manualshive.com logo in svg

Zte ZXR10 8900 Series, Руководство пользователя, Страница: 169 / 186

Поделиться
Скачать
Zte ZXR10 8900 Series Скачать руководство пользователя страница 169

C h a p t e r

17

URPF Configuration

Table of Contents

URPF Overview................................................................ 157
Configuring URPF............................................................. 158
URPF Configuration Example ............................................. 159
URPF Maintenance and Diagnosis....................................... 160

URPF Overview

URPF

serves to prevent attacks with source address spoofing to

the network. Term "Reverse" is relative to normal route search. A
router will get destination address of the packet and search for a
route to the destination once it receives a packet. It will forward
the packet if such a route is found or simply discard the packet if
there is no available route to the destination.

Working Principle

URPF gets the source address and ingress interface of the packet
and uses source address as destination address to look up in the
forwarding table and see if the interface corresponding to the
source address matches the ingress interface.

When interface

does not match the ingress interface, it will regard source address
as a false address and then discard the packet. In this way, URPF
can effectively prevent malicious attacks by modifying the source
address to the network.

Module 1

A simple network module is shown in

Figure 37

.

F

IGURE

37 S

OURCE

A

DDRESS

S

NOOPING

1

When S1 uses a packet with a false source address 2.2.2.1 to
initiate a request to Server S2 which will send the packet to real
address 2.2.2.1 (that is, S3) while responding to the request. This
illegal packet will attack both S2 and S3.

Attackers may wage an attack by randomly changing source ad-
dress in the packet. In this example, source address is one of
reserved non-global IP addresses and thus is unreachable. A legal

Confidential and Proprietary Information of ZTE CORPORATION

157

Содержание ZXR10 8900 Series

Страница 1: ...nual Basic Configuration Volume Version 2 8 02 C ZTE CORPORATION ZTE Plaza Keji Road South Hi Tech Industrial Park Nanshan District Shenzhen P R China 518057 Tel 86 755 26771900 Fax 86 755 26770801 URL http ensupport zte com cn E mail support zte com cn ...

Страница 2: ...rchantability fitness for a particular purpose title or non in fringement ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the information contained herein ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications covering the subject matter of this document Except as expressly provided in any...

Страница 3: ... 15 System Management 17 File System Management 17 File System Overview 17 Operating File System Management 18 FTP TFTP Connection Configuration 19 Configuring a Switch as FTP Client Terminal 20 Configuring a Switch as TFTP Client Terminal 21 File Backup and Restoration 23 Backing up Configuration File 23 Restoring Configuration File 23 Backing up System Software Version 23 Restoring System Softwa...

Страница 4: ...ssification 37 CLI Privilege Classification Overview 37 Configuring CLI Privilege Classification 38 Configuring Telnet User 38 Configuring an Enabling Password 39 Configuring Privilege Level of a Command 40 CLI Privilege Classification Configuration Example 42 Maintenance and Diagnosis of CLI Privilege Classification 42 Port Configuration 43 Port Basic Configuration 43 Port Basic Configuration Ove...

Страница 5: ...ation Example 55 Port Loop Detection Configuration 56 Port Loop Detection Overview 56 Configuring Port Loop Detection 56 Port Loop Detection Configuration Example 57 Network Protocol Configuration 59 IP Address Configuration 59 IP Address Overview 59 Configuring IP Address 61 IP Address Configuration Example 61 ARP Configuration 61 ARP Overview 61 Configuring ARP 62 ARP Configuration Example 62 AR...

Страница 6: ...guring ACLs 79 Defining ACLs 79 Defining Standard ACL 79 Defining Extended ACL 80 Defining Layer 2 ACL 81 Defining Hybrid ACL 81 Defining Standard IPv6 ACL 82 Defining Extended IPv6 ACL 82 Defining Customized ACL 83 Configuring Time Range 83 Applying ACL to Physical Port 84 Applying ACL to Virtual Port 85 Configuring Event Linkage ACL Rule 85 Applying NP Based ACL 87 ACL Configuration Example 88 A...

Страница 7: ...guring Queue Based Bandwidth Upper and Lower Threshold 103 Configuring HQoS 103 Configuring Traffic Class 103 Configuring WRED Policy 104 Configuring WFQ Policy 105 Configuring Traffic Shaping 105 Configuring HQoS Policy 106 QoS Configuration Examples 109 Typical QoS Configuration Example 109 Policy Routing Configuration Example 111 QoS Maintenance and Diagnosis 111 DOT1x Configuration 113 DOT1x O...

Страница 8: ...P Configuration Example 130 RADIUS Configuration 130 Radius Overview 130 Configuring a RADIUS Accounting Group 130 Configuring a RADIUS Authentication Group 131 Configuring RADIUS Parameters 131 Viewing RADIUS Information 132 RADIUS Configuration Example 132 SNMP Configuration 133 SNMP Overview 133 Configuring SNMP 133 SNMP Configuration Example 134 RMON Configuration 134 RMON Overview 134 Configu...

Страница 9: ...BAS Configuration Example 150 VBAS Maintenance and Diagnosis 150 CPU Attack Protection Configuration 151 CPU Attack Protection Overview 151 CPU Attack Protection Principle 152 Configuring CPU Attack Protection 152 Configuring IPv4 Protocol Protection 152 Configuring IPv6 Protocol Protection 153 Configuring Layer 2 Protocol Protection 154 CPU Attack Protection Configuration Examples 154 URPF Config...

Страница 10: ...ddress and L4 Port ID 164 Setting Source Address for Network Device Sending Packets 164 Setting Template Refresh Rate 164 Configuring TOPN 165 Template Configuration 165 Setting Template 165 Setting Data Field Contained in Template Packet 165 Deleting Template 165 Running Template 165 IPFIX Configuration Example 166 IPFIX Maintenance and Diagnosis 166 Figures 169 Tables 171 List of Glossary 173 ...

Страница 11: ...hapter describes CLI privilege classification and configuration on ZXR10 8912 8908 8905 8902 Chapter 5 Port Configuration This chapter describes the configuration of ZXR10 8912 8908 8905 8902 port parameters and port mirroring function Chapter 6 Network Protocol Configuration This chapter describes IP address configuration and ARP configuration Chapter 7 DHCP Configuration This chapter introduces ...

Страница 12: ...r introduces URPF Unicast Reverse Path Forwarding and related configuration on ZXR10 8912 8908 8905 8902 Chapter 18 UDLD Configuration This chapter describes UDLD and configu ration on ZXR10 8912 8908 8905 8902 Related Documentation The following documentation is related to this manual ZXR10 8900 Series V2 8 02 C 10 Gigabit Routing Switch Hardware Installation Manual ZXR10 8900 Series V2 8 02 C 10...

Страница 13: ...ersonal injury or equipment damage Safety precautions introduced in this manual are supplementary to the local safety codes ZTE bears no responsibility in case of universal safety oper ation requirements violation and safety standards violation in designing manufacturing and equipment usage Safety Description Contents deserving special attention during configuration of ZXR10 8900 series switch are...

Страница 14: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 2 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 15: ...configuration modes as shown in Figure 1 User can select appropriate configuration mode according to the connected network FIGURE 1 CONFIGURATION MODES Serial interface connection configuration TELNET connection configuration SSH connection configuration FTP TFTP connection configuration SNMP connection configuration Confidential and Proprietary Information of ZTE CORPORATION 3 ...

Страница 16: ... 8900 series switch Serial connection configuration adopts VT100 terminal mode using the HyperTerminal tool provided by Windows OS To configure serial interface connection perform the following steps 1 Connect the computer serial port to Console port of ZXR10 8900 series switch with serial configuration cable 2 Open the HyperTerminal as shown in Figure 2 Input the con nection name such as ZXR10 an...

Страница 17: ...TERMINAL CONFIGURATION 2 4 Click Ok COM port attribute setup window appears as shown in Figure 4 Fill in the parameter values as shown in Table 3 FIGURE 4 HYPERTERMINAL CONFIGURATION 3 Confidential and Proprietary Information of ZTE CORPORATION 5 ...

Страница 18: ...l users from accessing the switch by Telnet Only the users with valid username and password could login to the device Use the following command to configure username and password Command Function ZXR10 config username username password password This configures username and password of Telnet login Configuring Telnet Connection through Management Port To configure telnet connection through manageme...

Страница 19: ...ra tion mode Note ZXR10 8900 series switch allows up to four Telnet users logging in simultaneously If appears after inputting username and password it indicates that the number of users reaches the limit please retry later or re login after logging out other users When users perform Telnet configuration through management port connecting to the switch the IP address of management port cannot be m...

Страница 20: ...P address of VLAN and VLAN interface through Con sole port 2 Configure username and password of Telnet login through Con sole port 3 Take a router connected to a switch as an example from which the IP address of VLAN interface can be pinged successfully 4 Run telnet command in the router Input the IP address of VLAN interface login to the switch For the detailed proce dures please refer to Configu...

Страница 21: ... solve the problem SSH establishes a se cure channel for remote login and other network services in the insecure network It encrypts and compresses the transmitted data that prevents people from getting secret information Two incompatible versions of SSH protocols are available SSH v1 x SSH v2 x ZXR10 8900 series switch supports SSH v2 0 It provides secure remote login function SSH falls into two ...

Страница 22: ... port of the switch Enable the host to ping the IP address of VLAN interface in the switch 3 Run SSH client terminal software in the host i Set the IP address and port number of SSH server as shown in Figure 8 FIGURE 8 SETTING IP ADDRESS AND PORT OF SSH SERVER ii Set SSH version as shown in Figure 9 10 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 23: ...adopts management based on server and client terminal Background NM server serves as the SNMP server and the fore ground network equipment ZXR10 8900 series switch serves as SNMP client terminal Foreground and background share the same MIB management database performing communication by SNMP protocol Background NM server needs installation of NM software that sup ports SNMP protocol It performs ma...

Страница 24: ...e b yname by name Global configuration mode VLAN database configuration ZXR10 vlan vlan database Privileged EXEC mode VLAN configuration ZXR10 config vlan vlan vlan id vlan name Global configuration mode VLAN interface configuration ZXR10 config if interface vlan vlan id v lan if Global configuration mode MSTP configuration ZXR10 config mstp spanning tree mst configuration Global configuration mod...

Страница 25: ...r bgp as number Global configuration mode BGP address family configuration ZXR10 config router af address family vpnv4 Route BGP configuration mode address family ipv4 vrf vrf name BGP route configuration mode PIM SM route configuration ZXR10 config router router pimsm Global configuration mode Route map configuration ZXR10 config route map route map map tag permi t deny sequence number Global con...

Страница 26: ...race Trace route to destination who List users who is logining on ZXR10 Input a question mark following character or character string the list of commands or key words with the character or character string as the prefix are displayed For example ZXR10 co configure copy ZXR10 co Note There is no space between character Character string and the question mark Press Tab after the character if the com...

Страница 27: ...ncomplete command ZXR10 At the end of the above example system prompts that com mand is incomplete This indicates requirement of other key words or parameters Note All commands in the command line operation are case insensitive Command Abbreviation ZXR10 8900 series switch allows abbreviating commands and key word to character or character string identifying the command or key word uniquely For ex...

Страница 28: ... This recalls commands in the history buffer in a forward sequence Press Ctrl N or This recalls commands in the history buffer in a backward sequence In the privileged mode use show history command to list the recently used commands 16 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 29: ...tem mapping files that is image files are stored under this directory The extended name of the image files is zar The image files are dedicated compression files Version upgrade means to change the corresponding image files under the directory Note Default name of ZXR10 8900 series switch software version file is zxr10 zar If it uses other names boot Path must be modified in boot status Otherwise ...

Страница 30: ...rm the following steps Step Command Function 1 ZXR10 copy source device source file destination device destination file This copies files between Flash and FTP TFTP server 2 ZXR10 pwd This displays current directory path 3 ZXR10 dir directory This displays files subdirectory information under a designated directory 4 ZXR10 delete filename This deletes the files under the a designated directory of ...

Страница 31: ...information and the directory ABC can be successfully added Directory of flash attribute size date time name 1 drwx 512 MAY 17 2004 14 22 10 IMG 2 drwx 512 MAY 17 2004 14 38 22 CFG 3 drwx 512 MAY 17 2004 14 38 22 DATA 4 drwx 512 MAY 17 2004 15 40 24 ABC 65007616 bytes total 48861184 bytes free ZXR10 rmdir ABC Delete the subdirectory ABC ZXR10 dir Check the current directory information and the dir...

Страница 32: ...ckground host A window appears as shown in Figure 10 FIGURE 10 WFTPD WINDOW 2 Click Security select User Rights and perform the fol lowing operations i Click New Use to create a new user such as target with password enabled ii Select user name target in the drop down list of User Name iii Input the directory saving version files or configuration files in the Home Directory box such as D IMG After ...

Страница 33: ... file and import export configuration Configuring a Switch as TFTP Client Terminal Prerequisites Enable TFTP server software in the background host and switch communication as client terminal Context To configure a switch serving as TFTP client terminal perform the following steps Steps 1 Run TFTPD software in the background host A window appears as shown in Figure 12 Confidential and Proprietary ...

Страница 34: ... appears Click Browse and select the file saving version files or configuration files such as D IMG After configuration is completed a dialog box appears as shown in Figure 13 FIGURE 13 CONFIGURATION DIALOG BOX 3 Click OK to complete setting END OF STEPS 22 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 35: ...es in FLASH to background TFTP server ZXR10 copy flash cfg startrun dat tftp 168 1 1 1 startrun dat Restoring Configuration File To restore configuration files use the following command Command Function ZXR10 copy source device source file destination de vice destination file This restores configuration files Example This example shows copy command that restores backup config uration files from ba...

Страница 36: ...n upgrade procedures are almost the same please refer to Software Version Upgrade Ststem Software Version Upgrade Software version upgrade is only made when the original version fails to support certain functions Improper operation may lead to upgrade failure and system booting failure Therefore before starting to upgrade the version read related documents to under stand principle operation and up...

Страница 37: ...R10 Boot c clear field go to previous field D quit Boot Location 0 Net 1 Flash 0 0 means booting from background FTP 1 means booting from FLASH Client IP 0 bootp 168 4 168 168 Corresponds to administrative Ethernet port address Netmask 255 255 0 0 Server IP 0 bootp 168 4 168 89 Corresponds to background FTP server address Gateway IP 168 4 168 168 Corresponds to administrative Ethernet port address...

Страница 38: ...he new version file is unavailable it indicates the file copy failure please execute step 6 to re copy the version 8 Restart ZXR10 8900 series switch and follow the methods in step 4 and boot the system from FLASH enabled at this time Boot path is changed into flash img zxr10 zar automatically Note Boot mode is changed to boot from FLASH by using nvram imgfile location local command in global conf...

Страница 39: ...e step 3 to recopy the version 5 After a normal switch boot up check the running version to confirm whether the upgrade is successful or not END OF STEPS Result The version has been updated at normality Upgrading Version without Interrupting System Prerequisites The following requirements are to be completed before users begin software version upgrade Connect the configuration port Console port of...

Страница 40: ...file is unavailable it indicates the copy failure please execute step 3 to recopy the version 5 Copy the new version file in the directory IMG in FLASH to memory with update imgfile command 6 Reboot the secondary board with reload mp slave command 7 Switch over the primary board and secondary card with redu ndancy force command 8 To reboot the interface cards one by one with reload slot board unit...

Страница 41: ...g This sets the greeting words Example This example shows how to configure welcome message upon sys tem boot ZXR10 config banner incoming Enter TEXT message End with the character Welcome to ZXR10 Router World ZXR10 config Configuring a Password of Privileged Mode To prevent an unauthorized user from modifying the configuration use the following command Command Function ZXR10 config enable secret ...

Страница 42: ... switches or when there are multiple version files in a switch the users who perform usual upgrade steps likely feel confused Besides users have to compare the memories that the version files take which is inconvenient When version file is uploading to flash users can specify the direc tory and name of version file and then select the needed version file when booting the switch This is the functio...

Страница 43: ...me and nvram default gateway com mands Example This example shows how to configure booting from local device ZXR10 config nvram imgfile location local This example shows how to configure booting from network ZXR10 config nvram imgfile location network sys img Saving Command Log File A switch can save some log files However after a switch is re booted the log files before rebooting will be lost If ...

Страница 44: ...d log Configuring Saving Time of Alarm Log Event information is kept in system buffer of a switch When the buffer is full system clears the earliest event information If sav ing time is configured system clears corresponding events auto matically when it is time When there are a lot of events and buffer is full before saving time comes events are cleared according to configuration of logging buffe...

Страница 45: ...flash start time 6 12 2008 00 00 01 end time 6 12 2008 23 59 59 This example shows how to save alarm log to flash aaa log ZXR10 config write alarmlog flash start time 06 25 2008 15 03 00 end time 06 25 2008 15 04 45 filename aaa log System Information View System information view includes the following topics Viewing Hardware and Software Versions To view hardware and software versions of the syst...

Страница 46: ...xample This example shows how to view boot information of current run ning board ZXR10 show boot MEC2 panel 1 master Bootrom Version V1 84 Creation Date 2008 6 17 Update Support YES MEC2 panel 2 slave Bootrom Version V1 84 Creation Date 2008 6 17 Update Support YES NPCI panel 12 Bootrom Version V1 83 Creation Date 2008 7 6 Update Support YES Viewing System Diagnosis Information When malfunction oc...

Страница 47: ...nformation CPU usage ratio Process information Queue information IGMP snooping information IP multicast routing table Layer 3 multicast joining information IP multicast forwarding table File information in flash Detailed information of software abnormity Resetting information of main control board Changeover information of active and standby boards Abnormal information of main control board interm...

Страница 48: ... displayed page by page The displayed information is not saved by default Parameter descriptions Parameter Description detail Display detailed system information module module name Display information of designated module begin Display configuration information beginning with designated character or character string exclude Display configuration information excluding designated character or charac...

Страница 49: ...8900 series switch supports CLI privilege classification function There are 16 levels Different users can have different privilege levels The higher privilege level users have the more commands users can use The administrators have the highest level Level 15 Therefore they can set the levels of different commands CLI privilege classification function consists of two parts privilege level maintenan...

Страница 50: ...rivilege level is the same with or higher than the privilege level of a command the user can use the command Configuring CLI Privilege Classification Configuring Telnet User Considering security the privilege level of a user only can be con figured by the administrators That is after a user logs in to the switch the user can not modify own login password and privilege level Administrators do not n...

Страница 51: ...config username test password test privilege 1 When the user telnets to log in to the switch the prompt is shown below Username test Password ZXR10 Note When a user with privilege level 2 15 logs in to the switch the prompt is When a user with privilege level 1 logs in to the switch the prompt is indicating that user should input the enabling password as shown below Username test Password ZXR10 en...

Страница 52: ...change the priv ilege level to 12 the user should input the enabling password as shown below Username test Password this password should be test ZXR10 enable 12 Password this password should be zte ZXR10 Configuring Privilege Level of a Command By configuring privilege levels of commands administrators can control the range of commands that users can use When the privilege level of a user is highe...

Страница 53: ...hen the user goes back to a lower privilege level from a higher privilege level the user does not need to input enabling password 5 View all commands beginning with show with user privilege level of 12 ZXR10 show interface Show interface property and statistics privilege Show current privilege level The result shows that show interface command is added to commands with privilege level of 12 Use sh...

Страница 54: ...s shown below ZXR10 config exit ZXR10 enable 10 ZXR10 show run Building configuration urpf log off Maintenance and Diagnosis of CLI Privilege Classification To configure maintenance and diagnosis of CLI privilege classifica tion perform the following steps Step Command Function 1 ZXR10 show privilege cur mode detail level level node command keywords This views the privilege level of commands in cu...

Страница 55: ...00M and MDI MDIX self adaptive function Default working mode is auto negotiation It negotiates work ing mode and rate with the opposite end devices Gigabit Ethernet electrical interface works in gigabit full duplex mode Duplex mode and rate of the port cannot be configured but auto negotiation mode can be configured 10 gigabit Ethernet optical interface works in 10 gigabit full duplex mode Auto ne...

Страница 56: ...To enable an Ethernet port perform the following steps Step Command Function 1 ZXR10 config interface port name byname by name This accesses port configuration mode 2 ZXR10 config if no shutdown This enables an Ethernet port 3 ZXR10 config if byname by name This sets port byname Note To disable an Ethernet port use shutdown command The shutdown command makes the physical link status of the port ch...

Страница 57: ... following steps Step Command Function 1 ZXR10 config interface port name byname by name This accesses port configuration mode 2 ZXR10 config if duplex half full This configures Ethernet port duplex mode Note Only the Ethernet electrical interface can be configured with duplex mode Before configuring the Ethernet port duplex mode disable auto negotiation function first Configuring Ethernet Port Ra...

Страница 58: ...thernet port uses traffic control to restrain the packets sent to the port in a period of time When the receiving buffer is full a port sends a pause packet notifying the remote port to suspend packet transmission for a period of time Ethernet port can also receive pause packet from other devices and execute operations according to the packet regulation Allowing Jumbo Frame To allow jumbo frame to...

Страница 59: ...his configures Ethernet port broadcast storm suppression Note It is possible to limit the volume of broadcast flow that is al lowed to pass through the Ethernet port System discards the broadcast flow exceeding the set value to lower the rate of broadcast flow to a reasonable range It suppresses broadcast storm and avoids network congestion ensuring normal opera tion of network service Broadcast s...

Страница 60: ...percent percent value value This configures unknown unicast suppression of Ethernet port Enabling Fast Port Detection Function To enable fast port detection function perform the following steps Step Command Function 1 ZXR10 config interface port name byname by name This accesses port configuration mode 2 ZXR10 config if zfid interface port list This enables fast port detection function Note This f...

Страница 61: ...esses port configuration mode 2 ZXR10 config if tcp syn protect rate limit 64 1000000 This configures TCP rate limit Configuring Switch of Optical or Electrical Port To switch optical or electrical port perform the following steps Step Command Function 1 ZXR10 config interface port name byname by name This accesses port configuration mode 2 ZXR10 config if hybrid attribute copper fiber This switch...

Страница 62: ...mode is access pvid 2 Vrpf All Discard Count 0 BW 1000000 Kbits Last clearing of show interface counters never 120 seconds input rate 0 Bps 0 pps 120 seconds output rate 0 Bps 0 pps Interface peak rate input 0 Bps output 0 Bps Interface utilization input 0 output 0 Statistic of input output transmit message including statistic of error message Input Packets 338 Bytes 41572 Unicasts 0 Multicasts 32...

Страница 63: ...t Open Open circuit Short Short circuit Mismatch Circuit impedance mismatched Good The circuit is in good condition Broken the circuit is open or short Unknown The result is unknown or undetected Fail Detection failed If the circuit is faulty test result outputs the circuit fault location If the circuit is in good condition approximate length of the normal circuit is generated To diagnose and test...

Страница 64: ...ng for example mirrored port and the monitoring port can be in different inter face boards here the switch can be configured with one port mirroring at most Monitor the data transmitted or received by the mirrored port only Configuring Port Mirroring To configure port mirroring perform the following steps Step Command Function 1 ZXR10 config monitor session session number This creates a session 2 ...

Страница 65: ...iguration mode Configuration in global configuration mode is shown below ZXR10 config monitor session 1 source gei_1 1 2 gei_2 2 direction rx destination gei_3 3 Port mirroring parameters can be deleted either one by one in in terface configuration or batch in global configuration mode Con figuration to delete the source port parameters of session 1 is shown below ZXR10 config no monitor session 1...

Страница 66: ...AN mirroring FIGURE 16 ERSPAN EXAMPLE ERSPAN implements the following functions mirroring of original traffic and GRE encapsulation on source port device common IP packet forwarding on intermediate device and mirroring on desti nation port device Function implementation on intermediate de vice is not illustrated here Source device Oirt traffic or vlan traffic can be used as source traffic of mirro...

Страница 67: ...le disable tpid 0x8100 ttl ttl_number 128 vlan id vlan id This adds source or destination port to session entry Displaying Session Details Configured by User Command Functions ZXR10 config show monitor session all session n umber This displays session details configured by user ERSPAN Configuration Example FIGURE 17 ERSPAN CONFIGURATION EXAMPLE As shown in Figure 1 set up a tunnel between Switch1 ...

Страница 68: ...ection function based on VLAN that is the switch can detect loop in the VLAN that owns the same PVID with that on the port as well as in the VLAN that users designate On a port it is up to detect loops in 8 VLANs at the same time A port sends a Layer 2 multicast message every 15 seconds If there is a loop on a port the multicast message will go back to the port through which the message is sent Co...

Страница 69: ... a port the switch takes measures according to corresponding configuration If the configuration is block the data flow breaks off The state of the port does not turn down System generates an alarm If the configuration is normal the data flow breaks off and the state of the port turns down System generates an alarm If the configuration is protect the data flow does not break off The state of the po...

Страница 70: ...R10 config loop detect interface gei_1 1 enable ZXR10 config loop detect interface gei_1 1 vlan 1 2 enable ZXR10 config loop detect reopen time 5 The information on gei_1 1 is shown below ZXR10 show loop detect interface gei_1 4 Interface Monitor State VlanRange gei_1 4 YES normal 1 2 The reopen time on gei_1 1 is shown below ZXR10 show loop detect reopen time The reopen time of loop detect 5 minu...

Страница 71: ...t in the network Address Classification IP addresses are divided into five classes A B C D and E Front three classes are commonly used Addresses of class D are net work multicast addresses and addresses of class E are reserved classes Range of each class is shown in Table 5 TABLE 5 IP ADDRESS FOR EACH CLASS Class Prefix Characteristic Bit Network Bit Host Bit Range Class A 0 8 24 0 0 0 0 to 127 25...

Страница 72: ...the host bit IP address is composed of three parts network bit subnet bit and host bit Network bit and subnet bit identify a network uniquely Subnet mask is used to decide which parts of IP address are the network bits subnet bit and host bit The part with the subnet mask being 1 corresponds to the network bit and subnet bit of the IP address Part with the subnet mask being 0 corresponds to the ho...

Страница 73: ... address MAC address when transmitting data to another network device The function of Address Resolu tion Protocol ARP is mapping IP address to physical address to ensure successful communication First the source device broadcast carries the ARP request of desti nation device IP address so all devices in the network will receive this ARP request If a device finds that the IP address in the re ques...

Страница 74: ... address mac address This configures ARP binding on a Layer 3 interface 6 ZXR10 config ip arp inspection vlan vlan id This configures dynamic ARP inspection on a Layer 3 interface 7 ZXR10 config if arp learn This enables ARP learning on a Layer 3 interface 8 ZXR10 config if arp source filtered This configures ARP source filtration on a Layer 3 interface 9 ZXR10 config if ip proxy arp This configur...

Страница 75: ...gnated external VLAN ID and internal VLAN ID use the following command Command Function ZXR10 show arp exvlanID id invlanID id This views ARP entry with designated external VLAN ID and internal VLAN ID Example This example shows how to view ARP table with external VLAN ID of 21 and internal VLAN ID of 31 ZXR10 show arp exvlanID 21 invlanID 31 Arp protect whole is disabled The count is 2 IPAddress ...

Страница 76: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 64 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 77: ... first and sends a DHCP Request message to the server which indi cates it accepts the related configurations 4 Selected DHCP server returns a DHCP Ack message for ac knowledgement By now the host can use the IP address and relevant configuration obtained from the DHCP server for communication DHCP supports three mechanisms for IP address allocation DHCP assigns a permanent IP address to a client D...

Страница 78: ...gally In a DHCP service subnet hosts with legal IP addresses and masks can access this subnet DHCP server may allocate these legal ad dresses to other hosts This causes address confliction To solve the above problems ZXR10 8900 series switch uses DHCP snooping function to prevent bogus DHCP server in a subnet The port connecting with DHCP server must be set as trust port Com bining with dynamic AR...

Страница 79: ... ZXR10 config interface vlan vlan number This enters Layer 3 VLAN interface configuration mode 3 ZXR10 config if ip dhcp mode relay This configures DHCP relay on an interface 4 ZXR10 config if ip dhcp relay server ip address ip dhcp relay agent ip address This configures DHCP relay agent 5 ZXR10 config if ip dhcp relay server ip address security standard This configures IP address of external DHCP...

Страница 80: ... interface 4 ZXR10 config ip dhcp snooping binding mac ad dress vlan vlan id ip address port number expiry time This adds an entry to DHCP Snooping database 5 ZXR10 config ip arp inspection vlan vlan id This configures dynamic ARP inspection DHCP Configuration Examples DHCP Server Configuration Example The switch acts as the DHCP server and default gateway The host obtains IP address through the D...

Страница 81: ...client and server are not in the same sub network the router which connects with users works as a DHCP relay The switch enables DHCP relay function and a single server 10 10 2 2 provides DHCP server function This mode is usually adopted when a lot of hosts require the DHCP service This is shown in Figure 20 FIGURE 20 DHCP RELAY CONFIGURATION EXAMPLE Configuration on the switch ZXR10 config interfa...

Страница 82: ...port FIGURE 21 DHCP SNOOPING PREVENTING FALSE DHCP SERVER Configuration on the switch ZXR10 config interface fei_1 1 ZXR10 config if sw ac vlan 100 ZXR10 config interface fei_1 2 ZXR10 config if sw ac vlan 100 ZXR10 config vlan 100 ZXR10 config vlan ip dhcp snooping ZXR10 config ip dhcp snooping enable ZXR10 config ip dhcp snooping vlan 100 ZXR10 config ip dhcp snooping trust fei_1 1 DHCP Snooping...

Страница 83: ...DHCP server process module 2 ZXR10 show ip local pool pool name This displays configuration information of local address pools 3 ZXR10 show ip interface This displays configuration information of DHCP server relay related to an interface 4 ZXR10 show ip dhcp snooping configure This displays DHPC snooping global configuration information 5 ZXR10 show ip dhcp snooping vlan vlan id This displays conf...

Страница 84: ...information in DHCP Snooping database 8 ZXR10 show ip arp inspection vlan vlanl id This displays configuration information of VLAN that enables dynamic ARP inspection function 9 ZXR10 debug ip dhcp This tracks packet sending and receiving as well as processing on DHCP server relay 72 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 85: ...is interface address may be the address of one of router interfaces or the third party address If the interface address is used a router with the interface address acts as the master router Other routers act as the backup routers The router with high priority is used as the master router if the third party address is used If two routers have the same priority the one that sends VRRP message first ...

Страница 86: ... for sending VRRP advertisements 6 ZXR10 config if vrrp group learn This learns the time interval from primary gateway to send VRRP messages 7 ZXR10 config if vrrp group authentication string This configures authentication character string 8 ZXR10 config if vrrp group out interface interface name This configures the out interface of VRRP messages Note A VRRP group can be configured with multiple v...

Страница 87: ...55 255 0 0 ZXR10_R2 config if vrrp 1 ip 10 0 0 1 Symmetric VRRP Configuration Example Two VRRP groups are booted in this example where PC1 and PC2 use virtual router in Group 1 as default gateway with ad dress 10 0 0 1 PC3 and PC4 use virtual router in Group 2 as default gateway with address 10 0 0 2 R1 and R2 serve as mu tual backup Four hosts cannot communicate with outside world until both rout...

Страница 88: ... ZXR10_R2 config if ip address 10 0 0 2 255 255 0 0 ZXR10_R2 config if vrrp 1 ip 10 0 0 1 ZXR10_R2 config if vrrp 2 ip 10 0 0 2 VRRP Maintenance and Diagnosis To configure maintenance and diagnosis perform the following steps Step Command Function 1 ZXR10 show vrrp group brief interface interface name This displays configuration information of all VRRP groups 2 ZXR10 debug vrrp state packet event ...

Страница 89: ...ditions in an access list one by one The first match determines whether the switch accepts or rejects the packets because the switch stops testing conditions after the first match The order of conditions in the list is critical When there are no conditions matched the switch rejects the packets If there are no restrictions the switch forwards the packet otherwise the switch drops the packet Packet...

Страница 90: ... ACL Type Access List Number Standard ACL The range is from 1 to 99 The expanded range is from 1000 to 1499 Extended ACL The range is from 100 to 199 The expanded range is from 1500 to 1999 Layer 2 ACL The range is from 200 to 299 Hybrid ACL The range is from 300 to 349 Standard IPv6 ACL The range is from 2000 to 2499 Extended IPv6 ACL The range is from 2500 to 2999 User Defined ACL The range is f...

Страница 91: ...ackets should be de fined at the end of each ACL Defining Standard ACL To configure standard ACL perform the following steps Step Command Function 1 ZXR10 config acl standard number acl number name acl name alias alias name match order auto config This enters standard ACL configuration mode 2 ZXR10 config std acl rule rule no permit deny source source wildcard any time range timerange name This de...

Страница 92: ...os value dscp dscp value tcp control tcp control value time range timerange name This defines TCP based rules 2 ZXR10 config ext acl rule rule no permit deny udp source source wildcard any rule port dest dest wildcard any rule port p recedence pre value tos tos value dscp dscp value time range timerange name This defines UDP based rules 3 ZXR10 config ext acl move rule no after rule no This moves ...

Страница 93: ...to define a L2 ACL which allows ac cess of IP packets with source MAC address 00d0 d0c0 5741 and 802 1p code 5 ZXR10 config acl link number 200 ZXR10 config link acl rule 1 permit ip cos 5 ingress 10 00d0 d0c0 5741 0000 0000 0000 ZXR10 config link acl rule 2 deny 8847 Defining Hybrid ACL To configure hybrid ACL perform the following steps Step Command Function 1 ZXR10 config acl hybrid number acl ...

Страница 94: ...andard number acl number name acl name alias alias name match order auto config This enters standard IPv6 ACL configuration mode 2 ZXR10 config std v6acl rule rule no permit den y source any time range timerange name This defines ACL rule 3 ZXR10 config std v6acl move rule no after before rule no This moves a rule 4 ZXR10 config std v6acl attach time range Te range name to rule id This binds a tim...

Страница 95: ...e acl name alias alias name This enters basic ACL configuration mode 2 ZXR10 config user acl rule rule id permit deny any tag tag num offset rule string rule mask 1 4 time range timerange name This defines ACL rule 3 ZXR10 config user acl move rule no after before rule no This moves a rule 4 ZXR10 config user acl attach time range Time range name to rule id This binds a time range to a rule Exampl...

Страница 96: ...onfigure the start time and end time of the time range Configuration of periodic time range configure the start time and end time of the period Applying ACL to Physical Port To apply ACL to physical ports perform the following steps Step Command Function 1 ZXR10 config interface port name This enters port configuration mode 2 ZXR10 config if ip access group acl number i n out vfp This binds ACL to...

Страница 97: ... one interface status turns to down the other interface is enabled automatically To configure linkage ACL rule perform the following steps Step Command Function 1 ZXR10 config event list name This creates an event list 2 ZXR10 config event interface interface name ad min physical protocol down up This sets the conditions of triggering event where port management state physical state and protocol s...

Страница 98: ...Switch C ZXR10 config event list zte ZXR10 config event interface gei_1 1 protocol down ZXR10 config event exit ZXR10 config acl standard number 1 ZXR10 config std acl rule 1 permit any event zte ZXR10 config std acl rule 2 deny any ZXR10 config std acl exit ZXR10 config interface gei_1 2 ZXR10 config if ip access group 1 in When protocol on gei_1 1 is down rule 1 becomes effective Traf fic can ac...

Страница 99: ... NP based ACL to VLAN perform the following steps Step Command Function 1 ZXR10 config vlan vlan number This enters VLAN configuration mode 2 ZXR10 config vlan ip access group senior acl numbe acl name r in out This applies NP based ACL to VLAN To cancel application of NP based ACL to VLAN use no ip access group senior acl numbe acl name r in out command Applying NP Based ACL to Smartgroup Interfa...

Страница 100: ...r IP addresses as 192 168 1 100 and 192 168 2 100 respectively may access the Internet and all servers at any time The IP addresses of the servers are as follows Mail server 192 168 4 50 FTP server 192 168 4 60 VOD server 192 168 4 70 FIGURE 26 ACL CONFIGURATION EXAMPLE Switch configuration Configure a time range ZXR10 config time range enable ZXR10 config time range working time ZXR10 config tr p...

Страница 101: ... 0 0 0 0 time range working time ZXR10 config ext acl rule 4 permit ip any any Apply ACLs to the corresponding physical ports ZXR10 config interface fei_2 1 ZXR10 config if ip access group 100 in ZXR10 config if exit ZXR10 config interface fei_2 2 ZXR10 config if ip access group 101 in ZXR10 config if exit ACL Maintenance and Diagnosis To configure ACL maintenance and diagnosis perform the follow ...

Страница 102: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 90 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 103: ...t work at the best effort cannot satisfy the requirement for appli cations For example user cannot use VoIP service and real time image transmission normally if packet transfer delay is too long To solve this problem provide system with capability of supporting QoS Functions When QoS is configured it selects specific network traffic prioritiz ing it according to its relative importance and use Imp...

Страница 104: ... value Traffic Monitoring Traffic monitoring involves creating a policer that specifies the bandwidth limits for the traffic Packets that exceed the limits are out of profile or nonconforming Each policer specifies the action to take for packets that are in or out of profile The following operations are specified by the policer Discard or forward Change its DSCP value Change its discard priority p...

Страница 105: ...d PBS A packet is marked in red if its size exceeds PIR A packet is marked in yellow if its size is between PIR and CIR and is marked in green if its size is less than CIR Traffic Shaping Traffic shaping is used to control the rate of output packets thus sending packets at even speed Traffic shaping is used to match packet rate with downlink equipment to avoid congestion and packet discarding Traf...

Страница 106: ...hile the weight value of WRR means the scheduled packet number of each queue Therefore DWRR does not effect much on bandwidth Data priority is contained in the 802 1P label If data entering the port is not marked with an 802 1P label a default 802 1p value will be assigned by the switch Policy Routing Redirecting is used to make the decision again about the forward ing of packets with certain feat...

Страница 107: ...ased Bandwidth Upper and Lower Threshold Due to limited queue buffer resources when network congestion occurs multiple packets will compete to use limited resources After configuring upper and lower threshold on outgoing inter face and when multiple flows compete for limited resources a cos queue flow can obtain a bandwidth which will not be less than bandwidth lower threshold or more than bandwid...

Страница 108: ...c and PIR traffic have different schedules Configuring QoS Configuring Traffic Monitoring To configure traffic monitoring use the following command Command Function ZXR10 config traffic limit acl number rule id rule no cir cir value cbs cbs value ebs ebs value pir pir value pbs pbs value mode mode drop yellow forward red remark red dp high low medium remark red dscp value rem ark yellow dp high lo...

Страница 109: ...d set the discard priority to high this part of packets will be discarded at a higher priority in queue congestion ZXR10 config acl extend number 100 ZXR10 config ext acl rule 1 permit any 168 2 5 5 ZXR10 config ext acl exit ZXR10 config traffic limit 100 rule id 1 cir 10000 cbs 2000 pir 10000 pbs 2000 mode blind ZXR10 config interface gei_5 1 ZXR10 config if ip access group 100 in Configuring Tra...

Страница 110: ... all Host ip Vlan Up rate Down rate 168 1 2 3 20 600K 168 1 2 4 20 300K Configuring Queue Scheduling ZXR10 8900 series switch supports SP and WRR queue scheduling modes When these two modes are mixed used SP has a higher priority over WRR To configure queue scheduling use the following command Command Function ZXR10 config if queue mode strict priority dwrr queue no dwrr weight 1 8 wrr queue no wr...

Страница 111: ...t acl rule 1 permit ip 168 2 5 5 0 0 0 0 any ZXR10 config ext acl rule 2 permit ip any 66 100 5 6 0 0 0 0 ZXR10 config ext acl exit ZXR10 config redirect in 100 rule id 1 interface gei_1 3 ZXR10 config redirect in 100 rule id 2 next hop1 166 88 96 56 1 ZXR10 config interface gei_1 4 ZXR10 config if ip access group 100 in Configuring Priority Mark To configure priority marking use the following com...

Страница 112: ... packets with waterline 120 and green packets with waterline 120 are discarded ZXR10 config qos tail drop 1 queue id 1 120 100 120 ZXR10 config interface gei_1 1 ZXR10 config if drop mode tail drop 1 Configuring COS Discarding Priority Mapping To configure COS discarding priority mapping perform the follow ing steps Step Command Function 1 ZXR10 config qos cos drop map cos 0 drop priorit y cos 1 d...

Страница 113: ...ty cos 4 local priority cos 5 local priori ty cos 6 local priority cos 7 local priority This configures parameters of COS local priority 2 ZXR10 config interface interface name This enters interface configuration mode 3 ZXR10 config if trust cos local enable This applies COS local priority mapping function Note To disable COS local priority mapping function use trust cos lo cal disable command Exa...

Страница 114: ...lowing command Command Function ZXR10 config traffic mirror in acl number rule id rule no cpu interface port name This configures traffic mirroring Example This example describes how to map data traffic with source IP address 168 2 5 6 on port gei_1 8 to port gei_1 4 ZXR10 config acl basic number 10 ZXR10 config basic acl rule 1 permit 168 2 5 5 ZXR10 config basic acl rule 2 permit 168 2 5 6 ZXR10...

Страница 115: ...c shape queue queue number max datarate limit rate min gua datarate rate This configures queue based bandwidth upper and lower threshold Configuring HQoS Configuring Traffic Class To configure traffic class perform the following steps 1 To create a traffic class or enter a traffic class use the following command Command Function ZXR10 config flow class class name This creates a traffic class or en...

Страница 116: ...onfiguring WRED Policy To configure WRED policy perform the following steps 1 To create or enter a WRED policy use the following command Command Function ZXR10 config wred profile profile name level 1 3 This creates or enters a WRED policy Instructions Users enter WRED policy view after inputting this com mand If the policy does not exist users should input level to create a policy Each level has ...

Страница 117: ...reate a policy Each level has a default WFQ They are default1 default2 and default3 By default level 1 can be configured up to 64 policies level 2 can be configured up to 64 policies and level 3 can be configured up to 16 policies To delete a WFQ policy use no wfq profile profile name command In global configuration mode if a view is used this view can not be deleted Default1 default2 and default3...

Страница 118: ...t be deleted Default1 default2 and default3 can not be deleted 2 To configure discarding parameters of traffic shaping policy use the following command Command Function ZXR10 config shaping cir 1 10000000 cbs 1024 1671 1680 pir 1 10000000 pbs 1024 16711680 This configures discarding parameters of traffic shaping policy By default the value of CIR and PIR is 1 Configuring HQoS Policy To configure H...

Страница 119: ...icy to a traffic class use the following com mand Command Function ZXR10 config qpolicy class wfq profile profile name This applies WFQ policy to a traffic class By default a traffic class is associated with a default WFQ pol icy of corresponding level If the WFQ policy does not exist system prompts error To cancel WFQ policy of a traffic class use no wfq profile command 6 To apply WRED policy to ...

Страница 120: ...y policy name in out shaping shaping name This applies policy to an interface The interface can be a physical port a Layer 2 VLAN port or a Smartgroup interface 10 To copy QoS policy use the following command Command Function ZXR10 config copy qos profile source profile name destination profile name overwrite This copies QoS policy If the source policy does not exist system prompts error If policy...

Страница 121: ... Policy video Class CCTV1 Match acl 1 rule 5 This example shows policy statistic information on gei_2 1 ZXR10 show qos policy statistics interface gei_2 1 in Qos policy telcom Class voice Receive Packet 10000 Reveive byte 1000000 Drop packet 100 Drop byte 10000 Class video QoS Configuration Examples Typical QoS Configuration Example Network A Network B and internal servers are connected to an Ethe...

Страница 122: ...tistics on the traffic of Network A ZXR10 config interface gei_1 1 ZXR10 config if ip access group 100 in ZXR10 config if exit Apply ACL 100 to the interface connecting to Network A ZXR10 config acl extended number 101 ZXR10 config ext acl rule 1 permit tcp 192 168 2 0 0 0 0 255 192 168 4 70 0 0 0 0 ZXR10 config ext acl rule 2 permit ip any 192 168 3 100 0 0 0 0 ZXR10 config ext acl rule 3 permit ...

Страница 123: ...se the ISP2 egress FIGURE 29 POLICY ROUTING CONFIGURATION EXAMPLE Configuration of switch ZXR10 config acl standard number 10 ZXR10 config std acl rule 1 permit 10 10 0 0 0 0 0 255 ZXR10 config std acl rule 2 permit 11 11 0 0 0 0 0 255 ZXR10 config std acl exit ZXR10 config redirect in 10 rule id 1 next hop 100 1 1 1 ZXR10 config redirect in 10 rule id 2 next hop 200 1 1 1 ZXR10 config interface g...

Страница 124: ...mple shows how to view QoS configuration information ZXR10 config acl standard number 1 ZXR10 config std acl rule 1 permit 100 1 1 1 ZXR10 config std acl exit ZXR10 config traffic limit 1 rule id 1 cir 10000 cbs 2000 ebs 2000 mode blind ZXR10 config show qos traffic limit 1 rule id 1 cir 10000 cbs 2000 ebs 2000 mode blind 112 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 125: ...em Authentication system is network equipment supporting the IEEE802 1x protocol such as the switch Corresponding to every different user port physical port or MAC address VLAN and IP of the user equipment the equipment has two logical ports composed of the controlled port and uncontrolled port Uncontrolled port is always in bidirectional connection state and delivers EAPOL protocol frames thus en...

Страница 126: ...e aaa rule id port port name vlan vlan id This creates AAA control entry 3 ZXR10 config nas aaa rule id control dot1x dot1x relay enable disable This enables disables dot1x authentication or relay 4 ZXR10 config nas aaa rule id authentication auto locl radius This selects an authentication mode 5 ZXR10 config nas aaa rule id protocol pap chap eap This selects an authentication protocol 6 ZXR10 con...

Страница 127: ...able period period disable This configures dot1x re authentication cycle 3 ZXR10 config nas dot1x quiet period period This configures quiet period of dot1x authentication 4 ZXR10 config nas dot1x tx period period This sets seconds for timeout and resending request for authentication 5 ZXR10 config nas dot1x supplicant timeout period This configures online detection timeout time of the dot1x user 6...

Страница 128: ...he user with MAC address 6 ZXR10 config nas localuser user id accounting enable disable This configures accounting attribute of users Note To delete a local user use clear localuser user id command Managing DOT1x Authentication User To manage access users of DOT1x authentication perform the fol lowing steps Step Command Function 1 ZXR10 config show client port port number v lan vlan number slot sl...

Страница 129: ... RADIUS authentication are conducted at the same time Disconnect the user and make it offline if RADIUS accounting fails Do not add the domain name after the user name during ac cess Connect the server group composed of two RADIUS servers to the switch IP addresses of these servers are 10 1 1 1 and 10 1 1 2 respectively It is required that the former serves as the master authentication slave accou...

Страница 130: ...3 ZXR10 config nas ZXR10 config nas create aaa 1 port fei_1 1 ZXR10 config nas aaa 1 control dot1x enable ZXR10 config nas aaa 1 authorization auto ZXR10 config nas aaa 1 accounting enable ZXR10 config nas aaa 1 multiple hosts enable ZXR10 config nas aaa 1 default isp zte163 net ZXR10 config nas aaa 1 fullaccount disable ZXR10 config nas aaa 1 radius server authentication 1 ZXR10 config nas aaa 1 ...

Страница 131: ...ion and Dot1x relay authentication enterprise wants to register network card address of each host When user logs in from the dot1x client only MAC address of the network card is checked User can log in only when address is legal Enterprise numbers for each MAC address and Internet access du ration of the user is based on the number A ZXR10 8908 switch works as the authenticator and it can implemen...

Страница 132: ... ZXR10 show aaa rule id This displays an AAA control entry 3 ZXR10 show aaa statistics rule id This displays statistics information of rules 4 ZXR10 show client port port name vlan vlan id slot slot id aaa rule id all index id mac macaddr vlan vlanid This displays online user information 5 ZXR10 show client statistics This displays statistics information of online users 6 ZXR10 show localuser user...

Страница 133: ...for the member switch but a private address is assigned to the member switch with similar DHCP function of the command switch Com mand switch and member switch form a cluster private network It is recommended to isolate the broadcast domain of the public network and that of the private network on the command switch and shield the direct access to the private address The command switch provides a m...

Страница 134: ...o cluster Switch which does not support member switch is called independent switch Cluster management network is formed as shown in Figure 32 FIGURE 32 CLUSTER MANAGEMENT NETWORK Switching rule of four kinds of switches in the cluster is shown in Figure 33 122 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 135: ...ally 2 ZXR10 config interface interface name This enters interface configuration mode 3 ZXR10 config if zdp enable This enable ZDP function on an interface 4 ZXR10 config if exit This exits interface configuration mode 5 ZXR10 config zdp timer time This configures time interval of transmitting ZDP packets 6 ZXR10 config zdp holdtime time This configures valid holding time of ZDP information Confid...

Страница 136: ...ing ZTP protocol packets 8 ZXR10 config ztp port delay time This sets delay in sending ZTP protocol packets on the port 9 ZXR10 config ztp start This conducts once topology collection 10 ZXR10 config ztp timer time This sets ZTP timing topology collection time Setting up a Cluster To set up a cluster perform the following steps Step Command Function 1 ZXR10 config group switch type candidate indep...

Страница 137: ... configuration on the command switch 3 ZXR10 config group erase member all member_id This deletes the member configuration file from the command switch 4 ZXR10 config group tftp server ip_addr This configures the tftp server on the cluster 5 ZXR10 config group trap host ip_addr This configures the alarm receiver of the cluster Configuring Cluster Operation Commands To configure cluster operation c...

Страница 138: ...ch type command View command switch with show group com mand 5 Configure DUT B as the member switch with group member device 1 command and then view Member 1 in the up state with the show group member command 6 Log in to Member 1 with the rlogin member 1 command in the privilege mode and log in from Member 1 to the command switch with the rlogin commander command Cluster Management Maintenance and...

Страница 139: ...quipment information 6 ZXR10 show group member member num mem_id This displays group member information Note To trace transmitting and receiving packets condition and handling condition of cluster management processes ZDP and ZTP with d ebug group command Confidential and Proprietary Information of ZTE CORPORATION 127 ...

Страница 140: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 128 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 141: ...net Without adequate NTP synchronization organi zations cannot expect their network and applications to function properly ZXR10 8900 series switch acts as the NTP client Configuring NTP To configure NTP perform the following steps Step Command Function 1 ZXR10 config ntp server ip address version number This defines a time server 2 ZXR10 config ntp enable This enables NTP function 3 ZXR10 config n...

Страница 142: ...ng AAA is used to authenticate users accessing the routing switch and prevent accessing of illegal users thus enhanc ing security of the equipment What s more services like DOT1X can also use RADIUS server for authentication and accounting ZXR10 8900 series switch supports RADIUS authentication func tion to authenticate Telnet users accessing routing switch ZXR10 8900 series switch supports multip...

Страница 143: ...bin This configures algorithm of RADIUS server 3 ZXR10 config acctgrp 1 alias name str This configures byname of RADIUS server group 4 ZXR10 config acctgrp 1 calling station format Format number This defines format of calling station id field 5 ZXR10 config acctgrp 1 deadtime time This configures dead time of authentication server 6 ZXR10 config acctgrp 1 local buffer enable disable This clears lo...

Страница 144: ...us all This displays RADIUS debugging information Note To clear all information in local buffer use clear accounting loca l buffer all command RADIUS Configuration Example This example describes how to configure a RADIUS accounting group Procedure of configuring a RADIUS authentication group is the same ZXR10 config radius accounting group 1 ZXR10 config acct group 1 algorithm round robin ZXR10 co...

Страница 145: ...quipment information Community with read write authority can configure the equipment Both read only and read write are limited by the view Operations can only be conducted in the permitted view range When param eter view is omitted use default view and use parameter ro if ro rw are omitted To configure SNMP perform the following steps Step Command Function 1 ZXR10 config snmp server community comm...

Страница 146: ... request It is used to report emergent and important events For step 6 ZXR10 8900 series switch supports 5 types of con ventional traps snmp bgp ospf rmon and stalarm SNMP Configuration Example This example describes the configuration of SNMP ZXR10 config snmp server view myViewName 1 3 6 1 2 1 included ZXR10 config snmp server community myCommunity view myview rw ZXR10 config snmp host 168 1 1 1 ...

Страница 147: ...xample shows how to configure and start statistics control entries of the RMON ZXR10 config interface fei_1 1 ZXR10 config if rmon collection statistics 1 owner rmontest Assume n computers are linked to port fei_1 1 and when these computers communicate on the sub network traffic statistics can be viewed through NMS software and it can also be viewed with show command ZXR10 show rmon statistics Eth...

Страница 148: ...old is 1000 assigned to event 1 Falling threshold is 10 assigned to event 0 On startup enable rising or falling alarm Example This example describes how to configure and enable event ZXR10 config rmon event 1 log trap rmontrap description test owner rmontest After configuring an alarm control entry and wait for 10s use s how command to view the contents of the RMON event ZXR10 show rmon event Even...

Страница 149: ...ol processing 8 ZXR10 config syslog level level This sets a log level for SysLog protocol processing 9 ZXR10 config syslog server vrf vrf name mng ip address fport fport lport lport This sets the parameters of the background SysLog server 10 ZXR10 config show logging alarm typeid type start date date end date date level level This displays log information Note In step 10 types of supported alarmed...

Страница 150: ...hbor discovery protocol providing a standard for devices in Ethernet such as switches routers and wireless LAN access points It helps the devices to tell the neighbors its existence and saves discovery information of the neighbors Information such as configuration and device identifier can be notified by LLDP LLDPDU LLDP defines a universal advertisement set a protocol for notify ing advertisement...

Страница 151: ...ldp holdtime multiple This configures the aging time of LLDPDU The product of parameters multiple and hellotime is aging time 4 ZXR10 config interface interface name This enters interface configuration mode 5 ZXR10 config if lldp setAdminStatus enabledtxrx rxonly txonly disabled This configures the management state of LLDP LLDP Configuration Example This example shows how to configure LLDP As show...

Страница 152: ...H Host I IGMP r Repeater P Phone W W LAN Access Point Local Intrfce Device ID Holdtime Capability Platform Port ID gei_1 3 00d0d0c7ffe0 120 B S ZXR10 ROS Version gei_1 2 V4 08 23 ZX gei_1 2 00d0d0c7ffe0 120 B S ZXR10 ROS Version gei_1 3 V4 08 23 ZX gei_1 5 00d0d0c7ffe0 120 B S ZXR10 ROS Version gei_1 Showing interface neighbor information Zxr10 show lldp neighbor interface gei_1 1 c Capability Cod...

Страница 153: ...d exchanging files si multaneously IPTV uses a two way broadcast signal that is sent through the service provider s backbone network and servers It allows the viewers to select content on demand and take advan tage of other interactive TV options IPTV can be used through PC or IP machine box TV Configuring IPTV Configuring IPTV Global Parameters To configure IPTV global parameters perform the foll...

Страница 154: ...tv prw auto reset time HH MM SS This configures the auto reset time of preview 4 ZXR10 config iptv prw recognition time recog time This configures recognition time of preview 5 ZXR10 config iptv prw overcout cdr enable disable This configures whether to generate CDR record when maximum preview times are over Configuring IPTV CDR Parameters To configure CDR parameters perform the following steps St...

Страница 155: ...teps Step Command Function 1 ZXR10 config iptv channel mvlan vlan id group group ip name channel name id channel id count count value prename prename str This creates channels of IPTV 2 ZXR10 config iptv channel name old name rename new name This sets the name of a channel 3 ZXR10 config iptv channel name idlist channel name viewfile name viewfile name viewfile id viewfile id This configures a pre...

Страница 156: ...es a preview configuration file 2 ZXR10 config iptv view profile name viewfile na me count view count This configures the maximum preview times 3 ZXR10 config iptv view profile name viewfile na me duration view duration This configures the maximum duration for single preview 4 ZXR10 config iptv view profile name viewfile na me blackout view interval This configures the minimum preview interval 5 Z...

Страница 157: ...lan id vlan id vlan name vlan name package name package name idlist package idlist This deletes package allocated to rule Configuring IPTV Fast Leave To configure IPTV fast leave perform the following steps Step Command Function 1 ZXR10 config iptv fast leave mvlan mvlan id This enables IPTV fast leave function To enable this function igmp snooping function must be enabled in mvlan 2 ZXR10 config ...

Страница 158: ...ig iptv channel id list 0 viewfile name vw1 ZXR10 config interface gei_1 1 ZXR10 config if iptv vlan 1 service start ZXR10 config if iptv vlan 1 control channel ZXR10 config if iptv vlan 1 channel id 0 Example Port gei_1 1 only allows receiving the querying packets of multi cast group 224 1 1 1 Vlan ID of this multicast group is 100 There is only one channel with ID of 0 Configuration is shown bel...

Страница 159: ...iewfile name This shows the information of view profile ZXR10 show iptv rule port port name vlan id vlan i d vlan name vlan name channel package This shows CRC rules ZXR10 show iptv rule statistics rule id rule id This shows CRC rule statistics ZXR10 show iptv client port port NPC slot no vlan id vlan id vlan name vlan name This shows online IPTV users ZXR10 show iptv channel statistics channel id...

Страница 160: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 148 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 161: ...S protocol that is mapping to corresponding DSLAM accord ing to the VLAN in user band BAS start user line identifier inquiry to DSLAM DSLAM give user line identifier response to BAS In this manual the switches are DSLAMs VBAS function is implemented by sending VBAS messages be tween BAS and DSLAM Configuring VBAS To configure VBAS perform the following steps Step Command Function 1 ZXR10 config vb...

Страница 162: ...VBAS function on Switches Configure VBAS and enable vlan as vlan1 configure fei_1 1 as trust port its type is user ZXR10 config vbas enable ZXR10 config vlan 1 ZXR10 config vlan vbas enable ZXR10 config vlan exit ZXR10 config interface fei_1 1 ZXR10 config if vbas trust ZXR10 config if vbas port type user VBAS Maintenance and Diagnosis To configure of maintenance and diagnosis use the following co...

Страница 163: ...ack ets When discovering packets with abnormal upward rate sys tem makes alarm This prompts network management that there may be packets attacking CPU Network management system de cides whether to discard this kind of packet or not according to situations Or network management system filters unreasonable packets CPU Attack Protection Working Principle If IPv4 or IPv6 protocol protection function i...

Страница 164: ... sent to CPU during a cycle is compared with a configured threshold value For example the number of protocol messages sent to CPU within 30 seconds is bigger than the configured threshold value system sends a piece of alarm information in format of Receive too many packets of protocol message type from port port number This indicates the user that there may be attack of some type of proto col mess...

Страница 165: ... include ospf pim igmp vrrp icmp arpreply arprequest group mng vbase vrrp arp dhcp rip bgp telnet ldp_tcp ldp_udp ttl 1 bpdu snmp msdp and radius Configuring IPv6 Protocol Protection To configure IPv6 protocol protection perform the following steps Step Command Function 1 ZXR10 config if ipv6 protocol protect mode protocolname enable disable This sets IPv6 protocol protection function 2 ZXR10 conf...

Страница 166: ...ol protect average rate mode protocol name 10 600 This configures the average rate of Layer 2 protocols 4 ZXR10 config if l2 protocol protect peak rate mode protocol name 100 1000 This configures the peak rate of Layer 2 protocols Note Layer 2 protocol supported by CPU attack protection is LLDP CPU Attack Protection Configuration Examples Example This example shows how to enable OSPF protection fu...

Страница 167: ...CPU Attack Protection Configuration ZXR10 config if ipv6 protocol protect mode icmp enable ZXR10 config if ipv6 protocol protect alarm mode icmp 3200 Confidential and Proprietary Information of ZTE CORPORATION 155 ...

Страница 168: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 156 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 169: ... table and see if the interface corresponding to the source address matches the ingress interface When interface does not match the ingress interface it will regard source address as a false address and then discard the packet In this way URPF can effectively prevent malicious attacks by modifying the source address to the network Module 1 A simple network module is shown in Figure 37 FIGURE 37 SO...

Страница 170: ...lex scenario is that TCP SYN flooding attack will cause TCP SYN ACK data packet to be sent to many hosts completely independent of the attack and such hosts will become victims As a result attacker may spoof one or more systems at the same time Similarly UDP and ICMP may be used to implement flooding at tacks All these attacks will severely lower the system performance or even cause system to cras...

Страница 171: ...source IP ad dress can find route and the route is not by default it will be processed in the normal way Otherwise it will be discarded URPF Configuration Example URPF network topology is shown in Figure 39 FIGURE 39 URPF CONFIGURATION EXAMPLE Strict URPF is configured on interface fei_1 2 on S1 so as to pre vent the users behind network 192 168 0 0 24 from maliciously attacking networks behind S1...

Страница 172: ...maintenance and diagnosis of URPF perform the fol lowing steps Step Command Function 1 ZXR10 show interface This shows statistical count of URPF on an interface 2 ZXR10 show ip traffic This shows the statistical count of URPF in the system 160 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 173: ...system can distin guish all flows in the entire network and correctly record transmit time of each flow occupied network port transmit source desti nation address and size of data flows traffic and flow direction of all communications in the entire carrier network can be analyzed and performed with statistics By telling differences among different flows in network it is avail able to judge if two ...

Страница 174: ...ce can per form data aggregation to original statistics in various modes and send the summary statistics result to upper layer man agement server The latter one can reduce the data quantity output by network device thus decreasing requirement to con figuration of upper layer management server and promoting scalability and working efficiency of upper layer management system IPFIX outputs data in fo...

Страница 175: ...data flows according to template Configuring IPFIX Basic Configuration Enabling Disabling IPFIX Module Command Functions ZXR10 config ip stream enable disable This enables disables IPFIX module Setting IPFIX Memory Entries Command Functions ZXR10 config ip stream cache entries number This sets the number of data flow entries stored in IPFIX module 4096 by default Setting Aging Time of Active Strea...

Страница 176: ...ing rate Setting NM Server Address and L4 Port ID Command Functions ZXR10 config ip stream export destination ip address udp port This sets the address and port id of NM server to which packets are sent Setting Source Address for Network Device Sending Packets Command Functions ZXR10 config ip stream export source ip address This sets source address for network device sending packets Setting Templ...

Страница 177: ...et Server resolves data contained in subsequent data flow according to these fields The fields include source IP destination IP source port destination port the number of bytes contained in data flow the number of packets contained in data flow type of L3 protocol TOS field start time of data flow end time of data flow data flow ingress index data flow egress index and TCP flag Deleting Template C...

Страница 178: ...1 config ip stream topn 10 sort by packets ZXR10_R1 config ip stream template test ZXR10_R1 config stream tempalte match srcaddr ZXR10_R1 config stream tempalte match dstaddr ZXR10_R1 config stream tempalte match srcport ZXR10_R1 config stream tempalte match dstsrcport ZXR10_R1 config stream tempalte exit ZXR10_R1 config ip stream run template test IPFIX Maintenance and Diagnosis For the convenien...

Страница 179: ...flow ingress egress source address destination address source port destination port L3 protocol type the number of packets or the number of bytes corresponding to TOPNS setting 3 To show template configuration execute the following com mand show ipstream template This shows configuration of template that is fields contained in template Confidential and Proprietary Information of ZTE CORPORATION 16...

Страница 180: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 168 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 181: ...55 Figure 18 Port Loop Detection Configuration Example 58 Figure 19 DHCP Server Configuration Example 68 Figure 20 DHCP Relay Configuration Example 69 Figure 21 DHCP Snooping Preventing False DHCP Server 70 Figure 22 DHCP Snooping Preventing Static IP 71 Figure 23 Basic VRRP Configuration Example 75 Figure 24 Symmetric VRRP Configuration Example 76 Figure 25 Configuring Event Linkage ACL Rule 86 F...

Страница 182: ...ion Example 130 Figure 36 LLDP Configuration Example 139 Figure 37 Source Address Snooping 1 157 Figure 38 Source Address Snooping 2 158 Figure 39 URPF Configuration Example 159 Figure 40 IPFIX Configuration Example 166 170 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 183: ... Table 1 CHAPTER SUMMARY i Table 3 Parameter Values 6 Table 4 Command Modes 12 Table 5 IP Address for Each Class 59 Table 6 ACL Descriptions 78 Confidential and Proprietary Information of ZTE CORPORATION 171 ...

Страница 184: ...ZXR10 8900 Series User Manual Basic Configuration Volume This page is intentionally blank 172 Confidential and Proprietary Information of ZTE CORPORATION ...

Страница 185: ...AN EBS Excess Burst Size FTP File Transfer Protocol ICMP Internet Control Message Protocol IP Internet Protocol IPTV Internet Protocol Television LLDP Link Layer Discovery Protocol LLDPDU Link Layer Discovery Protocol Data Unit MAC Media Access Control MIB Management Information Base NMS Network Management System NTP Network Time Protocol PBS Peak Burst Size PIR Peak Information Rate PVID Port VLA...

Страница 186: ...l File Transfer Protocol TLV Type Length Value ToS Type Of Service UDLD UniDirectional Link Detection UDP User Datagram Protocol URPF Unicast Reverse Path Forwarding VBAS Virtual Broadband Access Server VLAN Virtual Local Area Network VRRP Virtual Router Redundancy Protocol WRR Weighted Round Robin 174 Confidential and Proprietary Information of ZTE CORPORATION ...

Отзывы:

Нет отзывов