H3C S3610-28F Скачать руководство пользователя страница 905

Страница: 905 / 1547

Operation Manual – 802.1x-HABP-MAC Authentication
H3C S3610&S5510 Series Ethernet Switches

Chapter 4 MAC Authentication Configuration

4-1

Chapter 4 MAC Authentication Configuration

When configuring MAC authentication, go to these sections for information you are

interested in:

MAC Authentication Overview

Related Concepts

Configuring MAC Authentication

Displaying and Maintaining MAC Authentication

MAC Authentication Configuration Examples

ACL Assigning Configuration Example

4.1 MAC Authentication Overview

MAC authentication provides a way for authenticating users based on ports and MAC

addresses, without requiring any client software to be installed on the hosts. Once

detecting a new MAC address, it initiates the authentication process without requiring

username or password.

Currently, the device supports two MAC authentication modes:

Remote Authentication Dial-In User Service (RADIUS) based MAC authentication

Local MAC authentication

For detailed information about RADIUS authentication and local authentication, refer to

AAA RADIUS HWTACACS Configuration

After determining the authentication mode to be used, you can choose the type of MAC

authentication username, including:

MAC address, where the MAC address of a user serves as both the username and

password.

Fixed username, where all users use the same preconfigured username and

password for authentication, regardless of the MAC addresses.

4.1.1 RADIUS-Based MAC Authentication

In RADIUS-base MAC authentication, the device serves as a RADIUS client and

requires a RADIUS server to cooperate with it.

If the type of MAC authentication username is MAC address, the device forwards

a detected MAC address as the username and password to the RADIUS server for

authentication of the user.

If the type of MAC authentication username is fixed username, the device sends

the same username and password configured locally to the RADIUS server for

authentication of each user.

Содержание S3610-28F

Страница 1: ...H3C S3610 S5510 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20081229 C 1 01 Product Version Release 5303...

Страница 2: ...InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information i...

Страница 3: ...hernet Switches Operation Manual Release 5303 is organized as follows Part Contents 0 Product Overview Introduces the system features service features and network application of the switches 1 Login I...

Страница 4: ...3 IPv6 IS IS and IPv6 BGP 15 Multicast Protocol Introduces the multicast protocol related configurations 16 802 1x HABP MAC Authentication Introduces 802 1x HABP and MAC related configurations 17 AAA...

Страница 5: ...and the related configuration 35 OAM Introduces ethernet OAM configuration 36 DLDP Introduces DLDP and the related configuration 37 RRPP Introduces RRPP and the related configuration 38 SSL HTTPS Intr...

Страница 6: ...sign can be entered 1 to n times A line starting with the sign is comments II GUI conventions Convention Description Button names are inside angle brackets For example click OK Window names menu item...

Страница 7: ...plications 4 1 4 1 H3C S3610 Series Ethernet Switches Networking Applications 4 1 4 1 1 Broadband Ethernet Access for Residential Communities 4 1 4 1 2 Application in Networks of Branches or Small to...

Страница 8: ...product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version This manual serves the purpose of user guide only Unless otherwise noted all the infor...

Страница 9: ...ries Ethernet Switches Chapter 1 Obtaining the Documentation 1 2 1 3 Software Release Notes With software upgrade new software features may be added You can acquire the information about the newly add...

Страница 10: ...5303 For details refer to Table 2 1 Table 2 1 Added features in Release 5303 Features Location VLAN check 02 VLAN MAC Address Synchronization 04 QinQ BPDU Tunneling VLAN ignore Transparent BPDU Transm...

Страница 11: ...itan area networks MANs and to meet the requirements at the access layer Supporting IPv4 IPv6 double stack they offer abundant service features and routing functionalities 3 2 Switch Models Table 3 1...

Страница 12: ...ding ports on S3610 series Model Combo port Corresponding port 49 53 50 54 51 55 S3610 52M AC S3610 52M DC 52 56 Table 3 3 lists the models in the S5510 series Table 3 3 Models in the S5510 series Mod...

Страница 13: ...eatures of S3610 S5510 series Ethernet switches Part Feature 01 Login z Logging into a switch through the Console port z Logging into a switch by using Telnet through an Ethernet port z Logging into a...

Страница 14: ...t BPDU transmission z BPDU Tagging Function 10 IPv6 z IPv6 basic configuration z Ping IPv6 Traceroute IPv6 z Manual IPv6 tunnel z Configuring IPv4 compatible with the IPv6 tunnel z 6to4 tunnel z ISATA...

Страница 15: ...i terminal access controller access control system HWTACACS 18 ARP z Configuring ARP entries manually z Gratuitous ARP z ARP source suppression z Proxy ARP 19 DHCP z DHCP server z DHCP relay z DHCP Sn...

Страница 16: ...enter z System logs z Alarms in different severities z Debugging information output 30 System Maintaining and Debugging z Configuring command levels z Configuring online help for command lines z Confi...

Страница 17: ...users and uplinked to a core Layer 3 switch through a GE extension module to connect to the MAN backbone MAN Backbone Core layer Distribution layer Community building access layer Corridor access laye...

Страница 18: ...4 1 3 Application in Large Enterprise and Campus Networks In a large enterprise or campus network the H3C S3610 series are located at the convergence layer They are downlinked to Layer 2 switches S31...

Страница 19: ...ies Server cluster PC PC Figure 4 3 H3C S3610 series application in large enterprise and campus network 4 1 4 IPv4 IPv6 Hybrid Networking Full IPv4 networking and full IPv6 networking are similar At t...

Страница 20: ...ernet Switches Networking Applications 4 2 1 Broadband Ethernet Access for Residential Communities An H3C S5510 series Ethernet switch can operate on the distribution layer of a broadband MAN You can...

Страница 21: ...n the branches of a small medium sized or large enterprises you can use H3C S5510 series Ethernet switches as the backbone layer devices In this case network devices can connect to an S5510 Ethernet s...

Страница 22: ...layer devices in the networks of large enterprises and campus networks In this case you can connect an S5510 Ethernet switch to a backbone router or Layer 3 switches through its GigabitEthernet optic...

Страница 23: ...networks are common This gives full play to the IPv4 IPv6 dual stack and IPv6 over IPv4 tunneling features provided by the H3C S5510 series and enables flexible networking IPv4 backbone Layer 3 switc...

Страница 24: ...nfiguration with Authentication Mode Being Password 2 10 2 5 1 Configuration Procedure 2 10 2 5 2 Configuration Example 2 12 2 6 Console Port Login Configuration with Authentication Mode Being Scheme...

Страница 25: ...1 Overview 7 1 7 2 Configuring Source IP Address for Telnet Service Packets 7 1 7 3 Displaying the source IP address Interface Specified for Telnet Packets 7 2 Chapter 8 Controlling Login Users 8 1 8...

Страница 26: ...2 1 Supported User Interfaces S3610 S5510 series Ethernet switch supports two types of user interfaces AUX and VTY Table 1 1 Description on user interface User interface Applicable user Port used Des...

Страница 27: ...is not locked by default Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Disconnect a specified user i...

Страница 28: ...he screen length 0 command to disable the function to display information in pages Make terminal services available shell Optional By default terminal services are available in all user interfaces Set...

Страница 29: ...nto an S3610 S5510 series Ethernet switch through its Console port only To log into an Ethernet switch through its Console port the related configuration of the user terminal must be in accordance wit...

Страница 30: ...e Console port launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figu...

Страница 31: ...sfully completes POST power on self test The prompt such as H3C appears after the user presses the Enter key z You can then configure the switch or check the information about the switch by executing...

Страница 32: ...the AUX user interface Optional By default commands of level 3 are available to the users logging into the AUX user interface Define a shortcut key for aborting tasks Optional The default shortcut ke...

Страница 33: ...urations for Different Authentication Modes Table 2 3 lists Console port login configurations for different authentication modes Table 2 3 Console port login configurations for different authenticatio...

Страница 34: ...he user name and password of a local user are configured on the switch z The user name and password of a remote user are configured on the DADIUS server Refer to user manual of RADIUS server for more...

Страница 35: ...nal The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are a...

Страница 36: ...d level available to users logging into a switch depends on both the authentication mode none command and the user privilege level level command as listed in the following table Table 2 4 Determine th...

Страница 37: ...user logging in through the Console port H3C ui aux0 authentication mode none Specify commands of level 2 are available to the user logging into the AUX user interface H3C ui aux0 user privilege level...

Страница 38: ...ssword authentication Set the local password set authentication password cipher simple password Required Set the baud rate speed speed value Optional The default baud rate of an AUX port also the Cons...

Страница 39: ...er size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a us...

Страница 40: ...need to limit the Console user at the following aspects z The user is authenticated against the local password when logging in through the Console port z The local password is set to 123456 in plain t...

Страница 41: ...user privilege level 2 Set the baud rate of the Console port to 19 200 bps H3C ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 H3C ui aux0 screen length 30 Set the ma...

Страница 42: ...pecify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AA...

Страница 43: ...ailable to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Define a shortcut key for...

Страница 44: ...eout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is perf...

Страница 45: ...mmand authorization Users logging into the Console port and pass AAA RADIUS or local authentication The user privilege level level command is executed and the service type terminal level level command...

Страница 46: ...authentication password to 123456 in plain text H3C luser guest password simple 123456 Set the service type to Terminal Specify commands of level 2 are available to the user logging into the AUX user...

Страница 47: ...f the AUX user interface to 6 minutes H3C ui aux0 idle timeout 6 After the above configuration to ensure a successful login the console user needs to change the corresponding configuration of the term...

Страница 48: ...other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Note z After you log into the switch...

Страница 49: ...hortcut key combination for aborting tasks is Ctrl C Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the scr...

Страница 50: ...to perform local authentication or RADIUS authentication AAA configuration specifies whether to perform local authentication or RADIUS authentication Optional Local authentication is performed by defa...

Страница 51: ...er interfaces Configure the protocols to be supported by the VTY user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the command...

Страница 52: ...es You can use the idle timeout 0 command to disable the timeout function Note that if you configure not to authenticate the users the command level available to users logging into a switch depends on...

Страница 53: ...ation procedure Enter system view and enable the Telnet service H3C system view H3C telnet server enable Enter VTY 0 user interface view H3C user interface vty 0 Configure not to authenticate Telnet u...

Страница 54: ...o users logging into the user interface user privilege level level Optional By default commands of level 0 are available to users logging into VTY user interface Configure the protocol to be supported...

Страница 55: ...er interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the...

Страница 56: ...gram Figure 3 2 Network diagram for Telnet configuration with the authentication mode being password III Configuration procedure Enter system view and enable the Telnet service H3C system view H3C tel...

Страница 57: ...al AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the ra...

Страница 58: ...Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automatically executed when a user logs into a user...

Страница 59: ...user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure to...

Страница 60: ...command level Determined by the service type command The user privilege level level command is not executed and the service type command does not specify the available command level The user privilege...

Страница 61: ...Configuration Example I Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0 z Configure the name of the loca...

Страница 62: ...mode scheme Configure Telnet protocol is supported H3C ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 H3C ui vty0 screen length 30 Set the maximum number...

Страница 63: ...to different authentication modes for them Refer to section 3 2 Telnet Configuration with Authentication Mode Being None section 3 3 Telnet Configuration with Authentication Mode Being Password and s...

Страница 64: ...ut the commands Note z A Telnet connection will be terminated if you delete or modify the IP address of the VLAN interface in the Telnet session z By default commands of level 0 are available to Telne...

Страница 65: ...switch operating as the Telnet client Step 3 Execute the following command on the switch operating as the Telnet client H3C telnet xxxx Where xxxx is the IP address or the host name of the switch ope...

Страница 66: ...g into a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side...

Страница 67: ...corresponding configuration on the switch is the same as those when logging into the switch locally through its Console port except that z When you log in through the Console port using a modem the b...

Страница 68: ...following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disab...

Страница 69: ...ection by using modems Step 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 and Figure 4 3 Note t...

Страница 70: ...such as H3C appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the following chapters for information about the configuration commands No...

Страница 71: ...IP address of the management VLAN of the switch is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Rou...

Страница 72: ...r PC and the switch as shown in the following figure Figure 5 1 Establish an HTTP connection between your PC and the switch Step 4 Log into the switch through IE Launch IE on the Web based network man...

Страница 73: ...e this command in system view The Web server is started by default Start the Web server ip http enable Required Execute this command in system view 5 4 Displaying Web Users After the above configurati...

Страница 74: ...MS and the agent To log into a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging into a switch through an NMS Item Requi...

Страница 75: ...e switch is used to transmit packets between the Telnet client and the Telnet server This conceals the IP address of the actual interface used As a result external attacks are guarded and the security...

Страница 76: ...e interface number Optional Not specified by default Note To perform the configurations listed in Table 7 1 and Table 7 2 make sure that z The IP address specified is that of the local device z The in...

Страница 77: ...resses Through Layer 2 ACLs Section 8 2 4 Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Section 8 3 2 Controlling Network Management Users by Source I...

Страница 78: ...d The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 8 2...

Страница 79: ...g Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs which are numbered from 4000 to 4999 Refer to the ACL module for information about defining an ACL To do Use the command Rem...

Страница 80: ...fig H3C acl basic 2000 rule 1 permit source 10 110 100 52 0 H3C acl basic 2000 rule 2 permit source 10 110 100 46 0 H3C acl basic 2000 rule 3 deny source any H3C acl basic 2000 quit Apply the ACL H3C...

Страница 81: ...view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the...

Страница 82: ...munity command take effect in the network management systems that adopt SNMPv1 or SNMPv2c Similarly as SNMP group name and SNMP user name are features of SNMPv2c and the higher SNMP versions the speci...

Страница 83: ...m the IP addresses of 10 110 100 52 and 10 110 100 46 to access the switch H3C snmp agent community read h3c acl 2000 H3C snmp agent group v2c h3cgroup acl 2000 H3C snmp agent usm user v2c h3cuser h3c...

Страница 84: ...specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment logging Required Quit to system view quit Apply the ACL to cont...

Страница 85: ...olling Web users using ACLs III Configuration procedure Define a basic ACL H3C system view H3C acl number 2030 match order config H3C acl basic 2030 rule 1 permit source 10 110 100 52 0 H3C acl basic...

Страница 86: ...iguring a Protocol Based VLAN 1 12 1 6 Configuring IP Subnet Based VLAN 1 13 1 6 1 Introduction 1 13 1 6 2 Configuring an IP Subnet Based VLAN 1 13 1 7 Displaying and Maintaining VLAN 1 14 1 8 VLAN Co...

Страница 87: ...3 2 GVRP Configuration Task List 3 5 3 3 Configuring GVRP 3 5 3 3 1 Enabling GVRP 3 5 3 3 2 Configuring GARP Timers 3 6 3 4 Displaying and Maintaining GVRP 3 7 3 5 GVRP Configuration Examples 3 8 3 5...

Страница 88: ...dium is shared in an Ethernet network performance may degrade as the number of hosts on the network is increasing If the number of the hosts in the network reaches a certain level problems caused by c...

Страница 89: ...ance much easier and more flexible 1 1 2 VLAN Fundamental To enable packets being distinguished by the VLANs they belong to The VLAN tag fields used to identify VLANs are added to packets As common sw...

Страница 90: ...length and with its value ranging from 0 to 4095 identifies the ID of the VLAN a packet belongs to As VLAN IDs of 0 and 4095 are reserved by the protocol the value of this field actually ranges from...

Страница 91: ...create or remove reserved VLANs which are reserved for specific functions z Dynamic VLANs cannot be removed using the undo vlan command z If a VLAN has a QoS policy configured the VLAN cannot be remo...

Страница 92: ...dress mask mask length sub Optional Not configured by default Specify the descriptive string for the VLAN interface description text Optional VLAN interface name is used by default for example Vlan in...

Страница 93: ...id and Trunk port z A Hybrid port allows packets of multiple VLANs to be sent without the Tag label z A Trunk port only allows packets from the default VLAN to be sent without the Tag label II Default...

Страница 94: ...the packet with the default VLAN ID z Receive the packet if the VLAN ID is the same as the default VLAN ID and the VLAN ID is in the list of permitted VLANs of the port z Receive the packet if the VLA...

Страница 95: ...w Enter VLAN view vlan vlan id Required If the specified VLAN does not exist this command be created first creates the VLAN before entering its view Add an Access port to the current VLAN port interfa...

Страница 96: ...emarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group n...

Страница 97: ...ure the Hybrid port based VLAN To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group vie...

Страница 98: ...sable VLAN check vlan check disable Enable VLAN check undo vlan check disable Configure either command as needed Enabled by default 1 5 Protocol Based VLAN Configuration 1 5 1 Introduction to Protocol...

Страница 99: ...2 Configuring a Protocol Based VLAN Follow these steps to configure a protocol based VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Required If the speci...

Страница 100: ...t set etype id in ethernetii etype etype id to 0x0800 0x809b 0x8137 or 0x86dd Otherwise the encapsulation format of the matching packets will be the same as that of the IPv4 IPX AppleTalk and IPv6 pac...

Страница 101: ...oup view port group manual port group name aggregation agg id Use either command In Ethernet port view the subsequent configurations only apply to the current port in port group view the subsequent co...

Страница 102: ...n any view Display the IP subnet based VLAN information and IP subnet index of specified ports display ip subnet vlan interface interface type interface number to interface type interface number all A...

Страница 103: ...permit vlan 2 6 to 50 100 Please wait Done 2 Configure Device B following similar steps as that of Device A IV Verification Verifying the configuration of Device A is similar to that of Device B So o...

Страница 104: ...ttles 0 CRC 0 frame 0 overruns 0 aborts ignored parity errors Output total packets bytes broadcasts multicasts pauses Output normal 0 packets 0 bytes 0 broadcasts 0 multicasts 0 pauses Output 0 output...

Страница 105: ...traffic improving transmission priority and ensuring voice quality A device determines whether a received packet is a voice packet by checking its source MAC address Packets containing source MAC add...

Страница 106: ...matically add the port into the Voice VLAN and apply ACL rules and configure the packet precedence An aging time can be configured for the voice VLAN The system will remove a port from the voice VLAN...

Страница 107: ...ybrid not supported Access not supported Trunk supported provided that the default VLAN of the access port exists and is not the voice VLAN and that the access port belongs to the default VLAN Tagged...

Страница 108: ...llowed to go through a certain port 2 1 2 Security Mode and Normal Mode for the Voice VLAN Ports that have the voice VLAN feature enabled can be divided into two modes based on their filtering mechani...

Страница 109: ...efault OUI addresses of different vendors Enable the voice VLAN feature globally voice vlan vlan id enable Required Enter Ethernet port view interface interface type interface number Configure the por...

Страница 110: ...erface interface type interface number Configure the working mode as manual undo voice vlan mode auto Required Disabled by default Access port Refer to Configuring an Access Port Based VLAN Trunk port...

Страница 111: ...nd Maintaining Voice VLAN To do Use the command Remarks Display the voice VLAN state display voice vlan state Available in any view Display the OUI addresses currently supported by system display voic...

Страница 112: ...0 0000 as the legal address of the voice VLAN DeviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 Enable the voice VLAN feature globally DeviceA voice vlan 2 enable Configure the voice V...

Страница 113: ...00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current Voice VLAN state DeviceA display voice vlan state Voice VLAN status ENABL...

Страница 114: ...eviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 description test Create VLAN 2 Enable voice VLAN feature for it DeviceA vlan 2 DeviceA vlan2 quit DeviceA voice vlan 2 enable Configure...

Страница 115: ...ff ff00 0000 Cisco phone 0004 0d00 0000 ffff ff00 0000 Avaya phone 0011 2200 0000 ffff ff00 0000 test 0060 b900 0000 ffff ff00 0000 Philips NEC phone 00d0 1e00 0000 ffff ff00 0000 Pingtel phone 00e0 7...

Страница 116: ...does not exist on a device as an entity GARP compliant participants are known as GARP applications One example is GVRP When a GARP participant is present on a port on your device the port is regarded...

Страница 117: ...a join timer to set the sending interval If the first Join message is not acknowledged after the interval defined by the Join timer the GARP participant sends the second Join message z Leave timer St...

Страница 118: ...th a particular multicast MAC address as destination Based on this address a device can identify to which GVRP application GVRP for example should a GARP PDU be delivered III GARP message format The f...

Страница 119: ...local database about active VLAN members and through which port they can be reached It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information The VLA...

Страница 120: ...ers Optional 3 3 Configuring GVRP 3 3 1 Enabling GVRP Follow these steps to enable GVRP on a trunk port To do Use the command Remarks Enter system view system view Enable GVRP globally gvrp Required G...

Страница 121: ...iew interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name aggregation agg id Use either command In Ethernet port...

Страница 122: ...ble in any view Display GARP timers for specified or all ports display garp timer interface interface list Available in any view Display the local VLAN information maintained by GVRP display gvrp loca...

Страница 123: ...Configure port Ethernet 1 0 1 as a Trunk port allowing all VLANs to pass DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 port link type trunk DeviceA Ethernet1 0 1 port trunk permit vlan all E...

Страница 124: ...work requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP registration on Device A and normal GVRP registration on Device B II Network diag...

Страница 125: ...nk permit vlan all Enable GVRP on Ethernet 1 0 1 DeviceB Ethernet1 0 1 gvrp DeviceB Ethernet1 0 1 quit Create VLAN 3 a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN inform...

Страница 126: ...t1 0 1 gvrp registration forbidden DeviceA Ethernet1 0 1 quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system view DeviceB gvrp Configure port Ether...

Страница 127: ...Addressing 1 7 Chapter 2 IP Performance Configuration 2 1 2 1 IP Performance Overview 2 1 2 2 Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 2 1 2 2 1 Enablin...

Страница 128: ...01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the...

Страница 129: ...s 255 255 255 255 1 1 2 Special Case IP Addresses The following IP addresses are for special use and they cannot be used as host IP addresses z IP address with an all zero net ID Identifies a host on...

Страница 130: ...l ones are not assignable to hosts The same is true of subnetting When designing your network you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts For example...

Страница 131: ...command Remarks Enter system view system view Enter interface view interface interface type interface number Assign an IP address to the interface ip address ip address mask mask length sub Required N...

Страница 132: ...ch z Set the switch as the gateway on all hosts II Network diagram Vlan int1 172 16 1 1 24 172 16 2 1 24 sub 172 16 1 0 24 172 16 1 2 24 172 16 2 0 24 172 16 2 2 24 Host A Host B Switch Figure 1 3 Net...

Страница 133: ...4 Use the ping command to verify the connectivity between the switch and the hosts on the subnet 172 16 2 0 24 Switch ping 172 16 2 2 PING 172 16 2 2 56 data bytes press CTRL_C to break Reply from 172...

Страница 134: ...splaying and Maintaining IP Addressing To do Use the command Remarks Display information about a specified or all Layer 3 interfaces display ip interface interface type interface number Display brief...

Страница 135: ...MSS of the interface z Enabling the SYN Cookie feature and protection against Naptha attack z Configuring TCP timers z Configuring the TCP buffer size z Enabling ICMP error packets sending 2 2 Enablin...

Страница 136: ...ed from receiving directed broadcasts 2 2 2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network Follow these steps to enable the device to forward directed broadcasts To do Use...

Страница 137: ...arding directed broadcasts III Configuration procedure z Configure Switch A Enable Switch A to receive directed broadcasts SwitchA system view SwitchA ip forward broadcast Configure IP addresses for V...

Страница 138: ...SYN ACK message the originator returns an ACK message Thus the TCP connection is established Malicious attackers may mount SYN Flood attacks during TCP connection establishment Attackers send SYN mes...

Страница 139: ...so as to exhaust the memory resource of the server As a result the server cannot process normal services The protection against Naptha attack reduces the risk of the server being attacked by accelera...

Страница 140: ...r If no response packets are received within the synwait timer timeout the TCP connection is not successfully created z finwait timer When the TCP connection is in FIN_WAIT_2 state finwait timer will...

Страница 141: ...irect packets to the source host and notify it to reselect a correct next hop router to send the subsequent packets if the following conditions are satisfied z The receiving and forwarding interfaces...

Страница 142: ...ectly connected the device will send the source a source routing failure ICMP error packet z When forwarding a packet if the MTU of the sending interface is smaller than the packet but the packet has...

Страница 143: ...intaining IP Performance To do Use the command Remarks Display current TCP connection state display tcp status Display TCP connection statistics display tcp statistics Display UDP statistics display u...

Страница 144: ...hernet Switches Chapter 2 IP Performance Configuration 2 10 To do Use the command Remarks Clear statistics of IP packets reset ip statistics Clear statistics of TCP connections reset tcp statistics Cl...

Страница 145: ...3 Configuring Selective QinQ 1 4 1 4 Configuring MAC Address Synchronization 1 5 1 5 Configuring the TPID to Be Used in the Outer Tag 1 6 1 6 QinQ Configuration Example 1 6 Chapter 2 BPDU Tunneling Co...

Страница 146: ...stomer networks private networks so that the Ethernet frames will travel across the service provider s backbone network public network with double VLAN tags The inner VLAN tag is the customer network...

Страница 147: ...AN VPN feature enabled on a port when a frame arrives at the port the switch will tag it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame is...

Страница 148: ...ar vendor to allow interoperability with the devices of that vendor The TPID in an Ethernet frame has the same position with the protocol type field in a frame without a VLAN tag To avoid problems in...

Страница 149: ...ture allows adding different outer VLAN tags based on different inner VLAN tags With selective QinQ configured on a port the device will add different outer VLAN tags based on the inner VLAN tags fram...

Страница 150: ...port for transmission When the returned packet arrives at the uplink port the switch searches the MAC address table of the outer VLAN for the packet s downlink MAC address but can find none As a resu...

Страница 151: ...interface type interface number Enter Ethernet port view or port group view Enter interface group view port group manual port group name aggregation agg id Required Use either command Configurations...

Страница 152: ...o each other through VLAN 2000 of the provider network II Network diagram Public Network VLAN1000 VLAN2000 TPID 0x8200 Customer A Customer B Customer C Provider A Provider B Eth1 0 1 Trunk Eth1 0 2 Ac...

Страница 153: ...und 20 ProviderA Ethernet1 0 1 vid 2000 quit ProviderA Ethernet1 0 1 quit z Configuration on Ethernet 1 0 2 Configure VLAN 1000 as the default VLAN of the port ProviderA interface ethernet 1 0 2 Provi...

Страница 154: ...AN 2000 as the default VLAN of the port ProviderB interface ethernet 1 0 2 ProviderB Ethernet1 0 2 port access vlan 2000 Enable basic QinQ so as to tag frames from VLAN 20 with an outer tag with the V...

Страница 155: ...network This prevents each network from correctly calculating its spanning tree As a result when redundant links exist in a network data loops will unavoidably occur By allowing each network to have...

Страница 156: ...s BPDU input output device BPDU input output device Service provider network Figure 2 1 Network hierarchy of BPDU tunneling z At the BPDU input side the device changes the destination MAC address of a...

Страница 157: ...p Enable BPDU tunneling for the port s bpdu tunnel dot1q enable Required Disabled by default Note z BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take eff...

Страница 158: ...on the port s bpdu tunnel dot1q stp Required Disabled by default Note z BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect z The BPDU tunneling fea...

Страница 159: ...network access devices z Provider A Provider B and Provider C are service provider network access devices which are interconnected through configured trunk ports The configuration is required to satis...

Страница 160: ...0 2 ProviderB Ethernet1 0 2 port access vlan 4 ProviderB Ethernet1 0 2 undo ntdp enable ProviderB Ethernet1 0 2 bpdu tunnel dot1q enable 3 Configuration on Provider C Configure BPDU transparent trans...

Страница 161: ...Note When STP works stably on the customer network if Customer A acts as the root bridge the ports of Customer C and Customer D connected with Provider C can receive BPDUs from Customer A Since BPDU...

Страница 162: ...atio for an Ethernet Port 1 6 1 1 7 Setting the Interval for Collecting Ethernet Port Statistics 1 6 1 1 8 Enabling the Forwarding of Jumbo Frames 1 7 1 1 9 Enabling Loopback Detection on an Ethernet...

Страница 163: ...ptional Testing the Cable on an Ethernet Port Optional 1 1 1 Configuring a Combo Port I Introduction to Combo port A Combo port is formed by two Ethernet ports on the panel one of which is an optical...

Страница 164: ...l ports refer to the installation manual 1 1 2 Performing Basic Ethernet port Configuration Three types of duplex modes are available to Ethernet ports z Full duplex mode full Ports operating in this...

Страница 165: ...a small form factor pluggable SFP port that uses a 100 Mbps module the duplex mode can only be configured as full and the port rate can only be 100 Mbps for a SFP port that uses a 1000 Mbps module the...

Страница 166: ...est the hardware functions of an Ethernet port To perform external loopback testing on an Ethernet port you need to install a loopback plug on the Ethernet port In this case packets sent from the port...

Страница 167: ...n port groups A link aggregation port group is automatically created together with the creation of a link aggregation group and cannot be created by users through command line input Adding or deleting...

Страница 168: ...group view port group manual port group name aggregation agg id Use either command If configured in Ethernet port view this feature takes effect on the current port only if configured in port group v...

Страница 169: ...Port The purpose of loopback detection is to detect loops on a port When loopback detection is enabled on an Ethernet port the device will routinely check whether the ports have any external loopback...

Страница 170: ...oopback detection on a given port is enabled only after the loopback detection enable command has been issued in both system view and the port view of the port z Loopback detection on all ports will b...

Страница 171: ...Ethernet port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Test the current operating state of the cable connected to...

Страница 172: ...nd Remarks Display the current ports of a specified type display port hybrid trunk Available in any view Display the information about a manual port group or all the port groups display port group man...

Страница 173: ...umber of the ports an isolation group can contain is not limited Note z When a port in an aggregation group is configured as the ordinary port for some isolation group the other ports of the aggregati...

Страница 174: ...Figure 2 1 Connectivity of layer 2 data between ports inside and outside an isolation group on a device supporting uplink port Note The arrows in the above figure indicate the transmission direction...

Страница 175: ...k port port isolate uplink port group Required An isolation group has no uplink port by default Note z An isolation group can have only one uplink port When a user configures multiple ports as the upl...

Страница 176: ...vice Add ports Ethernet 1 0 1 Ethernet 1 0 2 and Ethernet 1 0 3 to the isolation group Device system view Device interface ethernet 1 0 1 Device Ethernet1 0 1 port isolate enable Device Ethernet1 0 1...

Страница 177: ...tion Manual Port Correlation Configuration H3C S3610 S5510 Series Ethernet Switches Chapter 2 Port Isolation Configuration 2 5 Group ID 1 Uplink port Ethernet1 0 4 Ethernet1 0 1 Ethernet1 0 2 Ethernet...

Страница 178: ...aggregation 1 4 1 3 Load Sharing in a Link Aggregation Group 1 5 1 4 Service Loop Group 1 6 1 5 Aggregation Port Group 1 7 Chapter 2 Link Aggregation Configuration 2 1 2 1 Configuring Link Aggregation...

Страница 179: ...sends LACPDUs to notify the remote system of its system LACP priority system MAC address port LACP priority port number and operational key Upon receipt of an LACPDU the remote system compares the re...

Страница 180: ...rict priority SP queuing Weighted round robin WRR queuing Weighted fair queuing WFQ Port priority Port trust mode GVRP GVRP state on ports enabled or disabled GVRP registration type GARP timers Q in Q...

Страница 181: ...rt with the highest priority in the up state as the reference port of the aggregation group Port priority descends in the following order full duplex high speed full duplex low speed half duplex high...

Страница 182: ...port group where you can make configuration for all member ports When the configuration of some port in a manual aggregation group changes the system does not remove the aggregation instead it re set...

Страница 183: ...static aggregation Like in a manual aggregation group in a static LACP aggregation group only ports with configurations consistent with those of the reference port can become selected These configura...

Страница 184: ...e ID Caution The arrived broadcasts multicasts unknown unicasts may be distributed over different selected ports if they have different VLAN IDs source ports or source devices if they are only differe...

Страница 185: ...rations Their configuration consistency requires administrative maintenance which is troublesome after you change some configuration To simplify configuration port groups are provided allowing you to...

Страница 186: ...al Link Aggregation Group Follow these steps to create a manual aggregation group and add an Ethernet port to it To do Use the command Remarks Enter system view system view Create a manual aggregation...

Страница 187: ...hanging system LACP priority can affect the selected unselected state of the ports in the group Create a static LACP aggregation group link aggregation group agg id mode static Required Enter Ethernet...

Страница 188: ...ter port is unselected 2 1 3 Configuring an Aggregation Group Name Follow these steps to configure a name for an aggregation group To do Use the command Remarks Enter system view system view Configure...

Страница 189: ...gation port group view port group aggregation agg id Caution In aggregation port group view you can configure aggregation related settings such as STP VLAN QoS GVRP Q in Q BPDU tunnel MAC address lear...

Страница 190: ...guration Example I Network requirements Device A aggregates ports Ethernet 1 0 1 through Ethernet 1 0 3 to form one link connected to Device B and performs load sharing among these ports Create a tunn...

Страница 191: ...s Ethernet 1 0 1 through Ethernet 1 0 3 to the group DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 port link aggregation group 1 DeviceA Ethernet1 0 1 interface ethernet 1 0 2 DeviceA Etherne...

Страница 192: ...uction to MAC Address Table 1 1 1 2 Configuring MAC Address Table Management 1 2 1 2 1 Configuring MAC Address Entries 1 2 1 2 2 Configuring MAC Address Aging Timer 1 3 1 2 3 Configuring the Maximum N...

Страница 193: ...ding Each entry in this table contains the MAC address of a connected device to which port this device is connected and to which VLAN the port belongs A MAC address table consists of two types of entr...

Страница 194: ...d the frame will be dropped 4 Upon receipt of the response the device adds an entry in the MAC address table indicating from which port the frames destined for the MAC address should be sent 5 Forward...

Страница 195: ...t 1 2 2 Configuring MAC Address Aging Timer The MAC address table on your device is available with an aging mechanism for dynamic entries to prevent its resources from being exhausted Set the aging ti...

Страница 196: ...nter port group view port group aggregation agg id manual port group name Required Use either command to configure on a port or ports in a group Configure the maximum number of MAC addresses that can...

Страница 197: ...dynamic MAC address entries z Add a static entry 000f e235 dc71 for port Ethernet 1 0 1 in VLAN 1 II Configuration procedure Add a static MAC address entry Sysname system view Sysname mac address stat...

Страница 198: ...ard Overview 1 1 1 2 Configuring a Static Binding Entry 1 1 1 3 Configuring Port Filtering 1 2 1 4 Displaying IP Source Guard 1 2 1 5 IP Source Guard Configuration Examples 1 3 1 5 1 Static Binding En...

Страница 199: ...illegal IP addresses and MAC addresses from traveling through improving the network security IP source guard filters packets based on two types of binding entries z IP port binding entry A port permit...

Страница 200: ...guring Port Filtering Port filtering allows IP source guard to filter packets based on the MAC IP port binding entries created and maintained by DHCP snooping Follow these steps to configure port filt...

Страница 201: ...e source IP address of 192 168 0 3 can pass z On port Ethernet 1 0 1 of Switch A only IP packets with the source MAC address of 00 01 02 03 04 06 and the source IP address of 192 168 0 1 can pass z On...

Страница 202: ...rface ethernet 1 0 1 SwitchB Ethernet1 0 1 user bind ip address 192 168 0 1 mac address 0001 0203 0406 SwitchB Ethernet1 0 1 quit Configure port Ethernet 1 0 2 of Switch B to allow only IP packets wit...

Страница 203: ...1 of Switch A to prevent attacks from clients using fake source IP addresses to the DHCP server Note For detailed configuration of DHCP Server refer to DHCP Configuration in this manual II Network di...

Страница 204: ...cal with the dynamic entries that port Ethernet 1 0 1 has obtained SwitchA display dhcp snooping DHCP Snooping is enabled The client binding table for all untrusted ports Type D Dynamic S Static Type...

Страница 205: ...Ports 1 29 1 3 11 Configuring Whether Ports Connect to Point to Point Links 1 30 1 3 12 Configuring the Mode a Port Uses to Recognize Send MSTP Packets 1 31 1 3 13 Enabling the Output of Port State T...

Страница 206: ...on Example 1 46 1 9 Configuring Protection Functions 1 46 1 9 1 Configuration prerequisites 1 47 1 9 2 Enabling BPDU Guard 1 47 1 9 3 Enabling Root Guard 1 48 1 9 4 Enabling Loop Guard 1 49 1 9 5 Enab...

Страница 207: ...e This avoids proliferation and infinite recycling of packets that would occur in a loop network and prevents deterioration of the packet processing capability of network devices caused by duplicate p...

Страница 208: ...d bridge and designated port The following table describes a designated bridge and a designated port Table 1 1 Description of designated bridge and designated port Classification Designated bridge Des...

Страница 209: ...STP works STP identifies the network topology by transmitting configuration BPDUs between network devices Configuration BPDUs contain sufficient information for network devices to complete the spanni...

Страница 210: ...n BPDU Each device sends out its configuration BPDU and receives configuration BPDUs from other devices The process of selecting the optimum configuration BPDU is as follows Table 1 2 Selection of the...

Страница 211: ...ssumes itself to be the root bridge with the root bridge ID being its own device ID By exchanging configuration BPDUs the devices compare one another s root bridge ID The device with the smallest root...

Страница 212: ...U so that the port will only receive BPDUs but not send any and will not forward data Note When the network topology is stable only the root port and designated ports forward traffic while other ports...

Страница 213: ...ration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the configuration received message and discards the received configuration BPDU...

Страница 214: ...guration BPDU BP1 0 0 0 AP1 BP2 1 0 1 BP2 Device B z Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BPDU Then...

Страница 215: ...AP2 Designated port CP2 0 10 2 CP2 z Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a...

Страница 216: ...sends out this configuration BPDU through the designated port z If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port the port w...

Страница 217: ...propagated throughout the network z Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault free z Max age is a parameter u...

Страница 218: ...ing tree 2 Features of MSTP The multiple spanning tree protocol MSTP overcomes the shortcomings of STP and RSTP In addition to support for rapid network convergence it also allows data flows of differ...

Страница 219: ...apping configuration z They have the same MSTP revision level configuration and z They are physically linked with one another For example all the devices in region A0 in Figure 1 4 have the same MST r...

Страница 220: ...s in a switched network If you regard each MST region as a device the CST is a spanning tree calculated by these devices through STP or RSTP For example the red lines in Figure 1 4 describe the CST 5...

Страница 221: ...hird party s device that supports boundary port recognition the third party s device may malfunction in recognizing a boundary port 10 Roles of ports In the MSTP calculation process port roles include...

Страница 222: ...vice C form a loop z Port 3 and port 4 of device D connect downstream to other MST regions 11 Port states In MSTP port states fall into the following tree z Forwarding the port learns MAC addresses an...

Страница 223: ...oot bridge of the CIST MSTP generates an IST within each MST region through calculation and at the same time MSTP regards each MST region as a single device and generates a CST among these MST regions...

Страница 224: ...onfigure MSTP Task Remarks Configuring an MST Region Required Specifying the Root Bridge or a Secondary Root Bridge Optional Configuring the Work Mode of MSTP Device Optional Configuring the Priority...

Страница 225: ...al Configuring Leaf Nodes Enabling the MSTP Feature Required Performing mCheck Optional Configuring the VLAN Ignore Feature Optional Configuring Digest Snooping Optional Configuring No Agreement Check...

Страница 226: ...Use either command All VLANs in an MST region are mapped to MST instance 0 by default Configure the MSTP revision level of the MST region revision level level Optional 0 by default Activate MST regio...

Страница 227: ...ed to instance 1 and VLAN 20 through VLAN 30 to instance 2 Sysname system view Sysname stp region configuration Sysname mst region region name info Sysname mst region instance 1 vlan 2 to 10 Sysname m...

Страница 228: ...ot bridge or a secondary root bridge of another instance However the same device cannot be the root bridge and a secondary root bridge in the same instance at the same time z There is one and only one...

Страница 229: ...nable to recognize MSTP packets For hybrid networking with legacy STP devices and full interoperability with RSTP compliant devices MSTP supports three work modes STP compatible mode RSTP mode and MST...

Страница 230: ...f the device z During root bridge selection if all devices in a spanning tree have the same priority the one with the lowest MAC address will be selected as the root bridge of the spanning tree II Con...

Страница 231: ...20 by default Note A larger maximum hops setting means a larger size of the MST region Only the maximum hops configured on the regional root bridge can restrict the size of the MST region II Configura...

Страница 232: ...r 6 1 3 7 Configuring Timers of MSTP MSTP involves three timers forward delay hello time and max age You can configure these three parameters for MSTP to calculate spanning trees I Configuration proce...

Страница 233: ...dds to the device burden and causes waste of network resources We recommend that you use the default setting z If the max age time setting is too small the network devices will frequently launch spann...

Страница 234: ...ning the timeout time I Configuration procedure Follow these steps to configure the timeout factor To do Use the command Remarks Enter system view system view Configure the timeout factor of the devic...

Страница 235: ...transmission rate setting of a port is too big the port will send a large number of MSTP packets within each hello time thus using excessive network resources We recommend that you use the default se...

Страница 236: ...rom another port it will become a non edge port again In this case you must reset the port before you can configure it to be an edge port again z If a port directly connects to a user terminal configu...

Страница 237: ...t to point link Note z In the case of link aggregation every port in the aggregation group can be configured to connect to a point to point link If a port works in auto negotiation mode and the negoti...

Страница 238: ...oup manual port group name aggregation agg id Required Use either command Configurations made in Ethernet interface view will take effect on the current port only configurations made in port group vie...

Страница 239: ...t log all instance instance id Optional Whether this function is enabled by default depends on the specific device model 1 3 14 Enabling the MSTP Feature I Configuration procedure Follow these steps t...

Страница 240: ...1 Configuring an MST Region Refer to Configuring an MST Region in the section about root bridge configuration 1 4 2 Configuring the Work Mode of MSTP Refer to Configuring the Work Mode of MSTP Device...

Страница 241: ...es the default path cost for ports based on a private standard Follow these steps to specify a standard for the device to use when calculating the default path cost To do Use the command Remarks Enter...

Страница 242: ...nk speed is the sum of the link speed values of the non blocked ports in the aggregated link II Configuring Path Costs of Ports Follow these steps to configure the path cost of ports To do Use the com...

Страница 243: ...n different MST instances and the same port can play different roles in different MST instances so that data of different VLANs can be propagated along different physical paths thus implementing per V...

Страница 244: ...onfiguring Whether Ports Connect to Point to Point Links in the section about root bridge configuration 1 4 9 Configuring the Mode a Port Uses to Recognize Send MSTP Packets Refer to Configuring the M...

Страница 245: ...to perform global mCheck To do Use the command Remarks Enter system view system view Perform mCheck stp mcheck Required II Performing mCheck in Ethernet interface view Follow these steps to perform mC...

Страница 246: ...the traffic of VLAN 2 to pass through Switch A and Switch B run MSTP Switch A is the root bridge and port A and port C on it are designated ports Port B on Switch B is the root port and port D is the...

Страница 247: ...abled VLAN SwitchB display stp ignored vlan STP Ignored VLAN 2 1 7 Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the region related conf...

Страница 248: ...nterface type interface number Enter Ethernet interface or port group view Enter port group view port group manual port group name aggregation agg id Required Use either command Configurations made in...

Страница 249: ...bally and on associated ports to make it take effect It is recommended to enable the feature on all associated ports first and then globally making all configured ports take effect and disable the fea...

Страница 250: ...s Both RSTP and MSTP switches can perform rapid transition operation on a designated port only when the port receives an agreement packet from the downstream switch The differences between RSTP and MS...

Страница 251: ...to transit rapidly and can only change to the forwarding state after a period twice the Forward Delay In this case you can enable the No Agreement Check feature on the downstream device s port to perf...

Страница 252: ...e A connects to a third party s device that has different MSTP implementation Both switches are in the same region z Another vendor s device is the regional root bridge and Device A is the downstream...

Страница 253: ...nnect directly with user terminals such as PCs or file servers In this case the access ports are configured as edge ports to allow rapid transition of these ports When these ports receive configuratio...

Страница 254: ...bridge may receive a configuration BPDU with a higher priority In this case the current legal root bridge will be superseded by another device causing undesired change of the network topology As a re...

Страница 255: ...re depends on the specific device model z We recommend that you enable loop guard if your device supports this function By keeping receiving BPDUs from the upstream device a device can maintain the st...

Страница 256: ...evice will receive a larger number of TC BPDUs within a short time and frequent deletion operations bring a big burden to the device and hazard network stability With the TC BPDU guard function enable...

Страница 257: ...figure the function of transmitting BPDUs transparently To do Use the command Remarks Enter system view System view Enter port view interface interface type interface number Enable the function of tra...

Страница 258: ...other VLAN to the MSTI z When CIST information does not need calculating you can use the stp bpdu tagged cist ignore command on the corresponding port to enable the function of ignoring CIST informat...

Страница 259: ...e interface list Available in user view 1 13 MSTP Configuration Example 1 13 1 MSTP Configuration Example I Network requirements Configure MSTP so that packets of different VLANs are forwarded along d...

Страница 260: ...Enter MST region view DeviceA system view DeviceA stp region configuration Configure the region name VLAN to instance mappings and revision level of the MST region DeviceA mst region region name exam...

Страница 261: ...eviceB mst region instance 1 vlan 10 DeviceB mst region instance 3 vlan 30 DeviceB mst region instance 4 vlan 40 DeviceB mst region revision level 0 Activate MST region configuration manually DeviceB...

Страница 262: ...MST instance 4 DeviceC stp instance 4 root primary View the MST region configuration information that has taken effect DeviceC display stp region configuration Oper configuration Format selector 0 Reg...

Страница 263: ...ransparently I Network requirements z Switch A and Switch B are interconnected through a VPN network which permits only tagged packets to pass through z Ethernet 1 0 1 and Ethernet 1 0 2 of Switch A a...

Страница 264: ...t 1 0 4 Switch B system view Switch B interface Ethernet1 0 3 Switch B Ethernet1 0 3 stp bpdu transparent forwarding Switch B Ethernet1 0 3 quit Switch B interface Ethernet1 0 4 Switch B Ethernet1 0 4...

Страница 265: ...vlan 20 Switch A mst region active region configuration Switch A mst region quit Enable the function of tagging BPDUs on Ethernet 1 0 1 and Ethernet 1 0 2 of Switch A Switch A interface Ethernet 1 0...

Страница 266: ...1 60 Enable the function of tagging BPDUs on Ethernet 1 0 3 and Ethernet 1 0 4 of Switch B Switch B interface Ethernet1 0 3 Switch B Ethernet1 0 3 stp bpdu tagged Switch B Ethernet1 0 3 quit Switch B...

Страница 267: ...A Message 1 16 1 4 4 Configuring the Number of Attempts to Send an NS Message for DAD 1 19 1 5 Configuring PMTU Discovery 1 19 1 5 1 Configuring a Static PMTU for a Specified IPv6 Address 1 19 1 5 2 C...

Страница 268: ...xample 3 7 3 4 Configuring Automatic IPv4 Compatible IPv6 Tunnel 3 10 3 4 1 Configuration Prerequisites 3 10 3 4 2 Configuration Procedure 3 11 3 4 3 Configuration Example 3 13 3 5 Configuring 6to4 Tu...

Страница 269: ...ation z IPv6 Configuration Example z Troubleshooting IPv6 Basics Configuration Note The term router or the router icon in this document refers to a router in a generic sense or a Layer 3 Ethernet swit...

Страница 270: ...rison between IPv4 packet header format and basic IPv6 packet header format II Adequate address space The source and destination IPv6 addresses are both 128 bits 16 bytes long IPv6 can provide 3 4 x 1...

Страница 271: ...xchange between neighbor nodes on the same link The group of ICMPv6 messages takes the place of Address Resolution Protocol ARP message Internet Control Message Protocol version 4 ICMPv4 router discov...

Страница 272: ...ss in any of the notations and prefix length is a decimal number indicating how many bits from the utmost left of an IPv6 address are the address prefix II IPv6 address classification IPv6 addresses f...

Страница 273: ...ervice providers The type of address allows efficient route prefix aggregation to restrict the number of global routing entries z The link local address is used for communication between link local no...

Страница 274: ...0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 unicast or anycast address V Interface identifier in IEEE EUI 64 format Interf...

Страница 275: ...sage 136 When the link layer changes the local node initiates an NA message to notify neighbor nodes of the node information change Router solicitation RS message 133 After started a node sends an RS...

Страница 276: ...A and unicasts an NA message containing its link layer address 3 Node A acquires the link layer address of node B from the NA message II Neighbor reachability detection After node A acquires the link...

Страница 277: ...prefix discovery means that a node locates the neighboring routers and learns the prefix of the network where the host is located and other configuration parameters from the received RA message Statel...

Страница 278: ...lect a better next hop to forward packets similar to the ICMP redirection function in IPv4 The gateway will send an IPv6 ICMP redirect message when the following conditions are satisfied z The receivi...

Страница 279: ...the destination host is determined 1 1 5 Introduction to IPv6 DNS In the IPv6 network a Domain Name System DNS supporting IPv6 converts domain names into IPv6 addresses instead of IPv4 addresses Howe...

Страница 280: ...1 2 IPv6 Basics Configuration Task List Complete the following tasks to perform IPv6 basics configuration Task Remarks Configuring Basic IPv6 Functions Required Configuring IPv6 NDP Optional Configur...

Страница 281: ...e interface z Manual assignment IPv6 link local addresses can be assigned manually Follow these steps to configure an IPv6 unicast address To do Use the command Remarks Enter system view system view E...

Страница 282: ...v6 address auto link local command However if an IPv6 site local address or aggregatable global unicast address is already configured for an interface the interface still has a link local address beca...

Страница 283: ...e port number belongs to the VLAN specified by vlan id After a static neighbor entry is configured the device relates the VLAN interface to an IPv6 address to uniquely identify a static neighbor entry...

Страница 284: ...me link can perform stateless autoconfiguration operations M flag This field determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses If the M flag is set to 1 hosts use t...

Страница 285: ...ghbor reachable within the time of Reachable Time Follow these steps to configure parameters related to an RA message To do Use the command Remarks Enter system view system view Configure the current...

Страница 286: ...onfiguration Set the O flag bit to 1 ipv6 nd autoconfig other flag Optional By default the O flag bit is set to 0 that is hosts acquire other information through stateless autoconfiguration Configure...

Страница 287: ...ptional 1 by default When the value argument is set to 0 DAD is disabled 1 5 Configuring PMTU Discovery 1 5 1 Configuring a Static PMTU for a Specified IPv6 Address You can configure a static PMTU for...

Страница 288: ...establishment fails z finwait timer When the IPv6 TCP connection status is FIN_WAIT_2 the finwait timer is triggered If no packet is received before the finwait timer expires the IPv6 TCP connection i...

Страница 289: ...based on the HASH algorithm ipv6 fib loadbalance type hash based Configure the IPv6 FIB load sharing mode Configure the load sharing based on polling undo ipv6 fib loadbalance type hash based Optional...

Страница 290: ...ed 1 8 2 Enable Sending of Multicast Echo Replies If hosts are capable of relying multicast echo requests Host A can attack Host B by sending an echo request with the source being Host B to a multicas...

Страница 291: ...that you only need to enter some fields of a domain name and the system can automatically add the preset suffix for address resolution The system can support at most 10 DNS suffixes Follow these step...

Страница 292: ...rface type interface number Display neighbor information display ipv6 neighbors ipv6 address all dynamic interface interface type interface number static vlan vlan id begin exclude include text Availa...

Страница 293: ...IPv6 UDP packets reset udp ipv6 statistics Available in user view Note The display dns domain command is the same as the one of IPv4 DNS For details about the commands refer to DNS Commands 1 11 IPv6...

Страница 294: ...v6 nd ra halt z Configuration on Switch B Enable the IPv6 packet forwarding function SwitchB system view SwitchB ipv6 Configure VLAN interface 2 to automatically generate a link local address SwitchB...

Страница 295: ...s 2001 64 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF00 2 FF02 1 FF00 1 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 millisecond...

Страница 296: ...k Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 1 hop limit 255 time 40 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 2 hop limit 255 time 70 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Seq...

Страница 297: ...uration I Symptom The peer IPv6 address cannot be pinged II Solution z Use the display current configuration command in any view or the display this command in system view to check that the IPv6 packe...

Страница 298: ...r an IPv6 node to be compatible with an IPv4 node is to maintain a complete IPv4 stack A network node that supports both IPv4 and IPv6 is called a dual stack node A dual stack node configured with an...

Страница 299: ...to enable IPv4 IPv6 dual stack supporting by using the switch mode dual ipv4 ipv6 command Otherwise IPv6 packets cannot be forwarded even if dual stack is enabled 2 2 2 Configuring Dual Stack You must...

Страница 300: ...format ipv6 address ipv6 address prefix le ngth eui 64 Use either command By default no local address or global unicast address is configured on an interface Automatically create an IPv6 link local ad...

Страница 301: ...ver the network A tunnel is a virtual point to point connection In practice the virtual interface that supports only point to point connections is called tunnel interface One tunnel provides one chann...

Страница 302: ...e device at the destination end decapsulates the packet if the destination address of the encapsulated packet is the device itself 4 The destination device forwards the packet according to the destina...

Страница 303: ...are adopted at both ends of such a tunnel The address format is 0 0 0 0 0 0 a b c d 96 where a b c d represents an embedded IPv4 address The tunnel destination is automatically determined by the embe...

Страница 304: ...IPv6 routers or between a host and an IPv6 router over an IPv4 network Figure 3 2 Principle of ISATAP tunnel IV Expedite termination For a tunnel packet arriving at the device if the source IP address...

Страница 305: ...nnel 3 3 1 Configuration Prerequisites IP addresses are configured for interfaces such as the VLAN interface and loopback interface on the device These interfaces serve as the source interfaces of tun...

Страница 306: ...Pv6 global unicast address or site local address is configured Specify the IPv6 manual tunnel mode tunnel protocol ipv6 ipv4 Required By default the tunnel mode is manual The same tunnel type should b...

Страница 307: ...ext hop to the tunnel interface number or network address at the local end of the tunnel Such configurations must be performed at both ends of the tunnel z Before configuring dynamic routes you must e...

Страница 308: ...1 0 2 SwitchA vlan100 quit SwitchA interface vlan interface 100 SwitchA Vlan interface100 ip address 192 168 100 1 255 255 255 0 SwitchA Vlan interface100 quit Configure a manual IPv6 tunnel SwitchA...

Страница 309: ...otocol ipv6 ipv4 Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchB Tunnel0 aggregation group 1 IV Configuration verification After the above configurations di...

Страница 310: ...hop limit 64 time 31 ms Reply from 3001 2 bytes 56 Sequence 2 hop limit 64 time 16 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 64 time 1 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 ti...

Страница 311: ...dress ipv6 address ipv6 address link local Optional By default after an interface is configured with a local IPv6 address or global unicast address the link local address is generated automatically ip...

Страница 312: ...el interface Configure the service loop group ID to be referenced by the tunnel interface aggregation group aggregation group id Required By default no link aggregation group ID is referenced Enable t...

Страница 313: ...s the destination IP address of the packet instead of the IPv4 address of the tunnel destination and set the next hop to the tunnel interface number or network address at the local end of the tunnel S...

Страница 314: ...an automatic IPv4 comptabile IPv6 tunnel SwitchA interface Tunnel 0 SwitchA Tunnel0 ipv6 address 2 1 1 1 96 SwitchA Tunnel0 source Vlan interface 100 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 auto tun...

Страница 315: ...ress of the tunnel peer from Router A SwitchA ping ipv6 2 1 1 2 PING 2 1 1 2 56 data bytes press CTRL_C to break Reply from 2 1 1 2 bytes 56 Sequence 1 hop limit 255 time 219 ms Reply from 2 1 1 2 byt...

Страница 316: ...length eui 64 Required Use either command By default no IPv6 global unicast address or site local address is configured for the tunnel interface ipv6 address auto link local Configure an IPv6 address...

Страница 317: ...ace on a device the slot of the tunnel interface should be that of the source interface namely the interface sending packets In this way the forwarding efficiency can be improved z If the addresses of...

Страница 318: ...for a 6to4 tunnel III Configuration procedure z Configuration on Switch A Enable IPv6 SwitchA system view SwitchA ipv6 Configure a link aggregation group Disable STP on the port before adding it into...

Страница 319: ...urce vlan interface 100 SwitchA Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchA Tunnel0 quit Configure the tunnel to reference link aggregation group 1 in tunnel interface view SwitchA Tunnel0 aggregat...

Страница 320: ...he 6to4 tunnel SwitchB interface tunnel 0 SwitchB Tunnel0 ipv6 address 2002 0501 0101 1 64 SwitchB Tunnel0 source vlan interface 100 SwitchB Tunnel0 tunnel protocol ipv6 ipv4 6to4 SwitchB Tunnel0 quit...

Страница 321: ...uired By default the IPv6 forwarding function is disabled Create a tunnel interface and enter tunnel interface view interface tunnel number Required By default there is no tunnel interface on the devi...

Страница 322: ...the tunnel source ip address interface type interface number Required By default no source address or interface is configured for the tunnel Reference a link aggregation group aggregation group aggreg...

Страница 323: ...unnel interface number or network address at the local end of the tunnel Such a route must be configured at both ends of the tunnel z Before referencing a link aggregation group on the tunnel interfac...

Страница 324: ...0 ipv6 address 2001 1 64 eui 64 Switch Tunnel0 source vlan interface 101 Switch Tunnel0 tunnel protocol ipv6 ipv4 isatap Configure the tunnel to reference link aggregation group 1 in tunnel interface...

Страница 325: ...nterface 2 Automatic Tunneling Pseudo Interface Guid 48FCE3FC EC30 E50E F1A7 71172AEEE3AE does not use Neighbor Discovery uses Router Discovery routing preference 1 EUI 64 embedded IPv4 address 2 1 1...

Страница 326: ...onfiguration of related parameters such as tunnel source address tunnel destination address and tunnel type the tunnel interface is still not up Solution Follow the steps below 1 The common cause is t...

Страница 327: ...1 1 1 1 1 Routing 1 1 1 1 2 Routing Through a Routing Table 1 1 1 2 Routing Protocol Overview 1 3 1 2 1 Static Routing and Dynamic Routing 1 3 1 2 2 Classification of Dynamic Routing Protocols 1 3 1 2...

Страница 328: ...through routers Upon receiving a packet a router finds an optimal route based on the destination address and forwards the packet to the next router in the path until the packet reaches the last router...

Страница 329: ...rface is configured its address will be the IP address of the next hop z Priority for the route Routes to the same destination but having different nexthops may have different priorities and be found...

Страница 330: ...able networks with simple topologies Its major drawback is that you must perform routing configuration again whenever the network topology changes it cannot adjust to network changes by itself Dynamic...

Страница 331: ...d and calculated III Type of the destination address z Unicast routing protocols RIP OSPF BGP and IS IS z Multicast routing protocols PIM SM and PIM DM This chapter focuses on unicast routing protocol...

Страница 332: ...n be configured with a different priority z IPv4 and IPv6 routes have their own respective routing tables 1 2 4 Load Balancing and Route Backup I Load balancing In multi route mode a routing protocol...

Страница 333: ...bution mechanism For detailed information refer to the description about route redistribution in each routing protocol 1 3 Displaying and Maintaining a Routing Table To do Use the command Remarks Disp...

Страница 334: ...v6 address prefix length longer match verbose Display routing information permitted by an IPv6 ACL display ipv6 routing table acl acl6 number verbose Display routing information permitted by an IPv6 p...

Страница 335: ...onfiguring RIP Basic Functions 2 6 2 2 1 Configuration Prerequisites 2 6 2 2 2 Configuration Procedure 2 6 2 3 Configuring RIP Route Control 2 8 2 3 1 Configuring an Additional Routing Metric 2 8 2 3...

Страница 336: ...1 Prerequisites 3 23 3 3 2 Configuration Procedure 3 23 3 4 Configuring OSPF Area Parameters 3 24 3 4 1 Prerequisites 3 24 3 4 2 Configuration Procedure 3 25 3 5 Configuring OSPF Network Types 3 25 3...

Страница 337: ...Capability 3 42 3 8 2 Configuring the OSPF GR Helper 3 43 3 8 3 Triggering OSPF Graceful Restart 3 44 3 9 Displaying and Maintaining OSPF 3 45 3 10 OSPF Configuration Examples 3 46 3 10 1 Configuring...

Страница 338: ...Host Name Mapping 4 31 4 5 8 Configuring IS IS Authentication 4 32 4 5 9 Configuring LSDB Overload Tag 4 33 4 5 10 Logging the Adjacency Changes 4 33 4 5 11 Enabling an Interface to Send Small Hello...

Страница 339: ...eer Groups 5 34 5 7 3 Configuring BGP Community 5 35 5 7 4 Configuring a BGP Route Reflector 5 35 5 7 5 Configuring a BGP Confederation 5 36 5 8 Configuring BGP GR 5 37 5 9 Displaying and Maintaining...

Страница 340: ...iguring a Routing Policy 6 6 6 4 1 Prerequisites 6 6 6 4 2 Creating a Routing Policy 6 6 6 4 3 Defining if match Clauses for the Routing Policy 6 7 6 4 4 Defining apply Clauses for the Routing Policy...

Страница 341: ...usage of static routes can improve network performance and ensure bandwidth for important network applications The disadvantage of using static routes is that they cannot adapt to network topology ch...

Страница 342: ...he destination address of the packet The system can find the corresponding link layer address and forward the packet only after the next hop address is specified When specifying the output interface n...

Страница 343: ...reference preference value tag tag value description description text Configure a static route ip route static vpn instance s vpn instance name 1 6 dest address mask mask length gateway address bfd co...

Страница 344: ...D session otherwise the BFD function cannot work To implement BFD with the echo packet mode the BFD function can work without the remote end needing to create any BFD session z If route oscillation oc...

Страница 345: ...ch B SwitchB system view SwitchB ip route static 1 1 2 0 255 255 255 0 1 1 4 1 SwitchB ip route static 1 1 3 0 255 255 255 0 1 1 5 6 Configure a default route on Switch C SwitchC system view SwitchC i...

Страница 346: ...the IP routing table of Switch B SwitchB display ip routing table Routing Tables Public Destinations 10 Routes 10 Destination Mask Proto Pre Cost NextHop Interface 1 1 2 0 24 Static 60 0 1 1 4 1 Vlan...

Страница 347: ...applicable to complex networks RIP is still widely used in practical networking due to easier implementation configuration and maintenance than OSPF and IS IS 2 1 1 RIP Working Mechanism I Basic conce...

Страница 348: ...ppressed state In the suppressed state only routes which come from the same neighbor and whose metric is less than 16 will be received by the router to replace unreachable routes z The garbage collect...

Страница 349: ...t only RIPv1 protocol messages do not carry mask information which means it can only recognize routing information of natural networks such as Class A B C That is why RIPv1 does not support discontigu...

Страница 350: ...r a host address z Metric Cost of the route II RIPv2 message format The format of RIPv2 message is similar with RIPv1 Figure 2 2 shows it Figure 2 2 RIPv2 Message Format The differences from RIPv1 are...

Страница 351: ...entication is adopted Note z RFC 1723 only defines plain text authentication For information about MD5 authentication refer to RFC2082 RIPv2 MD5 Authentication z With RIPv1 you can configure the authe...

Страница 352: ...work network address Required Disabled by default Note z If you make some RIP configurations in interface view before enabling RIP those configurations will take effect after RIP is enabled z RIP runs...

Страница 353: ...sion otherwise it uses the RIP version configured on it z With RIPv1 configured an interface sends RIPv1 broadcasts and can receive RIPv1 broadcasts and RIPv1 unicasts z With RIPv2 configured a multic...

Страница 354: ...ty for RIP z Configuring RIP Route Redistribution Before configuring RIP routing feature complete the following tasks z Configure an IP address for each interface and make sure all neighboring routers...

Страница 355: ...le RIPv2 route automatic summarization if you want to advertise all subnet routes Follow these steps to enable RIPv2 route automatic summarization To do Use the command Remarks Enter system view Syste...

Страница 356: ...case you can disable RIP from receiving host routes to save network resources Follow these steps to disable RIP from receiving host routes To do Use the command Remarks Enter system view System view E...

Страница 357: ...ps to configure route filtering To do Use the command Remarks Enter system view system view Enter RIP view rip process id vpn instance vpn instance name Configure the filtering of incoming routes filt...

Страница 358: ...tional 100 by default 2 3 7 Configuring RIP Route Redistribution Follow these steps to configure RIP route redistribution To do Use the command Remarks Enter system view system view Enter RIP view rip...

Страница 359: ...arbage collect timer are 30s 180s 120s and 120s respectively Note Based on network performance you need to make RIP timers of RIP routers identical to each other to avoid unnecessary traffic or route...

Страница 360: ...rface number Enable poison reverse rip poison reverse Required Disabled by default 2 4 3 Configuring the Maximum Number of Load Balanced Routes Follow these steps to configure the maximum number of lo...

Страница 361: ...e same network segment RIP discards the message For a message received on a serial interface RIP checks whether the source address of the message is the IP address of the peer interface If not RIP dis...

Страница 362: ...t or multicast links you need to manually specify RIP neighbors If a specified neighbor is not directly connected you must disable source address check on incoming updates Follow these steps to specif...

Страница 363: ...id vpn instance vpn instance name Display all active routes in RIP database display rip process id database Display RIP interface information display rip process id interface interface type interface...

Страница 364: ...0 0 0 SwitchB rip 1 quit Display the RIP routing table of Switch A SwitchA display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 2 on Vlan inte...

Страница 365: ...running on Switch B which communicates with Switch A through RIP100 and with Switch C through RIP 200 Configure route redistribution on Switch B letting the two RIP processes redistribute routes from...

Страница 366: ...Switch C SwitchC system view SwitchC rip 200 SwitchC rip 200 network 3 0 0 0 SwitchC rip 200 network 4 0 0 0 SwitchC rip 200 network 5 0 0 0 SwitchC rip 200 version 2 SwitchC rip 200 undo summary Dis...

Страница 367: ...0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 4 Configure an filtering policy to filter redistributed routes Define ACL 2000 and reference it to a filtering policy to filter routes redistributed from RI...

Страница 368: ...ent configuration command to check RIP configuration z Use the display rip command to check whether some interface is disabled 2 7 2 Route Oscillation Occurred Symptom When all links work well route o...

Страница 369: ...ute Control z Configuring OSPF Network Optimization z Configuring OSPF Graceful Restart z Displaying and Maintaining OSPF z OSPF Configuration Examples z Troubleshooting OSPF Configuration Note z The...

Страница 370: ...et multicasting on some types of links 3 1 1 Basic Concepts I Autonomous System A set of routers using the same routing protocol to exchange routing information constitute an Autonomous System AS II O...

Страница 371: ...eded LSAs to the neighbor z LSAck link state acknowledgment packet Acknowledges received LSU packets It contains the headers of received LSAs a packet can acknowledge multiple LSAs V LSA types OSPF se...

Страница 372: ...o packet via the OSPF interface and the router that receives the hello packet checks parameters carried in the packet If parameters of the two routers match they become neighbors Adjacency A relations...

Страница 373: ...long to one OSPF area 2 Area Border Router ABR An area border router belongs to more than two areas one of which must be the backbone area It connects the backbone area to a non backbone area The conn...

Страница 374: ...ity to the backbone area z The backbone area itself must maintain connectivity In practice due to physical limitations the requirements may not be satisfied In this case configuring OSPF virtual links...

Страница 375: ...stub area does not distribute Type 5 LSAs into the area so the routing table size and amount of routing information in this area are reduced significantly You can configure the stub area as a totally...

Страница 376: ...o Area 1 Like stub areas virtual links cannot transit NSSA areas Figure 3 5 NSSA area VI Route summarization Route summarization An ABR or ASBR summarizes routes with the same prefix with a single rou...

Страница 377: ...le with the cost of an OSPF internal route The cost from a router to the destination of the Type 1 external route the cost from the router to the corresponding ASBR the cost from the ASBR to the desti...

Страница 378: ...networks are fully meshed non broadcast and multi access P2MP networks are not required to be fully meshed z It is required to elect the DR and BDR on NBMA networks while DR and BDR are not available...

Страница 379: ...an interface determines its qualification for DR BDR election Interfaces attached to the network and having priorities higher than 0 are election candidates The election votes are hello packets Each...

Страница 380: ...DD LSR LSU and LSAck respectively z Packet length Total length of the OSPF packet in bytes including the header z Router ID ID of the advertising router z Area ID ID of the area where the advertising...

Страница 381: ...ed with the router s sending interface If two routers have different network masks they cannot become neighbors z HelloInterval Interval for sending hello packets If two routers have different interva...

Страница 382: ...t to 1 if more DD Packets are to follow z MS Master Slave The Master Slave bit When set to 1 it indicates that the router is the master during the database exchange process Otherwise the router is the...

Страница 383: ...Determined by LSA type z Advertising Router ID of the router that sent the LSA V LSU packet LSU Link State Update packets are used to send the requested LSAs to peers and each packet carries a collec...

Страница 384: ...r as shown in the following figure Figure 3 15 LSA header format Major fields z LS age Time in seconds elapsed since the LSA was originated A LSA ages in the LSDB added by 1 per second but does not in...

Страница 385: ...r of router links interfaces to the area described in the LSA z Link ID Determined by Link type z Link Data Determined by Link type z Type Link type A value of 1 indicates a point to point link to a r...

Страница 386: ...ncluding the DR itself 3 Summary LSA Network summary LSAs Type 3 LSAs and ASBR summary LSAs Type 4 LSAs are originated by ABRs Other than the difference in the Link State ID field the format of type 3...

Страница 387: ...oute the Link State ID is always set to Default Destination 0 0 0 0 and the Network Mask is set to 0 0 0 0 z Network Mask The IP address mask for the advertised destination z E External Metric The typ...

Страница 388: ...eractions between different routing protocols Multiple OSPF processes can use the same RID An interface of a router can only belong to a single OSPF process II Authentication OSPF supports authenticat...

Страница 389: ...e upon receiving the responses from neighbors After reestablishing a neighbor relationship the GR Restarter will synchronize the LSDB and exchange routing information with all adjacent GR capable neig...

Страница 390: ...LSA Minimum Repeat Arrival Interval Optional Specifying the LSA Generation Interval Optional Disabling Interfaces from Sending OSPF Packets Optional Configuring Stub Routers Optional Configuring OSPF...

Страница 391: ...nfigure an OSPF process to run in a specified VPN instance to configure an association between the two The configurations for routers in an area are performed on the area basis Wrong configurations ma...

Страница 392: ...residing on the AS boundary you can configure them as stub areas to further reduce the size of routing tables on routers in these areas and the number of LSAs A stub area cannot redistribute routes a...

Страница 393: ...lts to 1 Configure a virtual link vlink peer router id hello seconds retransmit seconds trans delay seconds dead seconds simple plain cipher password md5 hmac md5 key id plain cipher password Optional...

Страница 394: ...neighboring nodes accessible with each other at network layer z OSPF basic functions 3 5 2 Configuring the OSPF Network Type for an Interface Follow these steps to configure the OSPF network type for...

Страница 395: ...e type interface number Configure a router priority for the interface ospf dr priority priority Optional The default router priority is 1 Note The DR priority configured with the ospf dr priority comm...

Страница 396: ...SPF areas on an ABR To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Enter OSPF area view area area id Require...

Страница 397: ...by default Note Since OSPF is a link state based interior gateway protocol routing information is contained in LSAs However OSPF cannot filter LSAs Using the filter policy import command is to filter...

Страница 398: ...e a bandwidth reference value To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Configure a bandwidth reference...

Страница 399: ...process id router id router id vpn instance instance name Configure the maximum number of equivalent load balanced routes maximum load balancing maximum Optional 4 by default 3 6 8 Configuring a Prio...

Страница 400: ...quired Not configured by default Configure OSPF to filter redistributed routes before advertisement filter policy acl number ip prefix ip prefix name export protocol process id Optional Not configured...

Страница 401: ...rk Optimization You can optimize your OSPF network in the following ways z Change OSPF packet timers to adjust the OSPF network convergence speed and network load On low speed links you need to consid...

Страница 402: ...and defaults to 30 seconds on P2MP and NBMA interfaces Specify the poll interval ospf timer poll seconds Optional The poll interval defaults to 120 seconds Specify the dead interval ospf timer dead se...

Страница 403: ...nges frequently a large amount of network resources will be occupied reducing the working efficiency of routers You can adjust the SPF calculation interval for the network to reduce negative influence...

Страница 404: ...1000 milliseconds Note The interval set with the lsa arrival interval command should be smaller or equal to the interval set with the lsa generation interval command 3 7 6 Specifying the LSA Generatio...

Страница 405: ...esses can disable the same interface from sending OSPF packets Use of the silent interface command disables only the interfaces associated with the current process rather than interfaces associated wi...

Страница 406: ...d Not configured by default Note A stub router has nothing to do with a stub area 3 7 9 Configuring OSPF Authentication By supporting packet authentication OSPF receives packets that pass the authenti...

Страница 407: ...into DD Packets Generally when an interface sends a DD packet it adds 0 into the Interface MTU field of the DD packet rather than the interface MTU Follow these steps to add the interface MTU into DD...

Страница 408: ...them compatible To do Use the command Remarks Enter system view system view Enter OSPF view ospf process id router id router id vpn instance instance name Required Make RFC1583 compatible rfc1583 com...

Страница 409: ...techange viriftxretransmit virnbrstatechange Optional Enabled by default Enter OSPF view ospf process id router id router id vpn instance instance name Enable messages logging enable log config error...

Страница 410: ...f opaque LSAs opaque capability enable Required Disabled by default Enable the IETF standard Graceful Restart capability for OSPF graceful restart ietf Optional Disabled by default Configure the Grace...

Страница 411: ...l restart ietf command can act as a GR Restarter and GR Helper at the same time z A device not configured with the graceful restart ietf command can act as a GR Helper only 3 8 2 Configuring the OSPF...

Страница 412: ...rigger OSPF Graceful Restart Ensure that these routers are enabled with the following capabilities first z LLS link local signaling z OOB out of band re synchronization z Opaque LSA advertisement z IE...

Страница 413: ...eer statistics Display next hop information display ospf process id nexthop Display routing table information display ospf process id routing interface interface type interface number nexthop nexthop...

Страница 414: ...process id redistribution Available in user view 3 10 OSPF Configuration Examples Note These examples only cover commands for OSPF configuration 3 10 1 Configuring OSPF Basic Functions I Network requi...

Страница 415: ...spf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 192 168 0 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 area 2 SwitchB ospf 1 area 0 0 0 2 network 192 168 2 0 0 0 0 255 Swi...

Страница 416: ...Normal State Full Mode Nbr is Slave Priority 1 DR 192 168 0 1 BDR 172 16 1 1 MTU 0 Dead timer due in 39 sec Neighbor is up for 00 07 32 Authentication Sequence 0 Display OSPF routing information on S...

Страница 417: ...8 28 80000001 3124 Sum Net 192 168 0 0 192 168 0 1 630 28 80000001 1562 Display OSPF routing information on Switch D SwitchD display ospf routing OSPF Process 1 with Router ID 192 168 2 2 Routing Tabl...

Страница 418: ...n between areas Switch D acts as the ASBR to redistribute routes static routes It is required to configure Area 1 as a Stub area reducing LSAs to this area without affecting route reachability II Netw...

Страница 419: ...24 4687 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 1 0 24 1562 Stub 192 168 1 2 172 16 1 1 0 0 0 1 192 168 2 0 24 4686 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 0 0 24 3124 Inter are...

Страница 420: ...24 1 Stub 172 16 1 1 172 16 1 1 0 0 0 1 172 17 1 0 24 68660 Inter area 192 168 1 1 192 168 0 1 0 0 0 1 192 168 1 0 24 1562 Stub 192 168 1 2 172 16 1 1 0 0 0 1 192 168 2 0 24 68659 Inter area 192 168...

Страница 421: ...one default external route 3 10 3 Configuring an OSPF NSSA Area I Network requirements The following figure shows an AS is split into three areas where all switches run OSPF Switch A and Switch B act...

Страница 422: ...configure the nssa command with the keyword default route advertise no summary on Switch A an ABR to reduce the routing table size on NSSA routers On other NSSA routers using the nssa command is ok D...

Страница 423: ...92 168 0 2 0 0 0 2 192 168 2 0 24 1562 Stub 192 168 2 2 172 17 1 1 0 0 0 2 192 168 0 0 24 3124 Inter area 192 168 2 1 192 168 0 2 0 0 0 2 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 1...

Страница 424: ...Configure Switch A SwitchA system view Switch A router id 1 1 1 1 Switch A ospf Switch A ospf 1 area 0 Switch A ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 0 quit SwitchA...

Страница 425: ...e Priority 1 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 38 sec Neighbor is up for 00 01 31 Authentication Sequence 0 Router ID 3 3 3 3 Address 192 168 1 3 GR State Normal State Full Mode N...

Страница 426: ...168 1 4 Vlan interface1 s neighbors Router ID 1 1 1 1 Address 192 168 1 1 GR State Normal State Full Mode Nbr is Slave Priority 100 DR 192 168 1 4 BDR 192 168 1 3 MTU 0 Dead timer due in 31 sec Neighb...

Страница 427: ...mer due in 39 sec Neighbor is up for 00 01 40 Authentication Sequence 0 Router ID 2 2 2 2 Address 192 168 1 2 GR State Normal State 2 Way Mode None Priority 0 DR 192 168 1 1 BDR 192 168 1 3 MTU 0 Dead...

Страница 428: ...interface OSPF Process 1 with Router ID 2 2 2 2 Interfaces Area 0 0 0 0 IP Address Type State Cost Pri DR BDR 192 168 1 2 Broadcast DROther 1 0 192 168 1 1 192 168 1 3 Note The interface state DROthe...

Страница 429: ...ospf 1 area 1 SwitchA ospf 1 area 0 0 0 1 network 192 168 1 0 0 0 0 255 SwitchA ospf 1 area 0 0 0 1 quit Configure Switch B SwitchB system view SwitchB ospf 1 router id 2 2 2 2 SwitchB ospf 1 area 1 S...

Страница 430: ...0 0 0 1 quit SwitchA ospf 1 quit Configure Switch B SwitchB ospf 1 SwitchB ospf 1 area 1 SwitchB ospf 1 area 0 0 0 1 vlink peer 1 1 1 1 SwitchB ospf 1 area 0 0 0 1 quit Display OSPF routing informatio...

Страница 431: ...h C Switch B Router ID 1 1 1 1 Router ID 2 2 2 2 Router ID 3 3 3 3 Figure 3 26 Network diagram for OSPF based GR configuration III Configuration procedure 1 Configure Switch A SwitchA system view Swit...

Страница 432: ...SwitchC ospf 100 SwitchC ospf 100 enable link local signaling SwitchC ospf 100 enable out of band resynchronization SwitchC ospf 100 area 0 SwitchC ospf 100 area 0 0 0 0 network 192 1 1 0 0 0 0 255 Sw...

Страница 433: ...other areas If a router connects to more than one area at least one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cannot receive ex...

Страница 434: ...al use the ranges assuming the switch operate in the default mode When the switch operates in the IPv4 IPv6 dual stack or the MCE mode the value ranges of some parameters may vary For the operating mo...

Страница 435: ...Link State Packet LSP Each IS can generate a LSP which contains all the link state information of the IS z Network Protocol Data Unit NPDU An NPDU is a network layer protocol packet in ISO which is eq...

Страница 436: ...er ID the system ID in IS IS can be obtained in the following way z Extend each decimal number of the IP address to 3 digits by adding 0s from the left like 168 010 001 001 z Divide the extended IP ad...

Страница 437: ...The Level 1 router only establishes the neighbor relationship with Level 1 and Level 1 2 routers in the same area The LSDB maintained by the Level 1 router contains the local area routing information...

Страница 438: ...rea 1 is a set of Level 2 routers called backbone network The other four areas are non backbone networks connected to the backbone through Level 1 2 routers Figure 4 2 IS IS topology Figure 4 3 shows...

Страница 439: ...type by configuring the routing hierarchy on the interface For example the level 1 interface can only establish Level 1 adjacency while the level 2 interface can only establish Level 2 adjacency By h...

Страница 440: ...such as PPP HDLC Note For the Non Broadcast Multi Access NBMA network such as ATM you need to configure point to point or broadcast network on its configured subinterfaces IS IS does not run on Point...

Страница 441: ...des can reduce LSPs the resources used by SPF and simplify the network topology Note On IS IS broadcast networks all routers are adjacent with each other The DIS is responsible for the synchronization...

Страница 442: ...cific headers present in bytes z Version Protocol ID Extension Set to 1 0x01 z ID Length The length of the NSAP address and NET ID z R Reserved Set to 0 z PDU Type For detail information refer to Tabl...

Страница 443: ...cast networks where the blue fields are the common header Figure 4 7 L1 L2 LAN IIH format z Reserved Circuit Type The first 6 bits are reserved with value 0 The last 2 bits indicates router types 00 m...

Страница 444: ...me PDU length Local Circuit ID Variable length fields 1 ID length 2 2 1 Figure 4 8 P2P IIH format Instead of the priority and LAN ID fields in the LAN IIH the P2P IIH has a Local Circuit ID field IV L...

Страница 445: ...nerated by the L1 L1 router only related with L1 LSP indicates that the router generating the LSP is connected with multiple areas z OL LSDB Overload Indicates that the LSDB is not complete because th...

Страница 446: ...Level 2 PSNP CSNP covers the summary of all LSPs in the LSDB to synchronize the LSDB between neighboring routers On broadcast networks CSNP is sent by the DIS periodically 10s by default On point to...

Страница 447: ...rotocol ID extension Length indicator Maximum area address R R PDU type No of Octets 1 1 1 1 1 1 1 1 PDU length Source ID Variable length fields 2 ID length 1 Figure 4 12 L1 L2 PSNP format VI CLV The...

Страница 448: ...S process to work in concert with a group of interfaces This means that a router can run multiple IS IS processes and each process corresponds to a unique group of interfaces For routers supporting VP...

Страница 449: ...r field allowing a maximum of only 256 fragments to be generated by an IS IS router limits the amount of link information that the IS IS router can advertise The LSP fragment extension feature allows...

Страница 450: ...nk state information in the extended LSP fragments advertised by the virtual systems z Mode 2 This mode is recommended in a network where all the routers support LSP fragment extension In this mode al...

Страница 451: ...z RFC 3373 Three Way Handshake for IS IS Point to Point Adjacencies z RFC 3567 Intermediate System to Intermediate System IS IS Cryptographic Authentication z RFC 3719 Recommendations for Interoperab...

Страница 452: ...rface to Send Small Hello Packets Optional Tuning and Optimizing IS IS Network Enabling SNMP Trap Optional Configuring IS IS GR Optional 4 3 Configuring IS IS Basic Functions 4 3 1 Configuration Prere...

Страница 453: ...sis circuit level level 1 level 1 2 level 2 Optional The default type is level 1 2 Note If a router s type is configured as Level 1 or Level 2 the type of interfaces must be the same which cannot be c...

Страница 454: ...nk cost in descending order of interface costs z Interface cost Assign a link cost for a single interface z Global cost Assign a link cost for all interfaces z Automatically calculated cost Calculate...

Страница 455: ...al IS IS cost circuit cost value level 1 level 2 Required Not specified by default III Enable automatic IS IS cost calculation Follow these steps to enable automatic IS IS cost calculation To do Use t...

Страница 456: ...face cost is 40 if the interface bandwidth is in the range of 156 M to 622 M the interface cost is 30 if the interface bandwidth is in the range of 623 M to 2500 M the interface cost is 20 and the def...

Страница 457: ...efault Note The cost of the summary route is the lowest cost among those summarized routes 4 4 6 Advertising a Default Route Follow these steps to advertise a default route To do Use the command Remar...

Страница 458: ...view Enter IS IS view isis process id vpn instance vpn instance name Redistribute routes from another routing protocol import route isis process id ospf process id rip process id bgp allow ibgp direct...

Страница 459: ...s from Level 2 to Level 1 Other routing policies specified for route reception and redistribution does not affect the route leaking 4 5 Tuning and Optimizing IS IS Network 4 5 1 Configuration Prerequi...

Страница 460: ...interface view interface interface type interface number Specify the interval between hello packets isis timer hello seconds level 1 level 2 Optional 10 seconds by default Specify the number of hello...

Страница 461: ...t applies to the level z On a point to point link if there is no response to a LSP sent by the local router within the specified retransmission interval the LSP is considered lost and the same LSP wil...

Страница 462: ...LSP refresh interval timer lsp refresh seconds Optional 900 seconds by default Specify the maximum LSP aging time timer lsp max age seconds Optional 1200 seconds by default Specify LSP generation inte...

Страница 463: ...ess enabled must not be less than 512 otherwise LSP fragment extension will not take effect z At least one virtual system needs to be configured for the router to generate extended LSP fragments 4 5 6...

Страница 464: ...view system view Enter IS IS view isis process id vpn instance vpn instance name Assign a local host name is name sys name Required No name is assigned by default This command also enables the mappin...

Страница 465: ...in order to authenticate neighbors All interfaces within a network must share the same authentication password at the same level Follow these steps to configure the authentication function To do Use...

Страница 466: ...late a router from the IS IS network by setting the overload tag Follow these steps to configure the LSDB overload tag To do Use the command Remarks Enter system view system view Enter IS IS view isis...

Страница 467: ...ce name Enable SNMP Trap is snmp traps enable Required Enabled by default 4 6 Configuring IS IS GR An ISIS restart may cause the termination of the adjacencies between a restarting router and its neig...

Страница 468: ...these steps to configure GR on the GR Restarter and GR Helper respectively To do Use the command Remarks Enter system view system view Enable IS IS and enter IS IS view isis process id vpn instance vp...

Страница 469: ...ilable in any view Display IS IS routing information display isis route ipv4 level 1 level 2 verbose process id vpn instance vpn instance name Available in any view Display SPF calculation log informa...

Страница 470: ...D is in area 20 II Network diagram Figure 4 14 Network diagram for IS IS basic configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure IS IS Configure Sw...

Страница 471: ...itchC interface vlan interface 300 SwitchC Vlan interface300 isis enable 1 SwitchC Vlan interface300 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 is level level 2 SwitchD...

Страница 472: ...60 988 68 0 0 0 0000 0000 0002 00 00 0x00000008 0xe651 1189 68 0 0 0 0000 0000 0002 01 00 0x00000005 0xd2b3 1188 55 0 0 0 0000 0000 0003 00 00 0x00000014 0x194a 1190 111 1 0 0 0000 0000 0003 01 00 0x0...

Страница 473: ...ATT P OL 0000 0000 0003 00 00 0x00000013 0xc73d 1003 100 0 0 0 0000 0000 0004 00 00 0x0000003c 0xd647 1194 84 0 0 0 0000 0000 0004 01 00 0x00000002 0xec96 1007 55 0 0 0 Self LSP Self LSP Extended ATT...

Страница 474: ...10 NULL Vlan100 Direct D L 10 1 2 0 24 10 NULL Vlan200 Direct D L Flags D Direct R Added to RM L Advertised in LSPs U Up Down Bit Set ISIS 1 IPv4 Level 2 Forwarding Table IPV4 Destination IntCost Ext...

Страница 475: ...in IS IS area 10 on a broadcast network Ethernet Switch A and Switch B are Level 1 2 switches Switch C is a Level 1 switch and Switch D is a Level 2 switch Change the DIS priority of Switch A to make...

Страница 476: ...sis enable 1 SwitchC Vlan interface100 quit Configure Switch D SwitchD system view SwitchD isis 1 SwitchD isis 1 network entity 10 0000 0000 0004 00 SwitchD isis 1 is level level 2 SwitchD isis 1 quit...

Страница 477: ...erfaces of Switch C SwitchC display isis interface Interface information for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 Yes No Display information...

Страница 478: ...System Id 0000 0000 0002 Interface Vlan interface100 Circuit Id 0000 0000 0001 01 State Up HoldTime 28s Type L2 L1L2 PRI 64 System Id 0000 0000 0004 Interface Vlan interface100 Circuit Id 0000 0000 00...

Страница 479: ...for ISIS 1 Interface Vlan interface100 Id IPV4 State IPV6 State MTU Type DIS 001 Up Down 1497 L1 L2 No No Display information about IS IS neighbors and interfaces of Switch D SwitchD display isis peer...

Страница 480: ...itches ensuring that Switch A Switch B and Switch C can communicate with each other at layer 3 and dynamic route update can be implemented among them with IS IS The configuration procedure is omitted...

Страница 481: ...t Supported Total Number of Interfaces 1 Restart Status RESTARTING T3 Timer Status Remaining Time 65535 T2 Timer Status Remaining Time 59 Interface Vlan1 T1 Timer Status Remaining Time 1 RA Not Receiv...

Страница 482: ...ent z The value ranges of the parameters of the commands in this manual use the ranges assuming the switch operate in the default mode When the switch operates in the IPv4 IPv6 dual stack or the MCE m...

Страница 483: ...ation with other BGP speakers When a BGP speaker receives a new route or a route better than the current one from another AS it will advertise the route to all the other BGP speakers in the local AS B...

Страница 484: ...2 BGP open message format z Version This 1 byte unsigned integer indicates the protocol version number of the message The current BGP version is 4 z My Autonomous System This 2 byte unsigned integer...

Страница 485: ...al length of the Path Attributes field in bytes A value of 0 indicates that no Network Layer Reachability Information field is present in this Update message z Path Attributes List of path attributes...

Страница 486: ...ust be recognized by all BGP routers and must be included in every update message Routing information error occurs without this attribute z Well known discretionary Can be recognized by all BGP router...

Страница 487: ...command have the IGP attribute z EGP Has the second highest priority Routes obtained via EGP have the EGP attribute z incomplete Has the lowest priority The source of routes with this attribute is un...

Страница 488: ...are the same As shown in the above figure the BGP router in AS50 gives priority to the route passing AS40 for sending information to the destination 8 0 0 0 In some applications you can apply a routin...

Страница 489: ...ncing information refer to BGP Route Selection Figure 5 7 NEXT_HOP attribute 4 MED MULTI_EXIT_DISC The MED attribute is exchanged between two neighboring ASs each of which does not advertise the attri...

Страница 490: ...that is selected according to LOCAL_PREF EBGP Router B Router A Router C Router D D 8 0 0 0 NEXT_HOP 3 1 1 1 LOCAL_PREF 200 IBGP IBGP IBGP EBGP 2 1 1 1 8 0 0 0 LOCAL_PREF 100 NEXT_HOP 2 1 1 1 LOCAL_PR...

Страница 491: ...route with the smallest ORIGINATOR_ID z Select the route advertised by the router with the smallest Router ID Note z CLUSTER_IDs of route reflectors form a CLUSTER_LIST If a route reflector receives a...

Страница 492: ...the same AS_PATH ORIGIN LOCAL_PREF and MED z BGP load balancing is applicable between EBGPs between IBGPs and between confederations z If multiple routes to the same destination are available BGP sel...

Страница 493: ...P Synchronization The routing information synchronization between IBGP and IGP is for avoidance of giving wrong directions to routers outside of the local AS If a non BGP router works in an AS a packe...

Страница 494: ...urs the routing protocol sends an update to its neighbor and then the neighbor needs to recalculate routes and modify the routing table Therefore frequent route flaps consume large bandwidth and CPU r...

Страница 495: ...ed with identical commands The peer group feature simplifies configuration of this kind When a peer is added into a peer group the peer enjoys the same route update policy as the peer group to improve...

Страница 496: ...s act as clients connecting to the route reflector The route reflector forwards reflects routing information between clients BGP connections between clients need not be established The router neither...

Страница 497: ...ore bandwidth resources You can use related commands to disable route reflection in this case Note After route reflection is disabled between clients routes between a client and a non client can still...

Страница 498: ...6 BGP GR Note For GR Graceful Restart information refer to BFD GR Configuration 1 To establish a BGP session with a peer a BGP GR Restarter sends an OPEN message with GR capability to the peer 2 Upon...

Страница 499: ...tended attributes In BGP 4 the three types of attributes for IPv4 namely NLRI NEXT_HOP and AGGREGATOR contains the IP address of the speaker generating the summary route are all carried in updates To...

Страница 500: ...Capability for BGP 4 z RFC2439 BGP Route Flap Damping z RFC1997 BGP Communities Attribute z RFC2796 BGP Route Reflection z RFC3065 Autonomous System Confederations for BGP z draft ietf idr restart 08...

Страница 501: ...z Since BGP employs TCP you need to specify IP addresses of peers which may not be neighboring routers z Using logical links can also establish BGP peer relationships z In general IP addresses of loo...

Страница 502: ...er change Optional Enabled by default Enable the logging of peer state changes for a peer or peer group peer group name ip address log change Optional Enabled by default Specify a preferred value for...

Страница 503: ...h TCP connections to the peers when using the outbound interfaces of the best routes as the source interfaces z In general direct physical links should be available between EBGP peers If not you can u...

Страница 504: ...a network to the BGP routing table network ip address mask mask length short cut route policy route policy name Optional Not injected by default Note z The ORIGIN attribute of routes redistributed usi...

Страница 505: ...route summarization is configured by default Choose either as needed if both are configured the manual route summarization takes effect 5 4 4 Advertising a Default Route to a Peer or Peer Group Follo...

Страница 506: ...rt Reference an AS path ACL to filter routing information to a peer peer group peer group name ip address as path acl as path acl number export Reference an IP prefix list to filer routing information...

Страница 507: ...cy as needed If several filtering policies are configured they are applied in the following sequence z filter policy import z peer filter policy import z peer as path acl import z peer ip prefix impor...

Страница 508: ...tem view Enter BGP view bgp as number Configure BGP route dampening dampening half life reachable half life unreachable reuse suppress ceiling route policy route policy name Optional Not configured by...

Страница 509: ...t as med Optional Not enabled by default Enable the comparison of MED of routes from each AS bestroute compare med Optional Not enabled by default Configure the MED attribute Enable the comparison of...

Страница 510: ...default the router takes AS_PATH as a factor for best route selection Specify a fake AS number for a peer peer group peer group name ip address fake as as number Optional Not specified by default This...

Страница 511: ...s can only find the fake AS number z The peer substitute as command is used only in specific networking environments Inappropriate use of the command may cause routing loops 5 6 Tuning and Optimizing...

Страница 512: ...figuring this task you have configured BGP basic functions 5 6 2 Configuration Procedure Follow these steps to tune and optimize BGP networks To do Use the command Remarks Enter system view system vie...

Страница 513: ...policy peer group name ip address keep all routes Optional Not kept by default Return to user view return Perform manual soft reset on BGP connections refresh bgp all ip address group group name exter...

Страница 514: ...Configuring a Large Scale BGP Network In a large scale BGP network configuration and maintenance become difficult due to large numbers of BGP peers In this case configuring peer groups makes managemen...

Страница 515: ...roup name as number as number Configu re a pure EBGP peer group Add a peer into the group peer ip address group group name as number as number Optional You can add multiple peers into the group The sy...

Страница 516: ...es advertised to a peer peer group peer group name ip address route policy route policy name export Required Not configured by default Note z When configuring BGP community you need to configure a rou...

Страница 517: ...y one route reflector and the router ID is used to identify the cluster You can configure multiple route reflectors to improve network stability In this case you need to specify the same cluster ID fo...

Страница 518: ...y act as a GR Helper Follow these steps to configure BGP GR To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Enable GR Capability for BGP graceful restart Requi...

Страница 519: ...number Display BGP CIDR routing information display bgp routing table cidr Display BGP routing information matching the specified BGP community display bgp routing table community aa nn 1 13 no adver...

Страница 520: ...Remarks Reset all BGP connections reset bgp all Reset the BGP connections to an AS reset bgp as number Reset the BGP connection to a peer reset bgp ip address flap info Reset all EBGP connections res...

Страница 521: ...200 1 1 2 24 Vlan int500 9 1 2 2 24 Switch B Vlan int400 9 1 1 1 24 Switch C Vlan int500 9 1 2 1 24 Vlan int200 200 1 1 1 24 Vlan int300 9 1 3 2 24 Vlan int300 9 1 3 1 24 Figure 5 16 Network diagram f...

Страница 522: ...P routing table SwitchA bgp network 8 0 0 0 SwitchA bgp quit Configure Switch B SwitchB bgp 65009 SwitchB bgp peer 200 1 1 2 as number 65008 SwitchB bgp quit Display BGP peer information on Switch B S...

Страница 523: ...al s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 8 0 0 0 200 1 1 2 0 0 65008i Display the BGP routing table on Switch C SwitchC display bgp routing tab...

Страница 524: ...Routes 4 BGP Local router ID is 3 3 3 3 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 8 0 0 0 2...

Страница 525: ...or BGP and IGP synchronization III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF omitted 3 Configure the EBGP connection Configure Switch A SwitchA system vi...

Страница 526: ...m BGP on Switch B SwitchB ospf SwitchB ospf 1 import route bgp SwitchB ospf 1 quit Display routing table information on Switch C SwitchC display ip routing table Routing Tables Public Destinations 7 R...

Страница 527: ...1 bytes 56 Sequence 1 ttl 254 time 15 ms Reply from 9 1 2 1 bytes 56 Sequence 2 ttl 254 time 31 ms Reply from 9 1 2 1 bytes 56 Sequence 3 ttl 254 time 47 ms Reply from 9 1 2 1 bytes 56 Sequence 4 ttl...

Страница 528: ...1 as number 65009 SwitchA bgp peer 200 1 2 1 as number 65009 Inject route 8 0 0 0 8 to BGP routing table SwitchA bgp network 8 0 0 0 255 0 0 0 SwitchA bgp quit Configure Switch B SwitchB system view...

Страница 529: ...ilable and the one with the next hop being 200 1 1 1 is the optimal because the ID of Switch B is smaller 3 Configure loading balancing Configure Switch A SwitchA bgp 65008 SwitchA bgp balance 2 Switc...

Страница 530: ...rf PrefVal Path Ogn 8 0 0 0 0 0 0 0 0 0 i 9 1 1 0 24 200 1 2 1 0 0 65009i 200 1 1 1 100 0 65009i From the above information you can find the route with the next hop 200 1 2 1 is the best route because...

Страница 531: ...witchB bgp peer 200 1 2 1 as number 10 SwitchB bgp peer 200 1 3 2 as number 30 SwitchB bgp quit Configure Switch C SwitchC system view SwitchC bgp 30 SwitchC bgp router id 3 3 3 3 SwitchC bgp peer 200...

Страница 532: ...oute policy comm_policy permit node 0 SwitchA route policy apply community no export SwitchA route policy quit Apply the routing policy SwitchA bgp 10 SwitchA bgp peer 200 1 2 2 route policy comm_poli...

Страница 533: ...from Switch C II Network diagram Figure 5 20 Network diagram for BGP route reflector configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure BGP connectio...

Страница 534: ...Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 2 reflect client SwitchC bgp peer 194 1 1 2 reflect client SwitchC bgp quit 4 Verify the above configuration Display the BGP routing table on Switch B...

Страница 535: ...Vlan int400 Vlan int500 Vlan int100 Vlan int100 Vlan int200 Vlan int100 Vlan int100 Vlan int200 Device Interface IP address Device Interface IP address Switch A Vlan int100 200 1 1 1 24 Switch D Vlan...

Страница 536: ...p quit Configure Switch C SwitchC system view SwitchC bgp 65003 SwitchC bgp router id 3 3 3 3 SwitchC bgp confederation id 200 SwitchC bgp confederation peer as 65001 65002 SwitchC bgp peer 10 1 2 1 a...

Страница 537: ...router id 6 6 6 6 SwitchF bgp peer 200 1 1 1 as number 200 SwitchF bgp network 9 1 1 0 255 255 255 0 SwitchF bgp quit 5 Verify above configuration Display the routing table on Switch B SwitchB displa...

Страница 538: ...display bgp routing table 9 1 1 0 BGP local router ID 4 4 4 4 Local AS number 65001 Paths 1 available 1 best BGP routing table entry information of 9 1 1 0 24 From 10 1 3 1 1 1 1 1 Relay Nexthop 0 0...

Страница 539: ...lection configuration III Configuration procedure 1 Configure IP addresses for interfaces omitted 2 Configure OSPF on Switch B C and D Configure Switch B SwitchB system view SwitchB ospf SwitchB ospf...

Страница 540: ...SwitchB bgp quit Configure Switch C SwitchC bgp 200 SwitchC bgp peer 193 1 1 1 as number 100 SwitchC bgp peer 195 1 1 1 as number 200 SwitchC bgp quit Configure Switch D SwitchD bgp 200 SwitchD bgp pe...

Страница 541: ...es 2 BGP Local router ID is 194 1 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn i 1 0 0 0 193...

Страница 542: ...roubleshooting BGP 5 11 1 No BGP Peer Relationship Established I Symptom Display BGP peer information using the display bgp peer command The state of the connection to a peer cannot become established...

Страница 543: ...al IPv4 Routing H3C S3610 S5510 Series Ethernet Switches Chapter 5 BGP Configuration 5 62 7 Use the display tcp status command to check the TCP connection 8 Check whether an ACL disabling TCP port 179...

Страница 544: ...tion to Routing Policy 6 1 1 Routing Policy and Policy Routing A routing policy is used on the router for route inspection filtering attributes modifying when routes are received advertised or redistr...

Страница 545: ...ng information advertised by certain routers will be received An IP prefix list is identified by name Each IP prefix list can comprise multiple items and each item which is identified by an index numb...

Страница 546: ...match clauses on a node is in logical AND relationship Only when the matching conditions specified by all the if match clauses on the node are satisfied can routing information pass the node The appl...

Страница 547: ...tem Follow these steps to define an IPv4 prefix list To do Use the command Remarks Enter system view system view Define an IPv4 prefix list ip ip prefix ip prefix name index index number permit deny i...

Страница 548: ...by number During matching the relation between items is logic OR that is if routing information matches one of these items it passes the community list Follow these steps to define a community list T...

Страница 549: ...y can comprise multiple nodes each node contains z if match clauses Define the match criteria that routing information must satisfy The matching objects are some attributes of routing information z ap...

Страница 550: ...ter routing information routing information that does not meet any node s conditions cannot pass the routing policy If all nodes of the routing policy are set using the deny keyword no routing informa...

Страница 551: ...nterface number 1 1 6 Optional Not configured by default Match routes having the specified route type if match route type internal external type1 external type2 external type1or2 is is level 1 is is l...

Страница 552: ...tribute for BGP routes apply community none additive community number 1 16 aa nn 1 16 internet no export subconfed no export no advertise additive Optional Not set by default Set a cost for routes app...

Страница 553: ...Use the command Remarks Display BGP AS path ACL information display ip as path as path number Display BGP community list information display ip community list basic community list number adv communit...

Страница 554: ...Network diagram for routing policy application to route redistribution III Configuration procedure 1 Specify IP addresses for interfaces omitted 2 Configure IS IS Configure Switch C SwitchC system vi...

Страница 555: ...OSPF and redistribute routes from IS IS SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 192 168 1 0 0 0 0 255 SwitchB ospf 1 area 0 0 0 0 quit SwitchB ospf 1 import route isis 1...

Страница 556: ...2002 SwitchB route policy apply tag 20 SwitchB route policy quit SwitchB route policy isis2ospf permit node 30 SwitchB route policy quit 6 Apply the routing policy to route redistribution Configure Sw...

Страница 557: ...IPv4 Routing Information Filtering Failure I Symptom Filtering routing information failed while routing protocol runs normally II Analysis At least one item of the IP prefix list should be configured...

Страница 558: ...D Basic Functions 1 6 1 3 1 Configuration Prerequisites 1 6 1 3 2 Configuration Procedure 1 6 1 4 Configuring BFD for Static Routing 1 7 1 5 Enabling BFD Trap 1 8 1 6 Displaying and Maintaining BFD 1...

Страница 559: ...H synchronous digital hierarchy transmission system alarms z If no hardware detection signals are provided or failures cannot be detected through hardware detection signals the network uses the hello...

Страница 560: ...sm After a BFD session is established if no BFD control packet is received from the neighbor within the BFD interval BFD sets the session state to down and notifies it to the protocol concerned Upon r...

Страница 561: ...a BFD session is established unless a protocol needs to explicitly verify the connectivity Note z At present only the asynchronous mode is supported z At present BFD can be implemented in the Echo mo...

Страница 562: ...future use z State Sta Current BFD session state Its value can be 0 for AdminDown 1 for Down 2 for Init and 3 for Up z Demand D If set to 1 it means the transmitting protocol wishes to operate in the...

Страница 563: ...ltiple BFD sessions between two protocols z Your Discriminator It is the discriminator received from the corresponding remote protocol This field reflects the received value of My Discriminator or ret...

Страница 564: ...2 Configuration Procedure Follow these steps to configure BFD session parameters To do Use the command Remarks Enter system view system view Specify a BFD session initiation mode bfd session init mode...

Страница 565: ...with the local device as the nexthop and enable BFD on the peer device z Use echo packets to establish a session These echo messages use the local device interface address as the destination and are d...

Страница 566: ...ly one end when the echo mode is used z For static route configuration refer to Static Routing Configuration in IPv4 Routing 1 5 Enabling BFD Trap Follow these steps to enable BFD trap To do Use the c...

Страница 567: ...witch A and enable BFD on it Implement BFD through BFD echo packets SwitchA system view SwitchA bfd echo source ip 123 1 1 1 SwitchA interface vlan interface 10 SwitchA vlan interface10 bfd min echo r...

Страница 568: ...information The neighbors will help the restarting device to update its routing information and to restore it to the state prior to the restart in minimal time The routing and forwarding remain highl...

Страница 569: ...or a period as specified by the GR Time 2 3 Graceful Restart Communication Procedure Configure a device as GR Restarter in a network This device and its GR Helper must support GR or be GR capable Thus...

Страница 570: ...restarting Figure 2 2 Restarting process for the GR Restarter As illustrated in Figure 2 2 The GR Helper detects that the GR Restarter has restarted its routing protocol and assumes that it will reco...

Страница 571: ...4 the GR Restarter obtains the necessary topology and routing information from all its neighbors through the GR sessions between them and calculates its own routing table based on this information 2...

Страница 572: ...RIPng Basic Functions 2 4 2 2 1 Configuration Prerequisites 2 4 2 2 2 Configuration Procedure 2 4 2 3 Configuring RIPng Route Control 2 5 2 3 1 Configuring an Additional Routing Metric 2 5 2 3 2 Confi...

Страница 573: ...7 Configuring OSPFv3 Route Redistribution 3 9 3 6 Tuning and Optimizing an OSPFv3 Network 3 10 3 6 1 Prerequisites 3 10 3 6 2 Configuring OSPFv3 Timers 3 10 3 6 3 Configuring the DR Priority for an I...

Страница 574: ...sing a Default Route to a Peer Peer Group 5 9 5 4 4 Configuring Route Distribution Policy 5 9 5 4 5 Configuring Route Reception Policy 5 10 5 4 6 Configuring IPv6 BGP and IGP Route Synchronization 5 1...

Страница 575: ...6 2 1 Prerequisites 6 3 6 2 2 Defining an IPv6 Prefix List 6 3 6 2 3 Defining an AS Path List 6 4 6 2 4 Defining a Community List 6 4 6 2 5 Defining an Extended Community List 6 5 6 3 Configuring a R...

Страница 576: ...e tunnel interfaces successfully 1 1 Introduction to IPv6 Static Routing Static routes are special routes that are manually configured by network administrators They work well in simple networks Confi...

Страница 577: ...nfigure an IPv6 static route To do Use the commands Remarks Enter system view System view Configure an IPv6 static route ipv6 route static ipv6 address prefix length interface type interface number ne...

Страница 578: ...nfigure IPv6 static routes Configure the default IPv6 static route on Switch A SwitchA system view SwitchA ipv6 SwitchA ipv6 route static 0 4 2 Configure two IPv6 static routes on Switch B SwitchB sys...

Страница 579: ...64 Protocol Direct NextHop 1 1 Preference 0 Interface Vlan100 Cost 0 Destination 1 1 128 Protocol Direct NextHop 1 Preference 0 Interface InLoop0 Cost 0 Destination 4 64 Protocol Direct NextHop 4 1 Pr...

Страница 580: ...g Configuration 1 5 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 5 hop limit 254 time 63 ms 3 1 ping statis...

Страница 581: ...Multicast address RIPng uses FF02 9 as the link local multicast address z Destination Prefix 128 bit destination address prefix z Next hop 128 bit IPv6 address z Source address RIPng uses FE80 10 as t...

Страница 582: ...d Each time a route entry is modified the routing time is set to 0 z Route tag Identifies the route used in routing policy to control routing information 2 1 2 RIPng Packet Format I Basic format A RIP...

Страница 583: ...rom neighbors The receiving RIPng router processes RTEs in the request If there is only one RTE with the IPv6 prefix and prefix length both being 0 and with a metric value of 16 the RIPng router will...

Страница 584: ...ce configurations such as assigning an IPv6 address 2 2 1 Configuration Prerequisites Before the configuration accomplish the following tasks first z Enable IPv6 packet forwarding z Configure an IP ad...

Страница 585: ...he outbound additional metric is added to the metric of a sent route the route s metric in the routing table is not changed The inbound additional metric is added to the metric of a received route bef...

Страница 586: ...ised routing information as needed For filtering outbound routes you can also specify a routing protocol from which to filter routing information redistributed Follow these steps to configure a RIPng...

Страница 587: ...Optional By default the default metric of redistributed routes is 0 Redistribute routes from another routing protocol import route protocol process id allow ibgp cost cost route policy route policy n...

Страница 588: ...the following defaults z 30 seconds for the update timer z 180 seconds for the timeout timer z 120 seconds for the suppress timer z 120 seconds for the garbage collect timer Note When adjusting RIPng...

Страница 589: ...is set to 16 That is to say the route is unreachable Follow these steps to configure poison reverse To do Use the command Remarks Enter system view system view Enter interface view interface interface...

Страница 590: ...y default 2 5 Displaying and Maintaining RIPng To do Use the command Remarks Display configuration information of a RIPng process display ripng process id Available in any view Display routes in the R...

Страница 591: ...terface100 ripng 1 enable SwitchA Vlan interface100 quit SwitchA interface vlan interface 400 SwitchA Vlan interface400 ripng 1 enable SwitchA Vlan interface400 quit Configure Switch B SwitchB system...

Страница 592: ...Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 6 Sec Peer FE80 20F E2FF FE00 100 on Vlan interface200 Dest 3 64 via FE80 20F E2FF FE00 100 cost 1 tag 0 A 11 Sec Dest 4 64 via FE80 20F E2FF...

Страница 593: ...Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Dest 2 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Peer FE80 20F E2...

Страница 594: ...and compliant with RFC2740 OSPF for IPv6 Identical parts between OSPFv3 and OSPFv2 z 32 bits router ID and area ID z Packets Hello DD Data Description LSR Link State Request LSU Link State Update LSAc...

Страница 595: ...nated by ABRs Area Border Routers and flooded throughout the LSA s associated area Each Inter Area Prefix LSA describes a route with IPv6 address prefix to a destination outside the area yet still ins...

Страница 596: ...If no response is received after retransmission interval elapses the router will send again the LSA The retransmission interval must be longer than the round trip time of the LSA in between II LSA de...

Страница 597: ...Costs for OSPFv3 Interfaces Optional Configuring the Maximum Number of OSPFv3 Load balanced Routes Optional Configuring a Priority for OSPFv3 Optional Configuring OSPFv3 Routing Information Management...

Страница 598: ...tiple OSPFv3 processes you need to specify a router ID for each process z You need to specify a router ID manually which is necessary to make OSPFv3 work 3 4 Configuring OSPFv3 Area Parameters The stu...

Страница 599: ...nnot delete an OSPFv3 area directly Only when you remove all configurations in area view and all interfaces attached to the area become down can the area be removed automatically z All routers attache...

Страница 600: ...Prerequisites z Enable IPv6 packet forwarding z Configure OSPFv3 basic functions 3 5 2 Configuring OSPFv3 Route Summarization Follow these steps to configure route summarization between areas To do U...

Страница 601: ...tered can be added into the local routing table 3 5 4 Configuring Link Costs for OSPFv3 Interfaces You can configure OSPFv3 link costs for interfaces to adjust routing calculation Follow these steps t...

Страница 602: ...iew system view Enter OSPFv3 view ospfv3 process id Configure a priority for OSPFv3 preference ase route policy route policy name preference Optional By default the priority of OSPFv3 interval routes...

Страница 603: ...However if the import route command is not configured executing the filter policy export command does not take effect 3 6 Tuning and Optimizing an OSPFv3 Network This section describes configurations...

Страница 604: ...onfigure the LSA transmission delay ospfv3 trans delay seconds instance instance id Optional Defaults to 1 second Return to system view quit Enter OSPFv3 view ospfv3 process id Configure the SPF timer...

Страница 605: ...check MTU in DD packets in order to improve efficiency Follow these steps to ignore MTU check for DD packets To do Use the command Remarks Enter system view system view Enter interface view interface...

Страница 606: ...ent direct routes of the interface can still be advertised in Intra Area Prefix LSAs via other interfaces but other OSPFv3 packets cannot be advertised Therefore no neighboring relationship can be est...

Страница 607: ...OSPFv3 neighbor information display ospfv3 process id area area id peer interface type interface number verbose peer router id Display OSPFv3 neighbor statistics display ospfv3 peer statistic Display...

Страница 608: ...a 2 Switch A Vlan int100 2001 2 64 Vlan int100 2001 1 64 Vlan int300 2001 3 1 64 Vlan int200 2001 1 2 64 Switch C Vlan int400 2001 2 1 64 Vlan int400 2001 2 2 64 Switch B Vlan int200 2001 1 1 64 Switc...

Страница 609: ...r id 3 3 3 3 SwitchC ospfv3 1 quit SwitchC interface vlan interface 100 SwitchC Vlan interface100 ospfv3 1 area 0 SwitchC Vlan interface100 quit SwitchC interface vlan interface 400 SwitchC Vlan inter...

Страница 610: ...tance ID 4 4 4 4 1 Full DR 00 00 38 Vlan400 0 Display OSPFv3 routing table information on Switch D SwitchD display ospfv3 routing E1 Type 1 external route IA Inter area route I Intra area route E2 Typ...

Страница 611: ...ute E2 Type 2 external route Seleted route OSPFv3 Router with ID 4 4 4 4 Process 1 Destination 0 Type IA Cost 11 NextHop FE80 F40D 0 93D0 1 Interface Vlan400 Destination 2001 64 Type IA Cost 2 NextHop...

Страница 612: ...ected Interface Vlan400 3 8 2 Configuring OSPFv3 DR Election I Network requirements In the following figure z The priority of Switch A is 100 the highest priority on the network so it will be the DR z...

Страница 613: ...tchB Vlan interface200 quit Configure Switch C SwitchC system view SwitchC ipv6 SwitchC ospfv3 SwitchC ospfv3 1 router id 3 3 3 3 SwitchC ospfv3 1 quit SwitchC interface vlan interface 100 SwitchC Vla...

Страница 614: ...VLAN interface 100 as 100 on Switch A SwitchA interface Vlan interface 100 SwitchA Vlan interface100 ospfv3 dr priority 100 SwitchA Vlan interface100 quit Configure the DR priority of VLAN interface 2...

Страница 615: ...0 4 4 4 4 1 Full DROther 00 00 37 Vlan200 0 Display neighbor information on Switch D You can find Switch A becomes the DR SwitchD display ospfv3 peer OSPFv3 Area ID 0 0 0 0 Process 1 Neighbor ID Pri...

Страница 616: ...st one area must be connected to the backbone The backbone cannot be configured as a Stub area In a Stub area all routers cannot receive external routes and all interfaces connected to the Stub area m...

Страница 617: ...IS go to these sections for information you are interested in z Introduction to IPv6 IS IS z Configuring IPv6 IS IS Basic Functions z Configuring IPv6 IS IS Routing Information Control z Displaying an...

Страница 618: ...lly z Configure IP addresses for interfaces and make sure all neighboring nodes are reachable z Enable IS IS 4 2 2 Configuration Procedure Follow these steps to configure the basic functions of IPv6 I...

Страница 619: ...tional 15 by default Configure an IPv6 IS IS summary route ipv6 summary ipv6 prefix prefix length avoid feedback generate_null0_route level 1 level 1 2 level 2 tag tag Optional Not configured by defau...

Страница 620: ...Optional 4 by default Note The ipv6 filter policy export command usually used in combination with the ipv6 import route command filters redistributed routes when advertising them to other routers If...

Страница 621: ...is peer verbose process id vpn instance vpn instanc name Available in any view Display IPv6 IS IS routing information display isis route ipv6 level 1 level 2 verbose process id Available in any view D...

Страница 622: ...e 4 1 Network diagram for IPv6 IS IS basic configuration III Configuration procedure 1 Configure IPv6 addresses for interfaces omitted 2 Configure IPv6 IS IS Configure Switch A SwitchA system view Swi...

Страница 623: ...ce 200 SwitchC Vlan interface200 isis ipv6 enable 1 SwitchC Vlan interface200 quit SwitchC interface vlan interface 300 SwitchC Vlan interface300 isis ipv6 enable 1 SwitchC Vlan interface300 quit Conf...

Страница 624: ...sic Functions z Controlling Route Distribution and Reception z Configuring IPv6 BGP Route Attributes z Tuning and Optimizing IPv6 BGP Networks z Configuring a Large Scale IPv6 BGP Network z Displaying...

Страница 625: ...ishing TCP Connections Optional Allowing the establishment of a Non Direct EBGP connection Optional Configuring a Description for a Peer Peer Group Optional Disabling Session Establishment to a Peer P...

Страница 626: ...onal 5 3 Configuring IPv6 BGP Basic Functions 5 3 1 Prerequisites Before configuring this task you need to z Specify IP addresses for interfaces z Enable IPv6 Note You need create a peer group before...

Страница 627: ...er IPv6 address family view ipv6 family Add a local route into IPv6 BGP routing table network ipv6 address prefix length short cut route policy route policy name Required Not added by default 5 3 4 Co...

Страница 628: ...ferred value refer to the peer ipv6 group name ipv6 address route policy route policy name import export command and the apply preferred value preferred value command 5 3 5 Specifying the Source Inter...

Страница 629: ...s as the source interfaces 5 3 6 Allowing the establishment of a Non Direct EBGP connection Follow these steps to allow the establishment of EBGP connection to a non directly connected peer peer group...

Страница 630: ...a Peer Peer Group Follow these steps to disable session establishment to a peer peer group To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Enter IPv6...

Страница 631: ...n and route dampening 5 4 1 Prerequisites Before configuring this task you have z Enabled the IPv6 function z Configured the IPv6 BGP basic functions 5 4 2 Configuring IPv6 BGP Route Redistribution Fo...

Страница 632: ...up peer ipv6 group name ipv6 address default route advertise route policy route policy name Required Not advertised by default Note With the peer default route advertise command used the local router...

Страница 633: ...iler routes advertised to a peer peer group peer ipv6 group name ipv6 address ipv6 prefix ipv6 prefix name export Required Not specified by default Note z Members of a peer group must have the same ou...

Страница 634: ...upper limit of address prefixes imported from a peer peer group peer ipv6 group name ipv6 address route limit limit percentage Optional By default no limit on prefixes Note z Only routes passing the s...

Страница 635: ...bgp as number Required Enter IPv6 address family view ipv6 family Configure IPv6 BGP route dampening parameters dampening half life reachable half life unreachable reuse suppress ceiling route policy...

Страница 636: ...ult local preference value Optional The value defaults to 100 Advertise routes to a peer peer group with the local router as the next hop peer ipv6 group name ipv6 address next hop local Required By d...

Страница 637: ...figured by default Prioritize MED values of routes from confederation peers bestroute med confederation Optional Not configured by default 5 5 4 Configuring the AS_PATH Attribute Follow these steps to...

Страница 638: ...their holdtime values taking the shorter one as the common holdtime If the holdtime is 0 neither keepalive massage is sent nor holdtime is checked z IPv6 BGP connection soft reset After modifying a ro...

Страница 639: ...onal The keepalive interval defaults to 60 seconds holdtime defaults to 180 seconds Configure the interval for sending the same update to a peer peer group peer ipv6 group name ipv6 address route upda...

Страница 640: ...cy peer ipv6 group name ipv6 address keep all routes Optional Not saved by default Return to user view return Soft reset BGP connections manually refresh bgp ipv6 all ipv6 address group ipv6 group nam...

Страница 641: ...peer group In a peer group all members enjoy a common policy Using the community attribute can make a set of IPv6 BGP routers in multiple ASs enjoy the same policy because sending of community betwee...

Страница 642: ...p To do Use the command Remarks Enter system view system view Enter BGP view bgp as number Required Not enabled by default Enter IPv6 address family view ipv6 family Create an EBGP peer group group ip...

Страница 643: ...er group you need to create a peer and specify its AS number that can be different from AS numbers of other peers but you cannot specify AS number for the EBGP peer group 5 7 3 Configuring IPv6 BGP Co...

Страница 644: ...BGP community you need to configure a routing policy to define the community attribute and apply the routing policy to route advertisement 5 7 4 Configuring an IPv6 BGP Route Reflector Follow these st...

Страница 645: ...d routing information display bgp ipv6 network Display IPv6 BGP AS path information display bgp ipv6 paths as regular expression Display IPv6 BGP peer peer group information display bgp ipv6 peer ipv6...

Страница 646: ...gth statistic Display IPv6 BGP routing information matching a regular expression display bgp ipv6 routing table regular expression as regular expression Display IPv6 BGP routing statistics display bgp...

Страница 647: ...g figure are all IPv6 BGP switches Between Switch A and Switch B is an EBGP connection Switch B Switch C and Switch D are IBGP fully meshed II Network diagram Figure 5 1 IPv6 BGP basic configuration n...

Страница 648: ...bgp ipv6 family SwitchD bgp af ipv6 peer 9 1 1 as number 65009 SwitchD bgp af ipv6 peer 9 2 1 as number 65009 SwitchD bgp af ipv6 quit SwitchD bgp quit 3 Configure the EBGP connection Configure Switch...

Страница 649: ...state 2 Peer V AS MsgRcvd MsgSent OutQ PrefRcv Up Down State 9 3 1 4 65009 4 4 0 0 00 02 18 Established 9 2 2 4 65009 4 5 0 0 00 01 52 Established Switch A and B established an EBGP connection Switch...

Страница 650: ...chB bgp ipv6 family SwitchB bgp af ipv6 peer 100 1 as number 100 SwitchB bgp af ipv6 peer 101 1 as number 200 SwitchB bgp af ipv6 peer 101 1 next hop local Configure Switch C SwitchC system view Switc...

Страница 651: ...any two routers need to establish a TCP session using port 179 and exchange open messages successfully III Processing steps 1 Use the display current configuration command to verify the peer s AS num...

Страница 652: ...filter routing information For example a router receives or advertises only routing information that matches the criteria of a routing policy a routing protocol redistributes routes from another prot...

Страница 653: ...ute field to identify a community A community list specifies matching conditions based on the community attribute V Extended community list Extended community list extcommunity list applies to IPv6 BG...

Страница 654: ...x list can comprise multiple items Each item specifies a matching address range in the form of network prefix which is identified by index number During matching the system compares the route to each...

Страница 655: ...CL Follow these steps to define an AS path ACL To do Use the command Remarks Enter system view system view Define an AS path ACL ip as path as path number deny permit regular expression Required Not d...

Страница 656: ...a Routing Policy A routing policy is used to filter routing information according to some attributes and modify some attributes of the routing information that matches the routing policy Match criter...

Страница 657: ...can neither pass the node nor go to the next node If route information cannot match any if match clause of the node it will go to the next node for a match z When a routing policy is defined with more...

Страница 658: ...t Match routes having specified outbound interface s if match interface interface type interface number 1 16 Optional Not configured by default Match routes having the specified route type if match ro...

Страница 659: ...ttribute for IPv6 BGP routes apply community none additive community number 1 16 aa nn 1 16 internet no export subconfed no export no advertise additive Optional Not set by default Set a cost for rout...

Страница 660: ...the Routing Policy To do Use the command Remarks Display IPv6 BGP AS path ACL information display ip as path as path number Display IPv6 BGP community list information display ip community list basic...

Страница 661: ...view SwitchA ipv6 SwitchA interface vlan interface 100 SwitchA Vlan interface100 ipv6 address 10 1 32 SwitchA Vlan interface100 quit SwitchA interface vlan interface 200 SwitchA Vlan interface200 ipv6...

Страница 662: ...ipng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 7D58 0 CA03 1 on Vlan interface 100 Dest 10 32 via FE80 7D58 0 CA03 1 cost 1 tag 0 A 18 Sec Dest 20 32 via FE80 7D58 0 CA03 1...

Страница 663: ...ation failed while routing protocol runs normally II Analysis At least one item of the IPv6 prefix list should be configured as permit mode and at least one node of the Route policy should be configur...

Страница 664: ...tocols and Standards 2 6 2 2 IGMP Snooping Configuration Task List 2 6 2 3 Configuring Basic Functions of IGMP Snooping 2 8 2 3 1 Configuration Prerequisites 2 8 2 3 2 Enabling IGMP Snooping 2 8 2 3 3...

Страница 665: ...3 3 Configuring Basic Functions of MLD Snooping 3 7 3 3 1 Configuration Prerequisites 3 7 3 3 2 Enabling MLD Snooping 3 7 3 3 3 Configuring the Version of MLD Snooping 3 8 3 4 Configuring MLD Snooping...

Страница 666: ...ents in IGMPv3 5 4 5 1 5 Protocols and Standards 5 6 5 2 IGMP Configuration Task List 5 6 5 3 Configuring Basic Functions of IGMP 5 7 5 3 1 Configuration Prerequisites 5 7 5 3 2 Enabling IGMP 5 7 5 3...

Страница 667: ...M 6 30 6 4 1 PIM SSM Configuration Task List 6 30 6 4 2 Configuration Prerequisites 6 30 6 4 3 Enabling PIM SM 6 31 6 4 4 Configuring the SSM Group Range 6 31 6 5 Configuring PIM Common Information 6...

Страница 668: ...Message Filtering Rule 7 15 7 5 5 Configuring SA Message Cache 7 16 7 6 Displaying and Maintaining MSDP 7 16 7 7 MSDP Configuration Examples 7 17 7 7 1 Example of Leveraging BGP Routes 7 17 7 7 2 Any...

Страница 669: ...Multicast Forwarding Table Size 8 9 8 3 8 Tracing a Multicast Path 8 10 8 4 Displaying and Maintaining Multicast Routing and Forwarding 8 11 8 5 Configuration Examples 8 12 8 5 1 Multicast Static Rout...

Страница 670: ...ue of point to multipoint data transmission By allowing high efficiency point to multipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the...

Страница 671: ...the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information to each of these users This means a t...

Страница 672: ...specific hosts moreover broadcast transmission is a significant usage of network resources III Multicast As discussed above the unicast and broadcast techniques are unable to provide point to multipo...

Страница 673: ...tributed an increase of the number of hosts will not remarkably add to the network load z Over broadcast As multicast data is sent only to the receivers that need it multicast uses the network bandwid...

Страница 674: ...or joins another group Note z A multicast source does not necessarily belong to a multicast group Namely a multicast source is not necessarily a multicast data receiver z A multicast source can send d...

Страница 675: ...el uses a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources 1 3 Multic...

Страница 676: ...s can be used by routing protocols and for topology searching protocol maintenance and so on Commonly used permanent group addresses are listed in Table 1 3 A packet destined for an address in this bl...

Страница 677: ...ration Protocol DHCP server relay agent 224 0 0 13 All Protocol Independent Multicast PIM routers 224 0 0 14 Resource Reservation Protocol RSVP encapsulation 224 0 0 15 All Core Based Tree CBT routers...

Страница 678: ...local scope 2 Link local scope 4 Admin local scope 5 Site local scope 6 7 9 through D Unassigned 8 Organization local scope E Global scope III Ethernet multicast MAC addresses When a unicast IP packe...

Страница 679: ...As a result 32 multicast IPv4 addresses map to the same MAC address Therefore in Layer 2 multicast forwarding a device may receive some multicast data addressed for other IPv4 multicast groups and su...

Страница 680: ...IGMP Snooping IGMP multicast VLAN PIM and MSDP are for IPv4 MLD Snooping MLD IPv6 multicast VLAN and IPv6 PIM are for IPv6 This section provides only general descriptions about applications and funct...

Страница 681: ...ution trees within an AS so as to deliver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on th...

Страница 682: ...extra burden on the Layer 3 device 1 4 Multicast Packet Forwarding Mechanism In a multicast model a multicast source sends information to the host group identified by the multicast group address in t...

Страница 683: ...ng IGMP Snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups 2 1 1 Principle of IGMP Snooping By analyzing received IGMP messages a Layer...

Страница 684: ...port A router port is a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or IGMP querier In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B a...

Страница 685: ...ssages and actions Timer Description Message before expiry Action after expiry Router port aging timer For each router port the switch sets a timer initialized to the aging time of the route port IGMP...

Страница 686: ...es z Upon receiving an IGMP query a multicast group member host responds with an IGMP report z When intended to join a multicast group a host sends an IGMP report to the multicast router to announce t...

Страница 687: ...a group specific IGMP leave group message on a member port it first checks whether a forwarding table entry for that group exists and if one exists whether its outgoing port list contains that port z...

Страница 688: ...ormal way 2 In only PIM is enabled on the switch z The switch broadcasts IGMP messages as unknown messages in the VLAN z Upon receiving a PIM hello message the switch will maintain the corresponding r...

Страница 689: ...nfiguring Maximum Multicast Groups that Can Be Joined on a Port Optional Configuring an IGMP Snooping Policy Configuring Multicast Group Replacement Optional Note z Configurations made in IGMP Snoopin...

Страница 690: ...Disabled by default Return to system view quit Enter VLAN view vlan vlan id Enable IGMP Snooping in the VLAN igmp snooping enable Required Disabled by default Note z IGMP Snooping must be enabled glob...

Страница 691: ...atic Ports 2 4 Configuring IGMP Snooping Port Functions 2 4 1 Configuration Prerequisites Before configuring IGMP Snooping port functions complete the following tasks z Enable IGMP Snooping in the VLA...

Страница 692: ...ts in a VLAN Follow these steps to configure aging timers for dynamic ports in a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure router port agi...

Страница 693: ...oes not respond to queries from the IGMP querier when static G or S G joining is enabled or disabled on a port the port does not send an unsolicited IGMP report or an IGMP leave group message z Static...

Страница 694: ...d by default Note z Each simulated host is equivalent to an independent host For example when receiving an IGMP query the simulated host corresponding to each configuration responds respectively z The...

Страница 695: ...Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Required Use either command Enable...

Страница 696: ...the Layer 2 switch will act as the IGMP Snooping querier to send IGMP queries thus allowing multicast forwarding entries to be established and maintained at the data link layer Follow these steps to e...

Страница 697: ...queries the maximum response time equals to the IGMP last member query interval I Configuring IGMP queries and responses globally Follow these steps to configure IGMP queries and responses globally T...

Страница 698: ...t forwarding entries from being correctly created at the data link layer and cause multicast traffic forwarding failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the a...

Страница 699: ...n actual application when a user requests a multicast program the user s host initiates an IGMP report Upon receiving this report message the switch checks the report against the configured ACL rule I...

Страница 700: ...ata refers to multicast data for which no entries exist in the IGMP Snooping forwarding table When the switch receives such multicast traffic z With the function of dropping unknown multicast data ena...

Страница 701: ...ooping view igmp snooping Enable IGMP report suppression report aggregation Optional Enabled by default 2 6 5 Configuring Maximum Multicast Groups that Can Be Joined on a Port By configuring the maxim...

Страница 702: ...xceed the number configured for the switch or the port In addition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically...

Страница 703: ...o configure the maximum number of multicast groups allowed on a port refer to Configuring Maximum Multicast Groups that Can Be Joined on a Port before configuring multicast group replacement Otherwise...

Страница 704: ...oins 2 8 IGMP Snooping Configuration Examples 2 8 1 Configuring Simulated Joining I Network requirements As shown in Figure 2 3 Router A connects to the multicast source through Ethernet 1 0 2 and to...

Страница 705: ...et1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 100 assign Ethernet 1 0 1 through Ethernet 1 0 4 to thi...

Страница 706: ...thernet 1 0 3 and Ethernet 1 0 4 of Switch A is listening to multicast streams that the multicast source 1 1 1 1 sends to the multicast group 224 1 1 1 0 0 0 0 224 1 1 1 2 8 2 Static Router Port Confi...

Страница 707: ...nterrupted during this process II Network diagram Source 1 1 1 1 24 Router A IGMP querier Eth1 0 1 10 1 1 1 24 Eth1 0 2 1 1 1 2 24 Switch A Switch C Switch B Eth1 0 1 Eth1 0 2 Eth1 0 2 Host C Host B H...

Страница 708: ...le SwitchA vlan100 quit Configure Ethernet 1 0 3 to be a static router port SwitchA interface ethernet 1 0 3 SwitchA Ethernet1 0 3 igmp snooping static router port vlan 100 SwitchA Ethernet1 0 3 quit...

Страница 709: ...01 30 Eth1 0 3 S IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Attribute Host Port Host port s total 1 port Eth1 0 2 D 00 03 23 MAC group s MA...

Страница 710: ...chA igmp snooping SwitchA igmp snooping quit Create VLAN 100 and add Ethernet 1 0 1 and Ethernet 1 0 2 to VLAN 100 SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 ethernet 1 0 2 Enable IGMP Snoop...

Страница 711: ...this VLAN SwitchC vlan 100 SwitchC vlan100 port ethernet 1 0 1 to ethernet 1 0 3 SwitchC vlan100 igmp snooping enable 4 Verify the configuration View the IGMP message statistics on Switch C SwitchC v...

Страница 712: ...Symptom Although a multicast group policy has been configured to allow hosts to join specific multicast groups the hosts can still receive multicast data addressed to other multicast groups II Analysi...

Страница 713: ...S3610 S5510 Series Ethernet Switches Chapter 2 IGMP Snooping Configuration 2 31 whether this configuration conflicts with the configured multicast group policy If any conflict exists remove the port a...

Страница 714: ...nooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups 3 1 1 Introduction to MLD Snooping By analyzing received MLD m...

Страница 715: ...a port on the Ethernet switch that leads switch towards the Layer 3 multicast device DR or MLD querier In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B are router ports The swit...

Страница 716: ...before expiry Action after expiry Router port aging timer For each router port the switch sets a timer initialized to the aging time of the route port MLD general query of which the source address is...

Страница 717: ...responds with an MLD report z When intended to join an IPv6 multicast group a host sends an MLD report to the multicast router to announce that it is interested in the multicast information addressed...

Страница 718: ...h does not know whether any other hosts attached to the port are still listening to that IPv6 multicast group address the switch does not immediately removes the port from the outgoing port list of th...

Страница 719: ...Optional Configuring Aging Timers for Dynamic Ports Optional Configuring Static Ports Optional Configuring Simulated Joining Optional Configuring MLD Snooping Port Functions Configuring Fast Leave Pro...

Страница 720: ...he current port group For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet port view or port group view 3 3 Configuring Basic...

Страница 721: ...looded in the VLAN z MLD Snooping version 2 can process MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view...

Страница 722: ...ng timer of the port for that group expires If IPv6 multicast group memberships change frequently you can set a relatively small value for the member port aging timer and vice versa I Configuring agin...

Страница 723: ...static group ipv6 group address source ip ipv6 source address vlan vlan id Required Disabled by default Configure the port s as static router port s mld snooping static router port vlan vlan id Requir...

Страница 724: ...system view Enter Ethernet port view interface interface type interface number Enter the corresponding view Enter port group view port group manual port group name aggregation agg id Required Use eit...

Страница 725: ...st Required Disabled by default II Configuring fast leave processing on a port or a group of ports Follow these steps to configure fast leave processing on a port or a group of ports To do Use the com...

Страница 726: ...ending periodic MLD general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This...

Страница 727: ...port to the corresponding IPv6 multicast group An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids burstiness of MLD traffic on th...

Страница 728: ...ional 1 second by default Caution Make sure that the MLD query interval is greater than the maximum response time for MLD general queries otherwise undesired deletion of IPv6 multicast members may occ...

Страница 729: ...available to different users In an actual application when a user requests a multicast program the user s host initiates an MLD report Upon receiving this report message the switch checks the report...

Страница 730: ...ured by default namely hosts can join any IPv6 multicast group 3 6 3 Configuring Dropping Unknown IPv6 Multicast Data Unknown IPv6 multicast data refers to IPv6 multicast data for which no forwarding...

Страница 731: ...k Follow these steps to configure MLD report suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregati...

Страница 732: ...d the number configured for the switch or the port In addition in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automa...

Страница 733: ...sure to configure the maximum number of IPv6 multicast groups allowed on a port refer to Configuring Maximum Multicast Groups that that Can Be Joined on a Port before configuring IPv6 multicast group...

Страница 734: ...2 and to Switch A through Ethernet 1 0 1 Router A is the MLD querier on the subnet Perform the following configuration so that multicast data can be forwarded through Ethernet 1 0 3 and Ethernet 1 0...

Страница 735: ...et 1 0 1 through Ethernet 1 0 4 to this VLAN and enable MLD Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 to ethernet 1 0 4 SwitchA vlan100 mld snooping enable SwitchA vlan...

Страница 736: ...outer Port Configuration I Network requirements z As shown in Figure 3 4 Router A connects to an IPv6 multicast source Source through Ethernet 1 0 2 and to Switch A through Ethernet 1 0 1 z MLD is to...

Страница 737: ...C Switch B Eth1 01 E t h 1 0 2 E t h 1 0 3 E t h 1 0 1 Eth1 0 2 E t h 1 0 1 Eth1 0 2 Host C Host B Host A Receiver Receiver E t h 1 0 3 E t h 1 0 4 Eth1 0 5 Figure 3 4 Network diagram for static rout...

Страница 738: ...0 3 mld snooping static router port vlan 100 SwitchA Ethernet1 0 3 quit 4 Configure Switch B Enable MLD Snooping globally SwitchB system view SwitchB mld snooping SwitchB mld snooping quit Create VLA...

Страница 739: ...1 D 00 01 30 Eth1 0 3 S IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Attribute Host Port Host port s total 1 port Eth1 0 2 D 00 03 23 MAC group s MAC...

Страница 740: ...1 and Ethernet 1 0 2 to VLAN 100 SwitchA vlan 100 SwitchA vlan100 port ethernet 1 0 1 ethernet 1 0 2 Enable MLD Snooping in VLAN 100 and configure the MLD Snooping querier feature SwitchA vlan100 mld...

Страница 741: ...Received MLD general queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 4 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right...

Страница 742: ...st group policy is not correctly applied z Certain ports have been configured as static member ports of IPv6 multicasts groups and this configuration conflicts with the configured IPv6 multicast group...

Страница 743: ...N This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 4 1 Before and after multicast VLAN is enabled on the Layer 2 device To solve this problem you...

Страница 744: ...VLANs of the multicast VLAN must not be multicast VLANs z The VLANs to be configured as the sub VLANs of the multicast VLAN must not be sub VLANs of another multicast VLAN z The number of sub VLANs of...

Страница 745: ...required on Switch A Router A is the IGMP querier z Switch A s Ethernet 1 0 1 belongs to VLAN 1024 Ethernet 1 0 2 through Ethernet 1 0 4 belong to VLAN 11 through VLAN 13 respectively and Host A thro...

Страница 746: ...2 RouterA Ethernet1 0 2 pim dm RouterA Ethernet1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping SwitchA igmp snooping quit Create VLAN 11 and as...

Страница 747: ...Operation Manual Multicast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 4 Multicast VLAN Configuration 4 5 SwitchA display multicast vlan multicast vlan 1024 s subvlan list Vlan 11 13...

Страница 748: ...w As a TCP IP protocol responsible for IP multicast group member management the Internet Group Management Protocol IGMP is used by IP hosts to establish and maintain their multicast group memberships...

Страница 749: ...ired to determine which router will act as the IGMP querier on the subnet In IGMPv1 the designated router DR elected by a multicast routing protocol such as PIM serves as the IGMP querier Note For mor...

Страница 750: ...the G1 and G2 multicast forwarding entries exist on the IGMP router the router forwards the multicast data to the local subnet and then the receivers on the subnet receive the data As IGMPv1 does not...

Страница 751: ...One of the remaining members if any on the subnet of the group being queried should send a membership report within the maximum response time set in the query messages 4 If the querier receives a mem...

Страница 752: ...ed as S2 G Thus only multicast data from Source 1 will be delivered to Host B II Enhancements in query and report capabilities 1 Query message carrying the source addresses IGMPv3 supports not only ge...

Страница 753: ...list z BLOCK indicates that the Source Address fields in this Group Record contain a list of the sources that the system no longer wishes to hear from for packets sent to the specified multicast addr...

Страница 754: ...ing the basic functions of IGMP complete the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configure PIM DM or PIM...

Страница 755: ...llow these steps to configure an IGMP version on an interface To do Use the command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configu...

Страница 756: ...IGMP view are effective on all interfaces while configurations performed in Ethernet port view are effective on the current interface only z If the same feature is configured in both IGMP view and Et...

Страница 757: ...essages are directly passed to the upper layer protocol no matter whether the IGMP messages carry the Router Alert option or not z To enhance the device performance and avoid unnecessary costs and als...

Страница 758: ...et losses on a network Therefore a greater value of the robustness variable makes the IGMP querier more robust but results in a longer multicast group timeout time Upon receiving an IGMP query general...

Страница 759: ...default Configure the IGMP last member query interval Last member query inte rval interval Optional 1 second by default Configure the other querier present interval timer other querier present interv...

Страница 760: ...other querier present interval is greater than the IGMP query interval otherwise the IGMP querier may change frequently on the network z Make sure that the IGMP query interval is greater than the max...

Страница 761: ...g entries of static joins Caution The reset igmp group command may cause an interruption of receivers reception of multicast data 5 6 IGMP Configuration Example I Network requirements z Receivers rece...

Страница 762: ...e switches Ensure the network layer interoperation among Switch A Switch B and Switch C on the PIM network and dynamic update of routing information among the switches through a unicast routing protoc...

Страница 763: ...iguration and running status on each switch interface For example View IGMP information on VLAN interface 200 of Switch B SwitchB display igmp interface vlan interface 200 Vlan interface200 10 110 2 1...

Страница 764: ...ce is abnormal Typically this is because the shutdown command has been executed on the interface or the interface connection is incorrect or no correct IP address has been configured on the interface...

Страница 765: ...rrent configuration command to view the IGMP configuration information on the interfaces 2 Carry out the display igmp interface command on all routers on the same subnet to check the IGMP related time...

Страница 766: ...es generated by any unicast routing protocol such as routing information protocol RIP open shortest path first OSPF intermediate system to intermediate system IS IS or border gateway protocol BGP Inde...

Страница 767: ...periodically that is pruned branches resume multicast forwarding when the pruned state times out and then data is re flooded down these branches and then are pruned again z When a new receiver on a pr...

Страница 768: ...Then nodes without receivers downstream are pruned A router having no receivers downstream sends a prune message to the upstream node to tell the upstream node to delete the corresponding interface f...

Страница 769: ...s a multicast group to reduce the join latency PIM DM uses a graft mechanism to resume data forwarding to that branch The process is as follows 1 The node that needs to receive multicast data sends a...

Страница 770: ...224 0 0 13 through the interface on which the packet was received The assert message contains the following information the multicast source address S the multicast group address G and the preference...

Страница 771: ...d to a specific multicast group the router connected to this receiver sends a join message to the RP corresponding to that multicast group The path along which the message goes hop by hop to the RP fo...

Страница 772: ...messages to the RP the DR at the multicast source side sends register messages to the RP Note z A DR is elected on a multi access subnet by means of comparison of the priorities and IP addresses carri...

Страница 773: ...To lessen the RP burden and optimize the topological structure of the RPT each multicast group should have its own RP Therefore a bootstrap mechanism is needed for dynamic RP election For this purpose...

Страница 774: ...en a receiver joins a multicast group G it uses an IGMP message to inform the directly connected DR 2 Upon getting the receiver information the DR sends a join message which is hop by hop forwarded to...

Страница 775: ...gistration The purpose of multicast source registration is to inform the RP about the existence of the multicast source Figure 6 6 Multicast registration As shown in Figure 6 6 the multicast source re...

Страница 776: ...r forwarding table and thus an SPT branch is established 2 Subsequently the receiver side DR sends a prune message hop by hop to the RP Upon receiving this prune message the RP forwards it toward the...

Страница 777: ...cope region must be geographically independent of every other one as shown in Figure 6 7 Figure 6 7 Relationship between BSR admin scope regions and the global scope zone in geographic space BSR admin...

Страница 778: ...al scope zone are as follows z The global scope zone and each BSR admin scope region have their own C RPs and BSR These devices are effective only in their respective admin scope regions Namely the BS...

Страница 779: ...multicast source discovery protocol MSDP for discovering sources in other PIM domains Compared with the ASM model the SSM model only needs the support of IGMPv3 and some subsets of PIM SM The operatio...

Страница 780: ...th the source S as its root and receivers as its leaves This SPT is the transmission channel in PIM SSM z If not the PIM SM process is followed the DR needs to send a G join message to the RP and a mu...

Страница 781: ...er Before configuring PIM DM prepare the following data z The interval between state refresh messages z Minimum time to wait before receiving a new refresh message z TTL value of state refresh message...

Страница 782: ...timeout of pruned interfaces the router directly connected with the multicast source periodically sends an S G state refresh message which is forwarded hop by hop along the initial multicast flooding...

Страница 783: ...e refresh messages state refresh ttl ttl value Optional 255 by default 6 2 6 Configuring PIM DM Graft Retry Period In PIM DM graft is the only type of message that uses the acknowledgment mechanism In...

Страница 784: ...a BSR Configuring global C BSR parameters Optional Configuring a static RP Optional Configuring a C RP Optional Enabling auto RP Optional Configuring an RP Configuring C RP timers Optional Configurin...

Страница 785: ...SM enabled a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors When deploying a PIM SM domain you are recommended to enable PIM SM on all int...

Страница 786: ...as a C BSR make sure that router is PIM SM enabled The BSR election process is as follows z Initially every C BSR assumes itself to be the BSR of this PIM SM domain and uses its interface IP address a...

Страница 787: ...address range and thus this kind of attacks can be prevented The above mentioned preventive measures can partially protect the security of BSRs in a network However if a legal BSR is controlled by an...

Страница 788: ...s are elected from multitudinous C BSRs to serve different multicast groups The C RPs in a BSR admin scope region send C RP Adv messages to only the corresponding BSR The BSR summarizes the advertisem...

Страница 789: ...s throughout the network periodically Any C BSR that receives a bootstrap message maintains the BSR state for a configurable period of time BSR state timeout during which no BSR election takes place W...

Страница 790: ...er is manually configured the system will use the configured value Caution In configuration make sure that the bootstrap interval is smaller than the bootstrap timeout time 6 3 5 Configuring an RP An...

Страница 791: ...lculate the mappings between specific group ranges and the corresponding RPs based on the RP set We recommend that you configure C RPs on backbone routers To guard against C RP spoofing you need to co...

Страница 792: ...P auto rp enable Optional Disabled by default IV Configuring C RP timers To enable the BSR to distribute the RP set information within the PIM SM domain C RPs must periodically send C RP Adv messages...

Страница 793: ...n the entire register messages However to reduce the workload of encapsulating data in register messages and for the sake of interoperability this method of checksum calculation is not recommended Whe...

Страница 794: ...Optional 60 seconds by default Configure the probe time probe interval interval Optional 5 seconds by default Note Typically you need to configure the above mentioned parameters on the receiver side...

Страница 795: ...carry out these configurations on the routers that may win the DR election and on the C RPs that may win RP elections 6 4 Configuring PIM SSM Note The PIM SSM model needs the support of IGMPv3 Therefo...

Страница 796: ...routing multicast routing enable Required Disable by default Enter Ethernet port view interface interface type interface number Enable PIM SM pim sm Required Disabled by default Caution All the inter...

Страница 797: ...member of a multicast group in the SSM group range sends an IGMPv1 or IGMPv2 report message the device does not trigger a G join 6 5 Configuring PIM Common Information Note For the configuration task...

Страница 798: ...value z Prune delay global value interface level value z Prune override interval global value interface level value z Hello interval global value interface level value z Maximum delay between hello me...

Страница 799: ...er times out if the router has received no hello message from a neighbor it assumes that this neighbor has expired or become unreachable You can configure this parameter on all routers in the PIM doma...

Страница 800: ...hat the status of the upstream neighbor is lost or the upstream neighbor has changed In this case it triggers a join message for state update If you disable join suppression namely enable neighbor tra...

Страница 801: ...onfiguring PIM Common Timers PIM routers discover PIM neighbors and maintain PIM neighboring relationships with other routers by periodically sending out hello messages Upon receiving a hello message...

Страница 802: ...ime holdtime join prune interval Optional 210 seconds by default Configure the multicast source lifetime source lifetime interval Optional 210 seconds by default II Configuring PIM common timers on an...

Страница 803: ...se the command Remarks Enter system view system view Enter PIM view pim Configure the maximum size of a join prune message jp pkt size packet size Optional 8 100 bytes by default Configure the maximum...

Страница 804: ...ing table group address mask mask length mask source address mask mask length mask incoming interface interface type interface number register outgoing interface include exclude match interface type i...

Страница 805: ...t 1 0 2 V l a n i n t 1 0 3 V l a n i n t 1 0 3 Device Interface IP address Device Interface IP address Switch A Vlan int100 10 110 1 1 24 Switch D Vlan int300 10 110 5 1 24 Vlan int103 192 168 1 1 2...

Страница 806: ...and Switch C is similar to that on Switch A Enable IP multicast routing on Switch D and enable PIM DM on each interface SwitchD system view SwitchD multicast routing enable SwitchD interface vlan int...

Страница 807: ...flooding Switches on the SPT path Switch A and Switch D have their S G entries Host A registers with Switch A and a G entry is generated on Switch A You can use the display pim routing table command...

Страница 808: ...ulticast The receiver groups of different organizations form stub networks and one or more receiver hosts exist in each stub network The entire PIM domain operates in the sparse mode not divided into...

Страница 809: ...24 Figure 6 11 Network diagram for PIM SM domain configuration III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address...

Страница 810: ...BSR and a C RP Configure the service scope of RP advertisements and the positions of the C BSR and C RP on Switch E SwitchE system view SwitchE acl number 2005 SwitchE acl basic 2005 rule permit sourc...

Страница 811: ...rity 0 Hash mask length 30 State Elected Scope Not scoped Uptime 00 00 18 Next BSR message scheduled at 00 01 52 Candidate BSR Address 192 168 9 2 Priority 0 Hash mask length 30 State Pending Scope No...

Страница 812: ...PIM routing table information on Switch A SwitchA display pim routing table Total 1 G entry 1 S G entry 225 1 1 1 RP 192 168 9 2 Protocol pim sm Flag WC UpTime 00 13 46 Upstream interface Vlan interfa...

Страница 813: ...l pim sm UpTime 00 13 16 Expires 00 03 22 6 7 3 PIM SSM Configuration Example I Network requirements z Receivers receive VOD information through multicast The receiver groups of different organization...

Страница 814: ...2 2 24 Switch C Vlan int200 10 110 2 2 24 Vlan int102 192 168 9 2 24 Vlan int104 192 168 3 1 24 Vlan int105 192 168 4 1 24 Figure 6 12 Network diagram for PIM SSM configuration III Configuration proc...

Страница 815: ...is also similar to that on Switch A except that it is not necessary to enable IGMP on the corresponding interfaces on these two switches 3 Configure the SSM group range Configure the SSM group range...

Страница 816: ...100 232 1 1 1 Protocol pim ssm Flag UpTime 00 13 25 Upstream interface Vlan interface101 Upstream neighbor 192 168 1 2 RPF prime neighbor 192 168 1 2 Downstream interface s information Total number o...

Страница 817: ...nabled on the router s RPF interface to the multicast source the router cannot create S G entries z When a multicast router receives a multicast packet it searches the existing unicast routing table f...

Страница 818: ...onfigurations are correct 6 8 2 Multicast Data Abnormally Terminated on an Intermediate Router I Symptom An intermediate router can receive multicast data successfully but the data cannot reach the la...

Страница 819: ...formation Use the display pim rp info command to check whether the RP information is consistent on all routers 3 Check the configuration of static RPs Use the display pim rp info command to check whet...

Страница 820: ...RP and the BSR and whether a route is available between the RP and the BSR Make sure that each C RP has a unicast route to the BSR the BSR has a unicast route to each C RP and all the routers in the...

Страница 821: ...ulticast source information in other PIM SM domains In the basic PIM SM mode a multicast source registers only with the RP in the local PIM SM domain and the multicast source information of a domain i...

Страница 822: ...SM router MSDP peers created on PIM SM routers that assume different roles function differently 1 MSDP peers on RPs z Source side MSDP peer the MSDP peer nearest to the multicast source Source typica...

Страница 823: ...ically elected from C RPs To enhance network robustness a PIM SM network typically has more than one C RP As the RP election result is unpredictable MSDP peering relationships should be built among al...

Страница 824: ...e address S the multicast group address G and the address of the RP which has created this SA message namely RP 1 3 On MSDP peers each SA message is subject to a reverse path forwarding RPF check and...

Страница 825: ...lies on RPs in other PIM SM domains The receivers can override the RPs in other domains and directly join the multicast source based SPT III RPF check rules for SA messages As shown in Figure 7 3 ther...

Страница 826: ...SA message is from an MSDP peer RP 2 in the same AS and the MSDP peer is the next hop on the optimal path to the source side RP RP 3 accepts the message and forwards it to other peers RP 4 and RP 5 3...

Страница 827: ...MSDP peers Anycast RP refers to such an application that enables load balancing and redundancy backup between two or more RPs within a PIM SM domain by configuring the same IP address for and establis...

Страница 828: ...the SPT rooted at Source The significance of Anycast RP is as follows z Optimal RP path A multicast source registers with the nearest RP so that an SPT with the optimal path is built a receiver joins...

Страница 829: ...st Messages Optional Configuring an SA Message Filtering Rule Optional Configuring SA Messages Related Parameters Configuring SA Message Cache Optional 7 3 Configuring Basic Functions of MSDP Note All...

Страница 830: ...e local MSDP peer and that of the remote MSDP peer An MSDP peer connection must be created on both devices that are a pair of MSDP peers Follow these steps to create an MSDP peer connection To do Use...

Страница 831: ...te the following tasks z Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring an MSD...

Страница 832: ...or multiple MSDP peers you can create a mesh group with these MSDP peers Follow these steps to create an MSDP mesh group To do Use the command Remarks Enter system view system view Enter MSDP view msd...

Страница 833: ...in the domain are interoperable at the network layer z Configuring basic functions of MSDP Before configuring SA message delivery prepare the following data z ACL as a filtering rule for SA request m...

Страница 834: ...RPF check Follow these steps to configure the SA message content To do Use the command Remarks Enter system view system view Enter MSDP view msdp Enable encapsulation of a register message encap data...

Страница 835: ...on in the SA messages z By configuring a filtering rule for receiving or forwarding SA messages you can enable the router to filter the S G forwarding entries to be advertised when receiving or forwar...

Страница 836: ...s MSDP peer in the next cycle z If there is an SA message in the cache the router will obtain the information of all active sources directly from the SA message and join the corresponding SPT To prote...

Страница 837: ...peer reset msdp statistics peer address Available in user view 7 7 MSDP Configuration Examples 7 7 1 Example of Leveraging BGP Routes I Network requirements z Two ISPs maintain their ASs AS 100 and AS...

Страница 838: ...Figure 7 5 Network diagram for configuration leveraging BGP routes III Configuration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP addr...

Страница 839: ...witch C 3 Configure the position of interface Loopback 0 C BSR and C RP Configure the position of Loopback 0 C BSR and C RP on Switch C SwitchC interface loopback 0 SwitchC LoopBack0 ip address 1 1 1...

Страница 840: ...the information about BGP peering relationships on Switch C SwitchC display bgp peer BGP local router ID 1 1 1 1 Local AS number 100 Total number of peers 1 Peers in established state 1 Peer V AS Msg...

Страница 841: ...1 1 1 1 32 192 168 1 1 0 0 100 i 2 2 2 2 32 192 168 3 2 0 100 0 3 3 3 3 32 0 0 0 0 0 0 192 168 1 0 0 0 0 0 0 0 192 168 1 1 0 0 100 192 168 1 1 32 0 0 0 0 0 0 192 168 1 2 32 0 0 0 0 0 0 192 168 1 1 0...

Страница 842: ...ion about MSDP peering relationships on Switch D SwitchD display msdp brief MSDP Peer Brief Information Configured Up Listen Connect Shutdown Down 2 2 0 0 0 0 Peer s Address State Up Down time AS SA C...

Страница 843: ...outgoing SA messages 0 0 Incoming outgoing SA requests 0 0 Incoming outgoing SA responses 0 0 Incoming outgoing data packets 0 0 7 7 2 Anycast RP Configuration Example I Network requirements z The PI...

Страница 844: ...1 1 32 Loop0 2 2 2 2 32 Loop1 3 3 3 3 32 Loop1 4 4 4 4 32 Loop10 10 1 1 1 32 Loop10 10 1 1 1 32 Figure 7 6 Network diagram for anycast RP configuration III Configuration procedure 1 Configure the int...

Страница 845: ...ce loopback 10 SwitchC LoopBack10 ip address 10 1 1 1 255 255 255 255 SwitchC LoopBack10 pim sm SwitchC LoopBack10 quit SwitchC pim SwitchC pim c bsr loopback 1 SwitchC pim c rp loopback 10 SwitchC pi...

Страница 846: ...Vlan interface200 Protocol pim sm UpTime 00 03 32 Expires 4 Configure Loopback 0 and MSDP peers Configure an MSDP peer on Loopback 0 of Switch C SwitchC interface loopback 0 SwitchC LoopBack0 ip addre...

Страница 847: ...ASs AS 100 and AS 200 respectively OSPF is running within each AS and BGP is running between the two ASs z PIM SM 1 belongs to AS 100 while PIM SM 2 and PIM SM 3 belong to AS 200 z Each PIM SM domain...

Страница 848: ...nfiguration procedure 1 Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 7 7 Detailed configu...

Страница 849: ...ch D and Switch F is similar to the configuration on Switch C 3 Configure the position of interface Loopback 0 C BSR and C RP Configure the position of Loopback 0 C BSR and C RP on Switch C SwitchC ro...

Страница 850: ...relationships between the switches If the command gives no output information a BGP peering relationship has not been established between the switches When the multicast source S1 sends multicast inf...

Страница 851: ...er address configured on the router z If no route is available between the MSDP peers the TCP connection setup will also fail III Solution 1 Check that a route is available between the routers Carry o...

Страница 852: ...tries with one another in the Anycast RP application II Analysis z In the Anycast RP application RPs in the same PIM SM domain are configured to be MSDP peers to achieve load balancing among the RPs z...

Страница 853: ...Operation Manual Multicast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 7 MSDP Configuration 7 33 4 Verify that the C BSR address is different from the anycast RP address...

Страница 854: ...ticast Routing and Forwarding In multicast implementations multicast routing and forwarding are implemented by three types of tables z Each multicast routing protocol has its own multicast routing tab...

Страница 855: ...existing S G entry this means that the S G entry is correct but the packet arrived from a wrong path The packet is to be discarded z If the result of the RPF check shows that the RPF interface is not...

Страница 856: ...the RPF interface and the RPF neighbor 2 Then the router selects one from these two optimal routes as the RPF route The selection is as follows z If configured to use the longest match principle the...

Страница 857: ...et actually arrived The RPF check succeeds and the packet is forwarded 8 1 3 Multicast Static Routes If the topology structure of a multicast network is the same as that of a unicast network receivers...

Страница 858: ...h B and then to Switch C 8 1 4 Multicast Traceroute The multicast traceroute utility is used to trace the path that a multicast stream flows down from the multicast source to the last hop router I Con...

Страница 859: ...te a response packet and then sends the completed packet via unicast to the multicast traceroute querier 8 2 Configuration Task List Complete these tasks to configure multicast routing and forwarding...

Страница 860: ...ry addresses even if configured on interfaces For details about primary and secondary IP addresses refer to IP Addressing and Performance Configuration 8 3 3 Configuring Multicast Static Routes Based...

Страница 861: ...ing an interface by means of the interface type interface number command argument combination if the interface type of that router is Loopback or VLAN interface instead you can designate an RPF neighb...

Страница 862: ...orward multicast packets including packets sent from the local device or receive multicast packets Follow these steps to configure a multicast forwarding range To do Use the command Remarks Enter syst...

Страница 863: ...rding table size To do Use the command Remarks Enter system view system view Configure the maximum number of downstream nodes for a single route in the multicast forwarding table multicast forwarding...

Страница 864: ...ss mask mask mask length group address mask mask mask length incoming interface interface type interface number register outgoing interface exclude include match interface type interface number regist...

Страница 865: ...st forwarding table z When a forwarding entry is deleted from the multicast forwarding table the corresponding route entry will also be deleted from the multicast routing table 8 5 Configuration Examp...

Страница 866: ...and subnet mask for each interface as per Figure 8 3 The detailed configuration steps are omitted here Enable OSPF on Switch A Switch B and Switch C Ensure the network layer interoperation among the s...

Страница 867: ...RPF information about source 10 110 5 100 RPF interface Vlan interface100 RPF neighbor 10 110 1 1 Referenced route mask 10 110 5 0 24 Referenced route type igp Route selection rule preference preferre...

Страница 868: ...specify the next hop address to configure the outgoing interface when you configure the multicast static route 4 Check that the multicast static route matches the specified routing protocol If a proto...

Страница 869: ...cast Protocol H3C S3610 S5510 Series Ethernet Switches Chapter 8 Multicast Routing and Forwarding Configuration 8 16 3 In the case of PIM SM use the display current configuration command to check the...

Страница 870: ...g a Guest VLAN 1 17 1 3 1 Configuration Prerequisites 1 17 1 3 2 Configuration Procedure 1 17 1 4 Displaying and Maintaining 802 1x 1 18 1 5 802 1x Configuration Example 1 18 1 6 Guest VLAN Configurat...

Страница 871: ...4 2 1 MAC Authentication Timers 4 2 4 2 2 Quiet MAC Address 4 2 4 2 3 VLAN Assigning 4 3 4 2 4 ACL Assigning 4 3 4 3 Configuring MAC Authentication 4 3 4 3 1 Configuration Prerequisites 4 3 4 3 2 Conf...

Страница 872: ...et as a common port access control mechanism As a port based network access control protocol 802 1x authenticates and controls accessing devices at the level of port A device connected to an 802 1x en...

Страница 873: ...a Remote Authentication Dial in User Service RADIUS server maintains user information like username password VLAN that the user belongs to committed access rate CAR parameters priority and ACLs The ab...

Страница 874: ...st the traffic from the supplicant Note Currently the devices support only denying the traffic from the supplicant 1 1 2 Operation of 802 1x The 802 1x authentication system employs the Extensible Aut...

Страница 875: ...akes the value 0x888E z Protocol version Version of the EAPOL protocol supported by the EAPOL frame sender z Type Type of the EAPOL frame Table 1 1 shows the defined types of EAPOL frames Table 1 1 Ty...

Страница 876: ...eld II EAP Packet Format An EAPOL frame of the type of EAP Packet carries an EAP packet in its Packet body field The format of the EAP packet is shown in Figure 1 4 Figure 1 4 EAP packet format z Code...

Страница 877: ...bytes it can be fragmented and encapsulated into multiple EAP Message attributes Figure 1 6 Encapsulation format of the EAP Message attribute II Message Authenticator Figure 1 7 shows the encapsulatio...

Страница 878: ...urity and PEAP Protected Extensible Authentication Protocol z EAP MD5 EAP MD5 authenticates the identity of a supplicant The RADIUS server sends an MD5 challenge through an EAP Request MD5 Challenge p...

Страница 879: ...me and password the 802 1x client software generates an EAPOL Start frame and sends it to the authenticator to initiate an authentication process 2 Upon receiving the EAPOL Start frame the authenticat...

Страница 880: ...o grant the access request of the supplicant After the supplicant gets online the authenticator periodically sends handshake requests to the supplicant to check whether the supplicant is still online...

Страница 881: ...mode Different from the authentication process in EAP relay mode it is the authenticator that generates the random challenge for encrypting the user password information in EAP termination authenticat...

Страница 882: ...e from the server it retransmits the request z Handshake timer handshake period After a supplicant passes authentication the authenticator sends to the supplicant handshake requests at this interval t...

Страница 883: ...the message The device depending on the link type of the port used to log in adds the port to the assigned VLAN according to the following rules z If the port link type is Access the port leaves its...

Страница 884: ...way as described in VLAN assigning When a supplicant added into the guest VLAN initiates another authentication process if the authentication is not successful the supplicant stays in the guest VLAN...

Страница 885: ...t to lan access For detailed configuration of the RADIUS client refer to AAA RADIUS HWTACACS Configuration 1 2 2 Configuring 802 1x Globally Follow these steps to configure 802 1x globally To do Use t...

Страница 886: ...xies globally dot1x supp proxy check logoff trap interface interface list Optional Disabled by default Note that z For 802 1x to take effect on a port you must enable it both globally in system view a...

Страница 887: ...e the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the port access control mode for the port dot1x port control authorized...

Страница 888: ...of RADIUS packets and sends the packets to the RADIUS server for authentication In this case you can configure the user name format command but it does not take effect For information about the user n...

Страница 889: ...from a user side device include VLAN tags and 802 1x and guest VLAN are enabled on the access port you are recommended to configure different VLAN IDs for the Voice VLAN the default port VLAN and the...

Страница 890: ...rver and to send real time accounting packets to the accounting server every 15 minutes z Specify the switch to remove the domain name from the username before passing the username to the RADIUS serve...

Страница 891: ...r the device to exchange packets with the authentication server Sysname radius radius1 key authentication name Specify the shared key for the device to exchange packets with the accounting server Sysn...

Страница 892: ...ame interface Ethernet 1 0 1 Sysname Ethernet1 0 1 dot1x Sysname Ethernet1 0 1 quit Set the port access control method Optional The default answers the requirement Sysname dot1x port method macbased i...

Страница 893: ...AC Authentication H3C S3610 S5510 Series Ethernet Switches Chapter 1 802 1x Configuration 1 22 II Network diagrams Figure 1 11 Network diagram for guest VLAN configuration Figure 1 12 Network diagram...

Страница 894: ...ey authentication abc Sysname radius 2000 key accounting abc Sysname radius 2000 user name format without domain Sysname radius 2000 quit Configure domain system and specify to use RADIUS scheme 2000...

Страница 895: ...vlan 10 command in the following cases to verify whether the configured guest VLAN functions z When no users log in z When a user fails the authentication z When a user goes offline 1 7 ACL Assigning...

Страница 896: ...sp 2000 authentication default radius scheme 2000 Sysname isp 2000 authorization default radius scheme 2000 Sysname isp 2000 accounting default radius scheme 2000 Sysname isp 2000 quit Configure ACL 3...

Страница 897: ...Operation Manual 802 1x HABP MAC Authentication H3C S3610 S5510 Series Ethernet Switches Chapter 1 802 1x Configuration 1 26...

Страница 898: ...nctions to implement fast deployment of EAD scheme To support the fast deployment of EAD schemes 802 1x provides the following two mechanisms 1 Limit on accessible network resources Before successful...

Страница 899: ...onfigured by default Note z Currently MAC authentication and port security cannot work together with EAD fast deployment Once MAC authentication or port security is enabled globally the EAD fast deplo...

Страница 900: ...t When there are a large number of users you can shorten the timeout time to improve the ACL usage efficiency Follow these steps to set the EAD rule timeout time To do Use the command Remarks Enter sy...

Страница 901: ...rt EAD fast deployment Configure the IP addresses of the interfaces omitted Configure the free IP Sysname system view Sysname dot1x free ip 192 168 1 0 24 Configure the redirect URL for client softwar...

Страница 902: ...ser the user is not redirected to the specified URL Analysis z The address is in the string format In this case the operating system of the host regards the string a website name and tries to have it...

Страница 903: ...and MAC authentication allowing communication among switches HABP is built on the client server model Typically the HABP server sends HABP requests to the client periodically to collect the MAC addre...

Страница 904: ...BP to work in client mode on a device connected to the administrative device Since HABP is enabled and works in client mode by default this configuration task is optional Follow these steps to configu...

Страница 905: ...ion Dial In User Service RADIUS based MAC authentication z Local MAC authentication For detailed information about RADIUS authentication and local authentication refer to AAA RADIUS HWTACACS Configura...

Страница 906: ...ers 4 2 Related Concepts 4 2 1 MAC Authentication Timers The following timers function in the process of MAC authentication z Offline detect timer At this interval the device checks to see whether an...

Страница 907: ...the user can access those restricted network resources 4 2 4 ACL Assigning ACLs assigned by an authorization server are referred to as authorization ACLs which are designed to control access to netwo...

Страница 908: ...Enter system view system view Enable MAC authentication globally mac authentication Required Disabled by default mac authentication interface interface list Enable MAC authentication for specified por...

Страница 909: ...MAC authentication enabled port into an aggregation group nor enable MAC authentication on a port added into an aggregation group 4 4 Displaying and Maintaining MAC Authentication To do Use the comman...

Страница 910: ...r aaa quit Configure ISP domain aabbcc net and specify to perform local authentication Device domain aabbcc net Device isp aabbcc net authentication lan access local Device isp aabbcc net quit Enable...

Страница 911: ...cess 1 failed 0 Current online user number is 1 MAC ADDR Authenticate state AuthIndex 00e0 fc12 3456 MAC_AUTHENTICATOR_SUCCESS 29 4 5 2 RADIUS Based MAC Authentication Configuration Example I Network...

Страница 912: ...eme 2000 Device isp 2000 quit Enable MAC authentication globally Device mac authentication Enable MAC authentication for port Ethernet 1 0 1 Device mac authentication interface ethernet 1 0 1 Specify...

Страница 913: ...AC authentication to access the Internet z Configure the RADIUS server to assign ACL 3000 z Enable MAC authentication on port Ethernet 1 0 1 of the switch and configure ACL 3000 After the host passes...

Страница 914: ...CL 3000 to deny packets destined for 10 0 0 1 Sysname acl number 3000 Sysname acl adv 3000 rule 0 deny ip destination 10 0 0 1 0 Sysname acl adv 3000 quit Enable MAC authentication globally Sysname ma...

Страница 915: ...Authentication Authorization Servers 1 23 1 4 3 Configuring the RADIUS Accounting Servers and Relevant Parameters 1 24 1 4 4 Setting the Shared Key for RADIUS Packets 1 26 1 4 5 Setting the Maximum Nu...

Страница 916: ...aying and Maintaining RADIUS 1 39 1 6 3 Displaying and Maintaining HWTACACS 1 40 1 7 AAA RADIUS HWTACACS Configuration Examples 1 40 1 7 1 AAA for Telnet Users by a HWTACACS Server 1 40 1 7 2 AAA for...

Страница 917: ...section covers these topics z Introduction to AAA z Introduction to ISP Domain z Introduction to RADIUS z Introduction to HWTACACS 1 1 1 Introduction to AAA Authentication Authorization and Accounting...

Страница 918: ...after RADIUS authentication is successful The authorization information is carried in the RADIUS authentication response z HWTACACS authorization Users are authorized using a HWTACACS server III Acco...

Страница 919: ...d remote user access are required For example it is often used for managing a large number of geographically dispersed dial in users that use Modems The RADIUS service involves three components z Prot...

Страница 920: ...as PPP based PAP and CHAP II Basic message exchange process of RADIUS Information exchanged between the RADIUS client and the RADIUS server is authenticated through a shared key for security The RADIU...

Страница 921: ...ue of Status Type being start 5 The RADIUS server returns a start accounting response Accounting Response 6 The subscriber accesses the network resources 7 The RADIUS client sends a stop accounting re...

Страница 922: ...e accounting 5 Accounting Response From the server to the client The server sends to the client a packet of this type to notify that it has received the Accounting Request and has correctly recorded t...

Страница 923: ...d IP Address 30 Called Station Id 9 Framed IP Netmask 31 Calling Station Id 10 Framed Routing 32 NAS Identifier 11 Filter ID 33 Proxy State 12 Framed MTU 34 Login LAT Service 13 Framed Compression 35...

Страница 924: ...ferences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP Encrypts the entire packet except for the HWTACACS header Encrypts only the password...

Страница 925: ...ation 1 9 Figure 1 5 Network diagram for a typical HWTACACS application II Basic message exchange process of HWTACACS The following takes Telnet user as an example to describe how HWTACACS performs us...

Страница 926: ...to the HWTACACS server 2 The HWTACACS server sends back an authentication response requesting for the username Upon receiving the request the HWTACACS client asks the user for the username 3 After re...

Страница 927: ...rver 11 The HWTACACS server sends back an accounting response indicating that it has received the start accounting request 12 When the user logs off the HWTACACS client sends a stop accounting request...

Страница 928: ...garding RADIUS Servers Optional Configuring RADIUS Accounting on Optional Configuring an IP Address for the Security Policy Server Optional Enabling the Listening Port of the RADIUS Client Optional II...

Страница 929: ...mplement authentication authorization and accounting For HWTACACS scheme configuration refer to Configuring HWTACACS 1 3 2 Creating an ISP Domain For the NAS each accessing user belongs to an ISP doma...

Страница 930: ...ion function and specify the URL of the self service server for changing user password self service url disable enable url string Optional Disabled by default Note A self service RADIUS server for exa...

Страница 931: ...cess modes or service types Follow these steps to configure an AAA authentication scheme for an ISP domain To do Use the command Remarks Enter system view system view Create an ISP domain and enter IS...

Страница 932: ...he same level as authentication and accounting Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to users authorized Auth...

Страница 933: ...local none radius scheme radius scheme name local Optional local by default Specify the authorization scheme for command line users authorization command hwtacacs scheme hwtacacs scheme name Optional...

Страница 934: ...with the authorization response message therefore you cannot specify a separate RADIUS server If you use RADIUS for authorization and authentication you must use the same scheme setting for authorizat...

Страница 935: ...login hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local Optional The default accounting scheme is used by default Note z With the accounting optional comman...

Страница 936: ...user is configured by default Configure a password for the local user password cipher simple password Required Place the local user to the state of active or blocked state active block Optional When c...

Страница 937: ...et attributes for a LAN access user attribute access limit max user number idle cut minute ip ip address location port slot number subslot number port number mac mac address vlan vlan id Optional If t...

Страница 938: ...the level of the commands that a user can use after logging in depends on the priority of the user or the priority of user interface level as with other authentication methods For an SSH user using R...

Страница 939: ...s In another words the attributes of a RADIUS scheme mainly include IP addresses of primary and secondary servers shared key and RADIUS server type Actually the RADIUS protocol configurations only set...

Страница 940: ...r Optional The defaults are as follows 0 0 0 0 for the IP address and 1812 for the port Note z In practice you may specify two RADIUS servers as the primary and secondary authentication authorization...

Страница 941: ...ddress and UDP port of the secondary RADIUS accounting server secondary accounting ip address port number Optional The defaults are as follows 0 0 0 0 for the IP address and 1813 for the port Enable t...

Страница 942: ...ser when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request z The IP addresses of the primary and seconda...

Страница 943: ...iew Create a RADIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Set the number of retransmission attempts of RADIUS packets retry retry times O...

Страница 944: ...primary server fails the primary server turns into the state of block and the device turns to the secondary server In this case z If the secondary server is available the device triggers the primary...

Страница 945: ...rver to the active state so that the secondary server can perform authentication If the secondary server is still in the blocked state the primary secondary switchover cannot take place z If one serve...

Страница 946: ...to a RADIUS server z If a RADIUS scheme defines that the username is sent without the ISP domain name do not apply the RADIUS scheme to more than one ISP domain thus avoiding the confused situation wh...

Страница 947: ...y default Set the quiet timer for the primary server timer quiet minutes Optional 5 minutes by default Set the real time accounting interval timer realtime accounting minutes Optional 12 minutes by de...

Страница 948: ...ired Disabled by default Set the number of accounting on packet retransmission attempts accounting on enable send send times Optional 5 times by default Set the retransmission interval of accounting o...

Страница 949: ...w these steps to enable the listening port of the RADIUS client To do Use the command Remarks Enter system view system view Enable the listening port of the RADIUS client radius client enable Optional...

Страница 950: ...IP address and 49 for the TCP port Configure the IP address and port of the secondary HWTACACS authentication server secondary authentication ip address port number Required The defaults are as follo...

Страница 951: ...ote z The IP addresses of the primary and secondary authorization servers cannot be the same Otherwise the configuration fails z You can remove an authorization server only when no active TCP connecti...

Страница 952: ...cannot be the same Otherwise the configuration fails z You can remove an accounting server only when no active TCP connection for sending accounting packets is using it z Currently HWTACACS does not s...

Страница 953: ...ACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the format of the username to be sent to a HWTACACS server user name format with domain without domain Op...

Страница 954: ...stem view Create a HWTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Set the TACACS server response timeout timer timer response timeo...

Страница 955: ...Display information about specified or all local users display local user domain isp name idle cut disable enable service type ftp lan access ssh telnet terminal state active block user name user nam...

Страница 956: ...server name statistics Available in any view Display information about buffered stop accounting requests that get no responses display stop accounting buffer hwtacacs scheme hwtacacs scheme name Avail...

Страница 957: ...resses of various interfaces omitted Enable the Telnet server on the switch Switch system view Switch telnet server enable Configure the switch to use AAA for Telnet users Switch user interface vty 0...

Страница 958: ...s shown in Figure 1 8 configure the switch to provide local authentication HWTACACS authorization and RADIUS accounting services to Telnet users The user name and the password for Telnet users are bot...

Страница 959: ...hentication mode scheme Switch ui vty0 4 quit Configure the HWTACACS scheme Switch hwtacacs scheme hwtac Switch hwtacacs hwtac primary authorization 10 1 1 2 49 Switch hwtacacs hwtac key authorization...

Страница 960: ...and the RADIUS server 2 The username is not in the format of userid isp name or no default ISP domain is specified for the NAS 3 The user is not configured on the RADIUS server 4 The password of the...

Страница 961: ...henticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization server and the accounting s...

Страница 962: ...s 1 5 1 2 4 Enabling the ARP Entry Check 1 5 1 2 5 ARP Configuration Example 1 6 1 3 Configuring Gratuitous ARP 1 6 1 3 1 Introduction to Gratuitous ARP 1 6 1 3 2 Configuring Gratuitous ARP 1 7 1 4 Co...

Страница 963: ...address of a host at the network layer To send a network layer packet to a destination host the device must know the data link layer address such as the MAC address of the destination host To this end...

Страница 964: ...is being sent to 1 1 3 ARP Address Resolution Process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B as show in Figure 1 2 The resolution process is as...

Страница 965: ...able contains ARP entries which fall into two categories dynamic and static 1 A dynamic entry is automatically created and maintained by ARP It can get aged be updated by a new ARP packet or be overwr...

Страница 966: ...deleted and if non permanent and resolved will become unresolved Follow these steps to configure a static ARP entry To do Use the command Remarks Enter system view system view Configure a permanent st...

Страница 967: ...them from the ARP mapping table You can adjust the aging time for dynamic ARP entries according to the actual network condition Follow these steps to set aging time for dynamic ARP entries To do Use t...

Страница 968: ...t 1 0 10 of VLAN 10 II Configuration procedure Sysname system view Sysname arp check enable Sysname arp timer aging 10 Sysname vlan 10 Sysname vlan10 port Ethernet 1 0 10 Sysname vlan10 quit Sysname i...

Страница 969: ...gratuitous arp learning enable Required Disabled by default 1 4 Configuring ARP Source Suppression 1 4 1 Introduction to ARP Source Suppression If a host attacks the device on a network by sending lar...

Страница 970: ...play arp all dynamic static vlan vlan id interface interface type interface number verbose begin exclude include text count Available in any view Display the ARP entries for a specified IP address dis...

Страница 971: ...lements Layer 3 communication between VLAN interfaces isolated at Layer 2 or located on different networks In one of the following cases you need to enable the local proxy ARP z Devices connected to d...

Страница 972: ...face vlan id Available in any view 2 4 Proxy ARP Configuration Examples 2 4 1 Proxy ARP Configuration Example I Network requirements Host A and Host D have IP addresses of the same network segment Hos...

Страница 973: ...168 20 99 255 255 255 0 Switch Vlan interface2 proxy arp enable Switch Vlan interface2 quit 2 4 2 Local Proxy ARP Configuration Example in Case of Port Isolation I Network requirements z Host A and Ho...

Страница 974: ...3 quit Configure an IP address of VLAN interface 2 Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 10 100 255 255 0 0 Ping Host B on Host A to verify that the two hosts ca...

Страница 975: ...Server on an Interface 2 4 2 5 Configuring an Address Pool for the DHCP Server 2 5 2 5 1 Configuration Task List 2 5 2 5 2 Creating a DHCP Address Pool 2 5 2 5 3 Configuring an Address Allocation Mod...

Страница 976: ...iguration 3 9 3 5 DHCP Relay Agent Configuration Example 3 10 3 6 Troubleshooting DHCP Relay Agent Configuration 3 11 Chapter 4 DHCP Client Configuration 4 1 4 1 Introduction to DHCP Client 4 1 4 2 En...

Страница 977: ...Operation Manual DHCP H3C S3610 S5510 Series Ethernet Switches Table of Contents iii 6 4 BOOTP Client Configuration Example 6 3...

Страница 978: ...while with the wide application of wireless networks the frequent movement of laptops across networks requires that the IP addresses be changed accordingly Therefore related configurations on hosts be...

Страница 979: ...assigned address to the client z Automatic allocation DHCP assigns a permanent IP address to a client z Dynamic allocation DHCP assigns an IP address to a client for a limited period of time which is...

Страница 980: ...IP addresses offered by other DHCP servers are assignable to other clients 1 2 3 IP Address Lease Extension The IP address dynamically allocated by a DHCP server to a client has a lease After the leas...

Страница 981: ...he BROADCAST B flag If this flag is set to 0 the DHCP server sent a reply back by unicast if this flag is set to 1 the DHCP server sent a reply back by broadcast The remaining bits of the flags field...

Страница 982: ...n It specifies the DNS server IP address to be assigned to the client z Option 51 IP address lease option z Option 53 DHCP message type option It identifies the type of the DHCP message z Option 55 Pa...

Страница 983: ...padding formats vary with vendors Currently the device supports two padding formats normal and verbose 1 Normal padding format The padding contents for sub options in the normal padding format are z s...

Страница 984: ...t an IP address along with specified voice parameters from the DHCP server Option 184 involves the following sub options z Sub option 1 IP address of the primary network calling processor which is a s...

Страница 985: ...apter 1 DHCP Overview 1 8 1 5 Protocols and Standards z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the B...

Страница 986: ...tion Examples z Troubleshooting DHCP Server Configuration Note z The DHCP server configuration is supported only on VLAN interfaces and loopback interfaces The secondary IP address pool configuration...

Страница 987: ...ild has no such configuration or z Overridden if the lower level child has such configuration Note The IP address lease does not enjoy the inheritance attribute II Principles for selecting an address...

Страница 988: ...of the DHCP server resides to avoid wrong IP address allocation 2 1 3 IP Address Allocation Sequence A DHCP server assigns an IP address to a client according to the following sequence 1 The IP addres...

Страница 989: ...he subaddress keyword is valid only when the server and client are on the same subnet If a DHCP relay agent exists in between regardless of subaddress the DHCP server will select an IP address from th...

Страница 990: ...n Name Suffix for the Client Configuring DNS Servers for the Client Configuring WINS Servers and NetBIOS Node Type for the Client Configuring the BIMS Server Information for the Client Configuring Gat...

Страница 991: ...en the client with the MAC address or ID requests an IP address the DHCP server will find the IP address from the binding for the client A DHCP address pool now supports only one static binding which...

Страница 992: ...st be identical to the ID displayed by using the display dhcp client verbose command on the client Otherwise the client cannot obtain an IP address II Configuring dynamic address allocation You need t...

Страница 993: ...ess pool on the DHCP server to provide the clients with the domain name suffix With this suffix assigned the client needs only input part of a domain name and the system will add the domain name suffi...

Страница 994: ...node The b node client sends the destination name in a broadcast message The destination returns its IP address to the client after receiving the message z p peer to peer node The p node client sends...

Страница 995: ...ure the BIMS server IP address port number and shared key in the DHCP address pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool nam...

Страница 996: ...then can initiate a call using parameters in Option 184 Follow these steps to configure option 184 parameters in the DHCP address pool To do Use the command Remarks Enter system view system view Enter...

Страница 997: ...ration file To implement auto configuration you need to specify the IP address and name of a TFTP server and the bootfile name in the DHCP address pool on the DHCP server but you do not need to perfor...

Страница 998: ...ess pool To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure a self defined DHCP option option code ascii ascii string hex...

Страница 999: ...the DHCP address pool 2 6 2 Enabling Unauthorized DHCP Server Detection There are unauthorized DHCP servers on networks which reply DHCP clients with wrong IP addresses With this feature enabled when...

Страница 1000: ...tion To do Use the command Remarks Enter system view system view Specify the number of ping packets dhcp server ping packets number Optional One ping packet by default The value 0 indicates that no pi...

Страница 1001: ...Support Option 82 for related configuration details 2 8 Displaying and Maintaining the DHCP Server To do Use the command Remarks Display information about IP address conflicts display dhcp server conf...

Страница 1002: ...9 DHCP Server Configuration Examples DHCP networking involves two types z The DHCP server and client are on the same subnet and exchange messages directly z The DHCP server and client are not on the...

Страница 1003: ...ace 1 should be less than 122 and that of clients connected to VLAN interface 2 less than 124 II Network diagram Figure 2 1 DHCP network diagram III Configuration procedure Specify IP addresses for VL...

Страница 1004: ...55 128 SwitchA dhcp pool 2 expired day 5 SwitchA dhcp pool 2 gateway list 10 1 1 254 2 10 Troubleshooting DHCP Server Configuration I Symptom A client s IP address obtained from the DHCP server confli...

Страница 1005: ...figuration is supported only VLAN interfaces z DHCP Snooping must be disabled on the DHCP relay agent 3 1 Introduction to DHCP Relay Agent 3 1 1 Application Environment Since DHCP clients request IP a...

Страница 1006: ...ocation Process The following describes the forwarding process on the DHCP relay agent Figure 3 2 DHCP relay agent work process As shown in the figure above the DHCP relay agent works as follows 1 Aft...

Страница 1007: ...at The DHCP relay agent will Drop Random Drop the message Keep Random Forward the message without changing Option 82 normal Forward the message after replacing the original Option 82 with the Option 8...

Страница 1008: ...se the command Remarks Enter system view system view Enter interface view Interface interface type interface number Enable the DHCP relay agent on the current interface dhcp select relay Required With...

Страница 1009: ...servers and those of relay agent s interfaces cannot be on the same subnet Otherwise the client cannot obtain an IP address z A DHCP server group can correlate with one or multiple DHCP relay agent in...

Страница 1010: ...can manually configure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses For avoidance of invalid IP address configuration you can configur...

Страница 1011: ...ent uses the IP address of a client and the MAC address of the DHCP relay interface to regularly send a DHCP REQUEST message to the DHCP server z If the server returns a DHCP ACK message or does not r...

Страница 1012: ...fter the recorded information of a DHCP server is cleared a new record will be put for the DHCP server 3 3 6 Configuring the DHCP Relay Agent to Support Option 82 I Prerequisites You need to complete...

Страница 1013: ...n 82 is padded with the device name sysname of a node the device name must contain no spaces Otherwise the DHCP relay agent will drop the message 3 4 Displaying and Maintaining DHCP Relay Agent Config...

Страница 1014: ...lients reside The IP address of VLAN interface 1 is 10 10 1 1 24 and IP address of VLAN interface 2 is 10 1 1 2 24 that communicates with the DHCP server 10 1 1 1 24 As shown in the figure below Switc...

Страница 1015: ...t subnets routes in between must be reachable 3 6 Troubleshooting DHCP Relay Agent Configuration I Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent II Analysis...

Страница 1016: ...to obtain an IP address 4 1 Introduction to DHCP Client With the DHCP client enabled on an interface the interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP...

Страница 1017: ...n will overwrite the previous configuration z After the DHCP client is enabled on an interface no secondary IP address is configurable for the interface z If the IP address assigned by the DHCP server...

Страница 1018: ...address II Network diagram See Figure 2 1 III Configuration procedure The following is the configuration on Switch B shown in Figure 2 1 Enable the DHCP client on VLAN interface 1 SwitchB system view...

Страница 1019: ...een the DHCP client and relay agent or between the DHCP client and server z The DHCP Snooping enabled device cannot be a DHCP server or DHCP relay agent z You are not recommended to enable the DHCP cl...

Страница 1020: ...rator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agent option Option 82 If DHCP snooping supports Option 82 it will handle a cl...

Страница 1021: ...iew interface interface type interface number Specify the port as trusted dhcp snooping trust Required Untrusted by default Note z You need to specify the ports connected to the valid DHCP servers as...

Страница 1022: ...me user defined node identifier Optional normal by default Note z To support Option 82 it is required to perform related configuration on both the DHCP server and the device enabled with DHCP Snooping...

Страница 1023: ...dress bindings in DHCP REQUEST messages and DHCP ACK messages received from trusted ports z Switch B supports Option 82 After receiving a DHCP request from the client Switch B adds Option 82 padded in...

Страница 1024: ...82 on Ethernet 1 0 2 SwitchB Ethernet1 0 2 dhcp snooping information format verbose node identifier sysname SwitchB Ethernet1 0 2 quit Configure DHCP Snooping to support Option 82 on Ethernet 1 0 3 Sw...

Страница 1025: ...his section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards 6 1 1 BOOTP Application After you specify an interface of a device as a BOOTP client...

Страница 1026: ...receives the request and searches the configuration file for the corresponding IP address according to the MAC address of the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP...

Страница 1027: ...w 6 4 BOOTP Client Configuration Example I Network requirement Switch B s port belonging to VLAN 1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP II...

Страница 1028: ...dure 2 1 2 1 2 Configuration Examples 2 2 2 2 Configuring a Basic IPv4 ACL 2 3 2 2 1 Configuration Prerequisites 2 3 2 2 2 Configuration Procedure 2 3 2 2 3 Configuration Examples 2 4 2 3 Configuring...

Страница 1029: ...ples 3 3 3 3 Configuring an Advanced IPv6 ACL 3 3 3 3 1 Configuration Prerequisites 3 3 3 3 2 Configuration Procedure 3 3 3 3 3 Configuration Examples 3 5 3 4 Copying an IPv6 ACL 3 5 3 4 1 Configurati...

Страница 1030: ...llegal users from accessing networks and to control network traffic and save network resources Access control lists ACL are often used to filter packets with configured matching rules ACLs are sets of...

Страница 1031: ...ers the device denies all packets that do not match the ACL 1 2 IPv4 ACL This section covers these topics z IPv4 ACL Classification z IPv4 ACL Naming z IPv4 ACL Match Order z IP Fragments Filtering wi...

Страница 1032: ...order in which they are configured z auto where depth first match is performed The term depth first match has different meanings for different types of ACLs I Depth first match for a basic IPv4 ACL T...

Страница 1033: ...ows how your device performs depth first match in an Ethernet frame header ACL 1 Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the sourc...

Страница 1034: ...other Layer 3 or Layer 4 protocol header fields Advanced ACLs are numbered 3000 through 3999 1 3 2 IPv6 ACL Naming When creating an IPv6 ACL you can specify a unique name for it Afterwards you can ide...

Страница 1035: ...with the protocol carried on IPv6 specified prior to other rules 2 If two rules are present with the same protocol range look at source IPv6 address wildcard in addition Then compare packets against t...

Страница 1036: ...takes effect only in specified time ranges Only after a time range is configured and the system time is within the time range can an ACL rule take effect Two types of time ranges are available z Peri...

Страница 1037: ...mber 31 2004 23 59 you may use the time range test 12 00 to 14 00 wednesday from 00 00 01 01 2004 to 23 59 12 31 2004 command z You may create individual time ranges identified with the same name They...

Страница 1038: ...view system view Create and enter basic IPv4 ACL view acl number acl number name acl name match order auto config Required The default match order is config If you specify a name for an IPv4 ACL when...

Страница 1039: ...ed in an ACL If the match order for this ACL is auto rules are displayed in the depth first match order rather than by rule number Caution z You can modify the match order of an IPv4 ACL with the acl...

Страница 1040: ...v4 ACL To do Use the command Remarks Enter system view system view Create and enter advanced IPv4 ACL view acl number acl number name acl name match order auto config Required The default match order...

Страница 1041: ...rrent highest rule ID For example if the rule numbering step is 5 and the current highest rule ID is 28 the next rule will be numbered 30 For detailed information about step refer to the step command...

Страница 1042: ...ange command first 2 4 2 Configuration Procedure Follow these steps to configure an Ethernet frame header ACL To do Use the command Remarks Enter system view system view Create and enter Ethernet fram...

Страница 1043: ...p is 5 and the current highest rule ID is 28 the next rule will be numbered 30 For detailed information about step refer to the step command z You may use the display acl command to verify rules confi...

Страница 1044: ...Prerequisites If you want to reference a time range to a rule define it with the time range command first 2 5 2 Configuration Procedure Follow these steps to configure a user defined ACL To do Use th...

Страница 1045: ...atically assign rule IDs starting with 0 and increasing in rule numbering steps of five A rule ID thus assigned is greater than the current highest rule ID For example if the current highest rule ID i...

Страница 1046: ...an existing IPv4 ACL to generate a new one of the same type acl copy source acl number name source acl name to dest acl number name dest acl name Required Caution z The source IPv4 ACL and the destin...

Страница 1047: ...sident s office 192 168 2 0 24 192 168 3 0 24 192 168 1 0 24 Figure 2 1 Network diagram for IPv4 ACL configuration 2 8 3 Configuration Procedure 1 Create a time range for office hours Create a periodi...

Страница 1048: ...match acl 3001 Switch classifier c_market quit Configure traffic behavior b_ market to deny matching packets Switch traffic behavior b_market Switch behavior b_market filter deny Switch behavior b_mar...

Страница 1049: ...uring a Basic IPv6 ACL Basic IPv6 ACLs filter packets based on source IPv6 address They are numbered in the range 2000 to 2999 3 2 1 Configuration Prerequisites If you want to reference a time range t...

Страница 1050: ...if the ACL match order is set to auto rather than config you cannot modify ACL rules z When defining ACL rules you need not assign them IDs The system can automatically assign rule IDs starting with 0...

Страница 1051: ...00 named none 2 rules ACL s step is 5 rule 0 permit source 2030 5060 9050 64 rule 5 deny source FE80 5060 8050 96 3 3 Configuring an Advanced IPv6 ACL Advanced ACLs filter packets based on the source...

Страница 1052: ...range time name Required To create multiple rules repeat this step Set a rule numbering step step step value Optional The default step is 5 Create an ACL description description text Optional By defau...

Страница 1053: ...3 Configuration Examples Create IPv6 ACL 3000 to permit the TCP packets with the source address 2030 5060 9050 64 to pass Sysname system view Sysname acl ipv6 number 3000 Sysname acl6 adv 3000 rule p...

Страница 1054: ...ame of the source IPv6 ACL 3 5 Displaying and Maintaining IPv6 ACLs To do Use the command Remarks Display information about a specified or all IPv6 ACLs display acl ipv6 acl6 number all name acl6 name...

Страница 1055: ...ackets matching IPv6 ACL 2000 Switch traffic classifier c_rd Switch classifier c_rd if match acl ipv6 2000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch t...

Страница 1056: ...address source TCP port and destination TCP port Then only the ACL rules that contain no other information items than the above ones can be applied correctly on the port for packet filtering QoS and...

Страница 1057: ...smac sport tcp flag tos Create a flow template Create an extended flow template flow template flow template name extend start offset max value length max value ipv4 offset max value length max value...

Страница 1058: ...ation MAC IP port binding selective QinQ and voice VLAN And also you are not recommended to use these functions after you apply a flow template on the port The S3610 and S5510 Series Ethernet Switches...

Страница 1059: ...cos Service 802 1p COS field 0 service vlan id Service VLAN ID field 0 sip Source IP address field in IP head 0 sipv6 Source IPv6 address field in IPv6 head 0 smac Source MAC address field in ethernet...

Страница 1060: ...eate basic flow template aaa Sysname system view Sysname flow template aaa basic customer cos smac customer vlan id Reference flow template aaa on interface Ethernet 1 0 1 Sysname interface Ethernet 1...

Страница 1061: ...template interface Interface Ethernet1 0 1 user defined flow template basic name aaa index 1 total reference counts 1 fields smac customer vlan id customer cos Interface Ethernet1 0 2 user defined flo...

Страница 1062: ...Traffic Classification 2 1 2 1 2 Priority 2 2 2 2 TP and TS Overview 2 5 2 3 Traffic Evaluation and the Token Bucket 2 5 2 3 1 Token bucket 2 5 2 3 2 Evaluating the traffic with the token bucket 2 6...

Страница 1063: ...rerequisites 5 5 5 3 2 Configuration Procedure 5 5 5 3 3 Configuration Examples 5 5 5 4 Configuring Port Priority Trust Mode 5 6 5 4 1 Configuration Prerequisites 5 6 5 4 2 Configuration Procedure 5 6...

Страница 1064: ...onfiguration Prerequisites 8 1 8 2 2 Configuration Procedure 8 2 8 3 Displaying and Maintaining VLAN Policy 8 2 8 4 VLAN Policy Configuration Examples 8 2 8 4 1 Network Requirements 8 2 8 4 2 Configur...

Страница 1065: ...ermined by the order in which packets arrive All the packets share the resources of the network Network resources available to the packets completely depend on the time they arrive This service policy...

Страница 1066: ...y need to be further improved 1 4 Occurrence and Influence of Congestion and the Countermeasures QoS issues that traditional networks face are mainly caused by congestion Congestion means reduced serv...

Страница 1067: ...it cannot solve all the problems that cause network congestion A more effective way to solve network congestion problems is to enhance the function of the network layer in traffic control and resourc...

Страница 1068: ...congestion avoidance mechanism will drop packets and regulate traffic to solve the overload of the network z TS TS is a traffic control measure to regulate the output rate of the traffic actively TS r...

Страница 1069: ...ification is generally based on the information in the packet header and rarely based on the content of the packet The classification result is unlimited in range They can be a small range specified b...

Страница 1070: ...he range of 0 to 15 z RFC2474 re defines the ToS field in the IP packet header which is called the DS field The first six bit 0 to bit 5 bits of the DS field indicate DSCP precedence in the range of 0...

Страница 1071: ...CS class This class comes from the IP ToS field and includes eight subclasses z Best Effort BE class This class is a special class without any assurance in the CS class The AF class can be degraded to...

Страница 1072: ...alue is 8100 and a 2 byte Tag Control Information TCI TPID is a new class defined by IEEE to indicate a packet with an 802 1Q tag Figure 2 3 describes the detailed contents of an 802 1Q tag header Fig...

Страница 1073: ...ow obtains only the resources committed to it within a certain period of time network congestion due to excessive burst traffic can be avoided TP and TS are traffic control policies for limiting traff...

Страница 1074: ...nd a number of tokens equivalent to the packet forwarding authority must be taken out otherwise this means too many tokens have been used the traffic is in excess of the specification 2 3 3 Complicate...

Страница 1075: ...or a non conforming packet with a new DSCP precedence value and forwarding the packet 2 3 5 TS TS is a policy used to adjust the rate of outbound traffic actively A typical TS implementation is to co...

Страница 1076: ...re queue based TS Configure TS on ports Configure TS for all traffic Configure TS on ports 2 4 1 Configuring TP TP configuration includes the following two tasks the first task is to define the charac...

Страница 1077: ...ter system view Sysname system view Enter port view Sysname interface Ethernet 1 0 1 Configure TP parameters Sysname Ethernet1 0 1 qos car inbound acl 2000 cir 1000 red discard 2 4 2 Configuring TS TS...

Страница 1078: ...w or port group view Enter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuration performed in Ethernet port view applies to the cu...

Страница 1079: ...on 2 11 2 5 Displaying TP TS To do Use the command Remarks Display the configuration and statistics about TP on a port display qos car interface interface type interface number Display the configurati...

Страница 1080: ...les You can use commands to define a series of rules to classify packets Additionally you can use commands to define the relationship among classification rules and and or z and The devices considers...

Страница 1081: ...define the class as required for the policy to be associated with car Traffic filtering Use the if match match criteria command to define the class as required for the policy to be associated with fil...

Страница 1082: ...ble forms of this argument Table 3 2 The form of the match criteria argument Form Description acl access list number Specifies an ACL to match packets The access list number argument is in the range 2...

Страница 1083: ...nt IP precedence is in the range 0 to 7 protocol protocol name Specifies to match the packets of a specified protocol The protocol name argument can be IP IPv6 or Bittorrent The S3610 and S5510 series...

Страница 1084: ...you want to define a primap behavior you need to define a priority mapping table as required Refer to Priority Mapping for more information I Configuration procedure Follow these steps to define a tra...

Страница 1085: ...erface interface type interface number next hop ipv4 add ipv4 add ipv6 add interface type interface number ipv6 add interface type interface number Remark DSCP value for packets remark dscp dscp value...

Страница 1086: ...lusive with the nest command II Configuration example 1 Network requirements Create a traffic behavior named test configuring TP action for it with the CAR being 100 kbps 2 Configuration procedure Ent...

Страница 1087: ...t port view applies to the current port only The configuration performed in port group view applies to all the ports in the port group Apply an associated policy qos apply policy policy name inbound R...

Страница 1088: ...about a class and the corresponding actions associated by a policy display qos policy user defined policy name classifier classifier name Display the information about the policies applied on a port d...

Страница 1089: ...y cause the transmitting device to retransmit the packets because the lost packets time out which causes a malicious cycle The core of congestion management is how to schedule the resources and determ...

Страница 1090: ...h are queue7 queue6 queue5 queue4 queue3 queue2 queue1 and queue0 Their priorities decrease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the prior...

Страница 1091: ...50 30 10 10 50 30 10 and 10 corresponding to w7 w6 w5 w4 w3 w2 w1 and w0 respectively In this way the queue with the lowest priority can be assured of 5 Mbps of bandwidth at least thus avoiding the di...

Страница 1092: ...p 2 The SP scheduling algorithm is adopted for WRR groups For example queue 0 queue 1 queue 2 and queue 3 are in WRR group 1 and queue 4 queue 5 queue 6 and queue 7 are in group 2 Round robin is perfo...

Страница 1093: ...1 qos wrr 1 group 1 weight 2 Sysname Ethernet1 0 1 qos wrr 2 group 1 weight 4 Sysname Ethernet1 0 1 qos wrr 3 group 1 weight 6 Sysname Ethernet1 0 1 qos wrr 4 group 1 weight 8 Sysname Ethernet1 0 1 qo...

Страница 1094: ...configuration performed in port group view applies to all the ports in the port group Configure SP queue scheduling qos wrr queue id group sp Required Configure WRR queue scheduling qos wrr queue id g...

Страница 1095: ...0 1 qos wrr 1 group sp Sysname Ethernet1 0 1 qos wrr 2 group 1 weight 20 Sysname Ethernet1 0 1 qos wrr 3 group 1 weight 70 Sysname Ethernet1 0 1 qos wrr 4 group 1 weight 100 Sysname Ethernet1 0 1 qos...

Страница 1096: ...higher the drop precedence the more likely a packet is dropped For packets without 802 1q tags the switch uses the priority of the receiving port as the 802 1p precedence of the received packets and...

Страница 1097: ...cp lp mapping column lists the default target local precedence values available only for IP packets z The dscp dp mapping lists the default target drop precedence values available only for IP packets...

Страница 1098: ...only when the priority mapping action is configured in the associated traffic behavior specified by a policy For the detailed information about configuring traffic behavior refer to section 3 4 3 Def...

Страница 1099: ...quirements Modify the dot1p lp mapping table as those listed in Table 5 3 Table 5 3 The specified dot1p lp mapping 802 1p priority Local precedence 0 0 1 0 2 1 3 1 4 2 5 2 6 3 7 3 II Configuration pro...

Страница 1100: ...2 Configuration Procedure Follow these steps to configure port priority To do Use the command Remarks Enter system view system view Enter port view interface interface type interface number Enter por...

Страница 1101: ...face interface type interface number Enter port view or port group view Enter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuratio...

Страница 1102: ...Mapping To do Use the command Remarks Display the information about a specified priority mapping table display qos map table dot1p lp dot1p dp dscp lp dscp dp dscp dot1p dscp dscp Display the priorit...

Страница 1103: ...nism on the source end can maximize throughput and utilization rate of the network and minimize packet loss and delay I Traditional packet drop policy Tail drop is adopted in the traditional packet dr...

Страница 1104: ...is avoided When packets in a TCP connection are dropped and sent at a low rate packets in other TCP connections are still sent at a high rate In this way packets in a part of connections are sent at a...

Страница 1105: ...ort only Configuration performed in port group view applies to all the ports in the port group Enable WRED qos wred enable Required 6 2 3 Configuration Example I Network requirements Enable WRED on Et...

Страница 1106: ...eue id length queue length 1 8 Required 6 3 3 Configuration Example I Network requirements Set the queue length of queue 1 and queue 3 to 8 and 32 on Ethernet 1 0 1 II Configuration procedure Enter sy...

Страница 1107: ...defined in the aggregation CAR 7 2 Applying Aggregation CAR on Ports 7 2 1 Configuration Prerequisites z Parameter values of the aggregation CAR are determined z Ports where aggregation CAR is applie...

Страница 1108: ...ter port group view port group manual port group name aggregation agg id Perform either of the two operations The configuration performed in port view applies to the current port only Configuration pe...

Страница 1109: ...Use the command Remarks Enter system view system view Enter traffic behavior view traffic behavior behavior name Required Reference aggregation CAR in the traffic behavior car name global car name Req...

Страница 1110: ...ing Aggregation CAR To do Use the command Remarks Clear the statistics information of the specified aggregation CAR reset qos car name global car name Available in user view Display the configuration...

Страница 1111: ...VLAN policies can facilitate the application and management of QoS policies on the switch VLAN policies are not effective on dynamic VLANs VLAN policies will not be applied to dynamic VLANs For exampl...

Страница 1112: ...the QoS policy applied to the VLAN the port belongs to 8 3 Displaying and Maintaining VLAN Policy To do Use the command Remarks Display the VLAN policy display qos vlan policy name policy name vlan vl...

Страница 1113: ...te a traffic behavior and enter traffic behavior view Sysname traffic behavior be1 Configure the traffic behavior Sysname behavior be1 car cir 64 Sysname behavior be1 quit Create a QoS policy and ente...

Страница 1114: ...nt to a destination port that is a mirroring port z Mirroring to CPU The desired traffic on a mirrored port is replicated and sent to the CPU on the board of the port for further analysis z Mirroring...

Страница 1115: ...ring group you cannot configure the two ports at the same time For the detailed information about local port mirroring group refer to the Port Mirroring module in this manual 9 2 2 Mirroring Traffic t...

Страница 1116: ...figuring traffic mirroring to a port 9 4 2 Configuration Procedure Configure Switch Enter system view Sysname system view Configure basic IPv4 ACL 2000 to match packets with the source IP address 192...

Страница 1117: ...qos policy 1 Sysname policy 1 classifier 1 behavior 1 Sysname policy 1 quit Apply the policy in the inbound direction of Ethernet1 0 1 Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 qos apply...

Страница 1118: ...t Mirroring 1 2 1 1 3 Other Functions Supported by Port Mirroring 1 3 1 2 Configuring Local Port Mirroring 1 3 1 3 Configuring Remote Port Mirroring 1 5 1 3 1 Configuring a Remote Source Mirroring Gro...

Страница 1119: ...g specified ports to the destination mirroring port As destination mirroring ports usually have data monitoring devices connected to them you can analyze the packets duplicated to the destination mirr...

Страница 1120: ...are in the same local port mirroring group Packets passing through the source ports are duplicated and then are forwarded to the destination port II Remote port mirroring Remote port mirroring is ach...

Страница 1121: ...group If yes the destination device forwards the packet to the monitoring device through the destination mirroring port Note z With the S3610 and S5510 series you can configure either one local mirror...

Страница 1122: ...m view mirroring group group id monitor port monitor port id interface interface type interface number Add a port to the mirroring group as the destination port In interface view mirroring group group...

Страница 1123: ...er mirroring group group id mirroring port both inbound outbound Add ports to the mirroring group as source ports In interface view quit You can add ports to a source port mirroring group in either sy...

Страница 1124: ...or port only when it operates with the following settings being the defaults operation mode half duplex full duplex port speed MDI setting Conversely these settings cannot be modified once a port is c...

Страница 1125: ...is a hybrid port port hybrid vlan rprobe vlan id tagged untagged Perform one of these three operations according to the port type Note z A destination port cannot be a member port of the current mirro...

Страница 1126: ...and sent from the R D department and the marketing department through the data monitoring device Use the local port mirroring function to meet the requirement Perform the following configurations on S...

Страница 1127: ...witch B connects to Ethernet 1 0 1 of Switch C z The data monitoring device is connected to Ethernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from Department 1 and 2 throu...

Страница 1128: ...ng VLAN of the remote port mirroring group Add port Ethernet 1 0 1 and Ethernet1 0 2 to the remote port mirroring group as source ports Configure port Ethernet 1 0 4 as the reflector port SwitchA mirr...

Страница 1129: ...witchC system view SwitchC interface Ethernet 1 0 1 SwitchC Ethernet1 0 1 port link type trunk SwitchC Ethernet1 0 1 port trunk permit vlan 2 SwitchC Ethernet1 0 1 quit Create a remote destination por...

Страница 1130: ...1 12 1 3 8 Configuring Communication Between the Management Device and the Member Devices Within a Cluster 1 14 1 3 9 Configuring Cluster Member Management 1 14 1 4 Configuring the Member Devices 1 15...

Страница 1131: ...aining Cluster Management z Cluster Management Configuration Examples 1 1 Cluster Management Overview 1 1 1 Cluster Management Definition A cluster is an aggregation of a group of communication device...

Страница 1132: ...z Allowing simultaneous software upgrading and parameter configuring on multiple devices free of topology and distance limitations 1 1 2 Roles in a Cluster The devices in a cluster play different role...

Страница 1133: ...e after being added to a cluster z A member device becomes a candidate device after it is removed from the cluster z A management device becomes a candidate device only after the cluster is removed 1...

Страница 1134: ...ponding entry in the NDP table is updated otherwise only the holdtime of the entry is updated If no NDP information from the neighbor is received within the holdtime the corresponding entry is removed...

Страница 1135: ...to control the speed of the NTDP topology collection request advertisement z Upon receiving an NTDP topology collection request the device does not forward it instead it waits for a period of time and...

Страница 1136: ...nterval three times of the interval to send handshake packets it changes the status of the member device from Active to Connect Likewise if a member device fails to receive the handshake packets from...

Страница 1137: ...and the member candidate devices Therefore z If the packets from the management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports includi...

Страница 1138: ...agement Device Configuring Cluster Member Management Optional Enabling NDP Globally and for Specific Ports Optional Enabling NTDP Globally and for Specific Ports Optional Manually Collecting NTDP Info...

Страница 1139: ...rmally you must enable NDP both globally and on the specified port z If the subtending port or the port connecting the management device to a member candidate device is a port of a member in an aggreg...

Страница 1140: ...e port ntdp enable Optional NTDP is enabled on all ports by default Caution z For NTDP to work normally you must enable NTDP both globally and on the specified port z The NTDP function is mutually exc...

Страница 1141: ...r hop delay time Optional 200 ms by default Configure the port delay to forward topology collection request ntdp timer port delay time Optional 20 ms by default 1 3 5 Manually Collecting NTDP Informat...

Страница 1142: ...the routing table the candidate device will be added to and removed from the cluster repeatedly Caution z You can only specify a management VLAN before establishing a cluster After a device has been...

Страница 1143: ...gn a name to it build name Required By default the device is not the management device II Automatically establishing a cluster In addition to establishing a cluster manually you are also provided with...

Страница 1144: ...ement device and member devices communicate by sending handshake packets to maintain connection between them You can configure interval of sending handshake packets and the holdtime of a device on the...

Страница 1145: ...ou can control them remotely on the management device For example you can reboot a member device that operates improperly and specify to delete the booting configuration file when the member device re...

Страница 1146: ...nfigure manage and monitor the member devices through the management device You can manage member devices in a cluster through switching from the operation interface of the management device to that o...

Страница 1147: ...ing management device and member devices of the cluster otherwise the switch may fail because of authentication failure z When you switch the management device to a member device if member n does not...

Страница 1148: ...ins the MAC addresses of devices If a blacklist device is connected to network through another device not included in the blacklist the MAC address and access port of the latter are also included in t...

Страница 1149: ...you can configure FTP TFTP server NM host and log host for the cluster on the management device z After you configure an FTP TFTP server for a cluster the members in the cluster access the FTP TFTP se...

Страница 1150: ...er logging host ip address Required By default no log host is configured for a cluster Configure the SNMP NM host shared by the member devices in the cluster snmp host ip address community string read...

Страница 1151: ...mation display cluster base topology mac address mac address member id member number View the current blacklist of the cluster display cluster black list View the information of candidate devices disp...

Страница 1152: ...management device belongs to VLAN 2 whose interface IP address is 163 172 55 1 24 The network management interface of the management device is VLAN interface 2 VLAN 2 is the network management NM int...

Страница 1153: ...r function Switch cluster enable 2 Configuring the management device Enable NDP globally and for the Ethernet 1 0 2 and Ethernet 1 0 3 ports Switch system view Switch ndp enable Switch interface Ether...

Страница 1154: ...port connecting the management device to candidate devices as a Trunk port and allow packets from the management VLAN to pass Switch interface Ethernet 1 0 2 Switch Ethernet1 0 2 port link type trunk...

Страница 1155: ...figure the network management interface aabbcc_0 Switch vlan 2 aabbcc_0 Switch vlan2 port Ethernet 1 0 1 aabbcc_0 Switch quit aabbcc_0 Switch interface vlan interface 2 aabbcc_0 Switch Vlan interface2...

Страница 1156: ...s Ethernet Switches Table of Contents i Table of Contents Chapter 1 UDP Helper Configuration 1 1 1 1 Introduction to UDP Helper 1 1 1 2 Configuring UDP Helper 1 2 1 3 Displaying and Maintaining UDP He...

Страница 1157: ...er functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward...

Страница 1158: ...ble the forwarding of packets with the specified UDP destination port number s udp helper port port number dns netbios ds netbios ns tacacs tftp time Optional By default the UDP helper enabled device...

Страница 1159: ...ers or the corresponding parameters For example udp helper port 53 and udp helper port dns specify the same UDP port number z When you view the configuration information by using the display current c...

Страница 1160: ...itch A to the network segment 10 2 0 0 16 is available Enable Switch A to receive directed broadcasts SwitchA system view SwitchA ip forward broadcast Enable UDP Helper SwitchA udp helper enable Enabl...

Страница 1161: ...Enabling SNMP Logging 1 5 1 4 Trap Configuration 1 6 1 4 1 Configuration Prerequisites 1 6 1 4 2 Configuration Procedure 1 6 1 5 Displaying and Maintaining SNMP 1 8 1 6 SNMP Configuration Example 1 9...

Страница 1162: ...alizes automatic management of products from different manufacturers Offering only the basic set of functions SNMP makes the management tasks independent of both the physical features of the managed d...

Страница 1163: ...will simply be discarded A community name performs a similar role as a key word and can be used to regulate access from NMS to Agent SNMPv3 offers an authentication that is implemented with a User Ba...

Страница 1164: ...tion version all v1 v2c v3 Optional The defaults are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure an SNMP agent group snmp...

Страница 1165: ...llows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Config ure directl y Config ure a comm unity name snmp agent community read write community n...

Страница 1166: ...uring SNMP Logging 1 3 1 Introduction to SNMP Logging SNMP logs the GET and SET operations that NMS performs to SNMP Agent When the GET operation is performed Agent logs the IP address of NMS node nam...

Страница 1167: ...nformation and the information center refer to the Information Center Configuration part of the manual 1 4 Trap Configuration SNMP Agent sends Traps to NMS to alert the latter of critical and importan...

Страница 1168: ...ssion parameters Follow these steps to configure Trap To do Use the command Remarks Enter system view system view Configure target host attribute for Traps snmp agent target host trap address udp doma...

Страница 1169: ...ent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent statistics Display t...

Страница 1170: ...the SNMP agent group and SNMP agent user Sysname system view Sysname snmp agent community read public Sysname snmp agent community write private Sysname snmp agent mib view included internet 1 3 6 1 S...

Страница 1171: ...ure the authentication mode authentication password privacy mode privacy password In addition the time out time and number of retries should also be configured The user can inquire and configure the s...

Страница 1172: ...following log information is displayed on the terminal when NMS performs the GET operation to Agent Jan 1 02 49 40 566 2006 Sysname SNMP 6 GET seqNO 10 srcIP 1 1 1 2 op get node sysName 1 3 6 1 2 1 1...

Страница 1173: ...e is a string of characters and the string contains characters not in the range of ASCII 0 to 127 or invisible characters the string is displayed in hexadecimal For example value 81 43 hex Note The sy...

Страница 1174: ...or remote network devices in a more proactive and effective way It reduces traffic between network management station NMS and agent facilitating large network management RMON comprises two parts NMSs...

Страница 1175: ...he private alarm group The events can be handled in one of the following ways z Logging events in the event log table z Sending traps to NMSs z Both logging and sending traps z No action II Alarm grou...

Страница 1176: ...can cause an alarm event That is the rising alarm and falling alarm are alternate IV History group The history group controls the periodic statistical sampling of data such as bandwidth utilization n...

Страница 1177: ...ry number buckets number interval sampling interval owner text Optional Create an entry in the statistics table rmon statistics entry number owner text Optional Exit Ethernet port view quit Create an...

Страница 1178: ...ported by the device the entry will be created However the validated value of the buckets number argument corresponding with the entry is the history table size supported by the device Table 2 1 Restr...

Страница 1179: ...on display rmon prialarm entry number Available in any view Display RMON events configuration information display rmon event entry number Available in any view Display RMON event log information displ...

Страница 1180: ...of resources 0 Packets received according to length in octets 64 644 65 127 518 128 255 688 256 511 101 512 1023 3 1024 1518 0 Create an event to start logging after the event is triggered Sysname sy...

Страница 1181: ...ring the Interface to Send NTP Messages 1 12 1 4 2 Disabling an Interface from Receiving NTP Messages 1 13 1 4 3 Configuring the Maximum Number of Dynamic Sessions Allowed 1 13 1 5 Configuring Access...

Страница 1182: ...nchronizes timekeeping among distributed time servers and clients NTP runs over the User Datagram Protocol UDP using UDP port 123 The purpose of using NTP is to keep consistent timekeeping among all c...

Страница 1183: ...d between the backup server and all the clients Advantages of NTP z NTP uses a stratum to describe the clock precision and is able to synchronize time among all devices within the network z NTP suppor...

Страница 1184: ...m T2 z When the NTP message leaves Device B Device B timestamps it The timestamp is 11 00 02 am T3 z When Device A receives the NTP message the local time of Device A is 10 00 03 am T4 Up to now Devic...

Страница 1185: ...refer to NTP clock synchronization messages A clock synchronization message is encapsulated in a UDP message in the format shown in Figure 1 2 Figure 1 2 Clock synchronization message format Main fie...

Страница 1186: ...the primary reference source z Reference Identifier Identifier of the particular reference source z Reference Timestamp the local time at which the local clock was last set or corrected z Originate T...

Страница 1187: ...mmetric active the device that receives this message automatically enters the symmetric passive mode and sends a reply with the Mode field in the message set to 2 symmetric passive By exchanging messa...

Страница 1188: ...configured to the default NTP multicast address 224 0 1 1 with the Mode field in the messages set to 5 multicast mode Clients listen to the multicast messages from servers After a client receives the...

Страница 1189: ...8 associations at the same time including static associations and dynamic associations A static association refers to an association that a user has manually created by using an NTP command while a dy...

Страница 1190: ...ddress must be a host address rather than a broadcast address a multicast address or the IP address of the local clock z When the interface sending the NTP packet is specified by the source interface...

Страница 1191: ...When the interface used to send NTP messages is specified by the source interface argument the source IP address of the NTP message will be configured as the primary IP address of the specified inter...

Страница 1192: ...terface view interface interface type interface number Enter the interface used to send NTP broadcast messages Configure the device to work in the NTP broadcast server mode ntp service broadcast serve...

Страница 1193: ...ew interface interface type interface number Enter the interface used to send NTP multicast message Configure the device to work in the NTP multicast server mode ntp service multicast server ip addres...

Страница 1194: ...eiving NTP Messages To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Disable the interface from receiving NTP messages ntp ser...

Страница 1195: ...peer device to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to the peer device From the highest NTP service access control...

Страница 1196: ...cation function cannot be normally enabled z For the server client mode or symmetric mode you need to associate the specified authentication key on the client symmetric active peer if in the symmetric...

Страница 1197: ...er ip address peer name authentication keyid keyid Required You can associate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted...

Страница 1198: ...iate a non existing key with an NTP server To enable NTP authentication you must configure the key and specify it as a trusted key after associating the key with the NTP server Note The procedure of c...

Страница 1199: ...as the reference source with the stratum level of 2 DeviceA system view DeviceA ntp service refclock master 2 2 Configuration on Device B View the NTP status of Device B before clock synchronization...

Страница 1200: ...session information of Device B which shows that an association has been set up between Device B and Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay dis...

Страница 1201: ...n Device C after Device B is synchronized to Device A Specify the local clock as the reference source with the stratum level of 1 DeviceC system view DeviceC ntp service refclock master 1 Configure De...

Страница 1202: ...association has been set up between Device B and Device C DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 245 3 0 1 31 127 127 1 0 2 15 64 24 10535 0 19...

Страница 1203: ...ges through VLAN interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server 2 Configuration on Switch D Configure Switch D to work in the broadcast client mode...

Страница 1204: ...witch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD display ntp service sessions...

Страница 1205: ...ver mode and send multicast messages through VLAN interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service multicast server 2 Configuration on Switch D Configure Switch D to...

Страница 1206: ...ource peer 3 selected 4 candidate 5 configured Total associations 1 3 Configuration on Switch B Because Switch A and Switch C are on different subnets you must enable IGMP on Switch B before Switch A...

Страница 1207: ...itch C is 2 View the NTP session information of Switch A which shows that an association has been set up between Switch A and Switch C SwitchA display ntp service sessions source reference stra reach...

Страница 1208: ...keyid 42 authentication mode md5 aNiceKey Specify the key as key as a trusted key DeviceB ntp service reliable authentication keyid 42 Specify Device A as the NTP server DeviceB ntp service unicast s...

Страница 1209: ...B which shows that an association has been set up Device B and Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 63 64...

Страница 1210: ...ation SwitchC ntp service authentication enable SwitchC ntp service authentication keyid 88 authentication mode md5 123456 SwitchC ntp service reliable authentication keyid 88 Specify Switch C as an N...

Страница 1211: ...cy 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 8 31 ms Peer dispersion 34 30 ms Reference time 16 01 51 713 UTC Apr 20 2007...

Страница 1212: ...in Name Resolution 1 1 1 2 Configuring Domain Name Resolution 1 3 1 2 1 Configuring Static Domain Name Resolution 1 3 1 2 2 Configuring Dynamic Domain Name Resolution 1 3 1 3 Displaying and Maintainin...

Страница 1213: ...S server translate them into correct IP addresses There are two types of DNS services static and dynamic After a user specifies a name the device checks the local static name resolution table for an I...

Страница 1214: ...fferent devices while the DNS server and the DNS client usually must run on different devices Dynamic domain name resolution allows the DNS client to store latest mappings between domain names and IP...

Страница 1215: ...ymbol Currently the device supports static and dynamic DNS services Note If an alias is configured for a domain name on the DNS server the device can resolve the alias into the IP address of the host...

Страница 1216: ...do Use the command Remarks Display the static domain name resolution table display ip host Available in any view Display DNS server information display dns server dynamic Available in any view Display...

Страница 1217: ...TRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 255 time 1 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 255 time 4 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 255 time 3 ms Reply from...

Страница 1218: ...device and the host and configurations are done on both the device and the host For the IP addresses of the interfaces see Figure 1 3 z This configuration may vary with different DNS servers The foll...

Страница 1219: ...NS Configuration 1 7 Figure 1 4 Create a zone Create a mapping between the host name and IP address Figure 1 5 Add a host In Figure 1 5 right click zone com and then select New Host to bring up a dial...

Страница 1220: ...he ping host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS...

Страница 1221: ...amic domain name resolution the user cannot get the correct IP address II Solution z Use the display dns dynamic host command to verify that the specified domain name is in the cache z If there is no...

Страница 1222: ...onfiguration File for Next Startup 1 9 1 3 Displaying and Maintaining Device Configuration 1 10 Chapter 2 FTP Configuration 2 1 2 1 FTP Overview 2 1 2 1 1 Introduction to FTP 2 1 2 1 2 Implementation...

Страница 1223: ...h the path excluded to indicate a file in the current path The filename can be 1 to 91 characters in length 1 1 File System Management This section covers these topics z File System Overview z Directo...

Страница 1224: ...z The directory to be removed must be empty meaning before you remove a directory you must delete all the files and the subdirectory under this directory For file deletion refer to the delete command...

Страница 1225: ...ew Enter system view system view Execute the batch file execute filename Optional Note You can create a file by copying or downloading or using the save command Caution z Empty the recycle bin timely...

Страница 1226: ...of the second is cfb and so on z If storage device partitioning is supported on the device the name of the partition device is composed of the physical device name and partition number The serial num...

Страница 1227: ...ta loss z quiet where the system does not do that in any cases To prevent undesirable consequence resulted from misoperations the alert mode is preferred To do Use the command Remarks Enter system vie...

Страница 1228: ...figuration z Erasing the Startup Configuration File z Specifying a Configuration File for Next Startup z Backing up Restoring the Configuration File for Next Startup 1 2 1 Configuration File Overview...

Страница 1229: ...tion You can modify the configuration on your device at the command line interface CLI To use the modified configuration for your subsequent startups you must save it using the save command as a confi...

Страница 1230: ...the default path or enter a filename to specify a new path but the suffix of the filename must be cfg and the path must be the path of the storage device on the AMB active main board 1 2 3 Erasing th...

Страница 1231: ...ation file for next startup through operations at the CLI TFTP is used for intercommunication between the device and the server The backup function enables you to backup a configuration file to the TF...

Страница 1232: ...up command in user view to verify if the filename of the startup configuration file is the same with the filename argument and use the dir command to verify if the restored file exists 1 3 Displaying...

Страница 1233: ...510 Series Ethernet Switches Chapter 1 File System Management Configuration 1 11 Note For detailed description of the display this and display current configuration commands refer to the System Mainta...

Страница 1234: ...text file transmission 2 1 2 Implementation of FTP FTP adopts the server client model Your switch can function either as client or as server as shown in Figure 2 1 They work in the following way z Whe...

Страница 1235: ...essfully access the FTP server You can specify one by configuring the source address of the packets of the FTP client to meet the requirement of the security policy of the FTP client You can configure...

Страница 1236: ...iew quit Log onto the remote FTP server directly in user view ftp server address service port source interface interface type interface number ip source ip address ftp Log onto the remote FTP server i...

Страница 1237: ...command Optional Enable information display in a detailed manner verbose Optional Enabled by default Use other username to relog after logging onto the FTP server successfully user username password O...

Страница 1238: ...al to the disconnect command Disconnect with the FTP server and exit to user view bye Optional Terminate the connection with the remote FTP server and exit to user view quit Optional Available in FTP...

Страница 1239: ...e to be downloaded Sysname dir Directory of flash 0 drw Dec 07 2005 10 00 57 filename 1 drw Jan 02 2006 14 27 51 logfile 2 rw 1216 Jan 02 2006 14 28 59 config cfg 3 rw 1216 Jan 02 2006 16 27 26 backup...

Страница 1240: ...manual 2 3 Configuring the FTP Server 2 3 1 Configuring FTP Server Operating Parameters The FTP server uses two modes to update files when you upload files use the put command to the FTP server z In...

Страница 1241: ...to the directories and associating the username and password with the account Follow these steps to configure authentication and authorization for FTP server To do Use the command Remarks Enter syste...

Страница 1242: ...k directory and level commands and the AAA related configuration refer to the AAA RADIUS HWTACACS Configuration part of the manual 2 3 3 FTP Server Configuration Example I Network requirements z Use y...

Страница 1243: ...drw Jan 02 2006 15 20 21 ftp 2540 KB total 2511 KB free Sysname delete unreserved flash back cfg 2 Configure the PC FTP Client Upload the startup file to the FTP server and save it under the root dir...

Страница 1244: ...root directory For description of the corresponding command refer to the System Maintaining and Debugging part of the manual 2 4 Displaying and Maintaining FTP To do Use the command Remarks Display th...

Страница 1245: ...ication Therefore it is more suitable where complex interaction is not needed between client and server TFTP uses the UDP port 69 for data transmission For TFTP basic operation refer to RFC 1350 In TF...

Страница 1246: ...start up because the original system file is not overwritten This mode is securer but consumes more memory You are recommended to use the latter mode or use a filename not existing in the current dire...

Страница 1247: ...er ip source ip address Optional A device uses the source address determined by the routing protocol to communicate with the TFTP server by default Return to user view quit Download or upload a file i...

Страница 1248: ...ed for the client z On your device VLAN interface 1 is assigned an IP address 1 1 1 1 16 Make sure that the port connected to PC belongs to the same VLAN z TFTP a startup file from PC for upgrading an...

Страница 1249: ...ory is available Sysname tftp 1 2 1 1 get aaa bin bbb bin Upload a configuration file config cfg to the TFTP server Sysname tftp 1 2 1 1 put config cfg configback cfg Specify the main startup file for...

Страница 1250: ...ng to Output System Information to a Monitor Terminal 1 9 1 2 4 Setting to Output System Information to a Log Host 1 10 1 2 5 Setting to Output System Information to the Trap Buffer 1 11 1 2 6 Setting...

Страница 1251: ...information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems Note By default the information center is enabl...

Страница 1252: ...nformation of all severities will be output III Ten channels and six output directions of system information The system supports six information output directions including the console monitor logbuff...

Страница 1253: ...ote Configurations for the six output directions function independently and take effect only after the information center is enabled IV Outputting system information by source module The system is com...

Страница 1254: ...n exchange protocol module LAGG Link Aggregation module LINE Line module MSDP Multicast Source Discovery Protocol module MSTP Multiple Spanning Tree Protocol module NAT Network Address Translation mod...

Страница 1255: ...all required in the above format z Before the priority may have or followed with a space indicating log alarm or debug information respectively Below is an example of the format of log information to...

Страница 1256: ...vels based on its severity from 0 to 7 Refer to Table 1 1 for definition and description of these severity levels Note that there is a forward slash between the levels severity and digest fields VI Di...

Страница 1257: ...o Table 1 2 for default channel names Configure the channel through which system information can be output to the console info center console channel channel number channel name Optional System inform...

Страница 1258: ...ble d informat ional Enable d warning s Disable d debuggi ng Log buffer default all module s Enable d warning s Disable d debuggi ng Disable d debuggi ng SNMP NMS default all module s Disable d debugg...

Страница 1259: ...nable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure...

Страница 1260: ...terminal logging Optional Enabled by default Enable the display of trap information on a monitor terminal terminal trapping Optional Enabled by default 1 2 4 Setting to Output System Information to a...

Страница 1261: ...ult Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which syst...

Страница 1262: ...by default with channel 4 known as logbuffer as the default channel and a default buffer size of 512 Configure the output rules of the system information info center source module name default channel...

Страница 1263: ...imestamp info center timestamp debugging log trap boot date none Optional The time stamp for log trap and debug information is date by default Note To ensure that system information can be output to t...

Страница 1264: ...put will be displayed in a new line 1 3 Displaying and Maintaining Information Center To do Use the command Remarks Display channel information for a specified channel display channel channel number c...

Страница 1265: ...severity higher than informational will be output to the log host z The source modules are ARP and IP II Network diagram Figure 1 1 Network diagram for outputting log information to a Unix log host II...

Страница 1266: ...has similar configurations to the Unix operating systems implemented by other vendors Step 1 issue the following commands as a root user mkdir var log MyDevice touch var log MyDevice information Step...

Страница 1267: ...higher than informational will be output to the log host z All modules can output log information II Network diagram Figure 1 2 Network diagram for outputting log information to a Linux log host III...

Страница 1268: ...evice touch var log MyDevice information Step 2 Edit the file etc syslog conf as a root user and add the following selector action pair MyDevice configuration messages local7 info var log MyDevice inf...

Страница 1269: ...ith a severity higher than informational will be output to the console z The source modules are ARP and IP II Network diagram Figure 1 3 Network diagram for sending log information to the console III...

Страница 1270: ...te of a channel Enable system information output for the ARP and IP modules with information severity ranging from emergencies to informational Sysname info center source arp channel console log level...

Страница 1271: ...5 Chapter 2 System Maintaining and Debugging 2 1 2 1 System Maintaining and Debugging Overview 2 1 2 1 1 Introduction to System Maintaining and Debugging 2 1 2 1 2 Introduction to System Debugging 2 2...

Страница 1272: ...ering Exiting System View z Configuring the Device Name z Configuring the System Clock z Configuring a Banner z Configuring CLI Hotkeys z Configuring User Levels and Command Levels z Displaying and Ma...

Страница 1273: ...user view II Displaying the system clock The system clock is displayed by system time stamp which is the same as that displayed by the display clock command The system clock is decided by the command...

Страница 1274: ...time 3 00 2007 3 3 Display 03 00 00 zone time Sat 03 03 2007 If the original system clock is not in the summer time range the original system clock is displayed Configure clock summer time ss one off...

Страница 1275: ...the summer time range date time is displayed Configure clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock t...

Страница 1276: ...in the summer time range date time is displayed Configure clock timezone zone time add 1 clock summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 1 30 2008 1 1 Display 23 30 00 z...

Страница 1277: ...re not part of the banner information In this case the input text together with the command keywords cannot exceed 510 characters The other is to input all the banner information in multiple lines by...

Страница 1278: ...lines by default Display hotkeys display hotkey Available in any view Refer to Table 1 2 for hotkeys reserved by the system Note By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with com...

Страница 1279: ...or to the leading character of the continuous string to the left Esc D Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor Esc F Moves the...

Страница 1280: ...nage level 3 Manage FTP TFTP XMODEM and file system operation commands Follow these steps to configure user level and command level To do Use the command Remarks Switch the user level super level Opti...

Страница 1281: ...1 1 7 Displaying and Maintaining Basic Configurations To do Use the command Remarks Display information on system version display version Display information on the system clock display clock Display...

Страница 1282: ...d Lines z Display Features z History Command z Command Line Error Information z Edit Features 1 2 1 Introduction to CLI CLI is an interaction interface between devices and users Through CLI you can co...

Страница 1283: ...le dir List files on a file system display Display current system information omitted 2 Enter a command and a separated by a space If is at the position of a keyword all the keywords are given with a...

Страница 1284: ...unction Press Space when information display pauses Continues to display information of the next screen page Press Enter when information display pauses Continues to display information of the next li...

Страница 1285: ...00X and XP Terminal or Telnet However the up arrow and down arrow keys are invalid in Windows 9X HyperTerminal because they are defined in a different way You can use Ctrl P and Ctrl N instead 1 2 5 C...

Страница 1286: ...ght Backspace key Deletes the character to the left of the cursor and move the cursor back one character Left arrow key or Ctrl B The cursor moves one character space to the left Right arrow key or Ct...

Страница 1287: ...If the network is functioning properly the destination device responds by sending an ICMP echo reply to the source device after receiving the ICMP echo request 3 If there is network failure the sourc...

Страница 1288: ...a TTL expired ICMP message which gives the source device the address of the second router 5 The above process continues until the ultimate destination device is reached In this way the source device...

Страница 1289: ...s For details refer to Information Center Configuration 2 2 System Maintaining and Debugging 2 2 1 System Maintaining To do Use the command Remarks ping ip a source ip c count f h ttl i interface type...

Страница 1290: ...t parameter in the command when configuring the ping command z Only the directly connected segment address can be pinged if the outgoing interface is specified with the i argument 2 2 2 System Debuggi...

Страница 1291: ...al debugging and terminal monitor commands refer to the Information Center Commands part of the manual 2 3 System Maintaining Example I Network requirements z The IP address of the destination device...

Страница 1292: ...ng path The file name without a path consists of 1 to 91 characters 3 1 Device Management Overview Through the device management function you can view the current working state of a device configure r...

Страница 1293: ...delay commands can reboot a device As a result the ongoing services will be interrupted Be careful to use these commands z If a primary boot file fails or does not exist the device cannot be rebooted...

Страница 1294: ...e path of it to the root directory 3 2 3 Upgrading Boot ROM During the operation of the device you can use Boot ROM in the storage device to upgrade Boot ROM programs that are running on the device Fo...

Страница 1295: ...card or logical interface is removed If you repeatedly insert and remove different subcards or interface cards to create or delete a large amount of logical interface the interface indexes will be use...

Страница 1296: ...s Yes GBIC GigaBit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit small Form factor Pluggable Generally used for 10G Ethernet interfaces Yes No XENPAK 10 Gigab...

Страница 1297: ...rd during device debugging or test The information includes name of the card device serial number and vendor name or vendor name specified III Diagnosing pluggable transceivers The system outputs alar...

Страница 1298: ...n any view Display the usage of the memory of a device display memory Available in any view Display the power state of a device display power power id Available in any view Display the reboot type of...

Страница 1299: ...iew FTP Server ftp server enable Set the FTP username to aaa and password to hello FTP Server local user aaa FTP Server luser aaa password cipher hello Configure the user to have access to the aaa dir...

Страница 1300: ...get aaa bin ftp get boot btm Clear the FTP connection and return to user view ftp bye Device Upgrade the Boot ROM file of the device Device bootrom update file boot btm Specify the application progra...

Страница 1301: ...DHCP Test 1 6 1 2 3 Configuring the FTP Test 1 8 1 2 4 Configuring the HTTP Test 1 11 1 2 5 Configuring the Jitter Test 1 13 1 2 6 Configuring the SNMP Query Test 1 16 1 2 7 Configuring the TCP Test 1...

Страница 1302: ...twork quality analyzer is an enhanced Ping tool used for testing the performance of protocols running on networks Besides the Ping functions NQA can provide the following functions z Detecting the ava...

Страница 1303: ...ltiple TCP or UDP listening services on the NQA server with each listening service corresponding to a specified destination address and port number 1 1 3 NQA Test Operation NQA can test multiple proto...

Страница 1304: ...sponding services of this known port will be unavailable This section covers these topics z Configuring the ICMP Test z Configuring the DHCP Test z Configuring the FTP Test z Configuring the HTTP Test...

Страница 1305: ...multiple VPNs you need to use this command to specify a VPN instance for test Specify the IP address of an interface as the source IP address of an ICMP test request packet source interface interface...

Страница 1306: ...count 10 SwitchA nqa admin icmp timeout 5 Enable the ICMP test SwitchA nqa admin icmp test enable View the test results with the display nqa results command SwitchA nqa admin icmp display nqa results...

Страница 1307: ...ration part of the manual II Configuration procedure Follow these steps to configure the DHCP test To do Use the command Remarks Enter system view system view Enable the NQA client nqa agent enable Re...

Страница 1308: ...a admin dhcp test type dhcp SwitchA nqa admin dhcp source interface ethernet 1 0 Enable the DHCP test SwitchA nqa admin dhcp test enable View the test results with the display nqa results command Swit...

Страница 1309: ...st To do Use the command Remarks Enter system view system view Enable the NQA client nqa agent enable Required Create an NQA test group and enter its view nqa admin name operation tag Set the test typ...

Страница 1310: ...operation the file obtained from the FTP server will not be saved on the device either If there is no such file name file on the FTP server the FTP test will fail z When you perform a put operation a...

Страница 1311: ...tion put SwitchA nqa admin ftp username admin SwitchA nqa admin ftp password nqa SwitchA nqa admin ftp filename config txt Enable the FTP test SwitchA nqa admin ftp test enable View the test results w...

Страница 1312: ...e http Required Configure a destination address for a test destination ip ip address Required Here it is the IP address of the HTTP server Configure the HTTP operation type http operation get post Opt...

Страница 1313: ...tchA nqa admin http test type http SwitchA nqa admin http destination ip 10 2 2 2 SwitchA nqa admin http http operation get SwitchA nqa admin http http string index htm HTTP 1 0 Enable the HTTP test S...

Страница 1314: ...en sends it back to the source port After the source port receives the data packet the delay jitter can be calculated To improve the accuracy of the statistics results you must send multiple test pack...

Страница 1315: ...QA test group and enter its view nqa admin name operation tag Set the test type to jitter test type jitter Required Configure a destination address for a test destination ip ip address Required The de...

Страница 1316: ...to test the delay jitter of packet transmission between the local port Switch A and the specified destination port Switch B 2 Network diagram Figure 1 6 Network diagram for the jitter test 3 Configur...

Страница 1317: ...o Sequence Error 0 Failures due to Internal Error 0 Failures due to Other Errors 0 Jitter result RTT Number 10 SD Maximal delay 4 DS Maximal delay 4 Min Positive SD 1 Min Positive DS 0 Max Positive SD...

Страница 1318: ...estination ip ip address Required Configure common optional parameters Refer to Configuring Optional Parameters for NQA Tests Optional Enable the NQA test test enable Required View the test results di...

Страница 1319: ...ew SwitchA nqa agent enable SwitchA nqa admin snmp SwitchA nqa admin snmp test type snmpquery SwitchA nqa admin snmp destination ip 10 2 2 2 Enable the SNMP query test SwitchA nqa admin snmp test enab...

Страница 1320: ...ination port needs to be configured on the client but TCP port 7 used for listening needs to be configured on the server Even if a port is configured on the client the port does not take effect z For...

Страница 1321: ...stening IP address on the NQA server Configure a destination port destination port port number If the test type is TCP Public no port needs to be configured If the test type is TCP Private a port must...

Страница 1322: ...n tcpprivate test type tcpprivate SwitchA nqa admin tcpprivate destination ip 10 2 2 2 SwitchA nqa admin tcpprivate destination port 9000 Enable the TCP test SwitchA nqa admin tcpprivate test enable V...

Страница 1323: ...lient but port 7 for listening needs to be configured on the server Even if a port is configured on the client the port does not take effect z For the UDP Private test a connection setup request is in...

Страница 1324: ...P Private a port must be configured and it must be the listening port configured on the NQA server Configure the size of test packets sent datasize size Optional 100 bytes by default Configure a strin...

Страница 1325: ...n udpprivate test type udpprivate SwitchA nqa admin udpprivate destination ip 10 2 2 2 SwitchA nqa admin udpprivate destination port 8000 Enable the TCP test SwitchA nqa admin udpprivate test enable V...

Страница 1326: ...set up between the NQA client and the specified device and the DLSw function must be enabled on the specified device II Configuration procedure Follow these steps to configure the DLSw test To do Use...

Страница 1327: ...hA nqa admin dlsw test type dlsw SwitchA nqa admin dlsw destination ip 10 2 2 2 Enable the DLSw test SwitchA nqa admin dlsw test enable View the test results with the display nqa results command Switc...

Страница 1328: ...rap Delivery 1 3 1 Configuring Optional Parameters Common to NQA Follow these steps to configure optional parameters common to NQA To do Use the command Remarks Enter system view system view Configure...

Страница 1329: ...e the NQA probe time out time timeout time Optional Three seconds by default If no response packet is received within the time out time of a request packet the probe fails Configure the maximum number...

Страница 1330: ...invalid for the DHCP test Configure the source port of a test request packet source port port number Optional You can specify a port as the source port of a test request packet Otherwise the system a...

Страница 1331: ...onfigure Trap To do Use the command Remarks Enter system view system view Create an NQA test group and enter its view nqa admin name operation tag Required Enable trap debugging to send a trap message...

Страница 1332: ...he command Remarks Display history information of tests display nqa history admin name operation tag Available in any view Display the results of the last NQA jitter test display nqa jitter admin name...

Страница 1333: ...s 1 14 1 2 7 Displaying and Maintaining VRRP for IPv4 1 15 1 3 Configuring VRRP for IPv6 1 15 1 3 1 VRRP for IPv6 Configuration Task List 1 15 1 3 2 Enabling Users to Ping Virtual IPv6 Addresses 1 15...

Страница 1334: ...s that VRRP involves can only be VLAN interfaces unless otherwise specified 1 1 Introduction to VRRP 1 1 1 VRRP Overview Normally as shown in Figure 1 1 you can configure a default route with the gate...

Страница 1335: ...default links without changing configurations such as dynamic routing protocols route discovery protocols when a device fails and prevent network interruption due to a single link failure There are t...

Страница 1336: ...the master switch to act as the gateway and the other two are backup switches Caution z The IP address of the virtual router can be either an unused IP address on the segment where the standby group...

Страница 1337: ...thentication mode in a network facing possible security problems A switch sending a packet fills the authentication key into the packet and the switch receiving the packet compares its local authentic...

Страница 1338: ...case it regards itself as the master and sends VRRP advertisements to start a new master switch election in a standby group 1 1 4 Format of VRRP Packets VRRP uses multicast packets The switch acting...

Страница 1339: ...d is 0 for any other authentication modes II IPv6 based VRRP packet format Version Type Virtual Rtr ID Priority Count IPv6 Addrs Auth Type Adver Int Checksum IPv6 address 1 Authentication data 1 Authe...

Страница 1340: ...with that of its own If its priority is higher it becomes the master otherwise it remains a backup z In non preemption mode the switch in the standby group remains as a master or backup as long as the...

Страница 1341: ...he state of listening If Switch A fails Switch B and Switch C will elect for the new master The new master takes over the forwarding task to provide services to hosts on the LAN II Load balancing You...

Страница 1342: ...andby group 3 Switch C is the master Switch A and Switch B are the backups For load balancing among Switch A Switch B and Switch C hosts on the LAN need to be configured to use standby group 1 2 and 3...

Страница 1343: ...tween Virtual IP Address and MAC Address After the virtual IP address of a standup group is associated with a MAC address the master switch takes the configured MAC address as the source MAC address o...

Страница 1344: ...ual MAC address is associated with the virtual IP address by default Caution You should configure this function before creating a standby group Otherwise you cannot modify the mapping between the virt...

Страница 1345: ...e effect z The virtual IP address of the virtual router can be either an unused IP address on the segment where the standby group resides or the IP address of an interface on a switch in the standby g...

Страница 1346: ...terface interface type interface number Configure switch priority in the standby group vrrp vrid virtual router id priority priority value Optional 100 by default Configure the switch in the standby g...

Страница 1347: ...de md5 simple key Optional Authentication is not performed by default Configure the time interval for the Master in the standby group to send VRRP advertisement vrrp vrid virtual router id timer adver...

Страница 1348: ...onfigure VRRP for IPv6 Task Remarks Enabling Users to Ping Virtual IPv6 Addresses Optional Configuring the Association Between Virtual IPv6 Address and MAC Address Optional Creating Standby Group and...

Страница 1349: ...r a standby group after the standby group is created and the virtual IPv6 address is associated with the virtual MAC address With such association adopted the hosts in the internal network need not up...

Страница 1350: ...P standby group I Configuration prerequisites Before creating standby group and configuring virtual IPv6 address you should first configure the IPv6 address of the interface and ensure that the virtua...

Страница 1351: ...an decide which switch in the standby group serves as the Master Follow these steps to configure standby group priority preemption mode and interface tracking To do Use the command Remarks Enter syste...

Страница 1352: ...interface interface type interface number Configure the authentication mode and authentication key when the standby groups send and transmit VRRP packets vrrp ipv6 vrid virtual router id authenticatio...

Страница 1353: ...mber vrid virtual router id Available in user view 1 4 IPv4 Based VRRP Configuration Examples This section provides these configuration examples z Single VRRP Standby Group Configuration Example z VRR...

Страница 1354: ...SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 202 38 160 1 255 255 255 0 Create standby group 1 and set its virtual IP address to be 202 38 160 111 SwitchA Vlan interface2 vrrp...

Страница 1355: ...n Status UP State Master Config Pri 110 Run Pri 110 Preempt Mode YES Delay Time 5 Auth Type NONE Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 Display detailed informatio...

Страница 1356: ...by Switch B 1 4 2 VRRP Interface Tracking Configuration Example I Network requirements z Host A needs to access Host B on the Internet using 202 38 160 111 24 as its default gateway z Switch A and Sw...

Страница 1357: ...ation mode simple hello Set the interval for Master to send VRRP advertisement to five seconds SwitchA Vlan interface2 vrrp vrid 1 timer advertise 5 Set the interface to be tracked SwitchA Vlan interf...

Страница 1358: ...witchB Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Backup Config Pr...

Страница 1359: ...Vlan interface2 VRID 1 Adver Timer 5 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type SIMPLE TEXT Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5...

Страница 1360: ...interface2 ip address 202 38 160 1 255 255 255 0 Create a standby group 1 and set its virtual IP address to 202 38 160 111 SwitchA Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Configure the p...

Страница 1361: ...tailed information of the standby group on Switch A SwitchA Vlan interface2 display vrrp verbose IPv4 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vlan interface2 VRID 1...

Страница 1362: ...tch A in standby group 2 Switch A is the backup Switch B is the master and the host with the default gateway of 202 38 160 112 24 accesses the Internet through Switch B 1 5 IPv6 Based VRRP Configurati...

Страница 1363: ...et 2 0 5 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ipv6 address fe80 1 link local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its v...

Страница 1364: ...pv6 command to verify the configuration Display detailed information of standby group 1 on Switch A SwitchA Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Vi...

Страница 1365: ...Vlan interface2 VRID 1 Adver Timer 100 Admin Status UP State Master Config Pri 100 Run Pri 100 Preempt Mode YES Delay Time 0 Auth Type NONE Virtual IP FE80 10 Virtual MAC 0000 5e00 0201 Master IP FE8...

Страница 1366: ...ink local SwitchA Vlan interface2 ipv6 address 1 1 64 Create a standby group 1 and set its virtual IP address to FE80 10 SwitchA Vlan interface2 vrrp ipv6 vrid 1 virtual ip fe80 10 link local Set the...

Страница 1367: ...ipv6 vrid 1 authentication mode simple hello Set the VRRP advertisement interval to 500 centiseconds SwitchB Vlan interface2 vrrp ipv6 vrid 1 timer advertise 500 Set Switch B to work in preemption mo...

Страница 1368: ...through Host B on Host A You can use the display vrrp ipv6 command to view the detailed information of the standby group If Switch A is in work but its interface VLAN interface 3 is not available the...

Страница 1369: ...t becomes the backup Switch B becomes the master and packets sent from Host A to Host B are forwarded by Switch B 1 5 3 Multiple VRRP Standby Group Configuration Example I Network requirements z In th...

Страница 1370: ...witchB vlan2 port GigabitEthernet 2 0 5 SwitchB vlan2 quit SwitchB interface vlan interface 2 SwitchB Vlan interface2 ipv6 address fe80 2 link local SwitchB Vlan interface2 ipv6 address 1 2 64 Create...

Страница 1371: ...80 2 Display detailed information of the standby group on Switch B SwitchB Vlan interface2 display vrrp ipv6 verbose IPv6 Standby Information Run Method VIRTUAL MAC Virtual IP Ping Enable Interface Vl...

Страница 1372: ...requently Analysis This error is probably due to the inconsistent configuration of the other switch in the standby group or that a device is attempting to send illegitimate VRRP packets Solution z In...

Страница 1373: ...Ethernet Switches Chapter 1 VRRP Configuration 1 40 III Symptom 3 Frequent VRRP state transition Analysis The VRRP advertisement interval is set too short Solution Increase the interval to sent VRRP a...

Страница 1374: ...SSH Client 1 12 1 3 3 Configuring First time Authentication 1 12 1 3 4 Establishing a Connection Between SSH Client and Server 1 13 1 4 Displaying and Maintaining SSH 1 14 1 5 SSH Server Configuratio...

Страница 1375: ...Operation Manual SSH H3C S3610 S5510 Series Ethernet Switches Table of Contents ii 2 3 6 Terminating the Connection to the Remote SFTP Server 2 6 2 4 SFTP Configuration Example 2 7...

Страница 1376: ...e can not only work as an SSH server to support connections with SSH clients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Ca...

Страница 1377: ...encryption and signature 1 1 3 SSH Operating Process The session establishment between an SSH client and the SSH server involves the following five stages Table 1 1 Stages in establishing a session be...

Страница 1378: ...n z The server and the client send key algorithm negotiation packets to each other which include the supported public key algorithm list encryption algorithm list MAC algorithm list and compression al...

Страница 1379: ...erver a public authentication request containing its user name public key and algorithm The server validates the public key If the public key is invalid the authentication fails otherwise the server g...

Страница 1380: ...otherwise the server may not be able to perform the commands z If the text exceeds 2000 bytes you can upload the configuration file to the server and use the configuration file to restart the server...

Страница 1381: ...ew system view Enter single user interface view or multi user interface view user interface type keyword number ending number Required Set the login authentication method to scheme authentication mode...

Страница 1382: ...server host key is in the range 512 to 2048 bits With SSH2 however some clients require that the keys generated by the server must not be less than 768 bits II Exporting the RSA key pair You can displ...

Страница 1383: ...key to a string coded using the PKCS standard Before importing the public key you must upload the public key file in binary to the server through FTP or TFTP Caution z When the device functions as th...

Страница 1384: ...a public key file public key peer keyname import sshkey filename Required 1 2 6 Configuring an SSH User This configuration allows you to create an SSH user and specify the service type and authentica...

Страница 1385: ...service type to stelnet or all on the server Otherwise the client will fail to log in successfully z The working folder of an SFTP user is subject to the user authentication method For a user using o...

Страница 1386: ...t the SSH server can work with SSH1 x clients Set the RSA server key pair update interval ssh server rekey interval hours Optional 0 by default that is the RSA server key pair is not updated Set the S...

Страница 1387: ...pe interface number Required By default the address of the interface decided by the routing is used to access the SSH server 1 3 3 Configuring First time Authentication When the device connects to the...

Страница 1388: ...low these steps to disable first time authentication To do Use the command Remarks Enter system view system view Disable first time authentication support undo ssh client first time Optional By defaul...

Страница 1389: ...yption algorithms and HMAC algorithms for them ssh2 ipv6 server port number prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group1...

Страница 1390: ...re directly connected through the Ethernet interfaces z The host runs SSH client software to securely log on to the switch for configuration z Password authentication is used II Network diagram Figure...

Страница 1391: ...mple aabbcc Switch luser client001 service type ssh level 3 Switch luser client001 quit Specify the service type for user client001 as Stelnet and the authentication method as password Switch ssh user...

Страница 1392: ...onfiguration 1 17 Figure 1 3 SSH client configuration interface From the window shown in Figure 1 3 click Open The following SSH client interface appears If the connection is normal you will be prompt...

Страница 1393: ...are directly connected through the Ethernet interfaces z The host runs SSH client software to securely log on to the switch for configuration z Publickey authentication is used the algorithm is RSA II...

Страница 1394: ...and privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Note Before performing the following tasks you must generate an RSA key pair using the client software on the cli...

Страница 1395: ...Configuration 1 20 Figure 1 6 Generate a client key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 7 Otherwise...

Страница 1396: ...S5510 Series Ethernet Switches Chapter 1 SSH Configuration 1 21 Figure 1 7 Generate a client key pair 2 After the key pair is generated click Save public key to save the key in a file by entering a f...

Страница 1397: ...ops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the key private in this case Figure 1 9 Generate a client key 4 Note Aft...

Страница 1398: ...the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of the server 192 168 1 40 Figure 1 10 SSH client configuration interface...

Страница 1399: ...n 1 24 Figure 1 11 SSH client configuration interface 2 From the window shown in Figure 1 11 click Open The following SSH client interface appears If the connection is normal you will be prompted to e...

Страница 1400: ...s shown in Figure 1 13 Switch A the SSH client needs to log on to Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the password is aabbcc Password aut...

Страница 1401: ...chB luser client001 service type ssh level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication method as password SwitchB ssh user client001 se...

Страница 1402: ...FA256699B3BF871221CC9C5D F257523777D033BEE77FC378145F2AD SwitchA pkey key code D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71 01F7C62621216D5A572C379A32AC290 SwitchA pkey key code E55B394A217DA38B6...

Страница 1403: ...an RSA key pair and enable SSH server SwitchB system view SwitchB public key local create rsa SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client will use as t...

Страница 1404: ...authentication type publickey assign publickey Switch001 2 Configure the SSH client Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan int...

Страница 1405: ...guration 1 30 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n Copyright c 2004 2007 Hangzhou H3C Tech Co Ltd All rights reserved Without the owner s prio...

Страница 1406: ...lso server as an SFTP client enabling a user to login from the device to a remote device for secure file transfer 2 2 Configuring an SFTP Server 2 2 1 Configuration Prerequisites z You have configured...

Страница 1407: ...connection exceeds the specified threshold the system automatically tears the connection down so that a user cannot occupy a connection for nothing Follow these steps to configure the SFTP connection...

Страница 1408: ...remote SFTP server and enter SFTP client view Follow these steps to enable the SFTP client To do Use the command Remarks Establish a connection to the remote IPv4 SFTP server and enter SFTP client vie...

Страница 1409: ...a1 sha1 96 Required Execute the command in user view Change the working directory of the remote SFTP server cd remote path Optional Return to the upper level directory cdup Optional Display the curren...

Страница 1410: ...in user view Change the name of a specified file on the SFTP server rename old name new name Optional Download a file from the remote server and save it locally get remote file local file Optional Up...

Страница 1411: ...ist of all commands or the help information of an SFTP client command help all command name Required 2 3 6 Terminating the Connection to the Remote SFTP Server Follow these steps to terminate the conn...

Страница 1412: ...chB public key local create rsa SwitchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client uses as the destination for SSH connection SwitchB interface Vlan interface...

Страница 1413: ...A Vlan interface1 quit SwitchA quit Establish a connection to the remote SFTP server and enter SFTP client view SwitchA sftp 192 168 0 1 Input Username client001 Trying 192 168 0 1 Press CTRL K to abo...

Страница 1414: ...ogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Rename directory new1 to new...

Страница 1415: ...ig cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new...

Страница 1416: ...e Exchange between a MCE and a Site 2 4 2 2 1 Configuring Route Exchange between a MCE and a Site 2 4 2 2 2 Configuring to Use Static Routes between a MCE and a Site 2 5 2 2 3 Configuring to Use RIP b...

Страница 1417: ...ovides flexible networking modes excellent scalability and convenient support for MPLS QoS and MPLS TE Hence it is widely used The BGP MPLS VPN model consists of three kinds of devices z Customer edge...

Страница 1418: ...ected rather than all VPN routing information on the provider network A P router maintains only routes to PEs It does not need to know anything about VPN routing information When VPN traffic travels o...

Страница 1419: ...e Each VPN instance contains the VPN membership and routing rules of the corresponding site If a user at a site belongs to multiple VPNs at the same time the VPN instance of the site contains informat...

Страница 1420: ...c IPv4 address prefix you make it a globally unique VPN IPv4 address prefix An RD can be related to an autonomous system AS number in which case it is the combination of an AS number and a discretiona...

Страница 1421: ...through a CE as shown in Figure 1 1 With the users increasing demand for service segmentation and security a private network may be divided into multiple VPNs and the users of different VPN are usual...

Страница 1422: ...to also to bind the interfaces sub interfaces to the VPNs on PE 1 in the same way as those on the MCE device The MCE device is connected to PE 1 through a trunk which permits packets of VLAN 2 and VLA...

Страница 1423: ...cesses to VPN instances With the same binding configured on CE and site private network routes of different VPNs can be exchanged between CEs and sites through different RIP processes thus isolating a...

Страница 1424: ...s for different VPN instances on each MCE It is recommended that a VPN be assigned the same route tag on multiple MCEs IV IS IS Similar to those in OSPF IS IS processes can be bound to VPN instances f...

Страница 1425: ...t VPN routing information can be transmitted by performing relatively simple configurations between CE and PE such as importing the VPN routing entries on MCE devices to the routing table of the routi...

Страница 1426: ...h to MCE Create a VPN instance Required See 2 1 3 Creating a VPN Instance Associate the VPN instance with an interface Required See 2 1 4 Associating an VPN Instance with an Interface Configure the ro...

Страница 1427: ...onship between the VPN instance and a VPN Table 2 3 Create a VPN instance Operation Command Description Enter system view system view Create a VPN instance and enter VPN instance view ip vpn instance...

Страница 1428: ...vertising VPN routes is as follows z When the switch learns a VPN route from a site and injects it into BGP BGP associates the route with a VPN target extended community attribute list which is normal...

Страница 1429: ...N target specified for a VPN instance on the MCE device must be same as that specified for the VPN instance on the PE device 2 2 Configuring Route Exchange between a MCE and a Site 2 2 1 Configuring R...

Страница 1430: ...rmal static route 2 2 3 Configuring to Use RIP between a MCE and a Site A RIP process can be bound to only one VPN instance RIP processes not bound to any VPN instances belong to the public network Ta...

Страница 1431: ...ional By default the OSPF domain ID is 0 This operation is performed on the MCE device As for the corresponding configuration on the site you can just enable OSPF as usual Note z Router IDs of the pub...

Страница 1432: ...ring to Use EBGP between a MCE and a Site 1 Configuration on the MCE device Table 2 11 Configure an MCE device Operation Command Description Enter system view system view Enter BGP view bgp as number...

Страница 1433: ...TH attribute can be used for route loop detect With EBGP running between a MCE and a site the routes advertised by an MCE device to the site carry the local AS number So do the routes advertised by th...

Страница 1434: ...E 2 3 1 Configuring Route Exchange between a MCE and a PE Table 2 13 Configure route exchange between a MCE and a PE Operation Description Related section Define a static route for a VPN instance See...

Страница 1435: ...ion text Required By default for a static route the preference value is 60 the tag value is 0 and no description information is configured Set the default preference value of static routes ip route st...

Страница 1436: ...e tag tag Required By default RIP does not import routes from other protocols 2 3 4 Configuring to Use OSPF between a MCE and a PE When configuring to use OSPF between a MCE and a PE you need to confi...

Страница 1437: ...importing routes of other protocols you can specify the default cost value for the imported routes as well You can also apply filter policies for imported routes Table 2 17 Configure IS IS to import...

Страница 1438: ...id med med value route policy route policy name Required The MCE device must import routes of the local site to the VPN routing table in order to advertise these routes to the PE device Apply a filter...

Страница 1439: ...the BGP VPNv4 routing information of a specified VPN instance display bgp vpnv4 vpn instance vpn instance name routing table network address mask mask length longer prefixes as path acl as path acl nu...

Страница 1440: ...displayed For information about the commands used to display routing protocol configuration see relevant chapters in the IPv4 Routing module of this manual 2 5 MCE Configuration Example 2 5 1 MCE Con...

Страница 1441: ...the MCE device with the RD values of the two VPN instances being 10 1 and 20 1 Configure the VPN target values of the two VPN instances as 10 1 and 20 1 for both the import and export extended commun...

Страница 1442: ...bled You can configure to use static routes between MCE and a site Configuration on VR1 Assume VR1 is an S3610 switch configure IP address 10 214 10 2 24 for the interface connecting to MCE and IP add...

Страница 1443: ...0 VR2 rip 20 network 192 168 10 0 VR2 rip 20 network 10 0 0 0 Display the information about the routes of VPN2 on MCE MCE rip 20 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinat...

Страница 1444: ...ss to VPN1 and set the OSPF domain ID to 10 MCE Ethernet1 0 3 quit MCE ospf 10 router id 101 101 10 1 vpn instance vpn1 MCE ospf 10 domain 10 Advertise the network segment 10 214 10 0 within Area0 and...

Страница 1445: ...es the configuration PE display ip routing table vpn instance vpn2 display ip routing table vpn instance vpn2 Routing Tables vpn2 Destinations 6 Routes 6 Destination Mask Proto Pre Cost NextHop Interf...

Страница 1446: ...e procedure of enabling OSPF in the two VPN instances and advertising the network segments is the same as that in normal OSPF and is omitted Create OSPF process 10 for MCE and bind OSPF process 10 to...

Страница 1447: ...tHop Interface 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 10 100 20 0 24 Direct 0 0 10 100 20 1 Vlan3 10 100 20 1 32 Direct 0 0 127 0 0 1 InLoop0 172 16 20 0 24...

Страница 1448: ...100 10 2 Vlan2 For VPN2 perform the configurations similar to the above on MCE and PE to import the OSPF routing information of VPN2 to the EBGP routing table Configuration procedures are omitted here...

Страница 1449: ...M Connection Establishment 1 2 1 1 3 Standards and Protocols 1 4 1 2 OAM Configuration 1 5 1 2 1 OAM Configuration Task List 1 5 1 2 2 Configuring Basic OAM Basic Functions 1 5 1 2 3 Configuring the P...

Страница 1450: ...e last mile By enabling Ethernet OAM on two devices connected by a point to point connection you can monitor the link status of the link between the two devices Ethernet OAM provides the following fun...

Страница 1451: ...Us are used for link monitoring They are sent as an alarm in case a failure occurs to the link connecting the local OAM entity and a remote OAM entity z Loopback control OAMPDUs are used for remote lo...

Страница 1452: ...esponding to Loopback Control OAMPDUs Available if both sides operate in active OAM mode Available Transmitting organization specific OAMPDUs Available Available After an OAM connection is established...

Страница 1453: ...radually The flag field defined in OAMPDUs allows an OAM entity to send error information to its peer It can identify the following link faults z Link Fault Peer link signal is lost z Dying Gasp An un...

Страница 1454: ...view system view Enter Ethernet port view interface interface type interface number Set OAM operating mode oam mode active passive Optional The default is active OAM mode Enable OAM on the current por...

Страница 1455: ...cond Configure the threshold for error frame event detection oam errored frame threshold threshold value Optional The default is 1 Configure the period for frame percentage error event detection oam e...

Страница 1456: ...stem first uses the following expression to convert the period for frame percentage error event detection to the maximum number of 64 byte frames that can be transmitted through an Ethernet port in th...

Страница 1457: ...is disabled all the ports involved will be shut down and then brought up z OAM loopback testing is disabled when you execute the undo oam enable command to disable OAM when you execute the undo oam l...

Страница 1458: ...1 0 1 to operate in passive OAM mode and enable OAM for it DeviceA system view DeviceA interface ethernet 1 0 1 DeviceA Ethernet1 0 1 oam mode passive DeviceA Ethernet1 0 1 oam enable DeviceA Ethernet...

Страница 1459: ...stem view DeviceB interface ethernet 1 0 1 DeviceB Ethernet1 0 1 oam enable DeviceB Ethernet1 0 1 quit Display OAM link error event statistics DeviceB display oam link event remote Port Ethernet1 0 1...

Страница 1460: ...DLDP Mode 1 11 1 2 3 Setting the Interval for Sending Advertisement Packets 1 11 1 2 4 Setting the DelayDown Timer 1 12 1 2 5 Setting the Port Shutdown Mode 1 13 1 2 6 Configuring DLDP Authentication...

Страница 1461: ...DLDP z DLDP Configuration Example z Troubleshooting 1 1 Overview A special kind of links namely unidirectional links may occur in a network When a unidirectional link appears the local device can rec...

Страница 1462: ...ut down the related port automatically or prompt users to take measures as configured to avoid network problems As a data link layer protocol DLDP cooperates with physical layer protocols to monitor t...

Страница 1463: ...normally with all its neighbors in both directions or DLDP remains in active state for more than five seconds It is the normal state where no unidirectional link is detected Probe A device enters this...

Страница 1464: ...r an enhanced detect is launched When the Echo waiting timer expires and no Echo packet is received from a neighbor device the link is set as a unidirectional link and the device transits to the Disab...

Страница 1465: ...Inactive state when it detects a port down event When a device transits to this state the DelayDown timer is triggered The setting of the timer ranges from 1 to 5 in seconds A device in DelayDown sta...

Страница 1466: ...DLDP mode however Port A tests Port B after the Entry timer concerning Port B expires Port A then transits to the Disable state if it receives no Echo packet from Port A when the Echo timer expires A...

Страница 1467: ...ation In this mode before sending a packet the sending side encrypts the user configured password using MD5 algorithm assigns the digest to the Authentication field and sets the Authentication type fi...

Страница 1468: ...no process is performed Flush packet Determines whether or not the local port is in Disable state If not removes the corresponding neighbor entry if any If the corresponding neighbor entry does not e...

Страница 1469: ...he neighbor Processing procedure In normal mode no echo packet is received when the Echo timer expires In enhanced mode no echo packet is received when the enhanced timer expires DLDP transits to the...

Страница 1470: ...DP State Optional Note that z DLDP works only when the link is up z To ensure unidirectional links can be detected make sure these settings are the same on the both sides DLDP state enabled disabled t...

Страница 1471: ...d in Ethernet port view applies to the current port only The configuration performed in port group view applies to all the ports in the port group Enable DLDP dldp enable Required Disabled on a port b...

Страница 1472: ...able DLDP to operate properly make sure the intervals for sending Advertisement packets on both sides of a link are the same 1 2 4 Setting the DelayDown Timer On some ports when the Tx line fails the...

Страница 1473: ...t shutdown mode To do Use the command Remarks Enter system view system view Set port shutdown mode dldp unidirectional shutdown auto manual Optional auto by default Caution z On a port with both remot...

Страница 1474: ...after you reset DLDP state for it That is it can be in Inactive state if the port is physically down or in Active state if the port is physically up after you reset DLDP state for it Caution z The co...

Страница 1475: ...P state dldp reset Required 1 3 Displaying and Maintaining DLDP To do Use the command Remarks Display the DLDP configuration of a port display dldp interface type interface number Available in any vie...

Страница 1476: ...viceA GigabitEthernet1 1 1 dldp enable DeviceA GigabitEthernet1 1 1 interface gigabitethernet 1 1 2 DeviceA GigabitEthernet1 1 2 dldp enable DeviceA GigabitEthernet1 1 2 quit Set the interval for send...

Страница 1477: ...sable state and the links are down which means unidirectional links are detected and the two ports are thus shut down Reset DLDP state for the ports shut down by DLDP DeviceA dldp reset 2 Configuratio...

Страница 1478: ...s Chapter 1 DLDP Configuration 1 18 z DLDP authentication modes passwords on Device A and Device B are not the same Solution Make sure the interval for sending Advertisement packets the authentication...

Страница 1479: ...iguration Example 1 12 1 4 Configuring Transit Node 1 12 1 4 1 Configuration Procedure 1 12 1 4 2 Transit Node Configuration Example 1 13 1 5 Configuring Edge Node 1 14 1 5 1 Configuration Procedure 1...

Страница 1480: ...aintaining RRPP z RRPP Typical Configuration Examples 1 1 RRPP Overview Rapid Ring Protection Protocol RRPP is an Ethernet ring specific link layer protocol It can not only prevent data loop from caus...

Страница 1481: ...cially designed to transfer RRPP packets The ports accessing an RRPP ring on devices belong to the control VLAN of the ring and only these ports can join this VLAN IP address configuration is prohibit...

Страница 1482: ...ll logically deny data VLANs and permit only the packets of the control VLANs z When an RRPP ring is in disconnect state the secondary port of the master node will permit data VLANs that is forward pa...

Страница 1483: ...ring transits into disconnect state until the secondary port receives the Health packet again Note z In an RRPP domain a transit node learns the Hello timer value and the Fail timer value on the mast...

Страница 1484: ...kets to examine the links of the primary ring between the edge node and the assistant edge node Major Fault Assistant edge node initiates Major Fault packets to notify the edge node of a failure when...

Страница 1485: ...node Ring 2 Figure 1 3 Multi domain tangent rings There are two or more rings in the network topology and only one common node between rings In this case you need define an RRPP domain for each ring I...

Страница 1486: ...s case you only need to define an RRPP domain and set one ring as the primary ring and other rings as subrings V Multi domain intersecting rings Device A Device B Device C Device D Device E Master nod...

Страница 1487: ...domain is down Upon the receipt of a Link Down packet the master node releases the secondary port from blocking data VLAN while sending Common Flush FDB packet to notify all the transit nodes the edge...

Страница 1488: ...ge port is activated only when the edge node ensures that no loop will be brought forth when the edge port is activated 1 1 5 Protocols and Standards Related standard RFC 3619 1 2 RRPP Configuration T...

Страница 1489: ...n intersection common port and the two ports that access the same node to the same RRPP ring must not be configured as multi domain intersection common ports at the same time z When configuring multi...

Страница 1490: ...figuration Procedure Follow these steps to configure master node To do Use the command Remarks Enter system view system view Create an RRPP domain and enter its view rrpp domain domain id Required Spe...

Страница 1491: ...ary port and Ethernet 1 0 2 as the secondary port z Set the Hello timer value to 2 seconds and the Fail timer value to 7 seconds II Configuration procedure Sysname system view Sysname rrpp domain 1 Sy...

Страница 1492: ...gured for an RRPP domain must be a new one z Control VLAN configuration is required for configuring an RRPP ring z To use the undo rrpp domain command to remove an RRPP domain you must ensure the RRPP...

Страница 1493: ...d specify the primary port and the secondary port ring ring id node mode transit primary port interface type interface number secondary port interface type interface number level level value Required...

Страница 1494: ...working requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit node of primary ring 1 in RRPP domain 1 Ethernet 1 0 1 as the primary...

Страница 1495: ...mode transit primary port interface type interface number secondary port interface type interface number level level value Required Specify the current device as the assistant edge node of the subring...

Страница 1496: ...6 2 Assistant Edge Node Configuration Example I Networking requirements z Specify the device in RRPP domain 1 z Set VLAN 4092 as the control VLAN z Specify the device as the transit node of primary r...

Страница 1497: ...pical Configuration Examples This section covers these topics z Configuring Single Ring Topology z Configuring Intersecting Ring Topology 1 8 1 Configuring Single Ring Topology I Networking requiremen...

Страница 1498: ...ng on the device z Enable the RRPP ring z Enable RRPP III Configuration procedure 1 Perform the following configuration on Device A Device A system view Device A rrpp domain 1 Device A rrpp domain1 co...

Страница 1499: ...to view RRPP configuration 1 8 2 Configuring Single Domain Intersecting Ring Topology I Networking requirements z Device A Device B Device C and Device D constitute RRPP domain 1 z VLAN 4092 is the co...

Страница 1500: ...omain z Specify the node mode of a device on an RRPP ring and the ports accessing the RRPP ring on the device z Enable these two RRPP rings z Enable RRPP III Configuration procedure 1 Perform the foll...

Страница 1501: ...e common port ethernet 1 0 1 edge port ethernet 1 0 3 Device C rrpp domain1 ring 1 enable Device C rrpp domain1 ring 2 enable Device C rrpp domain1 quit Device C rrpp enable 4 Perform the following co...

Страница 1502: ...et 1 0 2 is a multi domain intersection common port z Device C is a transit node on primary ring 1 in RRPP domain 1 and a transit node on primary ring 2 in RRPP domain 2 and Ethernet 1 0 2 is a multi...

Страница 1503: ...g configuration on Device B Device B system view Device B rrpp domain 1 Device B rrpp domain1 control vlan 4090 Device B rrpp domain1 ring 1 node mode transit primary port ethernet 1 0 1 secondary por...

Страница 1504: ...pp domain1 quit Device D rrpp enable 5 Perform the following configuration on Device E Device E system view Device E rrpp domain 2 Device E rrpp domain2 control vlan 4092 Device E rrpp domain2 ring 2...

Страница 1505: ...licy 1 5 1 4 1 Configuration Prerequisites 1 5 1 4 2 Configuration Procedure 1 6 1 5 Displaying and Maintaining SSL 1 6 1 6 Troubleshooting SSL 1 6 1 6 1 SSL Handshake Failure 1 6 Chapter 2 HTTPS Conf...

Страница 1506: ...d during the handshake phase z Authentication SSL supports authenticating both the server and the client through certificates with the authentication of the client being optional z Reliability SSL use...

Страница 1507: ...server and the SSL client Complete the following tasks to configure SSL Task Remarks Configuring an SSL Server Policy Required Configuring an SSL Client Policy Optional 1 3 Configuring an SSL Server P...

Страница 1508: ...t wait by default Set the maximum number of cached sessions and the caching timeout time session cachesize size timeout time Optional The defaults are as follows 500 for the maximum number of cached s...

Страница 1509: ...name system view Sysname pki entity en Sysname pki entity en common name http server1 Sysname pki entity en fqdn ssl security com Sysname pki entity en quit Create a PKI domain and configure it Sysnam...

Страница 1510: ...sname ip https ssl server policy myssl Enable HTTPS service Sysname ip https enable 4 Verify your configuration Launch IE on the host and enter https 10 1 1 1 in the address bar You should be able to...

Страница 1511: ...refer cipher rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional rsa_rc4_128_md5 by default Specify the SSL protocol version for the SSL client policy version ssl3 0 tls1 0 Op...

Страница 1512: ...m z If the SSL server has no certificate request one for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to...

Страница 1513: ...yer SSL protocol The SSL protocol of HTTPS enhances the security of the device in the following ways z Uses the SSL protocol to ensure the legal clients to access the device securely and prohibit the...

Страница 1514: ...cy policy name Required Not associated by default Note z If the ip https ssl server policy command is executed repeatedly the HTTPS service is only associated with the last specified SSL server policy...

Страница 1515: ...ication process takes much time the SSL negotiation may fail and the HTTPS service cannot be started normally Therefore the ip https enable command must be executed for multiple times to ensure normal...

Страница 1516: ...in at least one permit rule Otherwise no HTTPS client can log onto the device z For the configuration of an SSL server policy refer to PKI Configuration 2 6 Associating the HTTPS Service with an ACL A...

Страница 1517: ...n this configuration example Windows Server serves as CA and you need to install Simple Certificate Enrollment Protocol SCEP component II Network diagram Figure 2 1 Network diagram for HTTPS configura...

Страница 1518: ...y enable Switch ssl server policy myssl quit 3 Configure certificate access control policy Configure certificate attribute group Switch pki certificate attribute group mygroup1 Switch pki cert attribu...

Страница 1519: ...s Chapter 2 HTTPS Configuration 2 7 Launch the IE explorer on Host and enter https 10 1 1 1 You can log onto Switch and control it Note z For details of PKI commands refer to PKI Commands z For detail...

Страница 1520: ...in Auto Mode 1 8 1 5 2 Submitting a Certificate Request in Manual Mode 1 9 1 6 Retrieving a Certificate Manually 1 10 1 7 Configuring PKI Certificate Validation 1 11 1 8 Destroying a Local RSA Key Pai...

Страница 1521: ...ion and public keys PKI allows users to request certificates use certificates and revoke certificates By leveraging digital certificates and relevant services like certificate distribution and blackli...

Страница 1522: ...nd function an effective way for checking the validity of certificates A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degra...

Страница 1523: ...es keys CRLs and logs while providing a simple query function LDAP is a protocol for accessing and managing PKI information An LDAP server stores user information and digital certificates from the RA...

Страница 1524: ...n and issues a certificate 4 The RA receives the certificate from the CA sends it to the LDAP server to provide directory navigation service and notifies the entity that the certificate is successfull...

Страница 1525: ...where www is a host name and whatever com a domain name z IP address of the entity z Locality where the entity resides z Organization to which the entity belongs z Unit of the entity in the organizati...

Страница 1526: ...he data length of a certificate request If the entity DN in a certificate request goes beyond a certain limit the server does not respond to the certificate request 1 4 Configuring a PKI Domain Before...

Страница 1527: ...deployed to store certificates and CRLs If this is the case you need to configure the IP address of the LDAP server z Fingerprint for root certificate validation Upon receiving the root certificate o...

Страница 1528: ...No fingerprint is configured by default Note z Currently up to two PKI domains can be created on a device z The CA name is required only when you retrieve a CA certificate It is not used when in loca...

Страница 1529: ...erating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the...

Страница 1530: ...icate stored locally z When it is impossible to request a certificate from the CA through SCEP you can save the request information by using the pki request certificate domain command with the pkcs10...

Страница 1531: ...cate and local certificate first z The pki retrieval certificate configuration will not be saved in the configuration file 1 7 Configuring PKI Certificate Validation A certificate needs to be validate...

Страница 1532: ...eval crl domain domain name Required Verify the validity of a certificate pki validate certificate ca local domain domain name Required II Configuring CRL checking disabled PKI certificate validation...

Страница 1533: ...ire you can destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Use the command Remarks Enter system view system v...

Страница 1534: ...alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject nam...

Страница 1535: ...ired when you use the Windows Server as the CA In this case when configuring the PKI domain you need to use the certificate request from ra command to specify that the entity requests a certificate fr...

Страница 1536: ...iction configuration page of the CA server This includes selecting the proper extension profiles enabling the SCEP autovetting function and adding the IP address list for SCEP autovetting 3 Configure...

Страница 1537: ...rsa certificate request entity aaa Configure the URL for the CRL distribution point Switch pki domain torsa crl url http 4 4 4 133 447 myca crl Switch pki domain torsa quit 3 Generate a local key pair...

Страница 1538: ...Use the following command to view information about the local certificate acquired Switch display pki certificate local domain torsa Certificate Data Version 3 0x2 Serial Number 9A96A48F 9A509FD7 05F...

Страница 1539: ...B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands to view detailed information about the CA certificate and CRLs Refer to the parts related to display pki certificate...

Страница 1540: ...rules The first rule defines that the DN of the subject name includes the string aabbcc and the second rule defines that the IP address of the certificate issuer is 10 0 0 1 Switch pki certificate att...

Страница 1541: ...e Switch ip https certificate access control policy myacp Enable HTTPS service Switch ip https enable 1 13 Troubleshooting PKI 1 13 1 Failed to Retrieve a CA Certificate I Symptom Failed to retrieve a...

Страница 1542: ...e required parameters of the entity DN are not configured III Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Regenerate a key pair z Specify a trus...

Страница 1543: ...tches Chapter 1 PKI Configuration 1 23 III Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LADP server z Specify the U...

Страница 1544: ...Operation Manual Appendix H3C S3610 S5510 Series Ethernet Switches Table of Contents i Table of Contents Appendix A Acronyms A 1...

Страница 1545: ...ackup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DHCP Dynamic Host Configuration Protocol DLDP Device Link Detection Protocol DR Designated Router...

Страница 1546: ...Edge MIB Management Information Base N NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM O OAM Operation Administration and Maintenance...

Страница 1547: ...ets Layer STP Spanning Tree Protocol T TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VL...

Результаты поиска

Содержание S3610-28F

Отзывы:

Похожие инструкции для S3610-28F

Бренды по названию

Популярные бренды

H3C S3610-28F, Руководство по эксплуатации

Результаты поиска

Содержание S3610-28F

Отзывы:

Похожие инструкции для S3610-28F

Бренды по названию

Популярные бренды