rule 25 permit ff 12 5 time range t1 Inactive 1 7 Applying ACLs on Ports By applying ACLs on ports you can filter outbound or inbound packets on the corresponding ports 1 7 1 Configuration Preparation You need to define an ACL before applying it on a port For operations to define ACLs refer to secti...

Page 705: ... group acl number rule rule Apply one rule in an IP type ACL and one rule in a Link type ACL simultaneously ip group acl number rule rule link group acl number rule rule Note For the user defined ACL rules if you set to match the fields after the VLAN tag two VLAN tags are added for matching of either tagged or untagged packets For the packets with their type filed as 0800 the offset value should ...

Page 706: ...f the switch To view the statistics of data forwarded by the hardware of the switch use the display qos interface traffic statistic command 1 9 ACL Configuration Example 1 9 1 Advanced ACL Configuration Example I Network requirements Different departments of an enterprise are interconnected on the intranet through the ports of a switch The IP address of the wage query server is 192 168 1 2 Devices...

Page 707: ...ts destined for the wage server Quidway acl adv 3000 rule 1 deny ip destination 192 168 1 2 255 255 255 0 time range test Quidway acl adv 3000 quit 3 Apply the ACL on the port Apply ACL 3000 on the port Quidway interface gigabitethernet1 0 1 Quidway GigabitEthernet1 0 1 packet filter inbound ip group 3000 1 9 2 Basic ACL Configuration Example I Network requirements Through basic ACL configuration ...

Page 708: ...resses being 10 1 1 1 Quidway acl basic 2000 rule 1 deny source 10 1 1 1 0 time range test Quidway acl basic 2000 quit 3 Apply the ACL on the port Apply ACL 2000 on the port Quidway interface gigabitethernet1 0 1 Quidway GigabitEthernet1 0 1 packet filter inbound ip group 2000 1 9 3 Layer 2 ACL Configuration Example I Network requirements Through Layer 2 ACL configuration packets with the source M...

Page 709: ...dress of 00e0 fc01 0101 and destination MAC address of 00e0 fc01 0303 specifying the time range named test for the ACL rule Quidway acl ethernetframe 4000 rule 1 deny source 00e0 fc01 0101 ffff ffff ffff dest 00e0 fc01 0303 ffff ffff ffff time range test Quidway acl ethernetframe 4000 quit 3 Activate the ACL Activate ACL 4000 Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 pack...

Page 710: ... the time range Define the time range ranging from 8 00 to 18 00 Quidway time range aaa 8 00 to 18 00 daily 2 Create an ACL rule to filter TCP packets Create ACL 5000 Quidway acl number 5000 Define a rule for TCP packets Quidway acl user 5000 rule 1 deny 06 ff 35 time range aaa 3 Activate the ACL Activate ACL 5000 Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 packet filter in...

Page 711: ...ority and Queues 1 11 1 4 Setting to Use the Port Priority or Packet Priority 1 12 1 5 Configuring Priority Remark 1 13 1 5 1 Configuration Prerequisites 1 14 1 5 2 Configuration Procedure 1 14 1 5 3 Configuration Example 1 15 1 6 Setting the Precedence of Protocol Packet 1 15 1 6 1 Configuration Prerequisites 1 15 1 6 2 Configuration Procedure 1 15 1 6 3 Configuration Example 1 16 1 7 Configuring...

Page 712: ...istics Information 1 24 1 11 4 Configuration Example 1 24 1 12 QoS Configuration Example 1 24 1 12 1 Configuration Example of TP and Rate Limit on the Port 1 24 1 12 2 Configuration Example of Priority Remark 1 26 Chapter 2 QoS Profile Configuration 2 1 2 1 Introduction to QoS Profile 2 1 2 1 1 Application Mode of QoS Profile 2 1 2 2 Introduction to QoS Profile Configurations 2 1 2 3 Configuring Q...

Page 713: ...as delay delay variation and packet loss ratio in the packet delivery 1 1 1 Traffic Traffic means service traffic that is all the packets passing the switch 1 1 2 Traffic Classification Traffic classification means to identify packets conforming to certain characters according to certain rules A classification rule is a filter rule configured to meet your management requirements It can be very sim...

Page 714: ... that the device sets the service class with the DS model z The last two bits bit 6 and bit 7 are reserved bits The precedence values of the IP packet indicate 8 different service classes Table 1 1 Description on IP Precedence IP Precedence decimal IP Precedence binary Description 0 000 routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 netw...

Page 715: ...f it exceeds the limit Current IP network traffic belongs to this class by default Table 1 2 Description on DSCP values DSCP DSCP value decimal DSCP value binary ef 46 101110 af11 10 001010 af12 12 001100 af13 14 001110 af21 18 010010 af22 20 010100 af23 22 010110 af31 26 011010 af32 28 011100 af33 30 011110 af41 34 100010 af42 36 100100 af43 38 100110 cs1 8 001000 cs2 16 010000 cs3 24 011000 cs4 ...

Page 716: ...ndicate a packet with an 802 1Q tag Figure 1 3 describes the detailed contents of an 802 1Q tag header Figure 1 3 802 1Q tag headers In the figure above the 3 bit priority field in TCI is 802 1p priority in the range of 0 to 7 The 3 bits specify the precedence of the frame 8 classes of precedence are used to determine which packet is sent preferentially when the switch is congested Table 1 3 Descr...

Page 717: ...packets to the port by the set classification rule Step 2 Perform the filter drop operation on the classified packets The packet filter function can be implemented by applying ACL rules on the port Refer to the description in the ACL module for detailed configurations 1 1 7 Rate Limit on Ports Rate limit on ports is port based rate limit It limits the total rate of outbound packets on a port 1 1 8...

Page 718: ...Classify Drop Figure 1 4 Evaluate the traffic with the token bucket 1 Evaluate the traffic with the token bucket The evaluation for the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding If the number of tokens in the bucket is enough to forward the packets generally one token is associated with a 1 bit forwarding authority the traff...

Page 719: ... TP is widely used in policing the traffic into the network of internet service providers ISP TP can classify the policed traffic and perform pre defined policing actions according to different evaluation results These actions include z Forward Forward the packet whose evaluation result is conforming or mark DSCP precedence for Diff Serv packets and then forward them z Drop Drop the packet whose e...

Page 720: ... manual aggregation group This operation can be performed not only on the local device but also cross devices in intelligent resilient framework IRF z You can use the copy command to copy the queue scheduling configuration of a port Note For the introduction to the copy command refer to the Basic Port Configuration Module in this manual 1 1 10 Redirect You can re specify the forwarding port of pac...

Page 721: ...esponse delay Assume that there are 8 output queues on the port and the preferential queue classifies the 8 output queues on the port into 8 classes which are queue7 queue6 queue5 queue4 queue3 queue2 queue1 and queue0 Their priorities decrease in order In the queue scheduling SP sends packets in the queue with higher priority strictly following the priority order from high to low When the queue w...

Page 722: ... resources On a 100M port configure the weight value of WRR queue scheduling algorithm to 50 50 30 30 10 10 10 and 10 corresponding to w7 w6 w5 w4 w3 w2 w1 and w0 in order In this way the queue with the lowest priority can get 5Mbps bandwidth at least and the disadvantage of SP queue scheduling that the packets in queues with lower priority may not get service for a long time is avoided Another ad...

Page 723: ...es The mapping between the local precedence and the outbound queue is one to one You can modify the mapping between the 802 1p priority and the outbound queue through modifying the mapping between the 802 1p priority and the local priority I Configuration prerequisites You have understood the mapping between the 802 1p priority and the local precedence and the default mapping table II Configuratio...

Page 724: ...ocal precedence map cos local precedence map cos 802 1p 0 1 2 3 4 5 6 7 local precedence queue 2 3 4 1 7 0 5 6 1 4 Setting to Use the Port Priority or Packet Priority By default the switch replaces the 802 1p priority of the received packet with the priority of the inbound interface and then assigns local precedence for the packet according to the priority In this case you can set the port priorit...

Page 725: ...ority of GigabitEthernet1 0 1 to 7 Configuration procedure Quidway system view System View return to User View with Ctrl Z Quidway interface gigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 undo priority trust cos Quidway GigabitEthernet1 0 1 priority 7 z Set the switch to use the 802 1p priority carried in the packet on GigabitEthernet1 0 1 Configuration procedure Quidway system view System View...

Page 726: ...e ACL rules in traffic identifying and specify a new precedence for the packet matching with the ACL rules traffic priority inbound acl rule dscp dscp value ip precedence pre value from cos cos pre value from ipprec local precedence pre value Required Display the parameter configurations of priority remark display qos interface interface type interface number unit id traffic priority Display all t...

Page 727: ... acl number 2000 Quidway acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Quidway acl basic 2000 rule deny source any Quidway acl basic 2000 quit Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 traffic priority inbound ip group 2000 dscp 56 1 6 Setting the Precedence of Protocol Packet The protocol packet carries its own precedence You can modify the precedence of the proto...

Page 728: ...the display command in any view 1 6 3 Configuration Example z Set the IP precedence of the ICMP protocol packet to 3 z Display the configuration results Configuration procedure Quidway system view System View return to User View with Ctrl Z Quidway protocol priority protocol type icmp ip precedence 3 Quidway display protocol priority Protocol icmp IP Precedence flash 3 1 7 Configuring Rate Limit o...

Page 729: ...view System View return to User View with Ctrl Z Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 line rate outbound 1024 1 8 Configuring TP Refer to 1 1 8 TP for the introduction to TP 1 8 1 Configuration Prerequisites z ACL rules used for traffic identifying are defined Refer to the ACL module in the book for defining ACL rules z The limit rate for TP the actions for the packe...

Page 730: ...play all the QoS settings of the port display qos interface interface type interface number unit id all Optional You can execute the display command in any view acl rule Applied ACL rules which can be the combination of various ACL rules The way of combination is described in Table 1 9 Note z The granularity of TP is 64 kbps If the number you input is in the range of N 64 to N 1 64 N is a natural ...

Page 731: ...les z The port that the packets matching with the configurations rules are redirected to is specified z The ports that needs this configuration are specified 1 9 2 Configuration Procedure Table 1 13 Configure redirect Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure redirect traffic redirect inbound acl rule cp...

Page 732: ... 10 1 1 1 24 network segment to GigabitEthernet1 0 7 Configuration procedure Quidway system view System View return to User View with Ctrl Z Quidway acl number 2000 Quidway acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Quidway acl basic 2000 quit Quidway interface GigabitEthernet1 0 1 Quidway GigabitEthernet1 0 1 traffic redirect inbound ip group 2000 interface GigabitEthernet1 0 7 1 10 Con...

Page 733: ...d parameters on the switch display queue scheduler Optional You can execute the display command in any view Table 1 15 Configure queue scheduling in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure the queue scheduling mode queue scheduler wrr queue0 weight queue1 weight queue2 weight queue3 ...

Page 734: ... in a port aggregation group will be synchronized to other ports in the aggregation group automatically Note that the WRR weights you modified on port view cannot be displayed using the display queue scheduler command 1 10 3 Configuration Example z The switch adopts the WRR queue scheduling algorithm and the weight values of outbound queues are 2 2 3 3 4 4 5 and 5 respectively z Disable the applie...

Page 735: ...ified 1 11 2 Configuration Procedure of Traffic Statistics Table 1 16 Configure traffic statistics Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Use the ACL rules in traffic identifying and perform traffic statistics on the packets matching with the ACL rules traffic statistic inbound acl rule Required Display the tra...

Page 736: ... 1 of the switch is accessed into the 10 1 1 1 24 network segment z Perform traffic statistics on packets from the 10 1 1 1 24 network segment Configuration procedure Quidway system view System View return to User View with Ctrl Z Quidway acl number 2000 Quidway acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Quidway acl basic 2000 quit Quidway interface GigabitEthernet1 0 1 Quidway GigabitEt...

Page 737: ...tbound traffic of the salary query server Enter ACL 3000 view Quidway system view Quidway acl number 3000 Define ACL 3000 rules Quidway acl adv 3000 rule 1 permit ip source 129 110 1 2 0 0 0 0 destination any Quidway acl adv 3000 rule deny ip source any destination any Quidway acl adv 3000 quit 2 Limit the outbound traffic of the salary query server Limit the average rate of outbound traffic withi...

Page 738: ...GE1 0 2 VLAN2 1 0 0 1 8 VLAN3 2 0 0 1 8 PC1 PC2 Figure 1 8 QoS configuration example III Configuration procedure 1 Define the time rang from 8 00 to 18 00 Define the time rang Quidway system view Quidway time range test 8 00 to 18 00 daily 2 Define the traffic rules of PC packets Enter number identification based basic ACL view identified Quidway acl number 2000 Quidway acl basic 2000 rule 0 permi...

Page 739: ...rofile After the QoS profile function is configured the switch will dynamically issue the QoS profiles corresponding to you to your access port if you pass the authentication The processing procedures of the switch in different application modes are described as follows respectively z User based mode If the source information source MAC source IP or source MAC source IP is defined in the traffic r...

Page 740: ...y 2 4 Applying the QoS Profile to the Port Manually 2 3 Configuring QoS Profile Refer to 2 1 Introduction to QoS Profile for the introduction to QoS profile 2 3 1 Configuration Prerequisites z ACL rules used for traffic identifying are defined Refer to the ACL module in this book for defining ACL rules z The global 802 1x authentication function is enabled and 802 1x authentication function is ena...

Page 741: ... user based z If MAC address based authentication is configured in 802 1x the application mode of QoS profile must be user based z If port based authentication is configured in 802 1x the application mode of QoS profile must be port based Display the configurations of QoS profiles display qos profile all name profile name interface interface type interface number user user name Optional You can ex...

Page 742: ...ntication information and the matching relationship between the user name and the QoS profile and more details are not given here 2 Configuration on the switch Enable 802 1x Quidway system view Quidway dot1x Quidway dot1x interface GigabitEthernet 1 0 1 Configure the IP address information for the RADIUS server Quidway radius scheme radius1 Quidway radius radius1 primary authentication 10 11 1 1 Q...

Page 743: ...rop Quidway qos profile example traffic priority inbound ip group 3000 dscp 46 2 4 Applying the QoS Profile to the Port Manually After this configuration all the traffic actions in the QoS profile will be applied to the current port I Applying the QoS profile to the port in system view You can apply the profile configurations to one port or more continuous ports manually in system view Table 2 3 A...

Page 744: ...ishing the configurations mentioned above you can execute the display command in any view to check the running state of the QoS profile after the configuration You can verify the effect of the configuration by checking the information on display Table 2 5 Display the QoS profile Operation Command Description Display the configurations of the QoS profile display qos profile all name profile name in...

Page 745: ...Chapter 1 Mirroring Configuration 1 1 1 1 Overview 1 1 1 1 1 Traffic Mirroring 1 1 1 1 2 Port Mirroring 1 1 1 1 3 Remote Port Mirroring RSPAN 1 1 1 2 Mirroring Supported by S5600 1 3 1 3 Mirroring Configuration 1 4 1 3 1 Configuring Traffic Mirroring 1 4 1 3 2 Configuring Port Mirroring 1 6 1 3 3 Configuring RSPAN 1 9 1 3 4 Displaying Mirroring 1 15 ...

Page 746: ... maps traffic flows that match specific ACLs to the specified destination port for packet analysis and monitoring Before configuring traffic mirroring you need to define ACLs required for flow identification 1 1 2 Port Mirroring Port mirroring refers to the process of copying the packets received or sent by the specified port to the destination port 1 1 3 Remote Port Mirroring RSPAN Remote switche...

Page 747: ...Circumstances can occur where no intermediate switch is present if a direct connection exists between the source and destination switches z Destination switch The switch to which the destination port for remote mirroring belongs It forwards mirrored flows it received from the remote probe VLAN to the monitoring device through the destination port Table 1 1 describes how the ports on various switch...

Page 748: ...the trunk type z The default VLAN and management VLAN cannot be configured as remote probe VLAN z Required configurations are performed to ensure Layer 2 connectivity between the source and destination switches over the remote probe VLAN Caution To ensure the normal packet mirroring you are not recommended to perform any of the following operations on the remote probe VLAN z Configuring a source p...

Page 749: ...n 1 1 Overview 1 3 1 Configuring Traffic Mirroring I Configuration prerequisites z ACLs for identifying traffics have been defined For defining ACLs see the description on the ACL module in this manual z The destination port has been defined z The port on which to perform traffic mirroring configuration and the direction of traffic mirroring has been determined II Configuration procedure Table 1 3...

Page 750: ...de Form of acl rule Apply all rules in an IP type ACL either a basic or an advanced ACL separately ip group acl number Apply one rule in an IP type ACL separately ip group acl number rule rule id Apply all rules in a Layer 2 ACL separately link group acl number Apply one rule in a Layer 2 ACL separately link group acl number rule rule id Apply one rule in a user defined ACL separately user group a...

Page 751: ... received and sent by the port at the same time z The destination port is specified z The group number of the mirroring group is specified II Configuring port mirroring in Ethernet port view Table 1 5 Configure port mirroring in Ethernet port view 1 Operation Command Description Enter system view system view Create a port mirroring group mirroring group group id local Required Enter Ethernet port ...

Page 752: ...ing group group id monitor port Required LACP and TCP must be disabled on the destination port Exit current view quit Enter Ethernet port view of the source port interface interface type interface number Configure the source port and specify the direction of the packets to be mirrored mirroring group group id mirroring port both inbound outbound Required Display parameter settings of the mirroring...

Page 753: ...net port view z Configurations listed in Table 1 7 should to be performed in system view Therefore the mirroring group ID and port number need to be specified IV Configuration Example z The source port is GigabitEthernet 1 0 1 Mirror all packets received and sent via this port z The destination port is GigabitEthernet 1 0 4 1 Configuration procedure 1 Quidway system view Quidway mirroring group 1 ...

Page 754: ...kets to be monitored has been determined z The remote probe VLAN is enabled II Configuring RSPAN on the source switch Table 1 8 Configure RSPAN on the source switch Operation Command Description Enter system view system view Create a VLAN and enter its VLAN view vlan vlan id vlan id is the ID of the destination remote probe VLAN Define the current VLAN as a remote probe VLAN remote probe vlan enab...

Page 755: ...to another VLAN Configure the remote probe VLAN for the remote source mirroring group mirroring group group id remote probe vlan remote probe vlan id Required Display the configuration of the remote source mirroring group display mirroring group remote source Optional This command can be executed in any view Note z To mirror tagged packets you need to configure VLAN VPN on the reflector port z The...

Page 756: ... destination switch or another intermediate switch interface interface type interface number Configure the current port as Trunk port link type trunk Required By default the port type is Access Configure Trunk port to permit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required This configuration is necessary for ports on the intermediate switch that are connected...

Page 757: ...o the source switch or an intermediate switch Exit current view quit Configure the remote destination mirroring group mirroring group group id remote destination Required Configure the destination port for remote mirroring mirroring group group id monitor port monitor port Required The destination port for remote mirroring must be of the Access type LACP and STP must be disabled on this port After...

Page 758: ...abitEthernet 1 01 1 the Trunk port of Switch C z GigabitEthernet 1 0 2 the port of Switch C is connected to PC1 The purpose is to monitor and analyze the packets sent to PC1 via the data detect device To meet the requirement above by using the RSPAN function perform the following configuration z Define VLAN10 as remote probe VLAN z Define Switch A as the destination switch configure GigabitEtherne...

Page 759: ...e GigabitEthernet 1 0 1 Quidway GigabitEthernet1 0 1 port trunk permit vlan 10 Quidway GigabitEthernet1 0 1 quit Quidway mirroring group 1 remote source Quidway mirroring group 1 mirroring port GigabitEthernet 1 0 2 inbound Quidway mirroring group 1 reflector port GigabitEthernet 1 0 3 Quidway mirroring group 1 remote probe vlan 10 Quidway display mirroring group remote source mirroring group 1 ty...

Page 760: ...t1 01 1 quit Quidway mirroring group 1 remote destination Quidway mirroring group 1 monitor port gigabitethernet1 0GigabitEthernet 1 0 2 Quidway mirroring group 1 remote probe vlan 10 Quidway display mirroring group remote destination mirroring group 1 type remote destination status active monitor port GigabitEthernet1 01 2 remote probe vlan 10 1 3 4 Displaying Mirroring After the above configurat...

Page 761: ...n 1 2 1 2 2 Work Flow of the Peer Fabric Port Detection Function 1 2 1 2 3 Prompt Information Analysis and Solution 1 3 1 3 IRF Fabric Configuration 1 4 1 3 1 Introduction to IRF Fabric Configuration 1 4 1 3 2 Setting a Unit ID for a Switch 1 5 1 3 3 Specifying the Fabric Port of a Switch 1 7 1 3 4 Assigning a Unit Name to a Switch 1 7 1 3 5 Assigning an IRF Fabric Name to a Switch 1 7 1 4 Display...

Page 762: ...Realizes unified management of multiple devices Only one connection and one IP address are required to manage the entire fabric Therefore management cost is reduced z Enables you to purchase devices on demand and expand network capacity smoothly Protects your investment to the full extent during network upgrade z Ensures high reliability by N 1 redundancy avoids single point failure and lessens se...

Page 763: ...nual 1 2 Peer Fabric Port Detection 1 2 1 Introduction to the Peer Fabric Port Detection Function As the basis of the IRF function the fabric topology management FTM module manages and maintains the entire topology of a fabric The FTM module also implements the peer fabric port detection function A device can join a fabric only when the following conditions are met z The number of the existing dev...

Page 764: ...C packet is illegal and will be discarded z If authentication is enabled in the fabric the current device in the fabric authenticates received packets sent by new directly connected devices Packets that fail to pass the authentication will be discarded 1 2 3 Prompt Information Analysis and Solution The IRF Fabric peer detection function outputs different prompt information according to the connect...

Page 765: ... switch and the existing fabric name of the fabric are not the same Configure the fabric name of the new device to be that of the fabric different product version indicates the software version of the directly connected device and that of the current device are not the same Make sure the software version of the new device is the same as that of the fabric auth failure it indicates error occurs whe...

Page 766: ...cally number the switches to constitute an IRF fabric so that each switch has a unique unit ID in the fabric You can use the command in the following table to set unit IDs for switches Make sure to set different unit IDs for different switches in an IRF fabric Otherwise FTM will automatically number the switches with the same unit ID Table 1 3 Set a unit ID for a switch Operation Command Descripti...

Page 767: ...d the priority is set to 5 Then you can use the fabric save unit id command to save the modified unit ID into the unit Flash memory and clear the information about the existing one z If auto numbering is selected the system sets the unit ID priority to 10 You can use the fabric save unit id command to save the modified unit ID into the unit Flash memory and clear the information about the existing...

Page 768: ...ng an IRF system requires a high consistency of the configuration of each device Hence before you enable the fabric port do not perform any configuration for the port and do not enable some functions that affect the IRF such as TACACAS and BGP for other ports or globally Otherwise you cannot enable the fabric port Refer to the error information output by devices for the detail restricts 1 3 4 Assi...

Page 769: ...on Command Description Display the information about an IRF fabric display irf fabric status Display the topology information of an IRF fabric display ftm information topology database Display RMON statistics of a specified unit in an IRF fabric display rmon statistics unit unit id Display RMON history data of a specified unit in an IRF fabric display rmon history unit unit id These commands can b...

Page 770: ...g diagram for forming an IRF fabric 1 5 3 Configuration procedure 1 Configure Switch A Configure the unit ID as 1 Quidway system view Quidway change unit id 1 to 1 Configure the unit name as unit 1 Quidway set unit 1 name unit1 Configure the fabric name as hello Quidway sysname hello 2 Configure Switch B Configure the unit ID as 2 Quidway system view Quidway change unit id 1 to 2 Configure the uni...

Page 771: ...ing NTDP Globally and for Specific Ports 1 8 1 2 5 Configuring NTDP related Parameters 1 9 1 2 6 Enabling the Cluster Function 1 9 1 2 7 Configuring Cluster Parameters 1 10 1 2 8 Configuring Interaction for the Cluster 1 11 1 2 9 Configuring NM Interface for the Cluster 1 11 1 3 Member Device Configuration 1 12 1 3 1 Member Device Configuration Tasks 1 12 1 3 2 Enabling NDP Globally and for Specif...

Page 772: ...ance operations intended for the member devices in a cluster are redirected by the management device Figure 1 1illustrates a typical cluster implementation Management Device Member Device Member Device Candidate Device 69 110 1 1 Network Management Device Cluster 69 110 1 100 Network Member Device Management Device Member Device Member Device Candidate Device 69 110 1 1 Network Management Device C...

Page 773: ...h locating each member and then distributes the configuration and management commands to members Member management means to manage the following events through the management device including adding a member removing a member and the member s authentication on the management device Member management also manages the cluster parameters including interval of sending handshake packets management VLAN...

Page 774: ...bor a member device informs the management device of the change through handshake packets The management device then collects the specified topology information through NTDP Such a mechanism enables topology changes to be tracked in time Note As for NTDP implementing you need to perform configurations on the management device the member devices and the candidate devices as follows z On the managem...

Page 775: ...ging host and SNMP host for the whole cluster When the members in the cluster communicate with external servers the data is transmitted to the management device first and then transmitted to external servers through the management device When the public FTP TFTP server is not configured for the cluster the management device is the default FTP TFTP server of the cluster You can specify the network ...

Page 776: ... commands that is forward the commands to the intended member devices for processing z Provide the following functions including neighbor discovery topology information collection cluster management and cluster state maintenance and support all types of FTP servers and SNMP host proxies Member device Normally a member device is not configured with a public IP address z Member in the cluster z Neig...

Page 777: ... collects NDP NTDP information to discover and determine candidate devices which can be then added into the cluster through manual configurations z A candidate device becomes a member device after being added to a cluster z A member device becomes a candidate device after being removed from the cluster Note After the cluster is set up the S5600 switch will collect the topology information of the n...

Page 778: ...cific Ports Configure NTDP related parameters Required Section 1 2 5 Configuring NTDP related Parameters Enable the cluster function Required Section 1 2 6 Enabling the Cluster Function Configure cluster parameters Required Section 1 2 7 Configuring Cluster Parameters Configure interaction for the cluster Required Section 1 2 8 Configuring Interaction for the Cluster Configure NM interface for the...

Page 779: ...mand Description Enter system view system view Configure the holdtime of NDP information ndp timer aging aging in seconds Optional By default the aging time of NDP packets is 180 seconds Configure the interval to send NDP packets ndp timer hello seconds Optional By default the interval of sending NDP packets is 60 seconds 1 2 4 Enabling NTDP Globally and for Specific Ports Table 1 5 Enable NTDP gl...

Page 780: ...ts ntdp timer hop delay time Optional By default the delay of the device is 200 ms Configure the port delay to forward topology collection request packets ntdp timer port delay time Optional By default the port delay is 20 ms Configure the interval to collect topology information ntdp timer interval in minutes Optional By default the interval of topology collection is 1 minute Quit system view Qui...

Page 781: ...ame argument is the name to be assigned to the cluster Configure a multicast MAC address for the cluster cluster mac H H H Optional By default the multicast MAC address is 0180 C200 000A Set the interval for the management device to send multicast packets cluster mac syn interval time interval Optional By default the management device sends a multicast packet every minute Configure the holdtime fo...

Page 782: ...Description Enter system view system view Enter cluster view cluster Required Configure the public FTP server for the cluster ftp server ip address Optional Configure the TFTP server for the cluster tftp server ip address Optional Configure the logging host for the cluster logging host ip address Optional Configure the SNMP host for the cluster snmp host ip address Optional 1 2 9 Configuring NM In...

Page 783: ...ific Ports Enable NTDP globally and for specific ports Required Section 1 3 3 Enabling NTDP Globally and for Specific Ports Configure member devices to access FTP TFTP server of the cluster Required Section 1 3 4 Configure Member Devices to Access FTP TFTP Server of the Cluster 1 3 2 Enabling NDP Globally and for Specific Ports Table 1 13 Enable NDP globally and for specific ports Operation Comman...

Page 784: ...er Perform the following configuration in user view of the member device Table 1 15 Configure member devices to access FTP TFTP server of the cluster Operation Command Description Access the public FTP server of the cluster ftp cluster Optional Download files from the public TFTP server of the cluster tftp cluster get source file destination file Optional Upload files to the public TFTP server of ...

Page 785: ...mber device view 1 5 Displaying and Maintaining a Cluster After the configuration above you can execute the display command to display the running status after the cluster configuration You can verify the configuration effect through checking the displayed information Table 1 17 Display and maintain cluster configurations Operation Command Description Display the global NDP configuration including...

Page 786: ...twork requirements Three switches form a cluster in which z The management device is an S900 series switch z The rest are member devices The S5600 switch manages the rest two member devices as the management device The detailed information about the cluster is as follows z The two member devices are connected to GigabitEthernet1 0 2 and GigabitEthernet1 0 3 ports of the management device z The man...

Page 787: ...9 172 55 4 63 172 55 1 VLAN2 interface IP address 163 172 55 1 Member device MAC address 00e0 fc01 0012 Management device Member device MAC address 00e0 fc01 0011 Cluster Network FTP server TFTP server E1 0 3 E1 0 2 E1 1 E1 1 69 172 55 4 63 172 55 1 VLAN2 interface IP address 163 172 55 1 Member device MAC address 00e0 fc01 0012 Management device Member device MAC address 00e0 fc01 0011 SNMP host ...

Page 788: ...igabitEthernet1 0 2 quit Quidway interface GigabitEthernet 1 0 3 Quidway GigabitEthernet1 0 3 ntdp enable Quidway GigabitEthernet1 0 3 quit Configure the hop count to collect topology to be 2 Quidway ntdp hop 2 Configure the delay time for topology collection request packets to be forwarded on member devices to be 150 ms Quidway ntdp timer hop delay 150 Configure the delay time for topology collec...

Page 789: ...r Log host and SNMP host for the cluster huawei_0 Quidway cluster ftp server 63 172 55 1 huawei_0 Quidway cluster tftp server 63 172 55 1 huawei_0 Quidway cluster logging host 69 172 55 4 huawei_0 Quidway cluster snmp host 69 172 55 4 3 Configure the member devices taking one member as an example Add the devices connected to the management device into the cluster and perform the following configur...

Page 790: ...For detailed information about these configurations refer to the preceding description in this chapter z After the configuration above on the SNMP host you can receive logs and SMMP trap messages of all the cluster members 1 6 2 NM Interface Configuration Example I Network requirements z Configure Vlan interface 2 as the network management interface of the switch z Configure VLAN 3 as the manageme...

Page 791: ...N 3 as the management VLAN Quidway system view Quidway management vlan 3 Add the GigabitEthernet 1 0 1 port into VLAN 3 Quidway vlan 3 Quidway vlan3 port GigabitEthernet 1 0 1 Quidway vlan3 quit Set the IP address of Vlan interface 3 to 192 168 5 30 Quidway interface Vlan interface 3 Quidway Vlan interface3 ip address 192 168 5 30 255 255 255 0 Quidway Vlan interface3 quit Add the GigabitEthernet ...

Page 792: ...utput Power on a Port 1 3 1 5 Setting PoE Management Mode and PoE Priority of a Port 1 4 1 6 Setting the PoE Mode on a Port 1 5 1 7 Configuring the PD Compatibility Detection Feature 1 5 1 8 Configuring PoE Over Temperature Protection on the Switch 1 6 1 9 Upgrading the PSE Processing Software Online 1 6 1 10 Displaying PoE Configuration 1 7 1 11 PoE Configuration Example 1 8 Chapter 2 PoE Profile...

Page 793: ...ght application prospect PoE can be applied to IP phones wireless access points APs chargers for portable devices card readers cameras and data collection II PoE components z Power sourcing equipment PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information collection PoE power supply monitoring and power off for devices z PD PDs receive pow...

Page 794: ...ipment which you can query through the display command z The switch provides two modes auto and manual to manage the power feeding to ports in the case of PSE power overload z The switch provides over temperature protection mechanism Using this mechanism the switch disables the PoE feature on all ports when its internal temperature exceeds 65 0 C 149 0 F for self protection and restores the PoE fe...

Page 795: ...l Section 1 8 Configuring PoE Over Temperature Protection on the Switch Upgrade the PSE processing software online Optional Section 1 9 Displaying PoE Configuration 1 3 Enabling the PoE Feature on a Port Table 1 2 Enable the PoE feature on a port Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable the PoE feature on ...

Page 796: ...n supply power to the PDs that are connected to the ports with high priority For example Port A has the priority of critical When the switch is reaching its full load and a new PD is now added to port A the switch will power down the PD connected to the port with the low priority and turn to supply power to this new PD IF more than one port has the same lowest priority the switch will power down t...

Page 797: ... system view Enter Ethernet port view interface interface type interface number Set the PoE mode on the port poe mode signal spare Required S5600 series Ethernet switches do not support PoE in the spare mode currently 1 7 Configuring the PD Compatibility Detection Feature After the PD compatibility detection feature is enabled the switch can supply power to the detected PDs that do not conform to ...

Page 798: ...e protection feature is enabled on the switch Note z When the internal temperature of the switch decreases to 650 C 1490 F below but 600 C 1400 F above the switch still disables the PoE feature on all the ports z When the internal temperature of the switch increases to 60 0 C 140 0 F above but 650 C 1490 F above the switch still enables the PoE feature on all the ports 1 9 Upgrading the PSE Proces...

Page 799: ...grade in full mode fails after restart you must upgrade in full mode after power off and restart of the device and then restart the device manually In this way the former PoE configuration is restored 1 10 Displaying PoE Configuration After the above configuration execute the display command in any view to see the operation of the PoE feature and verify the effect of the configuration Table 1 9 Po...

Page 800: ...s connected to the GigabitEthernet1 0 24 port even when the S5624P PWR switch is under full load II Networking diagram Network GE1 0 1 GE1 0 2 S2016C AP AP Network S5624P PWR GE1 0 24 AP S2016C AP GE1 0 24 AP S2016C AP S2016C AP AP Network GE1 0 1 GE1 0 2 S2016C AP AP Network S5624P PWR GE1 0 24 AP S2016C AP GE1 0 24 AP S2016C AP S2016C AP AP Figure 1 1 Network diagram for PoE III Configuration pr...

Page 801: ...bitEthernet1 0 2 poe max power 2500 Quidway GigabitEthernet1 0 2 quit Set the PoE priority of GigabitEthernet 1 0 24 to critical to guarantee the power feeding to the AP to which this port connects Quidway interface GigabitEthernet 1 0 24 Quidway GigabitEthernet1 0 24 poe priority critical Quidway GigabitEthernet1 0 24 quit Set the power supply management mode on the switch to auto it is the defau...

Page 802: ...es Features of PoE profile z Various PoE profiles can be created PoE policy configurations applicable to different user groups are stored in the corresponding PoE profiles These PoE profiles can be applied to the ports used by the corresponding user groups z When users connect a PD to a PoE profile enabled port the PoE configurations in the PoE profile will be enabled on the PD 2 2 PoE Profile Con...

Page 803: ...default maximum power is set to be 15 400 mW Quit system view quit In system view apply poe profile profile name interface interface type interface number to interface type interface number Enter Ethernet port view interface interface type interface number Apply the existing PoE profile to the specified Ethernet port In Ethernet port view Apply the existing PoE profile to the port apply poe profil...

Page 804: ...les are applied successfully Caution z PoE profile configuration is a global configuration and applies synchronously in the IRF system z Combination of Unit creates a new Fabric In the newly created Fabric the PoE profile configuration of the Unit with the smallest Unit ID number will become the PoE profile configuration for the Fabric currently in use z Split of Fabric results in many new Fabrics...

Page 805: ...reas The PoE priority for GigabitEthernet1 0 6 through GigabitEthernet1 0 10 is High z The maximum power for GigabitEthernet1 0 1 through GigabitEthernet1 0 5 ports is 3000mW whereas the maximum power for GigabitEthernet1 0 6 through GigabitEthernet1 0 10 is 15 400mW Based on the above requirements two PoE profiles are made for users of group A z Apply PoE profile1 for GigabitEthernet1 0 1 through...

Page 806: ...profile name Profile1 Create profile 2 and enter poe profile view Quidway poe profile profile2 In Profile 2 add the PoE policy configuration applicable to GigabitEthernet1 0 6 through GigabitEthernet1 0 10 ports for type A group users Quidway poe profile Profile2 poe enable Quidway poe profile Profile2 poe mode signal Quidway poe profile Profile2 poe priority high Quidway poe profile Profile2 poe ...

Page 807: ...ies Proprietary i Table of Contents Chapter 1 UDP Helper Configuration 1 1 1 1 Introduction to UDP Helper 1 1 1 2 Configuring UDP Helper 1 2 1 3 Displaying and Debugging UDP Helper 1 3 1 4 UDP Helper Configuration Example 1 3 1 4 1 Network requirements 1 3 1 4 2 Network diagram 1 4 1 4 3 Configuration procedure 1 4 ...

Page 808: ...ts and duplicates those with their destination port numbers being that configured for UDP Helper to the UDP Helper module The UDP helper module in turn modifies the destination IP addresses of the packets and then sends the packet to the specified destination server Note The DHCP Relay module uses UDP port 67 and 68 to relay BOOTP DHCP broadcast packets so do not use port 67 and 68 as UDP Helper r...

Page 809: ...rface vlan interface vlan id Configure the destination server to which the UDP packets are to be forwarded udp helper server ip address Required By default no destination server is configured Caution z You need to enable the UDP Helper function before specifying a UDP Helper destination port z The dns netbios ds netbios ns tacacs tftp and time keywords refers to the six default UDP ports You can c...

Page 810: ...ough viewing the running status of the UDP Helper configuration You can use the reset command in user view to clear statistics about packets forwarded by UDP Helper Table 1 3 Display and debug UDP Helper configuration Operation Command Description View the information of the destination server and the number of packets forwarded to the corresponding destination server display udp helper server int...

Page 811: ...tch 2 Figure 1 1 Network diagram for UDP Helper configuration 1 4 3 Configuration procedure Enable UDP Helper on Switch1 Quidway system view Quidway udp helper enable Specify port 137 to be the UDP port for forwarding broadcast UDP packets Port 137 is the default UDP port as prompted in the command line Quidway udp helper port 137 Port has been configured Please check the port again Specify the de...

Page 812: ... Functions 1 3 1 3 Configuring Trap 1 6 1 3 1 Configuration Prerequisites 1 6 1 3 2 Configuration Tasks 1 6 1 4 Setting the Logging Function for Network Management 1 7 1 5 Displaying SNMP 1 8 1 6 SNMP Configuration Example 1 9 1 6 1 SNMP Configuration Example 1 9 Chapter 2 RMON Configuration 2 1 2 1 Introduction to RMON 2 1 2 1 1 Working Mechanism of RMON 2 1 2 1 2 Commonly Used RMON Groups 2 2 2 ...

Page 813: ...cts 1 1 1 SNMP Operation Mechanism SNMP can be divided into two parts namely Network Management Station and Agent Network management station NMS is the workstation for running the client program At present the commonly used NM platforms include QuidView Sun NetManager and IBM NetView Agent is the server software operated on network devices The NMS can send GetRequest GetNextRequest and SetRequest ...

Page 814: ...NMP packet is used to describe management objects of a device To uniquely identify the management objects of the device in SNMP messages SNMP adopts the hierarchical naming scheme to identify the managed objects It is like a tree and each tree node represents a managed object as shown in Figure 1 1 Thus the object can be identified with the unique path starting from the root A 2 6 1 5 2 1 1 2 1 B ...

Page 815: ...C2665 OSPF MIB RFC1253 Public MIB IF MIB RFC1573 DHCP MIB DHCP MIB QACL MIB ADBM MIB IGMP Snooping MIB RSTP MIB VLAN MIB Device management Interface management QACL MIB ADBM MIB RSTP MIB VLAN MIB Device management Private MIB Interface management 1 2 Configuring SNMP Basic Functions The configuration of SNMP V3 configuration is different from that of SNMP V1 and SNMP V2C therefore SNMP basic funct...

Page 816: ... the system location is Hangzhou China and the SNMP version is SNMP V3 Create or update the view information snmp agent mib view included excluded view name oid tree Optional By default the view name is ViewDefault and OID is 1 Direct configu ration Set a commun ity name snmp agent community read write community name acl acl number mib view view name Set an SNMP group snmp agent group v1 v2c group...

Page 817: ...w Enable SNMP Agent snmp agent Required By default SNMP Agent is disabled You can enable SNMP agent by executing this command or any configuration command of snmp agent Set system information snmp agent sys info contact sys contact location sys location version v1 v2c v3 all Optional By default the contact information for system maintenance is R D Beijing Huawei Technologies Co Ltd the system loca...

Page 818: ...ber device information 1 3 Configuring Trap Trap is the information that the managed device initiatively sends to the NMS without request Trap is used to report some urgent and important events e g the managed device is rebooted 1 3 1 Configuration Prerequisites Complete SNMP basic configuration 1 3 2 Configuration Tasks Table 1 4 Configure Trap Operation Command Description Enter system view syst...

Page 819: ...ce address to send Trap packets snmp agent trap source interface type interface number Optional Set the information queue length of Trap packet sent to destination host snmp agent trap queue size size Optional The default value is 100 Set aging time for Trap packets snmp agent trap life seconds Optional The default aging time for Trap packets is 120 seconds 1 4 Setting the Logging Function for Net...

Page 820: ... view to view the running status of SNMP and to verify the configuration Table 1 6 Display SNMP Operation Command Description Display system information of the current SNMP device display snmp agent sys info contact location version Display SNMP packet statistics information display snmp agent statistics Display the engine ID of the current device display snmp agent local engineid remote engineid ...

Page 821: ...10 10 1 10 10 10 2 Ethernet NMS 10 10 10 1 10 10 10 2 Figure 1 2 Network diagram for SNMP III Network procedure Set the community name group name and user Quidway system view Quidway snmp agent Quidway snmp agent sys info version all Quidway snmp agent community write public Quidway snmp agent mib view include internet 1 3 6 1 Quidway snmp agent group v3 managev3group write view internet Quidway s...

Page 822: ...rap address udp domain 10 10 10 1 udp port 5000 params securityname public IV Configuring NMS The S5600 series switch supports Huawei s QuidView NMS SNMP V3 adopts user name and password authentication In Quidview Authentication Parameter you need to set a user name choose security level and set authorization mode authorization password encryption mode and encryption password respectively accordin...

Page 823: ...emote network devices more effectively and actively thus providing a satisfactory means of monitoring the operation of the subnet With RMON the communication traffic between NMS and agents is reduced thus facilitating the management of large scale internetworks 2 1 1 Working Mechanism of RMON RMON allows multiple monitors It collects data in one of the following two ways z Using the dedicated RMON...

Page 824: ...such as the statistics of a port When the value of a monitored variable exceeds the threshold an alarm event is generated which triggers the network device to act in the set way Events are defined in event groups With an alarm entry defined in an alarm group a network device performs the following operations accordingly z Sampling the defined alarm variables alarm variable once in each specified p...

Page 825: ...Statistics group contains the statistics of each monitored port on a network device An entry in a statistics group is an accumulated value counting from the time when the statistics group is created The statistics include the number of the following items collisions packets with cyclic redundancy check CRC errors undersize or oversize packets broadcast packets multicast packets and received bytes ...

Page 826: ...ld value1 event entry1 falling_threshold threshold value2 event entry2 entrytype forever cycle cycle period owner text Optional Before adding an extended alarm entry you need to use the rmon event command to define the event referenced by the extended alarm entry Enter Ethernet port view interface interface type interface number Add a history entry rmon history entry number buckets number interval...

Page 827: ...ry number Display extended RMON alarm information display rmon prialarm prialarm entry number Display RMON events display rmon event event entry Display RMON event logs display rmon eventlog event entry The display comman d can be executed in any view 2 4 RMON Configuration Example I Network requirements z Ensure that the SNMP agents are correctly configured before performing RMON configuration z ...

Page 828: ...gabitEthernet 1 0 1 rmon statistics 1 owner user1 rmon View RMON configuration Quidway GigabitEthernet 1 0 1 display rmon statistics GigabitEthernet 1 0 1 Statistics entry 1 owned by user1 rmon is VALID Interface GigabitEthernet 1 0 1 ifIndex 4227626 etherStatsOctets 0 etherStatsPkts 0 etherStatsBroadcastPkts 0 etherStatsMulticastPkts 0 etherStatsUndersizePkts 0 etherStatsOversizePkts 0 etherStats...

Page 829: ...uisites 1 6 1 2 2 Configuring NTP Implementation Modes 1 6 1 3 Access Control Permission Configuration 1 9 1 4 NTP Authentication Configuration 1 9 1 4 1 Prerequisites 1 10 1 4 2 Configuring NTP Authentication 1 10 1 5 Configuration of Optional NTP Parameters 1 12 1 6 Displaying and Debugging NTP 1 13 1 7 Configuration Example 1 14 1 7 1 NTP Server Mode Configuration 1 14 1 7 2 NTP Peer Mode Confi...

Page 830: ...on and debugging information collected from different devices is meaningful and valid only when network devices that generate the information adopts the same time z The accounting system requires that the clocks of all the network devices be consistent z Some functions such as restarting all the network devices in a network simultaneously require that they adopt the same time z When multiple syste...

Page 831: ...series switch can serve as a time server only when it is synchronized 1 1 2 Working Principle of NTP The working principle of NTP is shown in Figure 1 1 In Figure 1 1 The Ethernet switch A LS_A is connected to the Ethernet switch B LS_B through their Ethernet ports Both of them have system clocks of their own and they need to synchronize the clocks of each other through NTP For ease of understandi...

Page 832: ...m 10 00 00 am NTP Packet received at 10 00 03 am 1 2 3 4 LS_A LS_A LS_A LS_A LS_B LS_B LS_B LS_B NTP Packet NTP Packet Netw ork Netw ork NTP Packet10 00 00am Netw ork Netw ork 11 00 01am 10 00 00am 11 00 01am 11 00 02am 10 00 00am NTP Packet received at 10 00 03 1 2 3 4 LS_A LS_A LS_A LS_A LS_B LS_B LS_B LS_B NTP Packet NTP Packet Netw ork Netw ork NTP Packet 10 00 00 am Netw ork Netw ork 11 00 01...

Page 833: ...synchronization request packet Operates in the passive peer mode automatically Netw ork Response packet Synchronize Active peer Passive peer Netw ork Clock synchronization request packet Operates in the passive peer mode automatically Netw ork Response packet Synchronize Active peer Passive peer Netw ork Clock synchronization request packet Operates in the passive peer mode automatically Netw ork ...

Page 834: ...e request after receiving the first multicast packet Response packet Multicast clock synchronization packets periodically Work as a server automatically and send response packets Obtain the delay betw een the client and the server andwork as a client in multicast mode Receive multicast packets and synchronize its local clock Netw ork Client Server Multicast clock synchronization packets periodical...

Page 835: ...face configure on the switch z Configure the S5600 switch to operate in NTP multicast client mode In this case the S5600 switch receives multicast NTP packets through the VLAN interface configure on the switch 1 2 NTP Implementation Mode Configuration A switch can operate in the following NTP modes z NTP client mode z NTP server mode z NTP peer mode z NTP broadcast server mode z NTP broadcast clie...

Page 836: ...rates in the NTP peer mode Enter VLAN interface view interface Vlan interface vlan id Configure to operate in the NTP broadcast client mode ntp service broadcast client Optional By default no Ethernet switch operates in the NTP broadcast client mode Configure to operate in the NTP broadcast server mode ntp service broadcast server authentication keyid key id version number Optional By default no E...

Page 837: ...fied by the remote ip argument operates as the NTP time server The S5600 series switch operates as the client whose clock is synchronized to the NTP server In this case the clock of the NTP server is not synchronized to the local client z When the remote ip argument is an IP address of a host it cannot be a broadcast or a multicast address neither can it be the IP address of a reference clock II N...

Page 838: ...e NTP broadcast client mode or NTP multicast client mode the connections it establishes with the peers are dynamic If it operates in other modes the connections it establishes with the peers are static 1 3 Access Control Permission Configuration Access control permission to NTP server is a security measure that is of the minimum extent Authentication is more reliable comparing to it An access requ...

Page 839: ... are performed z You need to couple the NTP authentication with a trusted key z The configurations performed on the server and the client must be the same z A client with NTP authentication enabled is only synchronized to a server that can provide a trusted key 1 4 2 Configuring NTP Authentication I Configuring NTP authentication on the client Table 1 4 Configure NTP authentication on the client O...

Page 840: ...cation requires that the authentication keys configured for the server and the client are the same Besides the authentication keys must be trusted keys Otherwise the client cannot be synchronized with the server z In NTP server mode and NTP peer mode you need to associate the specified key with the corresponding NTP server active peer on the client passive peer In these two modes multiple servers ...

Page 841: ...rver on the server z You can associate an NTP server with an authentication key while configuring a switch to operate in a specific NTP mode You can also associate them using this command after configuring the NTP mode where a switch is to operate Note The procedures for configuring NTP authentication on the server are the same as that on the client Besides the client and the server must be config...

Page 842: ...cast peer command if you provide the address of the sending interface in these two commands z Dynamic connections can only be established when a switch operates in passive peer mode NTP broadcast client mode or NTP multicast client mode In other modes the connections established are static 1 6 Displaying and Debugging NTP After the above configuration you can execute the display command in any vie...

Page 843: ...12 24 Quidway 1 1 0 1 11 24 S5600 1 0 1 12 24 Quidway 1 1 0 1 11 24 1 0 1 12 24 Quidway 1 1 0 1 11 24 S5600 1 0 1 12 24 n Figure 1 6 Network diagram for the NTP server mode configuratio III Configuration procedures The following configurations are for the S5600 switch View the NTP status of the S5600 switch before synchronization S5600 display ntp service status Clock status unsynchronized Clock s...

Page 844: ...at the S5600 series switch is synchronized to Quidway1 and the stratum of its clock is 3 one stratum higher than Quidway1 View the information about the NTP sessions of the S5600 series switch You can see that the S5600 series switch establishes a connection with Quidway1 5600 display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 1 64 1 ...

Page 845: ... configuration III Configuration procedures 1 Configure the S5600 series switch Set Quidway2 to be the time server S5600 system view S5600 ntp service unicast server 3 0 1 31 2 Configure Quidway3 after the S5600 series switch is synchronized to Quidway2 Enter system view Quidway3 system view Quidway3 After the local synchronization set the S5600 series switch to be its peer Quidway3 ntp service un...

Page 846: ...m higher than Quidway3 View the information about the NTP sessions of the S5600 series switch and you can see that a connection is established between the S5600 series switch and Quidway3 S5600 display ntp service sessions source reference stra reach poll now offset delay disper 2 3 0 1 32 127 127 1 0 1 1 64 1 350 1 15 1 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured 1 ...

Page 847: ... Quidway 3 Quidway 4 3 0 1 31 24 3 0 1 32 24 1 0 1 31 24 Vlan interface 2 Vlan interface 2 Vlan interface 2 Quidway 3 Quidway 4 3 0 1 31 24 3 0 1 32 24 1 0 1 31 24 Vlan interface 2 Vlan interface 2 Vlan interface 2 S5600 2 S5600 1 Figure 1 8 Network diagram for the NTP broadcast mode configuration III Configuration procedures 1 Configure Quidway3 Enter system view Quidway3 system view Quidway3 Ent...

Page 848: ...onized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 250 0000 Hz Actual frequency 249 9992 Hz Clock precision 2 19 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that S5600 1 is synchronized to Quidway3 with the clock stratum of 3 one str...

Page 849: ... 1 Quidway 3 Quidway 4 3 0 1 31 24 3 0 1 32 24 1 0 1 31 24 Vlan interface 2 Vlan interface 2 Vlan interface 2 Quidway 3 Quidway 4 3 0 1 31 24 3 0 1 32 24 1 0 1 31 24 Vlan interface 2 Vlan interface 2 Vlan interface 2 Quidway 3 Quidway 4 3 0 1 31 24 3 0 1 32 24 1 0 1 31 24 Vlan interface 2 Vlan interface 2 Vlan interface 2 Quidway 3 Quidway 4 3 0 1 31 24 3 0 1 32 24 1 0 1 31 24 Vlan interface 2 Vla...

Page 850: ... receiving multicast packets sent by Quidway3 View the status of S5600 1 after the synchronization S5600 1 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 250 0000 Hz Actual frequency 249 9992 Hz Clock precision 2 19 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 ...

Page 851: ...NTP clock II Network diagram Quidway 1 1 0 1 11 24 1 0 1 12 24 Quidway 1 1 0 1 11 24 S5600 1 0 1 12 24 Quidway 1 1 0 1 11 24 1 0 1 12 24 Quidway 1 1 0 1 11 24 S5600 1 0 1 12 24 Figure 1 10 Network diagram for NTP server mode with authentication configuration III Configuration procedures 1 Configure the S5600 series switch Enter system view S5600 system view S5600 Configure Quidway1 to be the time ...

Page 852: ...ation keyid 42 authentication model md5 aNiceKey Specify the key to be a trusted key Quidway1 ntp service reliable authentication keyid 42 After the above configuration the S5600 series switch can be synchronized to Quidway1 You can view the status of S5600 after the synchronization S5600 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequ...

Page 853: ... performs subsequent processing When the switch receives an NTP packet without authentication information there are the following scenarios z If the switch enables NTP authentication it regards the packet an invalid packet and discards the packet z If the switch does not enable NTP authentication it does not perform authentication processing for the packet When the switch receive an NTP packet fro...

Page 854: ...erminal Services 1 1 1 1 1 Introduction to SSH 1 1 1 1 2 SSH Server Configuration 1 3 1 1 3 SSH Client Configuration 1 10 1 1 4 Displaying SSH Configuration 1 11 1 1 5 SSH Server Configuration Example 1 12 1 1 6 SSH Client Configuration Example 1 14 1 2 SFTP Service 1 16 1 2 1 SFTP Overview 1 16 1 2 2 SFTP Server Configuration 1 16 1 2 3 SFTP Client Configuration 1 17 1 2 4 SFTP Configuration Exam...

Page 855: ...n to the Switch remotely through an insecure network environment A Switch can connect to multiple SSH clients and currently supports SSHv2 0 version SSH client functions to enable SSH connections between users and the Switch or UNIX host that support SSH server Figure 1 1 and Figure 1 2 shows respectively SSH connection establishment for client and server z SSH connections through LAN 100BASE TX S...

Page 856: ...age These operations are completed at this stage z The client sends TCP connection requirement to the server z When TCP connection is established both ends begin to negotiate the SSH version z If they can work together in harmony they enter the key algorithm negotiation stage Otherwise the server clears the TCP connection 2 Key algorithm negotiation stage These operations are completed at this sta...

Page 857: ...ication works as follows z Configure the RSA public key of the client user at the server z The client sends the member modules of its RSA public key to the server z The server checks the validity of the member module If it is valid the server generates a random number which is sent to the client after being encrypted with RSA public key of the client z Both ends calculate authentication data based...

Page 858: ...cation retry times ssh server authentication retries Set the update interval for the server key ssh server rekey interval Specify the server compatible with the SSHv1 x version supported client ssh server compatible ssh1x enable Refer to the Configuring server SSH attributes Allocate public keys for SSH users ssh user username assign rsa key keyname or rsa peer public key key name import sshkey fi...

Page 859: ...guration task is used to generate or destroy the server RSA key pair The name of the server RSA key pair is in the format of switch name plus _Host and switch name plus _Server Quidway_Host and Quidway_Server for example After you input the rsa local key pair command the system prompts you to define the key length z In SSHv1 x the key length is in the range of 512 to 2 048 bits z In SSHv2 0 the ke...

Page 860: ...ompatible mode if you execute the display rsa local key pair public command two public keys are displayed They are Quidway_Host and Quidway_Server z When the switch works in the SSHv2 0 mode if you execute the display rsa local key pair public command only one public key is displayed It is Quidway_ Host III Configuring authentication type New users must specify authentication type Otherwise they c...

Page 861: ...rname is the SSH local user name so that there is no need to configure a local user in AAA IV Configuring server SSH attributes Configuring server SSH authentication timeout time retry times server keys update interval and SSH compatible mode can effectively assure security of SSH connections by avoiding illegal actions such as malicious password guessing Table 1 5 Configure server SSH attributes ...

Page 862: ...e server end There are two methods to set client public key 1 Assign public keys to SSH users one by one Operations at client end z Use SSH1 5 2 0 client software to generate random RSA key pair z Run SSHKEY EXE file and convert the public key in the RSA key pair to PKCS code Operations at server end Table 1 6 Configure client public keys Operation Command Description Enter system view system view...

Page 863: ... end z Use SSH1 5 2 0 client software to generate random RSA key pair z Use FTP TFTP to transfer the public key fil to the Flash memory of the server Operations at server end Table 1 7 Use command to assign public keys automatically Operation Command Description Enter system view system view Convert public key format and automatically assign public key rsa peer public key key name import sshkey fi...

Page 864: ...1 9 Configure SSH client Operation Command Description Enter system view system view Create the connection between SSH client and server ssh2 host ip host name port prefer_kex dh_group1 dh_exchange_group prefer_ctos_cipher des aes128 prefer_stoc_cipher des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required You can use this command to enable the connec...

Page 865: ...IP address for sending traffic packets Operation Command Description Enter system view system view Specify source IP address for SSHv2 0 Client ssh2 source ip ip address Optional Specify source interface for SSHv2 0 Client ssh2 source interface interface type interface number Optional 1 1 4 Displaying SSH Configuration Use the display commands in any view to view the running of SSH and further to ...

Page 866: ... runs the client software which supports SSHv2 0 establish a local connection with the switch SSH Server and ensure the security of data exchange II Network diagram SSH Client Switch SSH Server PC Switch SSH Server SSH Client PC Figure 1 3 Network diagram for SSH server configuration III Configuration procedure 1 Generate a local RSA key pair Quidway system view Quidway rsa local key pair create N...

Page 867: ... abc z RSA public key authentication Set AAA authentication on the user interfaces Quidway user interface vty 0 4 Quidway ui vty0 4 authentication mode scheme Set the user interfaces to support SSH Quidway ui vty0 4 protocol inbound ssh Configure the login protocol for the client002 user as SSH and authentication type as RSA public key Quidway ssh user client002 authentication type rsa Generate ra...

Page 868: ...IP address 10 165 87 136 SSH Client Switch B SSH Server Switch A PC IP address 10 165 87 136 Switch B SSH Server SSH Client Switch A Figure 1 4 Network diagram for SSH client configuration III Configuration procedure 1 Configure the client to run the initial authentication Quidway ssh client first time enable 2 Configure server public keys on the client Quidway rsa peer public key public Quidway r...

Page 869: ...ncated Do you continue access it Y N y Do you want to save the server s public key Y N y Enter password All rights reserved 1997 2005 Without the owner s prior written consent no decompiling or reverse engineering shall be allowed Quidway z Start the client and use the RSA public key authentication according to the encryption algorithm defined Quidway ssh2 10 165 87 136 22 perfer_kex dh_group1 per...

Page 870: ...nfiguration tasks z Configuring service type for an SSH user z Enabling the SFTP server z Setting connection timeout time I Configuring service type for an SSH user Table 1 12 Configure service type for an SSH user Operation Command Description Enter system view system view Configure service type for an SSH user ssh user username service type stelnet sftp all Optional By default the available serv...

Page 871: ...ut time is 10 minutes 1 2 3 SFTP Client Configuration The following sections describe SFTP client configuration tasks Table 1 15 Configure SFTP client Operation Command Key word View Description Enable the SFTP client sftp System view Required bye exit Disable the SFTP client quit SFTP client view Optional Change the current directory cd Return to the upper directory cdup Display the current direc...

Page 872: ...nformation about SFTP client commands help SFTP client view Optional I Enabling the SFTP client You can enable the SFTP client establish a connection to the remote SFTP server and enter STP client view Table 1 16 Enable the SFTP client Operation Command Description Enter system view system view Enable the SFTP client sftp host ip host name port num prefer_kex dh_group1 dh_exchange_group prefer_cto...

Page 873: ...t view sftp host ip host name Change the current directory cd remote path Return to the upper directory cdup Display the current directory pwd Optional dir remote path Display the list of the files in a directory ls remote path Optional The dir and ls commands have the same function Create a directory on the SFTP server mkdir remote path Delete a directory from the SFTP server rmdir remote path Op...

Page 874: ...nformation You can display help information about a command such as syntax and parameters Table 1 20 Display help information about SFTP client commands Operation Command Description Enter system view system view Enter SFTP client view sftp host ip host name Display help information about SFTP client commands help command name Optional VI Specifying source IP address for sending traffic packets Th...

Page 875: ...itch B z Switch B serves as an SFTP server with IP address 10 111 27 91 z Switch A serves as an SFTP client z An SSH user name abc with password hello is created II Network diagram PC IP address 10 111 27 91 SFTP Client Switch B SFTP Server Switch A PC IP address 10 111 27 91 Switch B SFTP Server SFTP Client Switch A Figure 1 5 Network diagram for SFTP configuration III Configuration procedure 1 C...

Page 876: ...3 06 52 vrpcfg cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Create directory new1 and verify the operation sftp client mkdir new1 New directory created sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 vrpcfg cfg rwxrwxrwx 1 noone nogro...

Page 877: ...e pu to the SFTP server and rename it to puk Verify the operations sftp client put pu puk Local file pu Remote file flash puk Uploading file successfully ended sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 vrpcfg cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone no...

Page 878: ...stem 1 3 1 2 2 Introduction to Operation and Configuration Tasks on the File System 1 3 1 2 3 Directory Operations 1 4 1 2 4 File Operations 1 5 1 2 5 Flash Operations 1 6 1 2 6 Prompt Mode Configuration 1 7 1 2 7 File System Configuration Example 1 7 1 3 Configuration Backup and Restore 1 8 1 3 1 Operation Preparation 1 9 1 3 2 Operation Procedure 1 9 Chapter 2 FTP TFTP Lighting Configuration 2 1...

Page 879: ...tup files The main startup file is used first for a switch to startup In the Flash there can be only one app file one configuration file and one Web file with main attribute backup Identifies backup startup files The backup startup file is used after a switch fails to startup using the main startup file In the Flash there can be only one app file one configuration file and one Web file with the ba...

Page 880: ...kup attribute of the files Perform the configuration listed in Table 1 2 in user view The display commands can be executed in any view Table 1 2 Configure file attributes Operation Command Description Configure the app file with the main attribute for the next startup boot boot loader file url fabric Optional Configure the app file with the backup attribute for the next startup boot boot loader ba...

Page 881: ...2 File System Configuration 1 2 1 Introduction to File System To facilitate management on the Flash memory Ethernet switches provide the file system module The file system allows users to access and manage files and directories through creating deleting a directory displaying the current work directory and displaying the contents of a directory By default a switch prompts for confirmation before e...

Page 882: ...ethod can be used to specify a file in the Flash memory of the current unit z Inputting the path name or file name directly This method can be used to specify a path or a file in the current work directory 1 2 3 Directory Operations The file system provides directory related functions such as z Creating deleting a directory z Displaying the current work directory or contents in a specified directo...

Page 883: ... 1 5 describes the file related operations Perform the following configuration in user view Note that the execute command should be executed in system view and the display command can be executed in any view Table 1 5 File operations Operation Command Description Delete a file delete unreserved file url delete running files standby files fabric unreserved Optional A deleted file can be restored if...

Page 884: ...s are the same only the latest deleted file is kept in the recycle bin and can be restored z The files which are deleted using the delete command with the unreserved keyword not specified are actually moved to the recycle bin and thus still take storage space You can clear the recycle bin to make room for other files by using the reset recycle bin command z Use the update fabric command only when ...

Page 885: ...nter system view system view Configure the prompt mode of the file system file prompt alert quiet Required By default prompt mode of the file system is alert 1 2 7 File System Configuration Example Display all the files in the root directory of the file system on the local unit Quidway dir all Directory of unit1 flash 1 rw 5822215 Jan 01 1970 00 07 03 s5600 bin 2 rwh 4 Apr 01 2000 23 55 49 snmpboo...

Page 886: ...2000 04 50 07 test 15367 KB total 4631 KB free with main attribute b with backup attribute b with both main and backup attribute Quidway dir unit1 flash test Directory of unit1 flash test 1 rw 1376 Apr 04 2000 04 50 30 1 cfg 15367 KB total 2025 KB free with main attribute b with backup attribute b with both main and backup attribute 1 3 Configuration Backup and Restore Formerly you can only back u...

Page 887: ...vant units support TFTP client z The TFTP server is started and reachable 1 3 2 Operation Procedure Perform the following operations in user view Table 1 8 Back up and restore configuration file Operation Command Description Back up the current configuration of a specified unit backup unit unit id current configuration to dest addr dest hostname filename cfg Optional Back up the current configurat...

Page 888: ...rk administrator should configure the IP address of the FTP server before the user can successfully log in Then the user can access the files on the FTP server z FTP client A user runs a terminal emulation program or Telnet program on a PC and connects to the Ethernet switch which acts as an FTP client After that the user input the ftp X X X X command where X X X X represents the IP address of an ...

Page 889: ...of local users local user password displ ay mode auto cipher force Optional By default this mode is auto that is the switch displays user passwords in the modes adopted when the passwords are set Log into the remote FTP server Required For detailed configuration refer to the configuration instruction relevant to FTP client FTP client Upload file from the FTP client to the FTP server Required For d...

Page 890: ...tain the access rights of corresponding directory and file z At the same time the user logs into the FTP server the switch enters FTP client command view FTP client Download files from the remote FTP server and save the files to the local device get remotefile localfile Required If no local file name is specified the system will consider that the local file name is identical with the file name on ...

Page 891: ...her The switch can only act as a TFTP client Switch PC Network Switch Switch PC n Network Figure 2 2 Network diagram for TFTP configuratio 2 2 2 TFTP Lighting Procedure Caution The TFTP server and the TFTP client must be reachable to each other for the TFTP function operates normally After TFTP client is enabled on an S5600 switch the seven segment digital LED on the front panel of the switch will...

Page 892: ...TP TFTP Lighting Configuration Huawei Technologies Proprietary 2 5 Device Operation Command Description TFTP client Log into a remote TFTP server download and save a remote file to the local device tftp tftp server get source file dest file Required This command should be executed in user view ...

Page 893: ... 1 1 Introduction to FTP 1 1 1 1 2 FTP Configuration A Switch Operating as an FTP Server 1 2 1 1 3 Configuration Example A Switch Operating as an FTP Server 1 6 1 1 4 FTP Configuration A Switch Operating as an FTP Client 1 8 1 1 5 Configuration Example A Switch Operating as an FTP Client 1 11 1 2 TFTP Configuration 1 13 1 2 1 Introduction to TFTP 1 13 1 2 2 TFTP Configuration 1 15 1 2 3 TFTP Confi...

Page 894: ...odes z Binary mode for program file transfer z ASCII mode for text file transfer An Ethernet switch can act as an FTP client or the FTP server in FTP employed data transmission z FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log into a switch operating as an FTP server by running an FTP client program on your PC to access f...

Page 895: ...cute the ftp X X X X command on your PC X X X X is the IP address of an FTP server Table 1 2 describes the configurations needed when a switch operates as an FTP client Table 1 2 Configurations needed when a switch operates as an FTP client Device Configuration Default Description Switch Run the ftp command to log into a remote FTP server directly To log into a remote FTP server and operates files...

Page 896: ...word display mode for the local users z Configuring service types for the local users For commands used in these configurations refer to the AAA RADIUS HWTACACS EAD module of this manual for local user local user password display mode password and service type II Configuration procedure Table 1 3 Configure an FTP server Operation Command Description Enter system view system view Enable the FTP ser...

Page 897: ...provide a user name and a password for being authenticated by the FTP server III Specifying the source interface and source IP address for an FTP server You can specify the source interface and source IP address for an FTP server to enhance server security After this configuration FTP clients can access this server only through the IP address of the specified interface or the specified IP address ...

Page 898: ...onnecting a specified user On the FTP server you can disconnect a specified user from the FTP server to secure the network Table 1 5 Disconnect a specified user Operation Command Description Enter system view system view On the FTP server disconnect a specified user from the FTP server ftp disconnect user name Required Note If you attempt to disconnect a user that is uploading downloading data to ...

Page 899: ... VLAN interface on the switch and 2 2 2 2 for the PC Ensure the route between the two is reachable The switch application named switch bin is stored on the PC Upload it to the FTP server through FTP to upgrade the application of the switch and download the switch configuration file named vrpcfg cfg from the switch to backup the configuration file II Network diagram Switch PC Network Network Switch...

Page 900: ...ch bin is located In this example it is in the root directory of C C Access the Ethernet switch through FTP Input the user name switch and password hello to log in and enter FTP view C ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none switch 331 Password required for switch Password 230 User logged in ftp Upload the switch bin file ftp put switch bin 200 Port command okay 15...

Page 901: ... the switch application is upgraded Quidway boot boot loader switch app Quidway reboot Note For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual 1 1 4 FTP Configuration A Switch Operating as an FTP Client I Basic configurations on an FTP client The function for a switch to operate as ...

Page 902: ...k directory on the FTP server pwd Optional Create a directory on the remote FTP server mkdir pathname Optional Remove a directory on the remote FTP server rmdir pathname Optional Delete a specified file delete remotefile Optional Query the specified files dir filename localfile Optional Query a specified remote file ls remotefile localfile Optional Download a remote file get remotefile localfile O...

Page 903: ...it connects with a remote FTP server through the IP address of the specified interface or the specified IP address Table 1 8 Specify the source interface and source IP address for an FTP client Operation Command Description Specify the source interface so that the FTP client uses it to connect with an FTP server for the next time ftp cluster remote server source interface interface type interface ...

Page 904: ...ient always uses to connect to an FTP server the former will be used for the next connection z Only one of the source interface or source IP address can be set for the FTP client at one time That is only one of the commands source interface and ftp server source ip can be effective at one time If you execute both of them the new setting will overwrite the original one 1 1 5 Configuration Example A...

Page 905: ...software 2 Configure the switch Log into the switch You can log into a switch through the Console port or by Telneting to the switch See the Log into an Ethernet Switch section for detailed information Quidway Caution If available space on the Flash memory of the switch is not enough to hold the file to be uploaded you need to delete files from the Flash memory to make room for the file Connect to...

Page 906: ...tart the switch Thus the switch application is upgraded Quidway boot boot loader switch bin Quidway reboot Note For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual 1 2 TFTP Configuration 1 2 1 Introduction to TFTP Compared with FTP TFTP trivial file transfer protocol features simple ...

Page 907: ...er and make sure the route between the two is reachable z A switch can only operate as a TFTP client Switch PC Network Network Switch PC Network Network Figure 1 4 Network diagram for TFTP configuration Table 1 9 describes the operations needed when a switch operates as a TFTP client Table 1 9 Configurations needed when a switch operates as a TFTP client Device Configuration Default Description Co...

Page 908: ...ted when a switch attempts to connect a TFTP server tftp server acl acl number Optional III Specifying the source interface and source IP address for a TFTP client You can specify the source interface and source IP address for a switch acting as a TFTP client so that it connects with a remote TFTP server through the IP address of the specified interface or the specified IP address Table 1 11 Speci...

Page 909: ...alue of argument ip address must be an IP address on the device where the configuration is performed and otherwise a prompt appears to show the configuration fails z The latest connection setting is prior to the fixed setting That is if you configure the source IP address or source interface be used when the TFTP client connect with an TFTP server for the next time and the IP address or interface ...

Page 910: ...5 Network diagram for TFTP configurations III Configuration procedure 1 Start the TFTP server and configure the work directory on the PC 2 Configure the switch Log into the switch You can log into a switch through the Console port or by Telneting to the switch See section Log into an Ethernet Switch for detailed information Quidway Caution If available space on the Flash memory of the switch is no...

Page 911: ...in switch bin Upload the switch configuration file named vrpcfg cfg to the TFTP server Quidway tftp 1 1 1 2 put vrpcfg cfg vrpcfg cfg Use the boot boot loader command to specify the downloaded file switch bin to be the startup file used when the switch starts the next time and restart the switch Thus the switch application is upgraded Quidway boot boot loader switch bin Quidway reboot Note For inf...

Page 912: ... Output to a Log Host 1 7 1 2 3 Enabling Information Output to the Console 1 8 1 2 4 Enabling Information Output to a Monitor Terminal 1 10 1 2 5 Enabling Information Output to the Log Buffer 1 11 1 2 6 Enabling Information Output to the Trap Buffer 1 12 1 2 7 Enabling Information Output to the SNMP 1 13 1 3 Displaying and Debugging Information Center Configuration 1 14 1 4 Information Center Conf...

Page 913: ...g output to a log host 188 Apr 9 17 28 50 524 2004 Quidway IFNET 5 UPDOWN Line protocol on the interface Vlan interface 2 is UP SIP 10 5 1 5 SP 1080 The following describes the fields in front of the content field of an information item 1 Priority The calculation formula for priority is priority facility 8 severity 1 For VRP the default facility value is 23 and severity ranges from one to eight Se...

Page 914: ...ble 1 1 Examples of modules generating the information Module name Description 8021X 802 1x module ACL Access control list module ADBM Address base module AM Access management module ARP Address resolution protocol module BGP Border gateway protocol module CFAX Configuration agent module CFG Configuration management plane module CFM Configuration file management module CLST Cluster management modu...

Page 915: ...module IPC Inter processes communication module L2INF Layer 2 interface management module LACL Lanswitch access control list module LAGG Link aggregation module LINE Terminal line module LQOS Lanswitch quality of service module LS Local server module MACAUTH Centralized MAC authentication module MPM Multicast port management module MSDP Multicast source discovery protocol module MSTP Multiple span...

Page 916: ...on module RTPRO Routing protocol module SC Server control module SHELL User interface module SNMP Simple network management protocol module SOCKET Socket module SSH Secure shell module SYSMIB System MIB module TAC Terminal access controller module TELNET Telnet module TFTPC TFTP client module UDPH UDP helper module VAA VLAN access agent module VFS Virtual file system module VLAN Virtual local area...

Page 917: ... definitions on the information center Severity Value Description emergencies 1 The system is unavailable alerts 2 Errors that need to be corrected immediately critical 3 Critical errors errors 4 Common errors warnings 5 Warnings notifications 6 Normal information that needs to be noticed informational 7 Normal prompt information debugging 8 Debugging information Note that a slash separates the le...

Page 918: ...e monitor terminal monitor log host loghost trap buffer trapbuffer log buffer logbuffer and SNMP snmp agent z Filtering information by information severities information is divided into eight severity levels z Filtering information by modules where information is generated z Language options Chinese or English for information output to a log host 1 2 1 Enabling Synchronous Terminal Output To avoid...

Page 919: ...ion output for a specified switch in a fabric info center switch on unit unit id master all debugging logging trapping By default debugging information output is enabled and log and trap information output are disabled for the master switch in a fabric Debugging log and trap information output are all disabled for other switches in the fabric Enable information output to a log host info center log...

Page 920: ...nd receives information sent by other switches at the same time to update the information on itself In this way the switch ensures the synchronization of log debugging and trap information in the whole fabric z To view the debugging information of specific modules you need to set the information type as debug in the info center source command and enable debugging for corresponding modules through ...

Page 921: ...only enable log information output to the console but also enable log information terminal display with the terminal logging command Perform the following operations in user view Table 1 7 Enable debugging log trap terminal display Operation Command Description Enable the debugging log trap information terminal display function terminal monitor Optional By default this function is enabled for cons...

Page 922: ...el channel number channel name log trap debug level severity state state Required Set the format of time stamp info center timestamp log trap debugging boot date none Optional This is to set the time stamp format for log debugging trap information output This determines how the time stamp is presented to users Note z When there are multiple Telnet users or dumb terminal users some configuration pa...

Page 923: ...ult debugging information terminal display is disabled for terminal users Enable log information terminal display function terminal logging Optional By default log information terminal display is enabled for console users Enable trap information terminal display function terminal trapping Optional By default trap information terminal display is enabled for terminal users 1 2 5 Enabling Information...

Page 924: ...ug in the info center source command and enable debugging on corresponding modules with the debugging command as well 1 2 6 Enabling Information Output to the Trap Buffer Table 1 11 lists the related configurations on the switch Table 1 11 Enable information output to the trap buffer Operation Command Description Enter system view system view Enable the information center info center enable Option...

Page 925: ...mation Output to the SNMP Table 1 12 lists the related configurations on the switch Table 1 12 Enable information output to the SNMP Operation Command Description Enter system view system view Enable the information center info center enable Optional By default the information center is enabled Enable information output to the SNMP info center snmp channel channel number channel name Required By d...

Page 926: ...log buffer and trap buffer Table 1 13 Display and debug information center Operation Command Descriptio n Display information on information channel display channel channel number channel name Display the operation status of information center the configuration of information channels the format of time stamp and the information output in case of fabric display info center unit unit id Display the...

Page 927: ...ystem view Quidway info center enable Disable for all modules the function of outputting information to log host channels Quidway undo info center source default channel loghost Configure the host whose IP address is 202 38 1 10 as the log host Set the output language to English Permit ARP and IP modules to output information with severity level higher than informational to the log host Quidway in...

Page 928: ...ponding parameters configured in the commands info center loghost and info center source Otherwise log information may not be output to the log host normally Step 3 After the log file information is created and the file etc syslog conf is modified run the following command to send a HUP signal to the system daemon syslogd so that it reads its new configuration file etc syslog conf ps ae grep syslo...

Page 929: ... 38 1 10 as the log host Set the output language to English Permit all modules to output information with severity level higher than error to the log host Quidway info center loghost 202 38 1 10 facility local7 language english Quidway info center source default channel loghost log level errors debug state off trap state off 2 Configure the log host Step 1 Execute the following commands as the sup...

Page 930: ... 3 After the log file information is created and the file etc syslog conf is modified run the following commands to view the process ID of the system daemon syslogd stop the process and then restart the daemon syslogd in the background with the r option ps ae grep syslogd 147 kill 9 147 syslogd r Note In case of Linux log host the daemon syslogd must be started with the r option After all the abov...

Page 931: ...Quidway info center enable Disable for all modules the function of outputting information to the console channels Quidway undo info center source default channel console Enable log information output to the console Permit ARP and IP modules to output information with severity level higher than informational to the console Quidway info center console channel console Quidway info center source arp c...

Page 932: ... from User View 2 1 2 1 3 Setting the System Name of the Switch 2 2 2 1 4 Setting the Date and Time of the System 2 2 2 1 5 Setting the Local Time Zone 2 2 2 1 6 Setting the Summer Time 2 2 2 1 7 Setting the CLI Language Mode 2 3 2 1 8 Returning from Current View to Lower Level View 2 3 2 1 9 Returning from Current View to User View 2 3 2 2 Displaying the System Status 2 4 2 3 System Debugging 2 4...

Page 933: ... Ethernet Switches Release 1510 Table of Contents Huawei Technologies Proprietary ii 4 2 5 Updating the BootROM 4 3 4 2 6 Updating the Host Software in the Fabric 4 3 4 3 Displaying the Device Management Configuration 4 3 4 4 Remote Switch Update Configuration Example 4 4 ...

Page 934: ...witch through an Ethernet port This chapter introduces how to load BootROM and host software to a switch locally and how to do this remotely 1 1 Introduction to Loading Approaches You can load software locally by using z XMODEM through Console port z TFTP through Ethernet port z FTP through Ethernet port You can load software remotely by using z FTP z TFTP Note The BootROM software version should ...

Page 935: ... Starting Quidway S5600 BOOTROM Version 318 Copyright c 1998 2005 Huawei Technologies Co Ltd Creation date Dec 20 2005 15 52 47 CPU type BCM1122 CPU Clock Speed 400MHz BUS Clock Speed 33MHz Memory Size 128MB Mac Address 00e0fc005600 Press Ctrl B to enter Boot Menu 5 Press Ctrl B The system displays Password Note To enter the Boot Menu you should press Ctrl B within five seconds after the informati...

Page 936: ...on generally the maximum number of retransmission attempts is ten The XMODEM transmission procedure is completed by a receiving program and a sending program The receiving program sends negotiation characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data packets When receiving a complete packet the receiving program checks the packet using ...

Page 937: ... system displays the following information Download baudrate is 115200 bps Please change the terminal s baudrate to 115200 bps and select XMODEM protocol Press enter key when ready Note If you have chosen 9600 bps as the download baud rate you need not modify the HyperTerminal s baud rate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this case the system will not ...

Page 938: ...ance and Debugging Quidway S5600 Series Ethernet Switches Release 1510 Chapter 1 BootROM and Host Software Loading Huawei Technologies Proprietary 1 5 Figure 1 1 Properties dialog box Figure 1 2 Console port configuration dialog box ...

Page 939: ...tons Note The new baud rate takes effect only after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC Step 7 Choose Transfer Send File in the HyperTerminal s window and click Browse in pop up d...

Page 940: ... following information when it completes the loading Bootrom updating done Note z If the HyperTerminal s baud rate is not reset to 9600 bps the system prompts Your baudrate should be set to 9600 bps again Press enter key when ready z You need not reset the HyperTerminal s baud rate and can skip the last step if you have chosen 9600 bps In this case the system upgrades BootROM automatically and pro...

Page 941: ...ce II Loading BootROM software Switch PC Console port Ethernet port TFTP server Switch PC Console port Ethernet port Switch PC Console port Ethernet port TFTP client Switch PC Console port Ethernet port Switch PC Console port Ethernet port TFTP server Switch PC Console port Ethernet port Switch PC Console port Ethernet port TFTP client Switch PC Console port Ethernet port Figure 1 6 Local loading ...

Page 942: ...ss Enter The system displays the following information Are you sure to update your bootrom Yes or No Y N Step 6 Enter Y to start file downloading or N to return to the Bootrom update menu If you enter Y the system begins to download and update the BootROM software Upon completion the system displays the following information Loading done Bootrom updating done III Loading host software Follow these...

Page 943: ...lient Switch PC Console port Ethernet port FTP server Switch PC Console port Ethernet port Switch PC Console port Ethernet port Switch PC Console port Ethernet port FTP client Switch PC Console port Ethernet port FTP server Switch PC Console port Ethernet port Switch PC Console port Ethernet port Switch PC Console port Ethernet port Figure 1 7 Local loading using FTP client Step 1 As shown in Figu...

Page 944: ...g information Are you sure to update your bootrom Yes or No Y N Step 6 Enter Y to start file downloading or N to return to the Bootrom update menu If you enter Y the system begins to download and update the program Upon completion the system displays the following information Loading done Bootrom updating done z Loading host software Follow these steps to load the host software Step 1 Select 1 in ...

Page 945: ...ly 1 3 1 Remote Loading Using FTP I Loading Process Using FTP Client 1 Loading BootROM As shown in Figure 1 8 a PC is used as both the configuration device and the FTP server You can telnet to the switch and then execute the FTP commands to download the BootROM program s5600 btm from the remote FTP server with an IP address 10 1 1 1 to the switch FTP client Switch PC Ethernet port FTP 1 server 0 1...

Page 946: ...te Before restarting the switch make sure you have saved all other configurations that you want so as to avoid losing configuration information 2 Loading host software Loading the host software is the same as loading the BootROM program except for that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software at reboot of ...

Page 947: ...0 1 1 1 Internet Switch PC Ethernet port 10 1 1 1 Internet FT FTP Server 192 168 0 56 P Client r Figure 1 9 Remote loading using FTP serve Step 1 As shown in Figure 1 9 connect the switch through an Ethernet port to the PC with IP address 10 1 1 1 Step 2 Configure the IP address of VLAN1 on the switch to 192 168 0 56 and subnet mask to 255 255 255 0 Note You can configure the IP address for any VL...

Page 948: ...dway luser test service type ftp Step 4 Enable FTP client software on PC Refer to Figure 1 10 for the command line interface in Windows operating system Figure 1 10 Command line interface Step 5 Enter cd in the interface to switch to the path that the BootROM upgrade file is to be stored and assume the name of the path is D Bootrom as shown in Figure 1 11 Figure 1 11 Switch to BootROM ...

Page 949: ...r the user name test password pass as shown in Figure 1 12 to log on the FTP server Figure 1 12 Log on the FTP server Step 7 Use the put command to upload the file s5600 btm to the switch as shown in Figure 1 13 Figure 1 13 Upload file s5600 btm to the switch Step 8 Configure s5600 btm to be the BootROM at reboot and then restart the switch Quidway boot bootrom s5600 btm This will update Bootrom o...

Page 950: ...software file and that you need to use the boot boot loader command to select the host software at reboot of the switch Note z The steps listed above are performed in the Windows operating system if you use other FTP client software refer to the corresponding user s guide before operation z Only the configurations steps concerning loading are illustrated here for detailed description on the corres...

Page 951: ...1 3 Setting the System Name of the Switch Set the date and time of the system Optional Section 2 1 4 Setting the Date and Time of the System Set the local time zone Optional Section 2 1 5 Setting the Local Time Zone Set the summer time Optional Section 2 1 6 Setting the Summer Time Set the CLI language mode Optional Section 2 1 7 Setting the CLI Language Mode Return from current view to lower leve...

Page 952: ...D Optional By default it is 23 55 00 04 01 2000 when the system starts up 2 1 5 Setting the Local Time Zone This configuration task is to set the name of the local time zone and the difference between the local time zone and the standard UTC universal time coordinated time Table 2 5 Set the local time zone Operation Command Description Set the local time zone clock timezone zone name add minus HH ...

Page 953: ...te end time end date offset time Optional 2 1 7 Setting the CLI Language Mode Table 2 7 Set the CLI language mode Operation Command Description Set the CLI language mode language mode chinese english Optional By default the command line interface CLI language mode is English 2 1 8 Returning from Current View to Lower Level View Table 2 8 Return from current view to lower level view Operation Comma...

Page 954: ...nterfaces display users all Display the debugging status display debugging fabric unit unit id interface interface type interface number module name You can execute the display command in any view 2 3 System Debugging 2 3 1 Enabling Disabling System Debugging The Ethernet switch provides a variety of debugging functions Most of the protocols and features supported by the Ethernet switch are provid...

Page 955: ...nformation Figure 2 1 Debugging information outpu You can use the following commands to operate the two kinds of switches Perform the following operations in user view Table 2 11 Enable debugging and terminal display Operation Command Description Enable system debugging debugging module name debugging option By default all debugging is disabled in the system Because the output of debugging informa...

Page 956: ... Displaying Operating Information about Modules in System When your Ethernet switch is in trouble you may need to view a lot of operating information to locate the problem Each functional module has its own operating information display command s You can use the command here to display the current operating information about the modules settled when this command is designed in the system for troub...

Page 957: ...sponse time of the response packet are displayed z Final statistics including the numbers of sent packets and received response packets the irresponsive packet percentage and the minimum average and maximum values of response time 3 1 2 tracert You can use the tracert command to trace the gateways a packet passes during its journey from the source to the destination This command is mainly used to ...

Page 958: ...rk Connectivity Test Huawei Technologies Proprietary 3 2 Table 3 2 The tracert command Operation Command Description Trace the gateways a packet passes from the source host to the destination tracert a source ip f first ttl m max ttl p port q num packet w timeout string You can execute the tracert command in any view ...

Page 959: ...Tasks Table 4 1 Device management configuration tasks Operation Description Related section Restart the Ethernet switch Section 4 2 2 Restarting the Ethernet Switch Schedule a reboot on the switch Optional Section 4 2 3 Scheduling a Reboot on the Switch Specify the ARP to be adopted at reboot Optional Section 4 2 4 Specifying the APP to be Adopted at Reboot Update the BootROM Optional Section 4 2 ...

Page 960: ...ion Schedule a reboot on the switch and set the reboot date and time schedule reboot at hh mm mm dd yyyy yyyy mm dd Optional Schedule a reboot on the switch and set the reboot waiting delay schedule reboot delay hh mm mm Optional Enter system view system view Schedule a reboot on the switch and set the reboot period schedule reboot regularity at hh mm period Optional Note There is at most one minu...

Page 961: ...mmand The BootROM can be used when the switch reboots Perform the following configuration in user view Table 4 5 Update the BootROM Operation Command Description Update the BootROM boot bootrom file url device name Optional 4 2 6 Updating the Host Software in the Fabric You can execute the following commands on any device and use a specified host software to upload all devices in a Fabric thus to ...

Page 962: ... information to a file suffixed with diag in the Flash memory display diagnostic information Display enabled debugging on a specified switch or all switches in the fabric display debugging fabric unit unit id interface interface type interface number module name Display enabled debugging on all switches in the fabric in terms of module names display debugging fabric by module You can execute the d...

Page 963: ...diagram PC Switch PC Network Network PC Switch Switch Switch PC Network Network PC Switch Switch Switch PC Network Network PC Switch Switch Switch Switch Switch PC Network Network Figure 4 1 Network diagram of FTP configuration III Configuration procedure 1 Configure the following FTP server related parameters on the PC an FTP user with the username and password as switch and hello respectively be...

Page 964: ...ssword 230 Logged in successfully ftp Enter the authorized path on the FTP server ftp cd switch Execute the get command to download the switch bin and boot btm files on the FTP server to the Flash memory of the switch ftp get switch bin ftp get boot btm Execute the quit command to terminate the FTP connection and return to user view ftp quit Quidway Update the BootROM Quidway boot bootrom boot btm...

Page 965: ...e and Debugging Quidway S5600 Series Ethernet Switches Release 1510 Chapter 4 Device Management Huawei Technologies Proprietary 4 7 The current boot app is switch bin The main boot app is switch bin The backup boot app is Quidway reboot ...

Page 966: ...ration Prerequisites 1 2 1 2 2 Configuration procedure 1 2 1 3 Inner VLAN Tag Priority Replication Configuration 1 3 1 3 1 Configuration Prerequisites 1 3 1 3 2 Configuration procedure 1 3 1 4 VLAN VPN Configuration Example 1 4 Chapter 2 BPDU Tunnel Configuration 2 1 2 1 BPDU Tunnel Overview 2 1 2 1 1 Introduction to the BPDU Tunnel Function 2 1 2 1 2 BPDU Tunnel Fundamental 2 1 2 2 BPDU Tunnel Co...

Page 967: ...ser VLAN TAG ETYPE DATA 0 1500B 2B 2B 2B 2B 2B 6B 6B FCS 4B DA SA ETYPE Nested VLAN TAG ETYPE User VLAN TAG ETYPE DATA 0 1500B 2B 2B 2B 2B 2B 6B 6B DA SA ETYPE Nested VLAN TAG ETYPE User VLAN TAG ETYPE DATA 0 1500B 2B 2B 2B 2B 2B 6B 6B Figure 1 2 Structure of packets with double layer VLAN tags Compared with MPLS based Layer 2 VPN VLAN VPN has the following features z It provides Layer 2 VPN tunne...

Page 968: ... If any of the protocols among GVRP GMRP NTDP STP 802 1x and Centralized MAC address authentication is enabled for a port you can not enable the VLAN VPN function for the port z By default STP and NTDP are enabled on a device You can disable these two protocols using the stp disable and undo ntdp enable commands 1 2 2 Configuration procedure Table 1 1 Configure the VLAN VPN function for a port Ope...

Page 969: ...function and the VLAN VPN function are mutually exclusive will not be copied 1 3 Inner VLAN Tag Priority Replication Configuration You can configure to replicate the tag priority of the inner VLAN tag of a VLAN VPN packet to the outer VLAN tag to remain the original tag priority after the packet is inserted an outer VLAN tag 1 3 1 Configuration Prerequisites The VLAN VPN function is enabled 1 3 2 ...

Page 970: ...h C Switch B Switch A Switch C Switch B GE1 0 1 access VLAN 10 VLAN VPN port GE1 0 2 trunk permit VLAN 10 GE1 0 1 access VLAN 10 VLAN VPN port Switch A Switch C Switch B GE3 1 1 trunk permit VLAN 10 GE3 1 2 trunk permit VLAN 10 Switch A Switch C Switch B Switch A Switch C Switch B Switch A Switch C Switch B GE1 0 1 access VLAN 10 VLAN VPN port GE1 0 2 trunk permit VLAN 10 GE1 0 2 trunk permit VLAN...

Page 971: ... to VLAN 10 SwitchA interface GigabitEthernet1 0 1 SwitchA GigabitEthernet1 0 1 port access vlan 10 SwitchA GigabitEthernet1 0 1 vlan vpn enable SwitchA GigabitEthernet1 0 1 quit 2 Configure Switch B As Switch B is from other manufacturer here come only configuration requirements set ports GigabitEthernet3 1 1 and GigabitEthernet3 1 2 of Switch B to Trunk ports both of which belong to VLAN 10 Swit...

Page 972: ... 0 2 port z The packet reaches GigabitEthernet3 1 2 port of Switch B in the public network Switch B forwards the packet in VLAN 10 to GigabitEthernet3 1 1 z The packet is forwarded from GigabitEthernet3 1 1 port of Switch B to the network on the other side and enters GigabitEthernet1 0 2 port of Switch C Then Switch C forwards the packet in VLAN 10 to its GigabitEthernet1 0 1 As GigabitEthernet1 0...

Page 973: ...packet conforming with IEEE standards carries a special destination MAC address and contains a type field Some proprietary protocols adopt the same packet structure where a private MAC address is used to identify the corresponding proprietary protocol and the type field is used to identify the specific protocol type II Transmitting BPDU packets transparently As shown in Figure 2 1 the network on t...

Page 974: ...r s network User s network Receiving sending device Receiving sending device Figure 2 1 BPDU Tunnel network hierarchy Figure 2 2 and Figure 2 3 show the structure of a BPDU packet before and after it enter a BPDU tunnel BPDU Data FCS Destination MAC address Protocol specific MAC Source MAC address BPDU Data FCS Destination MAC address Protocol specific MAC Source MAC address Figure 2 2 The structu...

Page 975: ...able the BPDU Tunnel in system view or in Ethernet view By default NDP is enabled globally Enable the BPDU Tunnel function for the packets of a specific protocol bpdu tunnel lacp ndp cdp vtp Required Note The BPDU Tunnel is unavailable to all the ports of a device if the device has the fabric function enabled on one of its ports 2 3 BPDU Tunnel Configuration Example I Network requirements z Custom...

Page 976: ...de1 Enable NDP on GigabitEthernet1 0 1 port Quidway system view Quidway interface GigabitEthernet 1 0 1 Quidway GigabitEthernet1 0 1 ndp enable Enable the BPDU Tunnel function on GigabitEthernet1 0 2 port Quidway GigabitEthernet1 0 1 quit Quidway interface GigabitEthernet 1 0 2 Quidway GigabitEthernet1 0 2 bpdu tunnel uplink Quidway GigabitEthernet1 0 2 bpdu tunnel ndp 2 Configure Provider2 Enable...

Page 977: ...uawei Technologies Proprietary i Table of Contents Chapter 1 HWPing Configurations 1 1 1 1 Introduction to HWPing 1 1 1 2 HWPing Configuration 1 1 1 2 1 Introduction to HWPing Configuration 1 1 1 2 2 Configuring HWPing 1 2 1 2 3 Displaying HWPing Configuration 1 3 1 2 4 Configuration Example 1 3 ...

Page 978: ... timeout status of each packet on the console terminal in real time You need to execute the display hwping command to view the statistic results of your HWPing test operation HWPing allows administrators to set the parameters of HWPing test groups and start HWPing test operations X 25 Internet HWPing Client Switch A Switch B X 25 Internet X 25 Internet HWPing Client Switch A Switch B X 25 Internet...

Page 979: ...sidered a failure This parameter is similar to the t keyword in the ping command but has a different unit the t keyword in the ping command is in ms while the timeout time in the HWPing command is in seconds 1 2 2 Configuring HWPing Table 1 1 Configure HWPing Operation Command Description Enter system view system view Enable HWPing Client hwping agent enable Required By default HWPing Client is di...

Page 980: ...of HWPing test history display hwping history administrator name operation tag Display the latest HWPing test results display hwping results administrator name operation tag The display command can be executed in any view 1 2 4 Configuration Example I Network Requirement Perform an HWPing ICMP test between two switches Like a ping test this test uses ICMP to test the RTTs of data packets between t...

Page 981: ... Square Sum of Round Trip Time 66 Last complete test time 2004 4 2 7 59 54 7 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Quidway hwping administrator icmp display hwping history ad...

Page 982: ...w 1 1 1 1 1 Static Domain Name Resolution 1 1 1 1 2 Dynamic Domain Name Resolution 1 1 1 2 Configuring Static Domain Name Resolution 1 3 1 3 Configuring Dynamic Domain Name Resolution 1 3 1 3 1 Configuration Dynamic Domain Name Resolution 1 3 1 3 2 DNS Configuration Example 1 4 1 4 Displaying and Maintaining DNS 1 4 1 5 Troubleshooting DNS Configuration 1 5 ...

Page 983: ...ses can be put in the static database 1 1 1 Static Domain Name Resolution The static domain name resolution manually sets up mappings between names and IP addresses IP addresses of the corresponding names can be found in the static domain name resolution database for applications 1 1 2 Dynamic Domain Name Resolution I Resolving procedure Huawei 3Com s router supports the following dynamic domain n...

Page 984: ...ent gets the information from the DNS messages II DNS suffixes The DNS Client normally holds a list of suffixes which can be defined by the users It is used when the name to be resolved is not complete The resolver can supply the missing part which is call automatic DNS suffix For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address...

Page 985: ...ssigned to the host name can overwrite the old one if there is any You may create up to 50 entries for the domain name resolution 1 3 Configuring Dynamic Domain Name Resolution 1 3 1 Configuration Dynamic Domain Name Resolution Table 1 2 Configure dynamic domain name resolution Operation Command Description Enter the system view system view Enable dynamic domain name resolution dns resolve Require...

Page 986: ... 16 1 1 1 1 16 S5600 2 1 1 2 16 host1 3 1 1 1 16 DNS Client DNS Server 1 1 16 DNS Client DNS Server Internet 2 1 1 1 16 1 1 1 1 16 S5600 2 1 1 2 16 host1 3 1 1 1 16 DNS Client DNS Server Internet 2 1 1 1 16 1 1 1 1 16 Figure 1 2 Network diagram for dynamic domain name resolution III Configuration procedure Note Before doing the following configuration make sure the route between S5600 and host 1 i...

Page 987: ...olution result nslookup type ptr ip address a domain name Available in any view Reset the caching memory of dynamic domain name resolution reset dns dynamic host Available in user view 1 5 Troubleshooting DNS Configuration I Symptom After enabling the dynamic domain name resolution the user cannot get the IP address or the IP address is incorrect II Solution z Use the display dns dynamic host comm...

Page 988: ...Operation Manual Appendix Quidway S5600 Series Ethernet Switches Release 1510 Table of Contents i Table of Contents Appendix A Acronyms A 1 ...

Page 989: ...der Router B BDR Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP GARP Multi...

Page 990: ...NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM O OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode Q QoS Quality of Service R RIP Routing Information Protocol RMON Remote Network Monitoring RSTP Rapid Spanning Tree Pr...

Page 991: ...A Acronyms A 3 TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand VRRP Virtual Router Redundancy Protocol W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking ...

Search results

Summary of Contents for Quidway S5600

Reviews:

Brands by name

Popular brands

Huawei Quidway S5600, Operation Manual

Search results

Summary of Contents for Quidway S5600

Reviews:

Brands by name

Popular brands