3Com 7757 Configuration Manual


3Com® Switch 7750 Family

Configuration Guide

Switch 7750
Switch 7754
Switch 7757
Switch 7758
www.3Com.com
Part Number: 10015462 Rev. AD
Published: December 2007


Summary of Contents for 3Com 7757

  • Page 1: Configuration Guide

    3Com® Switch 7750 Family Configuration Guide Switch 7750 Switch 7754 Switch 7757 Switch 7758 www.3Com.com Part Number: 10015462 Rev. AD Published: December 2007...
  • Page 2 LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
  • Page 3: Table Of Contents

    Introduction Logging in through the Console Port Console Port Login Configuration Console Port Login Configuration with Authentication Mode Being None Console Port Login Configuration with Authentication Mode Being Password Console Port Login Configuration with Authentication Mode Being Scheme Logging in through...
  • Page 4 Enabling/Disabling the Web Server Logging in through NMS Introduction Connection Establishment Using NMS User Control Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address Configuration Management Introduction to Configuration File Configuration File-Related Operations VLAN O...
  • Page 5 IP Performance Overview IP Performance Configuration Configuring TCP Attributes Configuring to Send Special IP Packets to CPU Enabling Forwarding of Directed Broadcasts to a Directly Connected Network Disabling ICMP Error Message Sending Displaying and Debugging IP Performance Troubleshooting IPX C...
  • Page 6 Ethernet Port Configuration Ethernet Port Configuration Example Troubleshooting Ethernet Port Configuration Link Aggregation Configuration Overview Link Aggregation Configuration Displaying and Maintaining Link Aggregation Configuration Link Aggregation Configuration Example Port Isolation Configuration Port Isolation Overview Configuring Port Isolation Displaying Port Isolation Configuration Port Isolation Configuration Example...
  • Page 7 Centralized MAC Address Authentication Configuration Centralized MAC Address Authentication Overview Centralized MAC Address Authentication Configuration Displaying and Debugging Centralized MAC Address Authentication Centralized MAC Address Authentication Configuration Example MSTP Configuration MSTP Overview Root Bridge Configuration Leaf Node Configuration...
  • Page 8 Integrated IS-IS Configuration Example BGP Configuration BGP Overview BGP Configuration Tasks Basic BGP Configuration Configuring the Way to Advertise/Receive Routing Information Configuring BGP Route Attributes Adjusting and Optimizing a BGP Network Configuring a Large-Scale BGP Network Displaying and Maintaining BGP Configuration Example...
  • Page 9 Displaying and Maintaining IGMP Snooping IGMP Snooping Configuration Example Troubleshooting IGMP Snooping Common Multicast Configuration Overview Common Multicast Configuration Tasks Displaying Common Multicast Configuration Static Multicast MAC Address Table Configuration Overview Configuring a Multicast MAC Address Entry Displaying Multicast MAC Address...
  • Page 10 Configuration Overview Configuration Tasks AAA Configuration RADIUS Configuration HWTACACS Configuration Displaying and Maintaining AAA & RADIUS & HWTACACS Information AAA & RADIUS & HWTACACS Configuration Example Troubleshooting AAA & RADIUS & HWTACACS Configuration EAD Configuration Introduction to EAD Typical Network Application of EAD...
  • Page 11 Protocols and Standards DHCP Server Configuration Introduction to DHCP Server Global Address Pool-Based DHCP Server Configuration Interface Address Pool-Based DHCP Server Configuration DHCP Security Configuration Displaying and Maintaining a DHCP Server DHCP Server Configuration Example Troubleshooting a DHCP Server...
  • Page 12 ACL Configuration Example Configuration Overview QoS Supported by the Switch 7750 Setting Port Priority Configuring Priority to Be Used When a Packet Enters an Output Queue Configuring Priority Remark Configuring Rate Limit on Ports Configuring TP Configuring Redirect Configuring Queue-scheduling...
  • Page 13 Contents Management Device Configuration Member Device Configuration Intra-Cluster Configuration Displaying and Maintaining a Cluster Cluster Configuration Example PoE Configuration PoE Overview PoE Configuration Displaying PoE Configuration PoE Configuration Example PoE PSU Supervision Configuration Introduction to PoE PSU Supervision AC Input Alarm Thresholds Configuration...
  • Page 14 Configuration FTP Configuration TFTP Configuration Information Center Information Center Overview Information Center Configuration Displaying and Debugging Information Center Configuration Information Center Configuration Examples DNS Configuration DNS Overview Configuring Static DNS Resolution Configuring Dynamic DNS Resolution Displaying and Maintaining DNS...
  • Page 15 Network Connectivity Test Device Management Introduction to Device Management Device Management Configuration Configuring Pause Frame Protection Mechanism Configuring Layer 3 Connectivity Detection Configuring Queue Traffic Monitoring Configuring Error Packets Monitoring Displaying the Device Management Configuration Remote Switch Update Configuration Example...
  • Page 16 Introduction to Monitor Link Configuring Monitor Link Displaying Monitor Link Configuration Monitor Link Configuration Example Configuring Hardware-Dependent Software Configuring Boot ROM Upgrade with App File Configuring Inter-Card Link State Adjustment Configuring Internal Channel Monitoring Configuring Switch Chip Auto-reset Configuring CPU Usage Threshold...
  • Page 17: About This Guide

    (LAN) operations and familiarity with communication protocols that are used to interconnect LANs. Always download the Release Notes for your product from the 3Com World Wide Web site and check for the latest updates to software and product documentation: http://www.3com.com...
  • Page 18 If information in this guide differs from information in the release notes, use the information in the Release Notes. These documents are available in Adobe Acrobat Reader Portable Document Format (PDF) on the CD-ROM that accompanies your router or on the 3Com World Wide Web site: http://www.3com.com/...
  • Page 19: CLI Overview

    Users logging into a switch also fall into four levels, each of which corresponds to one of the above command levels. Users at a specific level can only use the commands of the same level and those of the lower levels.
  • Page 20 ■ For security purposes, the password a user enters when switching to a higher user level is not displayed. A user who fails to enter the correct password in three attempts remains at the original user level.
  • Page 21 CLI Views CLI views are designed for different configuration tasks. They are interrelated. You will enter user view once you log into a switch successfully, where you can perform operations such as displaying operation status and statistical information. In addition, by executing the system-view command, you can enter system view, where you can enter other views by executing the corresponding commands.
  • Page 22 ■ Netstream source and destination aggregation view ■ Smart-link group view. Table 4 lists information about CLI views (including the operations you can perform in these views, how to enter these views, and so on). Table 4 CLI views Available...
  • Page 23 0/0/0 command in system view. Execute the return command to return to user view. VLAN view | Configure VLAN parameters | [SW7750-vlan1] | Execute the vlan 1 command in system view. | Execute the quit command to return to system view. Execute the return command to return to user view.
  • Page 24 Chapter 1: CLI Overview. Table 4 CLI views (View | Available operation | Prompt example | Enter method | Quit method). Loopback interface view | Configure Loopback interface | [SW7750-LoopBack0] | Execute the interface loopback 0 command in system view. | Execute the quit command to return to system view.
  • Page 25 Command Level/Command View. Table 4 CLI views (View | Available operation | Prompt example | Enter method | Quit method). MSDP domain view | Configure MSDP domain parameters | [SW7750-msdp] | Execute the msdp command in system view. | Execute the quit command to return to system view.
  • Page 26 Chapter 1: CLI Overview. Table 4 CLI views (View | Available operation | Prompt example | Enter method | Quit method). OSPF area view | Configure OSPF area | [SW7750-ospf-1-area-0.0.0.1] | Execute the area 1 command in OSPF view. | Execute the quit command to return to...
  • Page 27 Command Level/Command View. Table 4 CLI views (View | Available operation | Prompt example | Enter method | Quit method). Layer 2 ACL view | Define the sub-rules of Layer 2 ACLs, | [SW7750-acl-link-4000] | Execute the acl number 4000 command in system view. | Execute the quit command to return to system view.
  • Page 28 Chapter 1: CLI Overview. Table 4 CLI views (View | Available operation | Prompt example | Enter method | Quit method). RprGE view | Configure RprGE logical interface | [SW7750-RprGE1/0/1] | Execute the interface RprGE 1/0/1 command in system view. | Execute the quit command to return to system view.
  • Page 29: Cli Features

    They assist you with your configuration. Complete online help Enter a “?” character in any view on your terminal to display all the commands available in the view and their brief descriptions. The following takes user view as an example.
  • Page 30 “?” character. You can execute the command without providing any other information. Partial online help Enter a string followed directly by a “?” character on your terminal to display all the commands beginning with the string. For example: <SW7750>pi? ping Enter a command, a space, and a string followed by a “?”...
  • Page 31 Windows 9x, these two keys can be used to recall history commands only in terminals running Windows 3.x or Telnet running in Windows 3.x. You can press <Ctrl + P> or <Ctrl + N> in Windows 9x to achieve the same purpose. Error Messages If the command you enter passes the syntax check, it will be successfully executed;...
  • Page 32 Chapter 1: CLI Overview...
  • Page 33: Logging Into An Ethernet Switch

    Each switch can accommodate up to five VTY users (including SSH users). The AUX port and the Console port of a 3Com switch are the same port. You will be in the AUX user interface if you log in through this port. User Interface Number: Two kinds of user interface index exist: absolute user interface index and relative user interface index.
  • Page 34 ■ The auto-execute command command may make you unable to perform common configuration in the user interface, so use it with caution. ■ Before executing the auto-execute command command and saving your configuration, make sure you can log into the switch in other modes and cancel the configuration.
  • Page 35: Logging In Through The Console Port

    Console Port. Introduction: Logging in through the Console port is the most common way to log into a switch. It is also the prerequisite for configuring other login methods. Normally, you can log into a Switch 7750 Ethernet switch through its Console port.
  • Page 36: Logging In Through The Console Port

    Chapter 3: Logging in through the Console Port. Figure 2 Create a connection. Figure 3 Specify the port used to establish the connection...
  • Page 37: Console Port Login Configuration

    Console Port Login Configuration Figure 4 Set port parameters 3 Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <SW7750>) appears after you press the Enter key.
  • Page 38 The default timeout time is 10 minutes. CAUTION: Changing the Console port configuration terminates the connection to the Console port. To establish the connection again, you need to modify the configuration of the terminal emulation utility running on your PC accordingly.
  • Page 39: Console Port Login Configuration With Authentication Mode Being None

    Console port login Configuration” on page 37 for more. Changes of the authentication mode of Console port login will not take effect unless you quit the command-line interface and then enter it again. Console Port Login Configuration with Authentication Mode...
  • Page 40 Chapter 3: Logging in through the Console Port. Table 14 Console port login configuration with the authentication mode being none (Operation | Command | Description). Configure the Console port: Set the baud rate | speed speed-value | Optional. The default baud rate of an AUX port (also the Console port) is 9,600 bps.
  • Page 41 Note that the command level available to users logging into a switch through the None authentication mode depends on both the authentication-mode none command and the user privilege level level command, as listed in the following table.
  • Page 42: Console Port Login Configuration With Authentication Mode Being Password

    [SW7750] user-interface aux 0 # Specify not to authenticate users logging in through the Console port. [SW7750-ui-aux0] authentication-mode none # Specify that commands of level 2 are available to users logging into the AUX user interface. [SW7750-ui-aux0] user privilege level 2 # Set the baud rate of the Console port to 19,200 bps.
  • Page 43 Console Port Login Configuration with Authentication Mode Being Password. Table 16 Console port login configuration with the authentication mode being password (Operation | Command | Description). Enter AUX user interface view | user-interface aux 0. Configure to authenticate users using password... | authentication-mode | Required
  • Page 44 Note that the command level available to users logging into a switch through the password authentication mode depends on both the authentication-mode password and the user privilege level level command, as listed in the following table.
  • Page 45 [SW7750-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text). [SW7750-ui-aux0] set authentication password simple 123456 # Specify that commands of level 2 are available to users logging into the AUX user interface. [SW7750-ui-aux0] user privilege level 2 # Set the baud rate of the Console port to 19,200 bps.
  • Page 46: Console Port Login Configuration With Authentication Mode Being Scheme

    Logging in through the Console Port. Console Port Login Configuration with Authentication Mode Being Scheme. Configuration Procedure: Table 18 Console port login configuration with the authentication mode being scheme (Operation | Command | Description). Enter system view | system-view | Config Enter the default ISP domain...
  • Page 47 Console Port Login Configuration with Authentication Mode Being Scheme. Table 18 Console port login configuration with the authentication mode being scheme (Operation | Command | Description). Configure to authenticate users locally or remotely | authentication-mode scheme [ command-authorization ] | Required. The specified AAA...
  • Page 48 0 command to disable the timeout function. Note that the command level available to users logging into a switch through the scheme authentication mode depends on the authentication-mode scheme [ command-authentication ] command and the service-type terminal [ level level ] command, as listed in Table 19.
  • Page 49 [SW7750] local-user guest # Set the authentication password to 1234567890 (in plain text). [SW7750-luser-guest] password simple 1234567890 # Set the service type of the local user to Terminal, with the available command level being 2. [SW7750-luser-guest] service-type terminal level 2 [SW7750-luser-guest] quit # Enter AUX user interface view.
  • Page 50 Chapter 3: Logging in through the Console Port. [SW7750-ui-aux0] history-command max-size 20 # Set the timeout time of the AUX user interface to 6 minutes. [SW7750-ui-aux0] idle-timeout 6...
  • Page 51: Logging In Through Telnet

    Logging in through Telnet. Introduction: You can manage and maintain a switch remotely by Telneting to the switch. To achieve this, you need to configure both the switch and the Telnet terminal accordingly. Table 20 Requirements for Telnet to a switch...
  • Page 52: Telnet Configuration With Authentication Mode Being None

    Refer to Table 21. Telnet Configuration with Authentication Mode Being None. Configuration Procedure: Table 23 Telnet configuration with the authentication mode being none (Operation | Command | Description). Enter system view | system-view. Enter one or more VTY user... | user-interface vty...
  • Page 53 0 command to disable the timeout function. Note that if you configure not to authenticate the users, the command level available to users logging into a switch depends on both the authentication-mode none command and the user privilege level level...
  • Page 54 Chapter 4: Logging in through Telnet. Table 24 Determine the command level when users logging into switches are not authenticated (Scenario: Authentication mode | User type | Command | Command level). None | VTY users | The user privilege level level... | Level 0 (authentication-...
  • Page 55: Telnet Configuration With Authentication Mode Being Password

    Telnet Configuration with Authentication Mode Being Password # Specify that commands of level 2 are available to users logging into VTY 0. [SW7750-ui-vty0] user privilege level 2 # Configure the user interface to support the Telnet protocol. [SW7750-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30.
  • Page 56 Configuration Example. Network requirements: Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0: ■ Authenticate users logging into VTY 0 using the local password. ...
  • Page 57 # Set the local password to 123456 (in plain text). [SW7750-ui-vty0] set authentication password simple 123456 # Specify that commands of level 2 are available to users logging into VTY 0. [SW7750-ui-vty0] user privilege level 2 # Configure the user interface to support the Telnet protocol.
  • Page 58: Telnet Configuration With Authentication Mode Being Scheme

    Telnet # Set the timeout time to 6 minutes. [SW7750-ui-vty0] idle-timeout 6 Telnet Configuration with Authentication Mode Being Scheme. Configuration Procedure: Table 27 Telnet configuration with the authentication mode being scheme (Operation | Command | Description). Enter system view | system-view. Configure Enter the...
  • Page 59 You can use the idle-timeout 0 command to disable the timeout function. Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging into a switch depends on the authentication-mode scheme [ command-authentication ] command, the user privilege level level command, and the service-type | telnet [ level level ] command, as listed in Table 28.
  • Page 60 The user privilege level level command is executed, and the service-type command specifies the available command level | Determined by the service-type command. Refer to “AAA & RADIUS & HWTACACS Configuration Example” on page 537 and “SSH Terminal Services” on page 773.
  • Page 61 ■ Set the authentication password of the local user to 1234567890 (in plain text). ■ Set the service type of VTY users to Telnet, and the available command level to ■ Configure to authenticate users logging into VTY 0 in scheme mode.
  • Page 62: Telneting To A Switch

    Telneting to a Switch from a Terminal 1 Assign an IP address to the interface of the VLAN of a switch. This can be achieved by executing the ip address command in VLAN interface view after you log in through the Console port.
  • Page 63 Server Workstation running Telnet 4 Launch Telnet on your PC, with the IP address of the VLAN interface of the switch as the parameter, as shown in Figure 13. Figure 13 Launch Telnet 5 Enter the password when the Telnet window displays “Login authentication” and prompts for login password.
  • Page 64 3 Execute the following command on the switch operating as the Telnet client: <SW7750> telnet xxxx Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.
  • Page 65: Logging In Using Modem

    To log into a switch in this way, you need to configure the administrator side and the switch properly, as listed in the following table.
  • Page 66: Modem Connection Establishment

    Refer to the user manual of the modem when performing the above configuration. Switch Configuration: After logging into a switch through its Console port by using a modem, you will enter the AUX user interface. Note the following when you perform the corresponding configuration on the switch: ■ When you log in through the Console port using a modem, the baud rate of...
  • Page 67 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 16 and Figure 17. Note that you need to set the telephone number to that of the modem directly...
  • Page 68: Modem Attributes Configuration

    5 Provide the password when prompted. If the password is correct, the prompt (such as <SW7750>) appears. You can then configure or manage the switch. You can also enter the character ? at anytime for help. Refer to the related modules in the command manual for detailed configuration commands.
  • Page 69 30 seconds by default. off-hook during call-in connection setup Configuration Example # Enable Modem call-in and call-out, set the answer mode to auto answer, and set the timeout time to 45 seconds. <SW7750> system-view [SW7750] user-interface aux 0 [SW7750-ui-aux0] modem both...
  • Page 70 Chapter 5: Logging in Using Modem...
  • Page 71: Logging In Through The

    Management System. Introduction: A Switch 7750 has a Web server built in. It enables you to log into a Switch 7750 through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 72: Configuring The Login Banner

    4 Log into the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar. (Make sure the route between the Web-based network management terminal and the switch is available.) 5 When the login authentication interface (as shown in Figure 19) appears, enter the user name and the password configured in step 2 and click <Login>...
  • Page 73: Enabling/Disabling The Web Server

    After the above-mentioned configuration, if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press <Enter>, the browser will display the banner page, as shown in Figure 21.
  • Page 74 Disable the Web server | undo ip http shutdown | Required. To improve security and prevent attacks on unused sockets, TCP port 80 (which serves HTTP) is enabled/disabled after the corresponding configuration. ■ Enabling the Web server (by using the undo ip http shutdown command)...
  • Page 75: Logging In Through

    ■ SNMP (simple network management protocol) is applied between the NMS and the agent. To log into a switch through an NMS, you need to perform related configuration on both the NMS and the switch. Table 34 Requirements for logging into a switch through an NMS...
  • Page 76 Chapter 7: Logging in through...
  • Page 77: User Control

    User Control. Introduction: A switch provides ways to control different types of login users, as listed in Table 35. Table 35 Ways to control different types of login users (Login mode | Control method | Implementation | Related section). Telnet | By source IP address | Through basic ACL | “Controlling Telnet Users by...
  • Page 78 Telnet to other switches from the current switch. Controlling Telnet Users by Source and Destination IP Addresses: Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to “Defining Advanced ACLs”...
  • Page 79: Controlling Network Management Users By Source Ip Addresses

    ■ Applying the ACL to control users accessing the switch through SNMP. Prerequisites: The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying). Controlling Network Management Users by Source IP Addresses: Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
  • Page 80: Controlling Web Users By Source Ip Address

    [SW7750-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [SW7750-acl-basic-2000] rule 3 deny source any [SW7750-acl-basic-2000] quit # Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch. [SW7750] snmp-agent community read aaa acl 2000...
  • Page 81 Controlling Web Users by Source IP Address: You need to perform the following two operations to control Web users by source IP addresses. ■ Defining an ACL ■ Applying the ACL to control Web users. Prerequisites: The controlling policy against Web users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
  • Page 82 <SW7750> system-view [SW7750] acl number 2030 [SW7750-acl-basic-2030] rule 1 permit source 10.110.100.52 0 [SW7750-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch. [SW7750] ip http acl 2030...
  • Page 83: Configuration File-Related Operations

    ■ ... that are of the same command view are grouped into one section. Sections are separated by empty lines or comment lines. (A line is a comment line if it starts with the character “#”.) ■ The sections are listed in this order: system configuration section, logical...
  • Page 84 In this mode, the configuration files are saved slowly. However, the original configuration files will be saved in the Flash if the device is restarted or the power is off when the configuration files are being saved.
  • Page 85 Configuration File-Related Operations: It is recommended to adopt the fast saving mode in conditions of stable power and the safe mode in conditions of unstable power or remote maintenance. ■ It is recommended to use the save command to save the configuration...
  • Page 86 Chapter 9: Configuration Management...
  • Page 87: Vlan Overview

    MAC address table of the switch, it will forward the packet to all the ports except the inbound port of the packet. In this case, a host in the network receives a lot of packets whose destination is not the host itself. Thus, plenty of bandwidth resources are wasted, causing potential serious security problems.
  • Page 88 VLAN B A VLAN can span across multiple switches, or even routers. This enables hosts in a VLAN to be dispersed in a looser way. That is, hosts in a VLAN can belong to different physical network segments. Compared with the traditional Ethernet, VLAN enjoys the following advantages.
  • Page 89: Port-Based Vlan

    ■ VLAN ID is a 12-bit field, indicating the ID of the VLAN to which this packet belongs. It is in the range of 0 to 4,095. Generally, 0 and 4,095 are not used, so the field is in the range of 1 to 4,094.
  • Page 90 Ethernet port can forward the packets of the specified VLAN, so that the VLAN on this switch can intercommunicate with the same VLAN on the peer switch. An access port can only be added to one VLAN, while hybrid and trunk ports can be added to multiple VLANs.
  • Page 91: Protocol-Based Vlan

    CAUTION: You are recommended to set the default VLAN ID of the local Hybrid or Trunk ports to the same value as that of the Hybrid or Trunk ports on the peer switch. Otherwise, packet forwarding may fail on the ports.
  • Page 92 SSAP (1) Control (1) Data. The DSAP field and the SSAP field in the LLC part are used to identify the upper layer protocol. For example, if the two fields are both 0xE0, the upper layer protocol is IPX.
  • Page 93 DSAP field and the SSAP field. When the OUI is 00-00-00 in 802.2 SNAP encapsulation, the PID field has the same meaning as the type field in Ethernet II encapsulation; both refer to a globally unique protocol number.
  • Page 94 After configuring the protocol template, you must add a port to the protocol-based VLAN and associate this port with the protocol template. This port will add VLAN tags to the packets based on protocol types. The port in the protocol-based VLAN must be connected to a client. However, a common client cannot process VLAN-tagged packets.
  • Page 95: Vlan Configuration

    Required. Create all VLANs | vlan all | Optional. CAUTION: As the default VLAN, VLAN 1 needs not be created and cannot be removed. Configuring VLAN Broadcast Storm: You can use the following command to set the maximum volume of broadcast traffic allowed through a VLAN.
  • Page 96 By default, a VLAN interface is enabled. In this scenario, the VLAN interface’s status is determined by the status of its ports, that is, if all the ports of the VLAN interface are down, the VLAN interface is down (disabled); if one or more ports of...
  • Page 97: Configuring A Port-Based Vlan

    Configuring a Port-Based VLAN: If a VLAN interface is disabled, its status is not determined by the status of its ports. Displaying VLAN Configuration: After the configuration above, you can execute the display command in any view to display the running status after the configuration, so as to verify the configuration.
  • Page 98 VLAN 1 to pass. ■ To configure a Trunk port into a Hybrid port (or vice versa), you need to use the Access port as a medium. For example, the Trunk port has to be configured as an Access port first and then a Hybrid port.
  • Page 99 Configuring a Port-Based VLAN ■ The default VLAN IDs of the Trunk ports on the local and peer devices must be the same. Otherwise, packets cannot be transmitted properly. Displaying and Maintaining Port-Based VLAN (To do... | Use the command... | Remarks)...
  • Page 100: Configuring A Protocol-Based Vlan

    CAUTION: In a VLAN, it is not allowed to configure two templates with the same protocol type and encapsulation format. If any parameter in a user-defined...
  • Page 101 ■ [ ip-address [ net-mask ] ] defines IPv4-based VLAN. If you want to define the VLANs based on IP or other encapsulation formats, use mode { ethernetii [ etype etype-id ] } and snap [ etype etype-id ], in which etype-id is 0x0800. Associating a Port with Configuration prerequisites...
  • Page 102 ■ If a protocol in a VLAN has been associated with a module, the protocol cannot be removed from the VLAN. ■ For a given type of packets, if the protocol VLAN bound to a port is different from the protocol VLAN applied on the module that provides the port, the board-associated protocol VLAN configuration supersedes the port-associated protocol VLAN configuration.
  • Page 103 # Configure the port to be a hybrid port. [SW7750-Ethernet2/0/5] port link-type hybrid # Add the port to VLAN 5 and add VLAN 5 to the untagged VLAN list of the port. [SW7750-Ethernet2/0/5] port hybrid vlan 5 untagged # Associate the port with protocol-index 1.
  • Page 104 # Configure Ethernet2/0/7 as a hybrid port. [SW7750-Ethernet2/0/7] port link-type hybrid # Add the port to VLAN 7, and add VLAN 7 to the list of untagged VLANs permitted to pass through the port. [SW7750-Ethernet2/0/7] port hybrid vlan 7 untagged # Associate the port with the two indexes of VLAN 7.
  • Page 105: Voice Vlan Overview

    00e0-bb00-0000 3com phone You can create multiple voice VLANs and bind each voice VLAN to a port. In this way, the voice traffic received by a port can be transmitted in the voice VLAN bound to the port. This feature allows you to manage voice traffic flexibly.
  • Page 106 ■ In manual mode: you need to execute related configuration commands to add a voice port to the voice VLAN or remove a voice port from the voice VLAN. Tagged packets from IP voice devices are forwarded based on their tagged VLAN IDs, whether the automatic or manual mode is used.
  • Page 107 CAUTION: If the voice stream transmitted by an IP voice device is with VLAN tag and the port which the IP voice device is attached to is enabled with 802.1x authentication and 802.1x guest VLAN, assign different VLAN IDs for the voice VLAN bound to the port, the default VLAN of the port, and the 802.1x guest...
  • Page 108: Voice Vlan Configuration

    Prerequisites: ■ Create the corresponding VLAN before configuring a voice VLAN. ■ As the default VLAN, VLAN 1 cannot be bound to a port as a voice VLAN. Configuring a Voice VLAN: Table 59 Configure a voice VLAN to operate in automatic mode...
  • Page 109 Set aging time for the voice VLAN: voice vlan aging minutes (Optional; the default aging time is 1,440 minutes). CAUTION: ■ If the Link Aggregation Control Protocol (LACP) is enabled for a port, the voice VLAN feature cannot be enabled for it.
  • Page 110: Displaying And Maintaining Voice Vlan Configuration

    (such as 802.1x authentication packets), will be dropped. So, do not transmit both voice data and service data in a voice VLAN. If you have to do so, make sure the voice VLAN does not operate in the security mode.
  • Page 111 Voice VLAN Configuration Example <SW7750> system-view [SW7750] vlan 2 [SW7750-vlan2] quit # Configure Ethernet2/0/1 port to be a trunk port, with VLAN 6 as the default VLAN, and permit packets of VLAN 6 to pass through the port. [SW7750] interface Ethernet 2/0/1...
  • Page 112 Voice Vlan aging time: 1440 minutes Current voice vlan enabled port mode: PORT MODE STATUS Voice Vlan ID -------------------------------------------------------------------- Ethernet2/0/3 MANUAL ENABLE # Remove Ethernet2/0/3 port from the voice VLAN. [SW7750] interface Ethernet2/0/3 [SW7750-Ethernet2/0/3] undo port trunk permit vlan 3...
  • Page 113: Isolate -User -Vlan Configuration

    ■ Configure port Ethernet2/0/4 as a hybrid port, with the default VLAN ID being 3. At the same time, this port belongs to VLAN 3 and VLAN 5, and performs the untag operation (removal of the VLAN tag) on the packets from VLAN 3 and VLAN 5.
  • Page 114: Isolate-User-Vlan Configuration

    VLAN tag of VLAN 3 is automatically added to the packets. 2. Switch B learns the MAC address of the PC, adds it to the MAC address forwarding table of VLAN 3, and at the same time copies the entry to the MAC address forwarding table of VLAN 5.
  • Page 115 ■ The isolate-user-VLAN function and the super VLAN function cannot be enabled simultaneously for a VLAN. If a VLAN is specified as an isolate-user-VLAN or a secondary VLAN, you cannot additionally configure it as a super VLAN or a sub VLAN.
  • Page 116: Displaying Isolate-User-Vlan Configuration

    CAUTION: When you use the port hybrid pvid vlan command to configure the default VLAN ID for a port, you need to specify the vlan-id as a secondary VLAN for a downlink port and specify the vlan-id as an isolate-user-VLAN for an uplink port.
  • Page 117 # Add port Ethernet2/0/2 to the isolate-user-VLAN and the secondary VLAN, and configure the port to untag the VLAN packets. Because all ports are added to VLAN 1 by default, you need to remove the port from VLAN 1 to avoid broadcast. [SwitchB-vlan2] quit...
  • Page 118 [SwitchB-Ethernet2/0/5] port hybrid pvid vlan 2 [SwitchB-Ethernet2/0/5] undo port hybrid vlan 1 [SwitchB-Ethernet2/0/5] quit # Add port Ethernet2/0/1 to the isolate-user-VLAN and the secondary VLAN, and configure the port to untag the VLAN packets. Remove the port from VLAN 1. [SwitchB] interface Ethernet 2/0/1...
  • Page 119 After the above configurations, Switch A can receive packets from Switch B and Switch C, and they are all packets without VLAN tags. The VLAN 3 configured on Switch B and the VLAN 3 configured on Switch C cannot communicate with each other, because the packets from them are stripped of their original VLAN tags before reaching Switch A and are then encapsulated with the VLAN tag set on Switch A.
  • Page 120 Chapter 13: Isolate-User-VLAN Configuration
  • Page 121: Super Vlan

    You can configure multiple super VLANs for a switch. You can use the following VLAN commands to specify a VLAN as a super VLAN. After a VLAN is configured as a super VLAN, the configuration of corresponding VLAN interfaces and IP addresses...
  • Page 122 CAUTION: The port command is only used to add the access port to a sub VLAN. If you want to add a trunk port or a hybrid port to a sub VLAN, you must execute the port trunk permit vlan command and the port hybrid vlan command in Ethernet port view.
  • Page 123: Displaying Super Vlan

    With the DHCP relay function enabled on the VLAN interface of the super VLAN, the hosts in the sub VLANs that map to the interface and the DHCP host in another network segment can forward DHCP packets to each other, which allows the hosts in the sub VLANs to complete dynamic IP address configuration.
  • Page 124: Super Vlan Configuration Example

    [SW7750] interface Vlan-interface 10 [SW7750-Vlan-interface10] ip address 10.110.1.1 255.255.255.0 Super VLAN Supporting DHCP Relay Example: Network requirements ■ Create VLAN 6 as a super VLAN, and create VLAN 2 and VLAN 3 as the sub VLANs which map to VLAN 6.
  • Page 125 Super VLAN Configuration Example ■ Configure the IP address of VLAN 6 as 10.1.1.1, with the subnet mask 255.255.255.0. ■ Enable the DHCP relay function on the VLAN interface of VLAN 6, and establish the mapping between VLAN 6 and the remote DHCP server group 2 so that the hosts in VLAN 2 and VLAN 3 can dynamically obtain IP addresses from DHCP server group 2.
  • Page 126 Chapter 14: Super VLAN
  • Page 127: Ip Address

    Figure 37 Five classes of IP addresses (bit positions 0 to 31 of the address)
  • Page 128 1s and 0s. A mask is defined as follows: the bits of the network number and subnet number are set to 1, and the bits of the host number are set to 0. The mask divides the IP address into two parts: subnet address and host address. In an...
  • Page 129: Configuring An Ip Address For A Vlan Interface

    If there is no subnet division, the subnet mask uses the default value and the length of 1s in the mask is equal to the net-id length. Therefore, for IP addresses of classes A, B and C, the default values of the corresponding subnet masks are 255.0.0.0, 255.255.0.0 and 255.255.255.0 respectively.
  • Page 130: Displaying Ip Address Configuration

    ■ ...whether the VLAN has been configured with the VLAN interface. Then check whether the IP addresses of the VLAN interface and the host are on the same network segment. ■ If the configuration is correct, enable ARP debugging on the switch, and check...
  • Page 131: Ip Performance Configuration

    IP performance configuration mainly refers to TCP attribute configuration. TCP Attributes: The TCP attributes that can be configured include: ■ synwait timer: This timer is started when TCP sends a SYN packet. If no response packet is received before the timer times out, the TCP connection will be terminated.
  • Page 132: Configuring Tcp Attributes

    (255.255.255.255). A directed broadcast packet is a packet whose destination IP address is the network broadcast address of a subnet, but whose source IP address is not in the subnet. When a switch forwards a directed broadcast packet, it cannot tell whether the packet is a broadcast packet if the switch is not connected with the subnet.
  • Page 133: Disabling Icmp Error Message Sending

    ■ Sending a lot of ICMP packets will increase network traffic. ■ If a device receives a lot of malicious packets that cause it to send ICMP error packets, the device's performance will be reduced.
  • Page 134: Troubleshooting

    Display the summary of the forwarding information base (FIB) entry matching the specified rule: display fib fib-rule. Use the reset command in user view to clear the IP, TCP, and UDP traffic statistics. Table 82 Debug IP performance configuration: Command / Description...
  • Page 135 Troubleshooting Then the TCP packets received or sent will be displayed in the following format in real time: TCP output packet: Source IP address:202.38.160.1 Source port:1024 Destination IP Address 202.38.160.1 Destination port: 4296 Sequence number :4185089 Ack number: 0 Flag...
  • Page 136 Chapter 16: IP Performance Configuration
  • Page 137: Ipx Protocol Overview

    A node address identifies a node on the network. Like a MAC address, it is six bytes long and written with the bytes being separated into three 2-byte parts by “-”. The node address cannot be a broadcast or multicast address.
  • Page 138: Ipx Configuration

    ■ After the undo ipx enable command is executed, the IPX configurations cannot be recovered with the ipx enable command. ■ After IPX is enabled, you must assign a network number to a VLAN interface to enable IPX on this VLAN interface. One network number can be assigned to only one VLAN interface.
  • Page 139 0xFFFFFFFE are default routes. Configuring an IPX route limit: In IPX, you can configure the maximum number of dynamic routes in the routing table and the maximum number of equivalent routes to the same destination. These two limit settings are independent.
  • Page 140 RIP update interval. The aging period of IPX RIP is a multiple of the IPX RIP update interval. You can set multiple update intervals as an aging period. If a routing entry is not updated after three RIP update intervals, it will be deleted from the routing table.
  • Page 141 SAP update interval to avoid the situation where the switches mistake an operating server for a failed one. The aging period of IPX SAP is a multiple of the IPX RIP update interval. You can set multiple update intervals as an aging period.
  • Page 142 If no NetWare server is available on the segment, the switch responds. You can enable the switch to handle a SAP GNS request in one of the following ways: ■ Respond with the information of the nearest server (the server with the...
  • Page 143 Generally, clients can only use the services that are advertised by NetWare servers and saved on the switch. To make a service always available to the clients, you can manually add it into the server information table as a static entry. If the route for the static service entry is invalid or deleted, the broadcast of the static service entry is disabled until the switch finds a valid route for the service entry.
  • Page 144 IPX RIP and SAP periodically broadcast update packets. If the periodical broadcast forwarding is not desired, you can enable triggered update on the VLAN interfaces of the switch. This allows the switch to broadcast update packets only when route or service information changes, thus avoiding broadcast flooding.
  • Page 145: Displaying And Debugging Ipx

    There is a server installed with NetWare 4.1 and assigned the network number of 2. On the server, the packet encapsulation format is set to Ethernet_II. The client is a PC with the network number of 3 and the packet encapsulation format of SNAP.
  • Page 146: Network Diagram

    1 Configure Switch A. # Enable IPX. <Switch> system-view [Switch] ipx enable # Assign the network number 2 to VLAN interface 2 to enable IPX on the VLAN interface. [Switch] interface Vlan-interface 2 [Switch-Vlan-interface2] ipx network 2 # Set the packet encapsulation format to Ethernet_II on VLAN interface 2.
  • Page 147: Troubleshooting Ipx

    Troubleshooting IPX # Assign the network number 3 to VLAN interface 2 to enable IPX on the VLAN interface. [Switch] interface Vlan-interface 2 [Switch-Vlan-interface2] ipx network 3 # Set the packet encapsulation format to Ethernet_SNAP on VLAN interface 2. [Switch-Vlan-interface2] ipx encapsulation snap...
  • Page 148 Symptom 2: Try to import a static route to IPX RIP, but no static route is sent out. Solutions: ■ Use the display ipx routing-table command to check whether the static route...
  • Page 149 ■ ...SAP service entries is under the limit. IPX can support 10,240 service entries with 5,120 service types. ■ Check whether the MTU of SAP packets is less than or equal to the MTU at the physical layer. Symptom 4: No update packet is received on the VLAN interface.
  • Page 150 Use the display ipx interface command to check whether SAP is enabled. ■ Check whether the hop count of the active route to the server is smaller than ■ Use the display current-configuration command to check whether the update ■...
  • Page 151 SAP preference. Troubleshooting IPX routing management: Symptom 1: The current switch receives the routing information from a neighbor device, but the route cannot be found on the current switch with the display ipx routing-table verbose command. Solutions: ■ Use the display current-configuration command to view the maximum number...
  • Page 152 Chapter 17: IPX Configuration
  • Page 153: Introduction To Garp And Gvrp

    VLAN and multicast addresses. GARP does not exist in a switch as an entity. A GARP participant is called a GARP application. The main GARP applications at present are GVRP and GMRP. GVRP is described in the “GVRP Mechanism”...
  • Page 154 ■ Join: To transmit Join messages reliably to other entities, a GARP participant sends each Join message twice. The Join timer defines the interval between the two sending operations of each Join message. ■ Leave: When a GARP participant expects to unregister a piece of attribute...
  • Page 155 ...distinguishes them by their destination MAC addresses and delivers them to different GARP applications (for example, GVRP) for further processing. GVRP Packet Format: The GVRP packets are in the following format: Figure 41 Format of GVRP packets...
  • Page 156: Gvrp Configuration

    The timeout ranges of the timers vary depending on the timeout values you set for other timers. If you want to set the timeout time of a timer to a value out of the current range, you can set the timeout time of the associated timer to another...
  • Page 157: Displaying And Maintaining Gvrp

    ■ GARP LeaveAll timer: 12000 centiseconds (2 minutes). Displaying and Maintaining GVRP: After the above configuration, you can use the display commands in any view to display the configuration information and operating status of GVRP/GARP, and thus verify your configuration. You can use the reset command in user view to clear GARP statistics.
  • Page 158: Gvrp Configuration Example

    # Enable GVRP globally. <SW7750> system-view [SW7750] gvrp GVRP is enabled globally. # Configure port Ethernet2/0/1 to be a trunk port and to permit the packets of all the VLANs. [SW7750] interface Ethernet2/0/1 [SW7750-Ethernet2/0/1] port link-type trunk [SW7750-Ethernet2/0/1] port trunk permit vlan all # Enable GVRP on the trunk port.
  • Page 159: QinQ

    In public networks, packets of this type are transmitted by their outer VLAN tags (that is, the VLAN tags of public networks). And those of private networks which are encapsulated in the VLAN tags of public networks are shielded.
  • Page 160: Qinq Configuration

    (Tag fields: User Priority, CFI, VLAN ID.) The user priority field is the 802.1p priority of the tag. This 3-bit field is in the range of 0 to 7. By configuring inner-to-outer tag priority mapping for a QinQ-enabled port, you can assign a different priority to the outer tag of a packet according to its inner tag priority.
  • Page 161: Displaying Qinq

    ■ The Voice VLAN feature is mutually exclusive with the QinQ feature for a port. When you use the specific command to enable the Voice VLAN feature for a QinQ-enabled port, the switch will prompt errors.
  • Page 162 1 Configure Switch A and Switch C. As the configuration performed on Switch A and Switch C is the same, configuration on Switch C is omitted. # Configure Ethernet2/0/2 port as a trunk port. Add the port to VLAN 10. <SwitchA> system-view [SwitchA] vlan 10...
  • Page 163 Ethernet2/0/2 port of Switch C. Switch C forwards the packet in VLAN 10 to its Ethernet2/0/1 port. As Ethernet2/0/1 port is an access port, the outer VLAN tag of the packet is stripped off and the packet is restored to its original form.
  • Page 164 Chapter 19: QinQ Configuration
  • Page 165: Selective QinQ

    VLAN tag of the packet with a specified VLAN tag so that the packet will be forwarded as per the new outer VLAN tag, with the inner VLAN tag unchanged.
  • Page 166: Configuring Outer Tag Replacement

    ■ QinQ is not applicable to ports with the Voice VLAN feature enabled. CAUTION: ■ Type-A I/O Modules do not support the selective QinQ feature. Type A I/O Modules include: 3C16860, 3C16861, LS81FS24A, 3C16858, 3C16859, and 32 Gbps and 64 Gbps Switch Fabrics.
  • Page 167: Selective Qinq Configuration Example

    ■ Enable QinQ on GigabitEthernet2/0/1 port. Set the PVID of the port to 8. ■ Insert the tag of VLAN 10 into packets of VLAN 8 through VLAN 15 as the outer VLAN tag. Insert the tag of VLAN 100 into packets of VLAN 20 through VLAN 25 as the outer VLAN tag.
  • Page 168 # Enable QinQ. [SwitchA-GigabitEthernet2/0/1] vlan-vpn enable # Specify the outer VLAN tag to be inserted to packets of VLAN 10, and specify the upstream port of the tag to be GigabitEthernet2/0/1 which does not remove the outer VLAN tags of packets when transmitting these packets.
  • Page 169: Vlan Configuration

    VLAN tag besides the default VLAN tag to the packets. Thus, when packets from the service provider to customers are forwarded, broadcast arises because each of these packets fails to find its destination MAC address in the MAC table of its outer VLAN.
  • Page 170: Shared Vlan Configuration

    MAC address table of the shared VLAN. So you need to add the ports of all the packets to be forwarded to the shared VLAN. The operation of adding ports to the shared VLAN is the same as the operation of adding ports to a common VLAN.
  • Page 171: Shared Vlan Configuration Example

    [SW7750] vlan 100 [SW7750-vlan100] quit [SW7750] shared-vlan 100 slot 2 # Add the ports of all the packets forwarded on the module in slot 2 to VLAN 100. Refer to “Configuring a Port-Based VLAN” on page 97 for detailed configuration.
  • Page 172 Chapter 21: Shared VLAN Configuration
  • Page 173: Port

    [ jumboframe-value ] By default, jumbo frames that are larger than 1518 bytes and smaller than 1536 bytes are allowed to pass through the port. Use the following two tables when setting the duplex mode and rate of an Ethernet port.
  • Page 174 Its rate can be set to 10,000 Mbps only. Management port: Its rate cannot be set. Configuring Port Auto-Negotiation Speed: You can configure an auto-negotiation speed for a port by using the speed auto command. Take a 10/100/1000 Mbps port as an example.
  • Page 175 Unicast threshold you set, the system drops the packets exceeding the traffic limit to reduce the traffic ratio of this type to a reasonable range, so as to keep normal network service. Table 109 Configure broadcast/multicast/unknown unicast suppression...
  • Page 176 You can address the problem by introducing a delay for reporting the physically down event of a port. With this delay, a port reports a physically down event after the delay expires rather than doing that immediately upon occurrence of the down event.
  • Page 177 ■ If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group, and all ports in the group will have the same configuration as the source port.
  • Page 178 Enabling the System to Test Connected Cable: You can enable the system to test the cable connected to a specific port. The test result will be returned in five minutes. The system can test these attributes of the cable: receive and transmit directions (RX and TX), whether there is a short circuit or open circuit, and the length of the faulty cable.
  • Page 179 By default, this interval is 300 seconds. Setting Speedup for a Port: Perform the following configuration to speed up the hardware into or out of a port. Table 116 Set speedup for a port: Operation...
  • Page 180: Ethernet Port Configuration Example

    ■ Switch A and Switch B are connected to each other through two trunk ports (Ethernet2/0/1). ■ Configure the default VLAN ID of both Ethernet2/0/1 ports to 100. ■ Allow the packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through both Ethernet2/0/1 ports.
  • Page 181: Troubleshooting Ethernet Port Configuration

    ■ Use the display interface or display port command to check whether the port is a trunk port or a hybrid port. If not, configure it as a trunk port or a hybrid port. ■ Configure the default VLAN ID...
  • Page 182 Chapter 22: Port Basic Configuration
  • Page 183: Link Aggregation

    IEEE802.3ad. It uses link aggregation control protocol data units (LACPDUs) for information exchange between LACP-enabled devices. After LACP is enabled on a port, the port sends LACPDUs to notify the remote system of its system LACP priority, system MAC address, port LACP priority, port number, and operational key.
  • Page 184 LACP on such a port will not take effect. Port status in manual aggregation group A port in a manual aggregation group can be in one of the two states: selected or standby. The selected port with the minimum port number serves as the master port of the group, and other selected ports serve as member ports of the group.
  • Page 185 Port status of static aggregation group: A port in a static aggregation group can be in one of two states: selected or standby. Both the selected and the standby ports can transceive LACPDUs; however, the standby ports cannot forward user packets.
  • Page 186 Port status of dynamic aggregation group A port in a dynamic aggregation group can be in one of the two states: selected or standby. In a dynamic aggregation group, both the selected and the standby ports can transceive LACPDUs, however, the standby ports cannot forward user packets.
  • Page 187 If devices at one side of the link aggregation group use Type-A modules and devices at the other side of the group use modules other than Type A, when the number of ports exceeds eight and the number of selected ports reaches eight in the link aggregation group, packets may be lost.
  • Page 188 Aggregation Group Categories: Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups. In general, the system provides only limited load-sharing aggregation resources, so the system needs to allocate the resources reasonably among different aggregation groups.
  • Page 189: Link Aggregation Configuration

    (unless the latter contains special ports while the former does not). ■ For two aggregation groups of the same kind, the one that might gain higher speed if resources were allocated to it has higher priority than the other one.
  • Page 190 ■ When you change a dynamic/static group to a manual group, the system will...
  • Page 191 For example, suppose port 1 of the local device is connected to port 2 of the peer device. To avoid cross-connecting cables, do not connect port 2 of the local device to port 1 of the peer device. Otherwise, packets may be lost. Note that: LACP cannot be enabled on an existing port in a manual aggregation group.
  • Page 192: Displaying And Maintaining Link Aggregation Configuration

    Note that if a manual aggregation group or a static aggregation group contains only one port, this port cannot be removed from the aggregation group. Instead, it can only be removed by removing the aggregation group itself.
  • Page 193: Link Aggregation Configuration Example

    Link Aggregation Configuration Example: Network requirements ■ Switch A connects to Switch B with three ports, Ethernet 2/0/1 to Ethernet 2/0/3. It is required that the incoming/outgoing load between the two switches can be shared among the three ports.
  • Page 194 [SW7750-Ethernet2/0/1] interface ethernet2/0/2 [SW7750-Ethernet2/0/2] lacp enable [SW7750-Ethernet2/0/2] interface ethernet2/0/3 [SW7750-Ethernet2/0/3] lacp enable Note that the three LACP-enabled ports can be aggregated into a dynamic aggregation group to implement load sharing only when they have the same basic configuration, rate and duplex mode.
  • Page 195: Port Isolation

    Port Isolation Overview. Introduction to Port Isolation: Through the port isolation feature, you can add the ports to be controlled into an isolation group to isolate Layer 2 and Layer 3 data between ports in the isolation group. Thus, it can improve network security and deliver flexible networking solutions.
  • Page 196: Displaying Port Isolation Configuration

    ■ PC2, PC3 and PC4 connect to the switch ports Ethernet2/0/2, Ethernet2/0/3, and Ethernet2/0/4 respectively. ■ It is desired that PC2, PC3 and PC4 are isolated from each other so that they cannot communicate with each other. Network diagram...
  • Page 197 Port Isolation Configuration Example [SW7750-port-isolate-group1] port Ethernet2/0/2 to Ethernet2/0/4 # Display information about the ports in the isolation group. [SW7750-port-isolate-group1] display isolate port Isolate group ID: 1 Isolated port(s) in group 1: Ethernet2/0/2 Ethernet2/0/3 Ethernet2/0/4...
  • Page 198 Chapter 24: Port Isolation Configuration
  • Page 199: Port Security

    Port Security Overview. Introduction: Port security is a security mechanism for network access control. It is an extension of the existing 802.1x and MAC address authentication. Port security defines various security modes that allow devices to learn legal source MAC addresses, so that you can implement different kinds of network security management as needed.
  • Page 200 After the port security mode is changed to the secure mode, only those packets whose source MAC addresses are learned or configured security MAC addresses can pass through the port.
  • Page 201 ...MAC authentication and 802.1x authentication fail. ■ When a port works in the userlogin-secure-oui mode, intrusion protection will not be triggered even if the port receives a frame with an OUI value that is not the specified one.
  • Page 202: Port Security Configuration

    ■ ...Address Authentication Configuration” on page 233. Setting the Maximum Number of MAC Addresses Allowed on a Port: Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, however, cannot exceed the configured upper limit.
  • Page 203 ■ After you set the port security mode to autolearn, you cannot configure any static or blackhole MAC addresses on the port. ■ To change the security mode of a port that is not in the normal forwarding state, you need to execute the undo port-security port-mode command or disable port security first.
  • Page 204 Authorization Information from the RADIUS Server: After an 802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User Service (RADIUS) authentication, the RADIUS server delivers the authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server.
  • Page 205 Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN, so that you can bind a MAC address to one port in the same VLAN.
  • Page 206: Displaying Port Security Configuration

    ■ Allow a maximum of 80 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as security MAC addresses. ■ To ensure that Host can access the network, add the MAC address...
  • Page 207 Port Security Configuration Example # Set the maximum number of MAC addresses allowed on the port to 80. [SW7750-GigabitEthernet2/0/1] port-security max-mac-count 80 # Set the port security mode to autolearn. [SW7750-GigabitEthernet2/0/1] port-security port-mode autolearn [SW7750-GigabitEthernet2/0/1] quit # Add the MAC address 0001-0002-0003 of Host as a security MAC address to the port in VLAN 1.
  • Page 208 Chapter 25: Port Security Configuration
  • Page 209: Port Binding

    Port binding enables the network administrator to bind the MAC address and IP address of a user with a specific port. After the binding, the switch forwards only the packets received on the port whose MAC address and IP address are identical with the bound MAC address and IP address.
  • Page 210: Port Binding Configuration Example

    Port Binding Configuration Example. Network requirements: It is required to bind the MAC and IP addresses of Host A to Ethernet 2/0/1 on Switch A, so that Ethernet 2/0/1 can only forward packets coming from or going to Host A.
  • Page 211: Overview

    Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prompts you to disable it manually according to the configurations, to avoid network problems.
  • Page 212: Dldp Fundamentals

    ■ DLDP identifies peer devices and unidirectional links, and disables unreachable ports. ■ Even if both ends of a link can work normally at the physical layer, DLDP can detect whether the link is connected correctly and whether packets can be exchanged normally at both ends.
  • Page 213 If yes, the link between the local port and the neighbor is regarded as bidirectional. Disable: Disable packets are used to notify the peer end that the local end is in the disable state. Disable packets carry only the local port information instead of the neighbor information. When a port detects a unidirectional link and enters the disable state, the port sends disable packets to the neighbor.
  • Page 214 1 If the DLDP-enabled link is up, DLDP sends DLDP packets to the peer device, and analyzes/processes the DLDP packets received from the peer device. DLDP packets sent in different DLDP states are of different types.
  • Page 215 DLDP sends RSY messages and removes the corresponding neighbor entries. DLDP Status: A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown. Table 146 DLDP status: Status...
  • Page 216 If no echo packet is received from the neighbor when the Echo waiting timer expires, the state of the local end is set to unidirectional link (one-way audio) and the state machine turns into the disable state. DLDP outputs log and tracking information, sends flush packets.
  • Page 217 DLDP Neighbor State A DLDP neighbor can be in one of these two states: two way and unknown. You can check the state of a DLDP neighbor by using the display dldp command. Table 149 Description on the two DLDP neighbor states...
  • Page 218: Dldp Configuration

    Link Auto-recovery Mechanism: If the shutdown mode of a port is set to auto shutdown, the port is set to the DLDP down state when DLDP detects that the link connecting to the port is a unidirectional link. A port in the DLDP down state does not forward service packets or receive/send protocol packets except DLDPDUs.
  • Page 219 delaydown-time (Optional; by default, the delaydown timer expires 1 second after it is triggered). Set the DLDP handling mode when a unidirectional link is detected: dldp unidirectional-shutdown { auto | manual } (Optional; by default, the handling mode is auto)...
  • Page 220 DLDP will not operate properly. Resetting DLDP Status: Only after ports are DLDP down due to the detection of unidirectional links can you use the dldp reset command to reset the DLDP status of these ports and resume DLDP probing.
  • Page 221 CAUTION: ■ This command only applies to the ports in DLDP down status. ■ If a port is DLDP down, it can return to the up state automatically. You do not need to reset DLDP on the port. Precautions During DLDP ...: ■ DLDP does not work on a port where you configure duplex and rate forcibly,...
  • Page 222: Dldp Network Example

    DLDP Network Example. Network requirements: As shown in Figure 57, Switch A and Switch B are connected through two pairs of fibers, and both support DLDP. Suppose the fibers between Switch A and Switch B are cross-connected. DLDP ...
  • Page 223 Suppose the port works in the mandatory full duplex mode and the connection at both ends of the link is normal. After DLDP is enabled, if the optical fiber in one end is not connected, DLDP will report that the link is a unidirectional link.
  • Page 225: Mac Address Table Management

    Ethernet switch. When an Ethernet switch learns a MAC address, the following occurs: When a switch receives a packet from one of its ports (referred to as Port 1), the switch extracts the source MAC address (referred to as MAC-SOURCE) of the packet and considers that the packets destined for MAC-SOURCE can be forwarded through Port 1.
  • Page 226 If it finds a match, it directly forwards the packet. If it finds no match, it forwards the packet to all ports, except the receiving port, within the VLAN to which the receiving port belongs. Normally, this is referred to as broadcasting (flooding) the packet.
  • Page 227: Configuring Mac Address Table Management

    Learning MAC Addresses” on page 229. Configuring a MAC Address Entry: You can add, modify, or remove one MAC address entry, remove all the MAC address entries (unicast MAC addresses only) concerning a specific port, or remove a specific type of MAC address entries (dynamic or static).
  • Page 228 Setting Aging Time for MAC Address Entries: Setting the aging time properly helps implement effective MAC address aging. An aging time that is too short lets entries expire while their hosts are still active, so frames to those hosts are flooded across the VLAN; an aging time that is too long keeps stale entries for hosts that have moved or gone. Either way, a large amount of broadcast traffic wanders across the network and decreases the performance of the switch.
  • Page 229 ... the mac-address max-mac-count command. Configuring MAC Address Learning Synchronization: If there are multiple chips on a module, each chip can learn only the MAC addresses of the data flow it handles. If a chip receives a packet whose MAC address entry is stored in another chip, it broadcasts the packet.
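  Added example (not code from the 3Com manual): a small model of the behaviour the pages above describe, namely source-MAC learning, aging, flooding of unknown destinations, and a per-port entry limit of the kind mac-address max-mac-count sets. It shows why an aging time that is too short turns unicast traffic into floods, and why a per-port limit matters when an attacker floods forged source addresses to fill the table. Port names, host MACs, the table capacity of 64 entries and the traffic pattern are constructed for the demonstration.

```python
# Added example (not from the 3Com manual): a model of source-MAC learning,
# aging, unknown-unicast flooding and a per-port entry limit, in the spirit of
# the mac-address timer aging and mac-address max-mac-count settings the page
# describes. Port names, MAC addresses, the table capacity and the traffic
# pattern are constructed for the demonstration.

CLIENT = "00:0f:e2:35:dc:71"   # constructed host MACs
SERVER = "00:0f:e2:35:dc:72"


class MacTable:
    def __init__(self, ports, aging_time=300, capacity=64, max_mac_count=None):
        self.ports = list(ports)
        self.aging_time = aging_time          # seconds, like "mac-address timer aging"
        self.capacity = capacity              # total dynamic entries the hardware holds
        self.max_mac_count = max_mac_count    # per-port cap, like "mac-address max-mac-count"
        self.dynamic = {}                     # (vlan, mac) -> [port, last_seen]
        self.static = {}                      # (vlan, mac) -> port

    def add_static(self, vlan, mac, port):
        self.static[(vlan, mac)] = port
        self.dynamic.pop((vlan, mac), None)

    def _port_count(self, port):
        return sum(1 for p, _ in self.dynamic.values() if p == port)

    def learn(self, vlan, src_mac, in_port, now):
        """Source-address learning; returns True if the entry was (re)installed."""
        key = (vlan, src_mac)
        if key in self.static:
            return False                       # static entries are never overwritten
        if key in self.dynamic:
            self.dynamic[key] = [in_port, now] # refresh timestamp / follow a moved host
            return True
        if self.max_mac_count is not None and self._port_count(in_port) >= self.max_mac_count:
            return False                       # port limit reached: not learned
        if len(self.dynamic) >= self.capacity:
            return False                       # table full: not learned
        self.dynamic[key] = [in_port, now]
        return True

    def age(self, now):
        """Drop dynamic entries idle for aging_time or longer."""
        expired = [k for k, (_, seen) in self.dynamic.items() if now - seen >= self.aging_time]
        for k in expired:
            del self.dynamic[k]
        return len(expired)

    def forward(self, vlan, src_mac, dst_mac, in_port, now):
        """Return the egress ports for a frame; unknown destinations flood the VLAN."""
        self.age(now)
        self.learn(vlan, src_mac, in_port, now)
        key = (vlan, dst_mac)
        if key in self.static:
            return [self.static[key]]
        if key in self.dynamic:
            return [self.dynamic[key][0]]
        return [p for p in self.ports if p != in_port]   # flood, ingress port excluded


def aging_demo():
    """Aging time 500 s (the page's example): a host idle for 500 s is flooded again."""
    t = MacTable(("e1", "e2", "e3"), aging_time=500)
    t.forward(1, CLIENT, SERVER, "e1", now=0)             # learns CLIENT on e1
    before = t.forward(1, SERVER, CLIENT, "e2", now=499)  # still unicast to e1
    after = t.forward(1, SERVER, CLIENT, "e2", now=500)   # CLIENT aged out: flooded
    return before, after


def cam_flood_demo(max_mac_count=None):
    """An attacker on e1 sprays 200 forged source MACs, then SERVER (e2) answers CLIENT (e3)."""
    t = MacTable(("e1", "e2", "e3"), capacity=64, max_mac_count=max_mac_count)
    for i in range(200):
        forged = f"00:aa:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        t.forward(1, forged, "ff:ff:ff:ff:ff:ff", "e1", now=0)
    t.forward(1, CLIENT, SERVER, "e3", now=0)             # learned only if there is room
    return t.forward(1, SERVER, CLIENT, "e2", now=0)      # ["e3"] if CLIENT was learned
```

  Without a per-port limit the attacker's 64 forged entries fill the table, CLIENT is never learned, and the server's reply is flooded to every port in the VLAN, including the attacker's. With max_mac_count set to 3 on the ports, the attacker holds three entries, CLIENT is learned normally and the reply stays unicast.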
  • Page 230: Displaying And Maintaining Mac Address Configuration

    HiGig ports to the ports of other module chips, those chips will learn the MAC address entry whose source MAC address matches the ingress port and synchronize the entry back to the chip of the ingress port through MAC address learning synchronization between module chips.
  • Page 231: Configuration Example

    MAC address table Configuration Example. Network requirements: Log in to the switch through the Console port and enable address table configuration. Set the aging time of dynamic MAC address entries to 500 seconds. Add a static MAC address entry 000f-e235-dc71 for port Ethernet2/0/2 ...
  • Page 233: Centralized Mac Address Authentication Configuration

    As for Switch 7750 Ethernet switches, authentication can be performed locally or through a RADIUS server. 1 When a RADIUS server is used for authentication, the switch serves as a RADIUS client. Authentication is carried out through the cooperation of switches and the RADIUS server.
  • Page 234: Centralized Mac Address Authentication Configuration

    If a port is already enabled with the centralized MAC address authentication function, you cannot add the port to a link aggregation group. And if the port is already in an aggregation group, you are not allowed to enable the centralized MAC address authentication function on the port.
  • Page 235 By default, centralized MAC address authentication is disabled on a port. Table 164 Enable centralized MAC address authentication for a port in Ethernet port view: enter system view (system-view), enter Ethernet port view ...
  • Page 236 RADIUS server to stop the accounting on the user. Quiet timer, which sets the quiet period for a switch. After a user fails to pass the authentication performed by a switch, the switch quiets for a specific period (the quiet period) before it authenticates users again.
  • Page 237: Displaying And Debugging Centralized Mac Address Authentication

    MAC address authentication, the re-authentication operation will be ignored. Displaying and Debugging Centralized MAC Address Authentication: After the above configuration, you can execute the display command in any view to display the running configuration of centralized MAC address authentication and to verify the effect of the configuration.
  • Page 238 In MAC address mode, the MAC address of a user authenticated by the RADIUS server needs to be configured as both the user name and the password on the RADIUS server. Network requirement: As shown in the following figure, a user workstation (Supplicant) is connected to Ethernet 2/0/1 of the Ethernet device (Authenticator).
  • Page 239 Centralized MAC Address Authentication Configuration Example [SW7750] mac-authentication timer offline-detect 180 [SW7750] mac-authentication timer quiet 30 For domain-related configuration, refer to the “802.1x Configuration Example” on page 404.
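  Added example (not code from the 3Com manual or from any RADIUS implementation): what the "MAC address mode" described on page 238 looks like on the wire. The switch, acting as RADIUS client, builds an RFC 2865 Access-Request in which the MAC is both User-Name and User-Password, hiding the password with the RFC 2865 section 5.2 MD5/XOR scheme; the server side reveals it and accepts only when user name, password and an allow-list entry agree. The MAC string format, shared secret, identifier and Request Authenticator are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Added example (not from the manual or any RADIUS implementation): the RFC 2865
# Access-Request a switch sends for centralized MAC address authentication in
# "MAC address mode", where the MAC is both user name and password, and the
# server-side check that goes with it. The MAC string format, shared secret and
# Request Authenticator used by the caller are constructed for the demonstration.

USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
ACCESS_REQUEST = 1


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(mac, secret, ident, authenticator):
    """The switch (RADIUS client) side: user name = password = MAC address."""
    user = mac.encode()
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(user, secret, authenticator))
             + _attr(CALLING_STATION_ID, user))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def _parse_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs


def server_check(packet, secret, allowed_macs):
    """Toy RADIUS-server decision for MAC address mode: accept only if the user name,
    the revealed password and an entry on the allow list all agree."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, authenticator)
    return hmac.compare_digest(user, password) and user.decode(errors="replace") in allowed_macs
```

  The hiding protects the RADIUS exchange between switch and server, not the port: the "password" is the MAC address, which any host on the segment can clone, so MAC address authentication is an inventory control rather than a proof of identity, and the shared secret and the quiet timer on page 236 are what limit guessing against the server.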
  • Page 241: Mstp Overview

    It costs two times of the forward delay for a port to transit to the forwarding state even if the port is on a point-to-point link or the port is an edge port. This slows down the spanning tree convergence of STP.
  • Page 242 VLAN mapping table of region A0 is: VLAN 1 is mapped to MSTI 1; VLAN 2 is mapped to MSTI 2; and other VLANs are mapped to CIST. In an MST region, load balancing is achieved by the VLAN mapping table.
  • Page 243 The blocked port is a backup port. In Figure 61, switch A, B, C, and D form an MST region. Port 1 and port 2 on switch A connect upstream to the common root. Port 5 and port 6 on switch C...
  • Page 244 The role a region edge port plays is consistent with the role it plays in the CIST. ■ For example, port 1 on switch A in Figure 61 is a region edge port, and it is a master port in the CIST. So it is a master port in all MSTIs in the region.
  • Page 245 Through configuration BPDU comparing, the switch that is of the highest priority in the network is chosen as the root of the CIST. In each MST region, an IST is figured out by MSTP. At the same time, MSTP regards each MST region as a switch to figure out the CST of the network.
  • Page 246: Root Bridge Configuration

    BPDU and the path cost of the root port, the ID of the designated bridge being replaced with that of the switch, and the ID of the designated port being replaced with that of the port.
  • Page 247 MSTP VLAN mapping table (The CIST of a network is the spanning tree instance numbered 0.) Prerequisites: The status of the switches in the spanning trees is determined. That is, the status (root, branch, or leaf) of each switch in each spanning tree instance is determined. MST Region...
  • Page 248 To reduce network topology jitter caused by the configuration, MSTP does not regenerate spanning trees immediately after the configuration; it does this only after you perform one of the following operations, and only then does the configuration really take effect: activating the new MST region-related settings by using the active ...
  • Page 249 A switch can play different roles in different spanning tree instances. That is, it can be the root bridge in one spanning tree instance and a secondary root bridge in another at the same time. But in one spanning tree instance, a switch cannot be the root bridge and the secondary root bridge simultaneously.
  • Page 250 You can also configure the current switch as the root bridge by setting the priority of the switch to 0. Note that once a switch is configured as the root bridge or a secondary root bridge, its priority cannot be modified.
  • Page 251 With such a mechanism, the maximum hops configured on the switch operating as the root bridge of the IST or an MSTI in an MST region becomes the network diameter of the spanning tree, which limits the size of the spanning tree in the current MST region.
  • Page 252 Configuration example # Configure the maximum hops of the MST region to be 30 (assuming that the current switch operates as the region root). <SW7750> system-view [SW7750] stp max-hops 30 Network Diameter Configuration: In a switched network, any two switches can communicate with each other through a path, on which there may be some other switches.
  • Page 253 BPDUs being sent frequently, which increases the work load of the switches and wastes network resources. The default is recommended. As for the Max age parameter, if it is too small, network congestion may be falsely regarded as link problems, which results in spanning trees being frequently regenerated.
  • Page 254 Hello time parameter to test the links. Normally, a switch regards its upstream switch faulty if the former does not receive any protocol packets from the latter in a period three times of the Hello time and then initiates the spanning tree regeneration process.
  • Page 255 After a port is configured as an edge port, rapid transition is applicable to the port. That is, when the port changes from blocking state to forwarding state, it does not have to wait for a delay.
  • Page 256 Configuration transit to the forwarding state rapidly by exchanging synchronization packets, eliminating the forwarding delay. You can specify whether or not the link connected to a port is a point-to-point link in one of the following two ways.
  • Page 257 After you configure the link of a port as a point-to-point link, the configuration applies to all spanning tree instances. If the actual physical link of a port is not a point-to-point link and you forcibly configure the link as a point-to-point link,...
  • Page 258 To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree generation, this operation saves CPU resources. Other MSTP-related settings can take effect only after MSTP is enabled on the switch.
  • Page 259: Leaf Node Configuration

    MSTP VLAN mapping table (The CIST of a network is the spanning tree instance numbered 0.) Prerequisites The status of the switches in the spanning trees is determined. That is, the status (root, branch, or leaf) of each switch in each spanning tree instance is determined.
  • Page 260 Refer to “Edge Port Configuration” on page 255. Path Cost Configuration: The path cost parameter reflects the link rate on a port. For a port on an MSTP-enabled switch, the path cost may differ between spanning tree instances. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so that load balancing can be achieved by VLAN.
  • Page 261 (path cost table rows for aggregated links of 3 and 4 ports; values not captured) Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode. When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does.
  • Page 262 Changing the path cost of a port may change the role of the port and put it in state transition. Executing the stp cost command with the instance-id argument being 0 sets the path cost on the CIST for the port.
  • Page 263: The Mcheck Configuration

    A smaller port priority value indicates a higher possibility for the port to become the root port. If all the ports of a switch have the same port priority value, the port priorities are determined by the port indexes. Changing the priority of a port will cause spanning tree regeneration.
  • Page 264: Protection Function Configuration

    MSTP-enabled switch, the port cannot automatically transit to the MSTP operation mode. It remains in the STP-compatible mode. In this case, you can force the port to transit to the MSTP mode by performing the mCheck operation on the port.
  • Page 265 Root protection: A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur.
  • Page 266 MAC address table only the number of times equal to the specified upper threshold. For example, if you set the upper threshold for the times the switch removes its MAC address table to 100 in the specified period, while the switch receives 200 TC-BPDUs in that period, the switch removes its MAC address table only 100 times.
  • Page 267 Protection Function Configuration. Table 200 Enable the root guard function in Ethernet port view: enter system view (system-view); enter Ethernet port view (interface interface-type interface-number); enable the root guard function on the current port (stp root-protection, required; the root guard function is disabled by default).
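  Added example (not code from the 3Com manual): how a bridge ranks the configuration BPDUs it receives, and what the root protection of page 265 and the TC-BPDU threshold of page 266 do with an unexpected one. A designated port that hears a BPDU claiming a better root (for instance from a rogue bridge with priority 0) would normally hand the root role to it; with root guard on, it keeps its role and stops forwarding instead. The TC guard caps the number of MAC-table flushes per period. Bridge IDs, MAC addresses, port names, the "discarding" state name and the thresholds are constructed or assumed for the demonstration.

```python
from dataclasses import dataclass

# Added example (not from the manual): how a bridge ranks configuration BPDUs and
# what the root guard and TC-BPDU guard described on the page do with an
# unexpected one. Bridge IDs, MAC addresses, port names and thresholds are
# constructed; "discarding" as the guarded state name is an assumption.


@dataclass(frozen=True)
class Bpdu:
    root_id: tuple        # (bridge priority, bridge MAC as int); lower wins
    root_path_cost: int
    bridge_id: tuple      # sending bridge (priority, MAC)
    port_id: int          # sending port (priority << 8 | port number)

    def vector(self):
        # 802.1D priority vector, compared field by field; a smaller vector is "superior"
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


def is_superior(received, own):
    return received.vector() < own.vector()


class DesignatedPort:
    """A designated port normally never hears a better root than the one it advertises."""

    def __init__(self, name, own_bpdu, root_protection=False):
        self.name = name
        self.own_bpdu = own_bpdu
        self.root_protection = root_protection
        self.state = "forwarding"

    def receive(self, bpdu):
        if not is_superior(bpdu, self.own_bpdu):
            return "ignored"                 # inferior or equal BPDU: nothing changes
        if self.root_protection:
            # root guard: keep the designated role, stop forwarding user traffic
            # until the superior BPDUs stop arriving
            self.state = "discarding"
            return "blocked-by-root-guard"
        self.state = "root-port"             # unprotected: this port becomes root port,
        return "new-root"                    # the rogue bridge wins the election


class TcGuard:
    """TC-BPDU guard: at most `threshold` MAC-table flushes per `period` seconds."""

    def __init__(self, threshold=100, period=10):
        self.threshold, self.period = threshold, period
        self.window_start, self.flushes, self.suppressed = None, 0, 0

    def on_tc_bpdu(self, now):
        if self.window_start is None or now - self.window_start >= self.period:
            self.window_start, self.flushes = now, 0
        if self.flushes < self.threshold:
            self.flushes += 1
            return True                      # flush the MAC address table
        self.suppressed += 1
        return False                         # excess TC-BPDU: flush suppressed
```

  The comparison order matters: a rogue only needs a lower root ID, so any host that can send a BPDU with priority 0 displaces a core root bridge whose priority is the default 32768. Root guard on the ports facing access devices and users, plus the threshold on TC-BPDUs, keeps both the election and the MAC table out of reach of that host.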
  • Page 268: Digest Snooping Configuration

    This problem can be overcome by implementing the digest snooping feature. If a port on a Switch 7750 is connected to a partner’s switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port.
  • Page 269: Rapid Transition Configuration

    Rapid Transition Configuration ... the BPDUs to be sent to the partner’s switch. In this way, the Switch 7750s can interwork with the partners’ switches in the same MST region. Digest Snooping Configuration: Configure the digest snooping feature on a switch to enable it to interwork with ...
  • Page 270 An RSTP upstream switch does not send agreement packets to the downstream switch. Figure 62 and Figure 63 illustrate the RSTP and MSTP rapid transition mechanisms. Figure 62 The RSTP rapid transition mechanism: upstream switch, downstream switch, proposal for rapid transition ...
  • Page 271 The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports. Port 1 is a designated port. The downstream switch is running MSTP. Port 2 is the root port.
  • Page 272: Bpdu Tunnel Configuration

    As shown in Figure 65, the upper part is the operator’s network, and the lower part is the user network. The operator’s network comprises packet ingress/egress devices, and the user’s network has networks A and B.
  • Page 273 To enable the BPDU Tunnel function, make sure the links between operator’s networks are trunk links. If a fabric port exists on a switch, you cannot configure the VLAN-VPN function on any port of the switch. As the VLAN-VPN function is unavailable on ports with 802.1x, GVRP, GMRP, ...
  • Page 274: Stp Maintenance Configuration

    In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status of a port may change frequently. In this case, maintenance personnel may expect that log/trap information is output to the log host when particular ports fail, so that they can check the status changes of those ports through alarm information.
  • Page 275: Mstp Implementation Example

    In this network, Switch A and Switch B operate on the distribution layer; Switch C and Switch D operate on the access layer. VLAN 10 and VLAN 30 are limited in the distribution layer and VLAN 40 is limited in the access layer. Switch A and Switch B are configured as the root bridges of spanning tree instance 1 and spanning tree instance 3 respectively.
  • Page 276 # Specify Switch A as the root bridge of spanning tree instance 1. [SW7750] stp instance 1 root primary 2 Configure Switch B. # Enter MST region view. <SW7750> system-view [SW7750] stp region-configuration # Configure the MST region.
  • Page 277: Bpdu Tunnel Configuration Example

    [SW7750-mst-region] active region-configuration BPDU Tunnel Configuration Example. Network requirements: Switch 7750s operate as the access devices of the operator’s network, that is, Switch C and Switch D in the network diagram. S2000 series switches operate as the access devices of the user’s network, that ...
  • Page 278 # Add port Ethernet1/0/1 to VLAN 10. [SW7750] vlan 10 [SW7750-Vlan10] port Ethernet 1/0/1 [SW7750-Vlan10] quit # Disable STP on port Ethernet1/0/1 and then enable the VLAN-VPN function on it. [SW7750] interface Ethernet 1/0/1 [SW7750-Ethernet1/0/1] port access vlan 10 [SW7750-Ethernet1/0/1] stp disable...
  • Page 279 BPDU Tunnel Configuration Example # Disable STP on port Ethernet1/0/2 and then enable the VLAN-VPN function on it. [SW7750] interface Ethernet 1/0/2 [SW7750-Ethernet1/0/2] port access vlan 10 [SW7750-Ethernet1/0/2] stp disable [SW7750-Ethernet1/0/2] vlan-vpn enable [SW7750-Ethernet1/0/2] quit # Configure port Ethernet1/0/1 as a trunk port.
  • Page 281: Ip Routing Protocol Overview

    IP Route: Routers are used for route selection on the Internet. As a router receives a packet, it selects an appropriate route (through a network) according to the destination address of the packet and forwards the packet to the next router. The last router on the route is responsible for delivering the packet to the destination host.
  • Page 282 ■ destination resides. In order to avoid an oversized routing table, you can set a default route. All the packets for which the router fails to find a matching entry in the routing table will be forwarded through this default route.
  • Page 283: Routing Management Policy

    Routing Protocol Preferences: Different routing protocols may discover different routes to the same destination, but only one route among these routes and the static routes is optimal. In fact, at any given moment, only one routing protocol can determine the current route to a specific destination.
  • Page 284 Normally, the router sends data through the main route. When a line failure occurs on the main route, the main route is withdrawn and the router chooses, among the remaining backup routes, the one with the highest preference (on the Switch 7750 a smaller preference value means a higher preference) as the path to send data.
  • Page 285: Static Route

    Simply put, a default route is a route used only when no matching entry is found in the routing table. That is, the default route is used only when there is no proper route. In a routing table, both the destination address and mask of the default route are 0.0.0.0.
  • Page 286: Static Route Configuration

    the packet; in this case, if there is no default route, the packet will be discarded, and an Internet control message protocol (ICMP) packet will be returned to inform the source host that the destination host or network is unreachable.
  • Page 287: Static Route Configuration Example

    Static Route Configuration Example. Network requirements: As shown in Figure 69, it is required that all the hosts/Layer 3 switches in the figure can communicate with each other by configuring static routes. Network diagram: Figure 69 Static route configuration (Host A 1.1.5.2/24 ...)
  • Page 288: Troubleshooting A Static Route

    Troubleshooting a Static Route. Symptom: The switch is not configured with a dynamic routing protocol. Both the physical status and the link layer protocol status of an interface are UP, but IP packets cannot be normally forwarded on the interface. Solution: Perform the following procedure.
  • Page 289: Rip Overview

    0, and that to a network which can be reached through another router is 1, and so on. To restrict the time to converge, RIP prescribes that the cost is an integer ranging from 0 to 15. A hop count equal to or exceeding 16 is defined as infinite;
  • Page 290: Introduction To Rip Configuration Tasks

    RIP is commonly used by most IP router suppliers. It can be used in most campus networks and the regional networks that are simple and less dispersive. For larger and more complicated networks, RIP is not recommended.
  • Page 291: Basic Rip Configuration

    “Setting RIP-2 packet authentication mode” (optional); “Configuring a RIP neighbor” (optional). Basic RIP Configuration. Configuration prerequisites: Before configuring basic RIP functions, perform the following tasks: configuring the link layer protocol ...
  • Page 292 RIP can be enabled on an interface only after it has been enabled globally. RIP operates on the interface of a network segment only when it is enabled on the interface. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface nor forwards its interface route.
  • Page 293: Rip Route Control

    Additional routing metric is the routing metric (hop count) added to the original metrics of RIP routes on an interface. It does not change the metric value of a RIP route in the routing table, but will be added for incoming or outgoing RIP routes on the interface.
  • Page 294 Disabling the receiving of host routes In some special cases, the router can receive a lot of host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources.
  • Page 295 Configuring RIP to filter or advertise the received routes The route filtering function provided by a router enables you to configure inbound/outbound filter policy by specifying an ACL or address prefix list to make RIP filter incoming/outgoing routes. Besides, you can configure RIP to receive only the RIP packets from a specific neighbor.
  • Page 296: Rip Network Adjustment And Optimization

    ] [ cost value | route-policy route-policy-name ]* (importing routes of another protocol). The allow-ibgp keyword is used to redistribute iBGP routes. Because the AS-PATH attribute of redistributed iBGP routes is discarded, routing loops may occur. Therefore, use this keyword with caution.
  • Page 297 RIP-1 packets. Some fields in a RIP-1 packet must be 0, and they are known as zero fields. For RIP-1, zero field check is performed on incoming packets; RIP-1 packets with a nonzero value in a zero field will not be processed further. As a RIP-2 packet has no zero fields, this configuration is invalid for RIP-2.
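  Added example (not code from the 3Com manual or from any router implementation): the packet-level side of the RIP-2 authentication task listed on page 291 and of the incoming-packet checks discussed on page 297. It builds a RIP-2 Response protected with RFC 2082 keyed-MD5 authentication (authentication header entry with key ID and sequence number, route entries, trailer carrying the digest of the packet with the 16-byte key appended) and verifies it on the receiving side, rejecting a wrong key, an unknown key ID, a tampered route and a replayed sequence number. Prefixes, key, key ID, sequence numbers and peer address are constructed; the strictly increasing sequence check is a stricter choice than the RFC's non-decreasing rule and is marked as such.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example (not from the manual or any router implementation): building and
# checking a RIP-2 Response protected with RFC 2082 keyed-MD5 authentication.
# Prefixes, keys, key IDs, sequence numbers and the peer address are constructed.

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH, AUTH_MD5, AUTH_TRAILER, MD5_LEN = 0xFFFF, 3, 1, 16


def _key16(key):
    return key.ljust(16, b"\x00")[:16]      # the key is zero-padded to 16 octets


def _rte(prefix, metric):
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, b"\x00" * 4, metric)


def build_rip2_md5(routes, key, key_id, seq):
    """routes: list of (prefix, metric). Returns the wire-format authenticated packet."""
    body = b"".join(_rte(p, m) for p, m in routes)
    pkt_len = 4 + 20 + len(body)            # length up to the trailer, carried in the auth entry
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth_hdr = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len, key_id, MD5_LEN, seq, b"\x00" * 8)
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    unsigned = header + auth_hdr + body + trailer
    digest = hashlib.md5(unsigned + _key16(key)).digest()   # key appended, never sent
    return unsigned + digest


def verify_rip2_md5(packet, keys, last_seq, peer):
    """keys: {key_id: key}; last_seq: {peer: last accepted sequence}, updated on success.
    Returns (accepted, reason)."""
    if len(packet) < 24 or packet[0] != RIP_RESPONSE or packet[1] != RIP_V2:
        return False, "not a RIP-2 response"
    afi, atype, pkt_len, key_id, alen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5:
        return False, "no MD5 authentication"
    if alen != MD5_LEN or pkt_len + 4 + MD5_LEN != len(packet):
        return False, "bad length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = hashlib.md5(packet[:pkt_len + 4] + _key16(key)).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return False, "bad digest"
    # Replay check. RFC 2082 only requires a non-decreasing sequence; requiring a
    # strictly increasing one (an assumption here) also rejects exact replays.
    if seq <= last_seq.get(peer, -1):
        return False, "replayed or stale sequence number"
    last_seq[peer] = seq
    return True, "ok"


def parse_routes(packet):
    """Route entries between the auth header and the trailer, as (prefix, metric)."""
    pkt_len = struct.unpack("!H", packet[8:10])[0]
    routes = []
    for off in range(24, pkt_len, 20):
        _afi, _tag, net, mask, _nh, metric = struct.unpack("!HH4s4s4sI", packet[off:off + 20])
        prefixlen = bin(int.from_bytes(mask, "big")).count("1")
        routes.append((str(ipaddress.IPv4Network((int.from_bytes(net, "big"), prefixlen))), metric))
    return routes
```

  The "simple" authentication mode sends the password in clear text in the same authentication entry, so anyone on the segment can read and reuse it; MD5 mode keeps the key off the wire, but MD5 is not collision resistant and the sequence number is the only replay protection, so routes from RIP neighbours should additionally be filtered with the inbound policies described on page 295.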
  • Page 298: Displaying And Maintaining Rip Configuration

    Displaying and Maintaining RIP Configuration: After the above configuration, you can use the display command in any view to display the running status of RIP and verify the RIP configuration. You can use the reset command in RIP view to reset the system configuration related to RIP.
  • Page 299: Rip Configuration Example

    RIP Configuration Network requirements Example As shown in Figure 70, SwitchC is connected to subnet 117.102.0.0 through an Ethernet port. SwitchA and SwitchB are connected to networks 155.10.1.0 and 196.38.165.0 respectively through Ethernet ports. SwitchC, SwitchA and SwitchB are interconnected through Ethernet 110.11.2.0. It is required to configure RIP correctly to ensure the interworking between the networks connected to SwitchC, SwitchA and SwitchB.
  • Page 300: Troubleshooting Rip Configuration

    Use the display current-configuration configuration rip command to verify that RIP is enabled on the interface with the network command. Use the display this command in VLAN interface view to verify that the undo rip work command was not executed on the interface connected to the peer.
  • Page 301: Ospf Overview

    Introduction to OSPF Open shortest path first (OSPF) is a link state-based interior gateway protocol developed by IETF. At present, OSPF version 2 (RFC 2328) is used, which has the following features: High applicability: OSPF supports networks of various sizes and can support up ■...
  • Page 302 A router uses the shortest path first (SPF) algorithm to calculate the shortest ■ path tree with itself as the root. The tree shows the routes to the nodes in the autonomous system. External routes are leaf nodes, which are marked with the routers from which they are advertised to record information outside the AS.
  • Page 303 A type 7 LSA is generated by an ASBR (autonomous system boundary router) in an NSSA area. A type 7 LSA reaching an ABR in the NSSA area is transformed into an AS-external LSA, which is then advertised to other areas.
  • Page 304 An NBMA network is fully connected, non-broadcast, and multi-accessible, whereas a P2MP network is not necessarily fully connected. DR and BDR are required to be elected on an NBMA network but not on a P2MP network. NBMA is a default network type. A P2MP network, however, must be ...
  • Page 305 OSPF Overview In fact, a BDR provides backup for a DR. DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the other routers on the segment, and routing information is also exchanged between them. Once the DR becomes invalid, the BDR becomes a DR.
  • Page 306 OSPF uses five types of packets. Hello packet: Hello packets are the most commonly used OSPF packets, which are periodically sent by a router to its neighbors. A Hello packet contains the values of some timers, the DR, the BDR and the known peers. DD packet: When two routers synchronize their databases, they use database description (DD) packets to describe their own LSDBs, including the digest of each LSA.
  • Page 307: Introduction To Ospf Configuration Tasks

    (including the backbone area). OSPF Features: The Switch 7750 supports the following OSPF features. Stub area: A stub area is defined to reduce the cost for the routers in the area to receive ASE routes.
  • Page 308 Table 230 OSPF configuration tasks: OSPF network type configuration; configuring the network type of an OSPF interface (optional, see “Configuring the Network Type of an OSPF Interface” on page 312); setting an NBMA ... (optional, see “Setting an ...
  • Page 309: Basic Ospf Configuration

    Management System (NMS)” on page 320. Basic OSPF Configuration: Before you can configure other OSPF features, you must first enable OSPF and specify the interface and area ID. Configuration prerequisites: Before configuring OSPF, perform the following tasks: configuring the link layer protocol ...
  • Page 310 If you configure router IDs manually, make sure each router ID is uniquely used by one router in the AS. A common practice is to set the router ID to the IP address of an interface on the router. Enabling OSPF ...
  • Page 311: Ospf Area Attribute Configuration

    OSPF scalability. To further reduce routing table size and the number of LSAs in some non-backbone areas on the edge of the AS, you can configure these areas as stub areas. A stub area cannot import any external route. For this reason the concept of NSSA area is introduced.
  • Page 312: Ospf Network Type Configuration

    You must use the stub command on all the routers connected to a stub area to ■ configure the area with the stub attribute. You must use the nssa command on all the routers connected to an NSSA area ■...
  • Page 313: Ospf Route Control

    If you specify the priority to 0 when configuring a neighbor, the local router will believe that the neighbor has no right to vote and sends no Hello packet to it. This configuration can reduce the number of Hello packets on the network during the election of DR and BDR.
  • Page 314 By default, OSPF does not filter received routing information. OSPF is a dynamic routing protocol based on link state, with routing information hidden in LSAs. Therefore, OSPF cannot filter any advertised or received LSA. In...
  • Page 315 Priority problem of route sharing and selection between various routing protocols arises. The system sets a priority for each routing protocol (which you can change manually), and when more than one route to the same destination is discovered by different protocols, the route with the highest priority will take preference over other routes.
  • Page 316: Ospf Network Adjustment And Optimization

    In a network with high security requirements, you can enable OSPF authentication to enhance OSPF network security. In addition, OSPF supports network management. You can configure the binding of the OSPF MIB with an OSPF process and configure the Trap message transmission and logging functions.
  • Page 317 The Hello intervals for OSPF neighbors must be consistent. The value of Hello interval is in inverse proportion to route convergence speed and network load. The dead time on an interface must be at least four times of the Hello interval on the same interface.
  • Page 318 The transmission of OSPF packets on a link also takes time. Therefore, a transmission delay should be added to the aging time of LSAs before the LSAs are transmitted. For a low-speed link, pay close attention to this configuration.
  • Page 319 OSPF Network Adjustment and Optimization: After an OSPF interface is set to be in silent status, the interface can still advertise its direct route. However, the Hello packets from the interface will be blocked, and no neighboring relationship can be established on the interface.
  • Page 320: Displaying Ospf Configuration

    ]* Displaying OSPF Configuration: After the above configuration, you can use the display command in any view to display and verify the OSPF configuration. You can use the reset command in user view to reset the OSPF counters or connections.
  • Page 321: Ospf Configuration Example

    Set the priority of SwitchC to 2 (the second highest priority) so that SwitchC is elected as the BDR. Set the priority of SwitchB to 0 so that SwitchB cannot be elected as the DR. No priority is set for SwitchD so it has a default priority of 1.
  • Page 322 Network diagram: Figure 73 DR election based on OSPF priority (Switch A, Switch B, Switch C and Switch D connected through Vlan-int1; the figure's table lists device, interface, IP address, router ID and DR priority; Switch A Vlan-int1 196.1.1.1/24 ...)
  • Page 323 On SwitchA, run the display ospf peer command to display its OSPF peers. Note that the priority of SwitchB has been changed to 200, but it is still not the DR. The DR is changed only when the current DR turns offline. Shut down SwitchA, and run the display ospf peer command on SwitchD to display its peers.
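  Added example (not code from the 3Com manual or from any OSPF implementation): the RFC 2328 section 9.4 DR/BDR election, run over the priority example of pages 321 to 323. It reproduces the three observations the example makes: the priority-100 switch becomes DR and the priority-2 switch BDR, the priority-0 switch is never eligible, raising a priority afterwards does not preempt the sitting DR, and when the DR is shut down the BDR is promoted and a new BDR elected. The router IDs 1.1.1.1 to 4.4.4.4 for Switch A to Switch D are an assumption; the priorities are the ones the example sets.

```python
# Added example (not from the manual or any OSPF implementation): the RFC 2328
# section 9.4 DR/BDR election, run over the manual's priority example. The
# router IDs 1.1.1.1 to 4.4.4.4 for Switch A to D are an assumption; the
# priorities (100, 0, 2 and the default 1) are the ones the example sets.


def _rid_key(rid):
    return tuple(int(x) for x in rid.split("."))


def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """routers: {router_id: priority}; priority 0 is never eligible.
    current_dr/current_bdr: the roles the routers on the segment currently
    declare (None for a fresh election). Returns (dr, bdr)."""
    eligible = {r: p for r, p in routers.items() if p > 0}
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible else None
    while True:
        # Step 2 (BDR): routers declaring themselves DR are excluded; a router still
        # declaring itself BDR keeps the role, otherwise the highest priority wins,
        # ties broken by the highest router ID.
        cands = {r: p for r, p in eligible.items() if r != dr}
        if bdr in cands:
            new_bdr = bdr
        else:
            new_bdr = max(cands, key=lambda r: (cands[r], _rid_key(r))) if cands else None
        # Step 3 (DR): a router declaring itself DR keeps the role (no preemption);
        # with no DR declared, the freshly elected BDR is promoted.
        new_dr = dr if dr is not None else new_bdr
        if (new_dr, new_bdr) == (dr, bdr):
            return dr, bdr
        dr, bdr = new_dr, new_bdr
        if dr == bdr:                # Step 4: the promoted router stops claiming BDR; repeat
            bdr = None


def manual_scenario():
    """The three steps of the manual's example, in order."""
    routers = {"1.1.1.1": 100, "2.2.2.2": 0, "3.3.3.3": 2, "4.4.4.4": 1}
    first = elect_dr_bdr(routers)                 # fresh election: A is DR, C is BDR
    routers["2.2.2.2"] = 200                      # raise Switch B to 200: still not DR
    second = elect_dr_bdr(routers, *first)
    del routers["1.1.1.1"]                        # shut down Switch A
    third = elect_dr_bdr(routers, *second)        # C promoted, B becomes BDR
    return first, second, third
```

  The non-preemption in step 3 is what keeps a newly attached router with priority 255 from taking over a stable segment, but it only holds while the current DR stays up; the priority-0 setting is the reliable way to keep an untrusted or low-end device out of the DR and BDR roles altogether.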
  • Page 324 Network diagram: Figure 74 OSPF virtual link configuration (Switch A, Switch B and Switch C across Area 0, Area 1 and Area 2 with a virtual link; the figure's table lists device, interface, IP address and router ID; Switch A Vlan-int1 196.1.1.1/24 ...)
  • Page 325: Troubleshooting Ospf Configuration

    (p2p or virtually linked segments can have different segments and masks). Ensure that the dead timer value is at least four times of the hello timer value ■ on the same interface.
  • Page 326 If the network type is broadcast or NBMA, ensure that there is at least one interface with a priority greater than zero. If an area is set to a stub area, ensure that the area is set to a stub area on all the routers connected to this area.
  • Page 327: Is-Is Overview

    Link state database (LSDB). All link states in the network make up the LSDB. There is at least one LSDB in each IS. The IS uses the SPF algorithm and the LSDB to generate its own routes. Link state protocol data unit or link state packet (LSP). In the IS-IS routing ...
  • Page 328 3 Level-1-2 router. A router that functions as both a Level-1 and a Level-2 router is called a Level-1-2 router. It can form Level-1 neighbor relationships with the Level-1 and Level-1-2 routers in the same area, or form Level-2 neighbor relationships with the Level-2 and Level-1-2 routers in the same area or in different areas.
  • Page 329 Figure 77 shows another IS-IS network topology. The Level-1-2 routers connect the Level-1 and Level-2 routers, and form the IS-IS backbone together with the Level-2 routers. There is no area defined as the backbone in this topology. The backbone is composed of all contiguous Level-2 and Level-1-2 routers which can reside in different areas.
  • Page 330 As shown in Figure 78, an NSAP address consists of the initial domain part (IDP) and the domain specific part (DSP). The IDP is equal to the network id field in the IP address, and the DSP is equal to the subnet and host id field.
  • Page 331 Level-1-2 router. The network entity title (NET) is an NSAP with SEL of 0. It indicates the network layer information of the IS itself. SEL=0 means it provides no transport layer information.
  • Page 332: Introduction To Is-Is Configuration

    Chapter 35: IS-IS Configuration. Introduction to IS-IS. Table 251 IS-IS configuration tasks (Configuration | Configuration Task | Description | Related section): Integrated IS-IS configuration | Enable IS-IS | Required | “Enabling IS-IS” on page ; Configure a NET | Required | “Configuring a NET” on page 334; Enable IS-IS on the | Required | “Enabling IS-IS on the...
  • Page 333: Is-Is Basic Configuration

    Resetting configuration data of an IS-IS peer | Optional | “Resetting Configuration Data of an IS-IS Peer” on page 345. IS-IS Basic Configuration: All configuration tasks, except enabling IS-IS, are optional. This section covers the following topics: 1 IS-IS basic configuration ■ Enabling IS-IS...
  • Page 334 ■ Clearing IS-IS specific neighbor. Enabling IS-IS: IS-IS can be enabled only after you create an IS-IS routing process and enable this routing process on the interfaces that may be associated with other routers. Table 252 Enabling IS-IS (Operation...
  • Page 335 ...the higher priority a DIS has, the more likely it is to be chosen. If two or more routers with the highest priorities exist on the broadcast network, the router that has the greatest MAC address will be chosen. For adjacent routers that have the same priority of 0, the router that has the greatest MAC address will still be chosen.
  • Page 336 The filter-policy export command will not work if you do not configure the import-route command to import non-IS-IS routes. ■ If you do not specify which type of routes are to be filtered with the filter-policy export command, all the routes imported with the...
  • Page 337 By default, the system performs no route summarization. Configuring Default Route Generation: In an IS-IS routing domain, a Level-1 router maintains the LSDB for the local area only and generates the routes within the local area only. A Level-2 router maintains the LSDB for the backbone within the IS-IS routing domain and generates the routes for the backbone only.
  • Page 338 The default priority of IS-IS routes is . Configuring a Cost Style: In the IS-IS routing protocol, the routing cost of a link can be expressed in one of the following two modes: Narrow: In this mode, routing cost ranges from 1 to 63.
  • Page 339 33 milliseconds. Configuring the LSP retransmitting interval on an interface: On a point-to-point link, if there is no response for the sent LSP, the LSP is considered lost or discarded and the sending router retransmits the LSP. Table 270 Configure LSP retransmitting interval...
  • Page 340 In IS-IS, Hello packets are sent and received to maintain router neighbor relationships. If a router does not receive any Hello packet from a neighboring router in a certain period of time (Holddown time in IS-IS), the neighbor is considered dead.
  • Page 341 To enable IS-IS MD5 authentication between the switch and the switches of other manufacturers, you must use the following commands to configure IS-IS to use an MD5 algorithm compatible with the switches of other manufacturers. Table 274 Configure IS-IS to use an MD5 algorithm compatible with the switches of other manufacturers Operation...
  • Page 342 Configuring Overload A failure of a router in an IS-IS domain will cause errors in the routing of the whole domain. To avoid this, you can configure the overload for the routers. When the overload tag is set, other routers will not ask the router to forward packets.
  • Page 343 900 seconds, namely, 15 minutes. Assigning an LSP Maximum Aging Time: An LSP is given a maximum aging value when it is generated by the router. When the LSP is sent to other routers, its maximum aging value goes down gradually. If the router does not get the update for the LSP before the maximum aging value reaches 0, the LSP will be deleted from the LSDB.
  • Page 344 Configuring SPF to release CPU resources automatically In IS-IS, SPF calculation may occupy system resources for a long time and slow down console response. To avoid this, you can configure SPF to automatically release CPU resources each time a specified number of routes are processed and continue to calculate the remaining routes after one second.
  • Page 345: Displaying Integrated Is-Is Configuration

    ...the display command in any view. Display IS-IS link state database: display isis lsdb [ [ l1 | l2 | level-1 | level-2 ] | [ [ lsp-id | local ] | verbose ]* ]*. Display IS-IS SPF logs...
  • Page 346 Chapter 35: IS-IS Configuration. Network diagram: Figure 79 Network diagram for IS-IS basic configuration (Switch A and Switch B interconnected through Vlan-int100, Vlan-int101 and Vlan-int102; addresses shown include 100.0.0.1/24, 200.0.0.1/24, 100.10.0.1/24, 100.10.0.2/24, 100.20.0.1/24 and 200.10.0.1/24)...
  • Page 347 Integrated IS-IS Configuration Example [SwitchC-Vlan-interface101] isis enable [SwitchC] interface vlan-interface 100 [SwitchC-Vlan-interface100] ip address 200.20.0.1 255.255.255.0 [SwitchC-Vlan-interface100] isis enable # Configure Switch D. [SwitchD] isis [SwitchD-isis] network-entity 86.0001.0000.0000.0008.00 [SwitchD] interface vlan-interface 102 [SwitchD-Vlan-interface102] ip address 100.20.0.2 255.255.255.0 [SwitchD-Vlan-interface102] isis enable [SwitchD] interface vlan-interface 100 [SwitchD-Vlan-interface100] ip address 100.30.0.1 255.255.255.0...
  • Page 349: Bgp Overview

    BGP speakers. When a BGP speaker receives a route from other AS, if the route is better than the existing routes or the route is new to the BGP speaker, the BGP speaker advertises the route to all other BGP speakers in the AS it belongs to.
  • Page 350 ■ Marker: 16 bytes in length. This field is used for BGP authentication. When no authentication is performed, all the bits of this field are 1. ■ Length: 2 bytes in length. This field indicates the size (in bytes) of a BGP packet, with the packet header counted in.
  • Page 351 ■ BGP Identifier: The IP address of a BGP router. ■ Opt Parm Len: The length of the optional parameters. A value of 0 indicates no optional parameter is used. ■ Optional Parameters: Optional parameters used for BGP authentication or...
  • Page 352 BGP speakers. When a BGP speaker receives a route from another AS and finds that this is a new route (a route it does not know) or a route superior to any of its known routes, the BGP speaker advertises the route to all other BGP speakers in the AS.
  • Page 353 ■ A BGP speaker advertises the routes obtained from IBGP to its EBGP peers (in Switch 7750, BGP and IGP do not synchronize with each other); ■ Once a BGP speaker sets up a connection to a new peer, it advertises all its BGP routes to the new peer.
  • Page 354: Bgp Configuration Tasks

    Load Balance” on page 361; Configuring BGP route attributes | Optional | “Configuring BGP Route Attributes” on page 361; Adjusting and optimizing a BGP network | Optional | “Adjusting and Optimizing a BGP Network” on page 363; Configure a large-scale BGP network: Configuring a BGP peer | Required | “Configuring BGP...
  • Page 355: Basic Bgp Configuration

    Required view. Commands are configured in a similar way in multicast address family view and in BGP view. Unless otherwise specified, follow the configuration in BGP view. For details, see the corresponding command manual. All the following examples use the configuration in BGP view.
  • Page 356: Configuring The Way To Advertise/Receive Routing Information

    CAUTION: ■ A router must be assigned a router ID in order to run the BGP protocol. A router ID is a 32-bit unsigned integer. It uniquely identifies a router in an AS. ■ A router ID can be configured manually. If no router ID is configured, the...
  • Page 357 ASs. However, the interior routing information is not generated by BGP; it is obtained by importing IGP routing information into the BGP routing table. Once IGP routing information is imported into the BGP routing table, it is advertised to BGP peers.
  • Page 358 With the peer default-route-advertise command executed, no matter whether the default route is in the local routing table or not, a BGP router sends a default route, whose next hop address is the local address, to the specified peer or peer group.
  • Page 359 ■ A peer group member uses the same outbound route filtering policy as that of the peer group it belongs to. That is, a peer group adopts the same outbound route filtering policy. Configuring BGP Route Receiving Policy: Table 295 Configure BGP route receiving policy...
  • Page 360 CPU time, and even decreases network performance. Assessing the stability of a route is based on its past behavior. Once a route flaps, it receives a certain penalty value. When the penalty value reaches the suppression threshold, this route is suppressed.
  • Page 361: Configuring Bgp Route Attributes

    Required. By default, the system does not adopt BGP load balance. Configuring BGP Route Attributes: BGP possesses many route attributes for you to control BGP routing policies. Table 299 Configure BGP route attributes (Operation | Command | Description)...
  • Page 362 ■ After BGP load balance is configured, no matter whether the peer next-hop-local command is executed or not, the local router changes the next hop IP address to its own IP address before advertising a route to its IBGP peers/peer group.
  • Page 363: Adjusting And Optimizing A Bgp Network

    BGP peers send Keepalive messages to each other periodically through the connections between them to make sure the connections operate properly. If a router does not receive a Keepalive or any other message from its peer within a specific period (known as Holdtime), the router considers that the BGP connection is not operating properly and disconnects it.
  • Page 364 BGP load balance. CAUTION: ■ The reasonable maximum interval for sending Keepalive messages is one third of the Holdtime, and the interval cannot be less than 1 second; therefore, if the Holdtime is not 0, it must be at least 3 seconds.
  • Page 365: Configuring A Large-Scale Bgp Network

    ASs where the peers reside, peer groups fall into IBGP peer groups and EBGP peer groups. An EBGP peer group can be further divided into pure EBGP peer groups and hybrid EBGP peer groups according to whether the peers in the EBGP group belong to the same exterior AS.
  • Page 366 ■ It is not required to specify an AS number for creating an IBGP peer group. ■ If there already exists a peer in a peer group, you can neither change the AS number of the peer group, nor delete a specified AS number through the undo command.
  • Page 367 RR from a client to another client. If an RR and a client are fully connected, you can disable the reflection between clients to reduce the cost. ■ Normally, there is only one RR in a cluster. In this case, the router ID of the RR is...
  • Page 368: Displaying And Maintaining Bgp

    Displaying and maintaining BGP Displaying BGP After the above configuration, you can use the display command in any view to display the BGP configuration and thus verify the configuration effect. Table 305 Display BGP Operation...
  • Page 369: Configuration Example

    Configuration Example BGP Connection Reset When a BGP routing policy or protocol changes, if you need to make the new configuration effective through resetting the BGP connection, perform the following configuration in user view. Table 306 Reset BGP connection Operation...
  • Page 370: Network Requirements

    Network requirements: SwitchB receives an update packet passing through the EBGP, and transfers the packet to SwitchC. SwitchC is configured as an RR with two clients, SwitchB and SwitchD. After SwitchC receives the routing update information, it reflects the message to SwitchD. You need not establish an IBGP connection between SwitchB...
  • Page 371 Configuration Example. Network diagram: Figure 85 Diagram for configuring a BGP RR (Switch A in AS 100 on VLAN-int100; Switch C acting as route reflector, Switch B and Switch D in AS 200, connected via VLAN-int2, VLAN-int3 and VLAN-int4). Device table (Device | Interface | IP address): Switch A | Vlan-int 100 | 1.1.1.1/8...
  • Page 372 Network requirements: BGP is run on all switches, and OSPF is used as the IGP in AS200. SwitchA is in AS100, and SwitchB, SwitchC, and SwitchD are in AS200. EBGP is running between SwitchA and SwitchB, and between SwitchA and SwitchC. IBGP is...
  • Page 373 [SwitchA] interface Vlan-interface 3 [SwitchA-Vlan-interface3] ip address 193.1.1.1 255.255.255.0 # Enable BGP [SwitchA] bgp 100 # Specify the destination network for BGP routes. [SwitchA-bgp] network 1.0.0.0 # Configure BGP peers. [SwitchA-bgp] group ex192 external [SwitchA-bgp] peer 192.1.1.2 group ex192 as-number 200 [SwitchA-bgp] group ex193 external [SwitchA-bgp] peer 193.1.1.2 group ex193 as-number 200...
  • Page 374 36: BGP C HAPTER ONFIGURATION Create an access control list to permit routing information sourced from the network 1.0.0.0. [SwitchA] acl number 2000 [SwitchA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255 [SwitchA-acl-basic-2000] rule deny source any Define two routing policies, named apply_med_50 and apply_med_100 respectively.
  • Page 375 [SwitchC] bgp 200 [SwitchC-bgp] peer 193.1.1.1 route-policy localpref import In this case, because the local preference value of the route 1.0.0.0 learnt by Switch C is 200, which is greater than that of the route 1.0.0.0 learnt by Switch B...
  • Page 376: Bgp Error Configuration Example

    10.1.1.0/24 exists in the routing table, if a route to 10.0.0.0/8 or other similar segment is imported, an import error will occur. If OSPF is used, when you use the network command to import a bigger network segment, the router will change the route according to the actual interface network segment.
  • Page 377: Ip Routing

    The matching objects are some attributes of routing information. The relationship among the if-match statements for a node is “AND”. As a result, a matching test against a node is successful only when all the matching conditions specified by the if-match statements in the node are satisfied.
  • Page 378: Ip Routing Policy Configuration

    ACL. But it is more flexible than ACL and easier to understand. When ip-prefix is applied to filtering routing information, its matching object is the destination address information field of routing information.
  • Page 379 If not, the system proceeds to test the next node.
  • Page 380 ■ The relationship among the if-match clauses in a route-policy node is logical “AND”. That is, a piece of route information can pass the filter of a node and the actions in apply clauses will be taken on it only when all the matching conditions specified by the if-match clauses in the node are satisfied.
  • Page 381 Note that, if the apply cost-type internal clause is defined for a route-policy node, when all the matching conditions of the node are met, IGP cost will be used as the BGP MED value when the system advertises IGP routes to EBGP peers. The apply cost clause takes precedence over the apply cost-type internal clause, while the latter takes precedence over the default med command.
  • Page 382 Among the items defined in an IP prefix list, at least one item should be in permit mode. The items in deny mode can be used to quickly filter out undesired routing information. But if all the items are in deny mode, no route will pass the filter of the IP prefix list.
  • Page 383: Displaying Ip Routing Policy

    Displaying IP Routing Policy routing costs of the source routing protocol, you should specify a routing cost for the imported routes. The import-route command (used to import routes) is somewhat different in form in different routing protocol views. Refer to the import-route command description under the required routing protocol in the command manual.
  • Page 384 [SwitchA] ip route-static 20.0.0.1 255.0.0.0 12.0.0.2 [SwitchA] ip route-static 30.0.0.1 255.0.0.0 12.0.0.2 [SwitchA] ip route-static 40.0.0.1 255.0.0.0 12.0.0.2 # Enable the OSPF protocol and specify the ID of the area to which the interface 10.0.0.1 belongs. <SwitchA> system-view [SwitchA] router id 1.1.1.1...
  • Page 385: Troubleshooting Ip Routing Policy

    At least one item in an ip-prefix list should be in permit mode. The items in deny mode can be defined first to rapidly filter out the routing information not meeting...
  • Page 386 the condition. However, if all the items are in deny mode, no route will pass the ip-prefix filtering. You can define the item “permit 0.0.0.0 0 less-equal 32” after multiple items in deny mode for all other routes to pass the filtering (if...
  • Page 387: Route Capacity Configuration

    7750 routes only but not to static and RIP routes. When the free memory of the switch is equal to or lower than the lower limit, OSPF or BGP connection will be disconnected and OSPF or BGP routes will be removed from the routing table.
  • Page 388: Displaying Route Capacity Configuration

    Therefore, do not disable this function if not necessary. Displaying Route Capacity: After the above configuration, you can use the display command in any view to display and verify the route capacity configuration.
  • Page 389: Introduction To 802.1X

    LAN/WLAN. ■ The supplicant system is an entity residing at one end of the LAN segment and is authenticated by the authenticator system connected to the other end of the LAN segment. The supplicant system is usually a user terminal device. An 802.1x authentication is initiated when a user launches the client program on the...
  • Page 390 EAPoL packets to ensure that a supplicant system can send and receive authentication requests. ■ The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it.
  • Page 391 EAPoL Messages. The format of an EAPoL packet: EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs, EAP protocol packets are encapsulated in EAPoL format. The following figure illustrates the structure of an EAPoL packet.
  • Page 392 Identifier, Length, and Data fields. ■ The Data field differs with the Code field. A Success or Failure packet does not contain the Data field, so its Length field is 4. Figure 92 shows the Data field of Request and Response type packets.
  • Page 393 ■ The Type field specifies the EAP authentication type. A Type value of 1 indicates Identity and that the packet is used to query the identity of the peer. A Type value of 4 represents MD5-Challenge (similar to PPP CHAP) and indicates that the packet includes query information.
  • Page 394 ■ A supplicant system launches an 802.1x client to initiate an access request through the sending of an EAPoL-Start packet to the switch, with its user name and password provided. The 802.1x client program then forwards the packet to the switch to start the authentication process.
  • Page 395 In EAP relay mode, packets are not modified during transmission. Therefore, if one of the three methods (that is, PEAP, EAP-TLS, or EAP-MD5) is used to authenticate, ensure that the authentication method used on the supplicant system and the RADIUS server is the same.
  • Page 396 The authentication procedure in EAP terminating mode is the same as that in the EAP relay mode except that the randomly-generated key in the EAP terminating mode is generated by the switch, and that it is the switch that sends the user name, the randomly-generated key, and the supplicant system-encrypted password to the RADIUS server for further authentication.
  • Page 397 If you set the number of retries to N by using the dot1x retry command, an online user is considered offline when the switch does not receive response packets from it in a period N times of the handshake-period.
  • Page 398 By default, an 802.1x client program allows use of multiple network adapters, a proxy server, and an IE proxy server. If CAMS is configured to disable use of multiple network adapters, proxies, or IE proxies, it prompts the 802.1x client to disable use of multiple network adapters, proxies, or IE proxies through messages after the supplicant system passes the authentication.
  • Page 399: 802.1X Configuration

    ■ Configure the AAA scheme (a local authentication scheme or the RADIUS scheme) to be adopted in the ISP domain. ■ If you specify to use the RADIUS scheme, that is to say the supplicant systems are authenticated by a remote RADIUS server, you need to configure the related user names and passwords on the RADIUS server and perform RADIUS client-related configuration on the switches.
  • Page 400 RADIUS server. Upon receiving an Access-Accept packet, with Termination-Action attribute value set to 1, from the server, the switch performs authentication at an interval of the session-timeout value of the Access-Accept packet. In actual authentication, the switch uses the latest time value obtained as the authentication interval.
  • Page 401: X-Related Parameter Configuration

    ...specifying the interface-list argument, the command applies to all ports. You can also use this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed. ■ As for the configuration of 802.1x timers, the default values are...
  • Page 402 ...modules, a proxy server, or an IE proxy. By default, the use of multiple network modules, a proxy server, and an IE proxy are allowed on the 802.1x client. ■ If you specify CAMS to disable use of multiple network modules, proxy server, and IE proxy, CAMS sends messages to the 802.1x client to request that it disable the use of multiple network modules, proxy server, and IE proxy when a user passes the authentication.
  • Page 403: Displaying And Debugging 802.1X

    As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also use this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
  • Page 404: Configuration Example

    A connection is terminated if the total size of the data passing through it during a period of 20 minutes is less than 2,000 bytes. All connected clients belong to the same default domain: aabbcc.net, which accommodates up to 30 clients.
  • Page 405 Configuration Example Configure the number of times that a switch resends packets to the RADIUS server to be 5. Configure the switch to send real-time counting packets to the RADIUS server every 15 minutes with the domain names removed from the user name beforehand.
  • Page 406 [SW7750-radius-radius1] key accounting money # Set the interval and the number of retries for the switch to send packets to the RADIUS servers. # Set the timer and the number of times that a switch will resend packets to the RADIUS server...
  • Page 407 Configuration Example # Create a local access user account. [SW7750] local-user localuser [SW7750-luser-localuser] service-type lan-access [SW7750-luser-localuser] password simple localpass...
  • Page 409: Introduction To Habp

    To address this problem, 3Com authentication bypass protocol (HABP) has been developed. An HABP packet carries the MAC addresses of the attached switches with it. It can bypass the 802.1x authentications when traveling between HABP-enabled switches, through which management devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible.
  • Page 410: Habp Client Configuration

    HABP Client Configuration: HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an HABP client by default. So you only need to enable HABP on a switch to make it an HABP client.
  • Page 411 [SW7750]interface GigabitEthernet 2/0/2 [SW7750-GigabitEthernet2/0/2]dot1x 802.1x is enabled on port GigabitEthernet2/0/2. 2 Configure Switch A # Enable HABP globally. <SW7750>system-view System View: return to User View with Ctrl+Z. [SW7750]habp enable Verify the configuration on the server. [SW7750]display habp table Holdtime Receive Port...
  • Page 413: Multicast Overview

    Multicast Overview. “Router” or a router icon in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. This will not be otherwise described in this manual. Multicast Overview: With the development of networks on the Internet, more and more interaction services such as data, voice, and video services are running on the networks.
  • Page 414 Therefore, the limited bandwidth becomes the bottleneck in information transmission.
  • Page 415 Assume that users B, D and E need the information. To transmit the information to the right users, it is necessary to group users B, D and E into a receiver set. The routers on the network duplicate and distribute the information based on the distribution of the receivers in this set.
  • Page 416: Multicast Architecture

    ■ A router providing multicast routing is a multicast router. The multicast router can be a member of one or multiple multicast groups, and it can also manage members of the multicast groups. CAUTION: A multicast source does not necessarily belong to a multicast group. A multicast source sends packets to a multicast group, and it is not necessarily a receiver.
  • Page 417 Internet Assigned Numbers Authority (IANA) categorizes IP addresses into five classes: A, B, C, D, and E. Unicast packets use IP addresses of Class A, B, and C based on network scales. Class D IP addresses are used as destination addresses of multicast packets.
  • Page 418 ■ The IP addresses of a permanent multicast group keep unchanged, while the members of the group can be changed. ■ There can be any number of, or even zero, members in a permanent multicast group. ■ Those IP multicast addresses not assigned to permanent multicast groups can...
  • Page 419 As stipulated by IANA, the high-order 24 bits of a multicast MAC address are 0x01005e, while the low-order 23 bits of the MAC address are the low-order 23 bits of the multicast IP address.
  • Page 420: Forwarding Mechanism Of Multicast Packets

    Multicast Packets destination address field of an IP data packet. Unlike a unicast model, a multicast model must forward data packets to multiple external interfaces so that all receiver sites can receive the packets.
  • Page 421 If the router resides on a shortest path tree (SPT), the interface that multicast packets should reach points to the multicast source.
  • Page 423: Gmrp Overview

    GMRP-supporting device in the same switching network. A host sends a GMRP Join message, if it is interested in joining a multicast group. After receiving the message, the switch adds the port on which the message was received to the multicast group, and broadcasts the message throughout the VLAN where the receiving port resides.
  • Page 424: Displaying And Maintaining Gmrp

    Displaying and Maintaining GMRP: After the above-described configuration, execute the display command in any view to display the running of the GMRP configuration, and to verify the effect of the configuration. Table 332 Display and debug GMRP (Operation | Command)...
  • Page 425 GMRP Configuration Example [SW7750] interface Ethernet 2/0/1 [SW7750-Ethernet2/0/1] gmrp GMRP is enabled on port Ethernet 2/0/1.
  • Page 427: Igmp Snooping

    IGMP Snooping Fundamentals: Internet group management protocol snooping (IGMP Snooping) is a multicast control mechanism running on a Layer 2 switch. It is used to manage and control multicast groups. When the IGMP messages transferred from the hosts to the router pass through the Layer 2 switch, the switch uses IGMP Snooping to analyze and process the IGMP messages, as shown in Table 333.
  • Page 428 Figure: IGMP-enabled router, IGMP Snooping-enabled switch, and the IGMP messages exchanged between them. To implement Layer 2 multicast, the switch processes four different types of IGMP messages it receives, as shown in Table 335.
  • Page 429 ■ Add the port to the MAC multicast group and start the aging timer of the port. ■ Add all router ports in the VLAN owning this port to the MAC multicast group.
  • Page 430: Igmp Snooping Configuration

    CAUTION: An IGMP-Snooping-enabled Switch 7750 Ethernet switch judges whether the multicast group exists when it receives an IGMP leave packet sent by a host in a multicast group. If this multicast group does not exist, the switch will drop the IGMP leave packet instead of forwarding it.
  • Page 431 Optional | “Configuring Multicast VLAN” on page . Enabling IGMP Snooping: You can use the command here to enable IGMP Snooping so that it can establish and maintain MAC multicast group forwarding tables at Layer 2. Table 337 Enable IGMP Snooping (Operation...
  • Page 432 ■ If the switch receives no general IGMP query message from a router within the aging time of the router port, the switch removes the router port from the port member lists of all MAC multicast groups. ■ If the switch receives no IGMP host report message, it sends an IGMP...
  • Page 433 If the IGMP fast leave feature is enabled, when receiving an IGMP Leave message, the switch immediately removes the port from the multicast group. When a port has only one user, enabling the IGMP fast leave feature on the port can save bandwidth.
  • Page 434 One port can belong to multiple VLANs. ■ Only one ACL rule can be configured on each of the VLANs to which the port belongs. ■ If the port does not belong to the VLAN where the command is configured, the configured ACL rule does not take effect.
  • Page 435 Layer 3 switch Messages that is connected to it. In this way, a Layer 3 switch will receive the same IGMP host report messages from multiple hosts in a multicast group when there are multiple hosts in this multicast group.
  • Page 436 If hosts fail to respond for some reason, the multicast router may consider that there is no member of the multicast group on the local subnet and remove the corresponding path. To avoid this from happening, you can configure a port of the IGMP-enabled VLAN interface as a multicast group member.
  • Page 437: Displaying And Maintaining Igmp Snooping

    Configuring Multicast VLAN: In the current multicast mode, when users in different VLANs order the same multicast packet, the multicast stream is copied to each of the VLANs. This mode wastes a lot of bandwidth. By configuring a multicast VLAN, adding switch ports to the multicast VLAN and enabling IGMP Snooping, you can make users in different VLANs share the same multicast VLAN.
  • Page 438: Igmp Snooping Configuration Example

    Configure IGMP Snooping on a switch. Network requirements: Connect the router port on the switch to the router, and the other non-router ports, which belong to VLAN 10, to user PCs. Enable IGMP Snooping on the switch. Network diagram: Figure 108 Network diagram for IGMP Snooping configuration...
  • Page 439 VLAN 5 to VLAN 7 port. where the IGMP snooping function is enabled. Configure VLAN 1024 as a multicast VLAN and configure VLAN 2 to VLAN 7 as multicast sub-VLANs. Network diagram Figure 109 Network diagram for multicast VLAN configuration RouterA...
  • Page 440: Troubleshooting Igmp Snooping

    VLAN. If it is disabled globally, use the igmp-snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time. If it is only disabled on the corresponding VLAN, use the igmp-snooping enable command in VLAN view only to enable it on the corresponding VLAN.
  • Page 441: Common

    Layer 3 switches or routers. To prevent a large number of multicast route entries from consuming all the memory of the Layer 3 switches or routers, you can configure a limit on the number of route entries, so that too many route entries are not sent to the Layer 3 switches or routers.
  • Page 442 Chapter 44: Common Multicast Configuration. Enabling Multicast Routing and Configuring a Limit on the Number of Multicast Route Entries. Table 353 Enable multicast routing and configure a limit on the number of multicast route entries (Operation / Command / Description): Enter system view...
  • Page 443 30; if you set the seconds argument to 31, the system sets the holdtime to 45, and so on. ■ When the holdtime is set to 0, the reporting of packets to the CPU is not suppressed.
  • Page 444 Required: interface interface-type interface-number. CAUTION: You can configure static router ports in Ethernet port view or VLAN view, but you can view the related configuration information in Ethernet port view only. Clearing the Related Multicast Entries: Use the reset command in user view to clear the related statistics information about the common multicast configuration.
  • Page 445: Displaying Common Multicast Configuration

    Displaying Common Multicast Configuration: After the configuration above, you can execute the display command to verify the configuration by checking the displayed information. The multicast forwarding table is mainly used for debugging. Generally, you can get the required information by checking the core multicast routing table.
  • Page 446 MAC multicast groups in one VLAN or all the VLANs on the switch. Three kinds of tables affect data transmission. The correlations among them are: ■ Each multicast routing protocol has its own multicast routing table. ■ The multicast routing information of all multicast routing protocols is...
  • Page 447: Static Multicast Mac Address

    MAC address entry manually. Generally, when receiving a multicast packet whose multicast address has not yet been registered on the switch, the switch will broadcast the packet in the VLAN to which the port belongs. However, you can configure a static multicast MAC address entry to avoid this case.
  • Page 448 Chapter 45: Static Multicast MAC Address Table Configuration. Table 361 Display the multicast MAC addresses (Operation / Command / Description): Display the static multicast MAC addresses: display mac-address multicast [ count ]. You can use the display command in any view.
  • Page 449 IGMP Version: IGMP has three versions so far: IGMP Version 1 defined by RFC 1112, IGMP Version 2 defined by RFC 2236, and IGMP Version 3 defined by RFC 3376. IGMP Version 2 is the most widely used currently. Compared with IGMP Version 1, the advantages of IGMP Version 2 are: Multicast router election mechanism on a shared network segment. A shared network segment is a network segment with multiple multicast routers.
  • Page 450 Only when a query message times out can the multicast router know that a host has left the group. In IGMP Version 2, when a host replying to the last membership query message decides to leave a multicast group, it will send a leave group message to the multicast router.
  • Page 451 All hosts in the network receive the query messages. If some hosts (such as ■ Host B and Host C) are interested in the multicast group G1, Host B and Host C will multicast IGMP host report messages (carrying the address of the multicast group G1) to declare that they will join in the multicast group G1.
  • Page 452 This adds to the leave latency. In IGMPv2, on the other hand, when a host leaves a multicast group: 1 This host sends a Leave Group message (often referred to as leave message) to all routers (the destination address is 224.0.0.2) on the local subnet.
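The query, report and leave messages described above in bytes, as an added example (Python; not code from this guide or from 3Com): it builds IGMPv2 messages with a valid Internet checksum and parses them the way a router or snooping switch must, rejecting bad checksums, unknown types, and messages sent to the wrong destination address (general queries to 224.0.0.1, reports to the group itself, leaves to all-routers 224.0.0.2). The message types and address rules follow RFC 2236; the sample messages are constructed for the example.

```python
"""IGMPv2 message encode/decode (RFC 2236) with the RFC 1071 Internet checksum.

Added example, not code from the 3Com guide. Sample messages are constructed
inline; the destination-address rules are the ones a router or a snooping
switch relies on when it learns member ports and router ports.
"""
import ipaddress
import struct

MEMBERSHIP_QUERY = 0x11
V1_MEMBERSHIP_REPORT = 0x12
V2_MEMBERSHIP_REPORT = 0x16
LEAVE_GROUP = 0x17
ALL_SYSTEMS = "224.0.0.1"
ALL_ROUTERS = "224.0.0.2"
IGMP_HDR = struct.Struct("!BBH4s")   # type, max resp time (1/10 s), checksum, group


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); evaluates to 0 over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp_tenths: int = 0) -> bytes:
    """Return an 8-byte IGMPv2 message with the checksum filled in.

    max_resp_tenths is the maximum response time in 1/10 s units; it is only
    meaningful in queries (hosts pick a random delay in [0, max_resp]).
    """
    if not 0 <= max_resp_tenths <= 255:
        raise ValueError("max response time must fit in one byte")
    raw = IGMP_HDR.pack(msg_type, max_resp_tenths, 0, ipaddress.IPv4Address(group).packed)
    return raw[:2] + struct.pack("!H", inet_checksum(raw)) + raw[4:]


def parse_igmpv2(pkt: bytes, ip_dst: str) -> dict:
    """Parse one IGMPv2 message; ip_dst is the IP destination it arrived with.

    Raises ValueError for anything that should be dropped: short packet, bad
    checksum, unknown type, or a destination that does not fit the message.
    """
    if len(pkt) < IGMP_HDR.size:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group_raw = IGMP_HDR.unpack(pkt[:IGMP_HDR.size])
    group = str(ipaddress.IPv4Address(group_raw))
    kinds = {MEMBERSHIP_QUERY: "query", V1_MEMBERSHIP_REPORT: "report",
             V2_MEMBERSHIP_REPORT: "report", LEAVE_GROUP: "leave"}
    if msg_type not in kinds:
        raise ValueError("unknown IGMP type 0x%02x" % msg_type)
    kind = kinds[msg_type]
    general = kind == "query" and group == "0.0.0.0"
    if kind == "query" and ip_dst != (ALL_SYSTEMS if general else group):
        raise ValueError("query destination does not match its group field")
    if kind == "report" and ip_dst != group:
        raise ValueError("report must be addressed to the group it reports")
    # RFC 2236: leaves go to all-routers, but routers also accept a leave
    # addressed to the group being left.
    if kind == "leave" and ip_dst not in (ALL_ROUTERS, group):
        raise ValueError("leave must be addressed to 224.0.0.2 or the group")
    return {"kind": kind, "group": group, "general_query": general,
            "max_resp_tenths": max_resp}


def accepts(pkt: bytes, ip_dst: str) -> bool:
    """True if parse_igmpv2 would accept the message (convenience for filtering)."""
    try:
        parse_igmpv2(pkt, ip_dst)
        return True
    except ValueError:
        return False
```

A general query carries group 0.0.0.0 and the maximum response time that the hosts' random timers are drawn from; a report is addressed to the group so that other members on the segment can hear it and suppress their own; a leave is addressed to 224.0.0.2 so every router on the segment sees it, which is what the fast-leave and last-member-query behaviour above depends on.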
  • Page 453 Layer 3 switch in the leaf network (Switch B in the figure). The Layer 3 switch then forwards the IGMP join or IGMP leave messages sent by the connected hosts. After IGMP Proxy is configured, the leaf switch is no longer a PIM neighbor but a host for the external network.
  • Page 454: Igmp Configuration Tasks

    IGMP version 2 is used by default. CAUTION: IGMP versions are not switched automatically, so all the Layer 3 switches on a subnet must be configured to use the same IGMP version. Configuring IGMP Query: IGMP general query messages...
  • Page 455 IGMP querier. The maximum query response time of IGMP packets: When the host receives a query message, it sets a timer for each of its multicast groups. The timer value is selected at random from 0 to the maximum response time.
  • Page 456 ■ Limit the range of multicast groups that the interface serves. Limiting the number of joined multicast groups: If the number of joined IGMP groups on the multicast routing interface of the switch is not limited, the memory of the switch may be exhausted and the routing...
  • Page 457 interface of the switch may fail when a large number of multicast groups join on the routing interface. You can configure a limit on the number of IGMP multicast groups on the interface of the switch. Thus, when users order the programs of multicast groups, the network bandwidth can be controlled because the number of multicast groups is limited.
  • Page 458 ■ If the number of existing IGMP multicast groups exceeds the configured limit on the number of joined multicast groups on the interface, the system deletes some existing multicast groups automatically until the number of multicast groups on the interface conforms to the configured limit.
  • Page 459 After the configuration of IGMP Proxy on the Layer 3 switch of the leaf network, the leaf Layer 3 switch is just a host for the external network. Only when the Layer 3 switch has directly connected members, can it receive the multicast data of corresponding groups.
  • Page 460: Displaying Igmp

    IGMP host report messages is disabled. Removing the Joined IGMP Groups from the Interface: You can remove all the joined IGMP groups on all ports of the router, all the joined IGMP groups on the specified interfaces, or a specified IGMP group address or group address network segment on the specified interface.
  • Page 461: Pim Overview

    In order to reduce the delay time for a pruned branch to be restored to the forwarding status, PIM-DM uses the graft mechanism to restore the multicast packet forwarding automatically.
  • Page 462 ■ router through incorrect interfaces, the router just discards the packets. After this process, the router creates an (S, G) entry for every host in the PIM-DM domain. If there is no multicast group member in the downstream nodes, the router sends a prune message to the upstream nodes to tell them not to forward data any more.
  • Page 463 When a pruned downstream node needs to be restored to the forwarding state, it may send a graft packet to inform the upstream node. As shown in Figure 113, user A receives multicast data again. Graft messages will be sent hop by hop to the multicast source S.
  • Page 464 In a shared network such as Ethernet, the same packets may be sent repeatedly. For example, a LAN segment contains several multicast routers, A, B, C, and D, each with its own receiving path to the multicast source S. As shown in Figure 113:...
  • Page 465 DR must be elected only if the network is a shared network. The DR in the receiving end sends Join messages to RP and the DR in the multicast source side sends Register messages to RP, as shown in Figure 114:...
  • Page 466 Each router on the shared network sends Hello messages with the DR priority option to each other. The router with the highest DR priority is elected as the DR in the network. If the priority is the same, the router with the highest IP address is elected as the DR.
  • Page 467 IP address. When the priority is the same, the candidate BSR with a higher IP address is considered to be better. If the former is better, the candidate BSR will replace its own BSR address with the new BSR address and does not consider itself as BSR any more.
  • Page 468 Each router on the path from the leaf router to RP generates (*, G) entries in the forwarding table. The routers on the path form a branch of the RPT. A (*, G) entry represents the information from any source to the multicast group G. RP is the root of the RPT and the receivers are the leaves of the RPT.
  • Page 469: Common Pim Configuration

    RPT, and on the other hand, it sends (S, G) join messages to S hop by hop. The routers passed through constitute a branch of the SPT. The multicast source S is the root of the SPT and RP is the destination of the SPT.
  • Page 470 ■ When PIM-DM is enabled on an interface, PIM-SM cannot be enabled on the interface any more, and vice versa. ■ When PIM-DM is enabled on an interface of the switch, only PIM-DM can be enabled on the other interfaces of the switch, and vice versa.
  • Page 471 Common PIM Configuration. Configuring PIM Neighbors: To prevent a large number of PIM neighbors from exhausting the memory of the router, which may result in router failure, you can limit the number of PIM neighbors on a router interface. However, the total number of PIM neighbors of a router is defined by the system, and you cannot modify it through commands.
  • Page 472: Pim-Dm Configuration

    IP addresses of some multicast groups in ACL. CAUTION: ■ If you configure basic ACLs, the source address match is performed on all the received multicast packets. The packets failing to match are discarded. ■ If you configure advanced ACLs, the source address and group address match...
  • Page 473 ■ If you use static RPs, all routers in the PIM domain must adopt the same configuration. ■ If the configured static RP address is the address of an UP interface on the local switch, the switch will serve as RP.
  • Page 474 ■ PIM need not be enabled on the interface of static RPs. ■ The limit on the range of valid BSRs prevents the valid BSRs in the network from being replaced maliciously: BSR information from outside the configured range is not accepted by the Layer 3 switch, so a rogue candidate BSR cannot take over the domain and the BSRs in the network are protected.
  • Page 475: Displaying And Debugging Pim

    DR. CAUTION: ■ If a source-group entry (S, G) is denied by the ACL, or no operation on the entry is defined in the ACL, or no ACL is defined, RP sends RegisterStop messages to the DR to stop the registration process of the multicast data flow.
  • Page 476: Pim Configuration Examples

    Example: Lanswitch 1 is connected to Multicast Source through Vlan-interface 10, to Lanswitch 2 through Vlan-interface 11 and to Lanswitch 3 through Vlan-interface 12. Through PIM-DM, multicast is implemented among Receiver 1, Receiver 2 and Multicast Source. Network diagram: Figure 118 Network diagram for PIM-DM configuration...
  • Page 477 ■ Vlan-interface 11 and to LS_A through Vlan-interface 12. Host A is the receiver of the multicast group whose multicast IP address is 225.0.0.1. Host B begins to send data to the destination 225.0.0.1 and LS_A receives the multicast data from Host B through LS_B.
  • Page 478 PIM-SM domain. Detailed configuration steps are omitted here. 2 Enable IP multicast routing, and enable PIM-SM on each interface Configure LS_A ■ # Enable multicast routing, enable PIM-SM on each interface, and enable IGMP on Vlan-interface 11. <SW7750> system-view [SW7750] multicast routing-enable...
  • Page 479: Troubleshooting Pim

    # Configure a PIM domain boundary. [SW7750] interface Vlan-interface 12 [SW7750-Vlan-interface12] pim bsr-boundary When Vlan-interface 12 is configured as the PIM domain boundary, LS_D cannot receive BSR information from LS_B any more, that is, LS_D is excluded from the PIM domain. Configure LS_C ■...
  • Page 480 Chapter 47: PIM Configuration...
  • Page 481: Msdp C

    (PIM-SM) domains. It is used to discover multicast source information in other PIM-SM domains. In the basic PIM-SM mode, a multicast source registers only with the RP in the local PIM-SM domain, and the multicast source information of a domain is isolated from that of another domain.
  • Page 482 As shown in Figure 120, an MSDP peer can be created on any PIM-SM router. MSDP peers created on PIM-SM routers that assume different roles function differently. 1 MSDP peers on RPs: ■ Source-side MSDP peer: the MSDP peer nearest to the multicast source...
  • Page 483 1 When the multicast source in PIM-SM 1 sends the first multicast packet to multicast group G, DR 1 encapsulates the multicast data within a register message and sends the register message to RP 1. Then, RP 1 gets aware of the information related to the multicast source.
  • Page 484 RPs. RP 3, RP 4 and RP 5 are in an MSDP mesh group. On RP 7, RP 6 is configured as its static RPF peer. If only one MSDP peer exists in a PIM-SM domain, this PIM-SM domain is also called a stub domain.
  • Page 485 IP address) Although RP 4 and RP 5 are in the same AS (AS 3) and both are MSDP peers of RP 6, because RP 5 has a higher IP address, RP 6 accepts only the SA message from RP...
  • Page 486 RP 1, with its multicast data encapsulated in the register message. When the register message arrives at RP 1, RP 1 decapsulates the message. 2 Receivers send join messages to the nearest RP to join the RPT rooted as this RP. In this example, Receiver joins the RPT rooted at RP 2.
  • Page 487: Configuring Msdp Basic Functions

    Before configuring static RPF peers, you must create an MSDP peering connection. If you configure only one MSDP peer on a router, the MSDP peer will act as a static RPF peer. If you configure multiple static RPF peers, you need to handle them by using different rules according to whether the rp-policy keyword is used to configure the filtering policies.
  • Page 488: Configuring Connection Between Msdp Peers

    ■ Enable BGP or MBGP on an MSDP-enabled router. It is recommended to assign the same address for a BGP peer or MBGP peer as for the MSDP peer on a router. ■ If a router interface serves as one end of an MSDP peer and BGP peer...
  • Page 489 By default, an MSDP peer has no description text. Configuring Anycast RP Application: If you configure RPs with the same address for two routers in the same PIM-SM domain, the two routers will be MSDP peers to each other. To prevent failure of the RPF check on SA messages between MSDP peers, you must configure the RP address to be carried in the SA messages.
  • Page 490: Configuring Sa Message Transmission

    By default, when a new receiver joins, a router does not send any SA request message to its MSDP peer but has to wait for the next SA message. This defers the reception of the multicast information by the receiver. In order for the new receiver to know about the currently active multicast source as quickly as possible, the router needs to send SA request messages to the MSDP peer.
  • Page 491 SA request message, the router immediately gets a response from all active multicast sources. By default, the router does not send any SA request message to its MSDP peers upon receipt of a Join message; instead, it waits for the next SA message.
  • Page 492 (S, G) entries in the multicast routing table that satisfy the filtering rule when the MSDP creates the SA message; that is, to control the (S, G) entries to be imported from the multicast routing table to the PIM-SM domain. If the import-source command is executed without the acl keyword, no source will be advertised in the SA message.
  • Page 493: Displaying And Debugging Msdp Configuration

    The maximum number of cached SA messages on each MSDP peer and on all the MSDP peers on a router is limited by the system. To protect a router against denial of service (DoS) attacks in which a peer floods it with SA messages, you can manually configure the maximum number of SA messages cached on the router.
  • Page 494: Msdp Configuration Example

    An MSDP peering relationship is established between the RPs based on BGP routes within each PIM-SM network. Loopback 0 on Switch C, Switch D and Switch E functions as the C-BSR and C-RP of its own PIM-SM domain respectively. An MSDP peering relationship is...
  • Page 495 Switch C in the PIM-SM 1 domain are interoperable on the network layer, Switch D and Switch E in the PIM-SM 2 domain are interoperable on the network layer, and Switch F and Switch G in the PIM-SM 3 domain are interoperable on the network layer.
  • Page 496 # Configure the PIM domain boundary on Switch C, Switch D and Switch F respectively. Switch C is taken for example. The configuration procedures on Switch D and Switch F are similar to that on Switch C. The details are omitted here.
  • Page 497 [SwitchF-bgp] import-route ospf [SwitchF-bgp] quit # Carry out the display bgp peer command to view the BGP peering relationships between the switches. The information about BGP peering relationships between Switch C, Switch D and Switch F is displayed as follows:...
  • Page 498 [SwitchD-msdp] quit When the multicast source S1 in PIM-SM1 sends multicast information, receivers in PIM-SM2 and PIM-SM3 can receive the multicast data. You can use the display msdp brief command to view the brief information of MSDP peering relationships between the switches. The brief information about MSDP peering...
  • Page 499 (S) and receivers. With Anycast RP configured in each PIM-SM domain, when a new member joins the multicast group, the switch directly connected to the receiver can send a Join message to the nearest RP on the topology.
  • Page 500 Switch D can receive multicast information. Carry out the display pim routing-table command to view PIM routes on the switch. The information about PIM routes on Switch C and Switch D is displayed as follows: [SwitchC] display pim routing-table...
  • Page 501 C-BSR and C-RP of the respective PIM-SM domain. The static RPF peers of Switch C are Switch D and Switch F, while Switch C is the only RPF peer of Switch D and Switch F. Any switch can receive the SA messages sent by its static RPF...
  • Page 502 2 Enable multicast and enable PIM-SM on each interface. # Enable multicast on all the switches, and enable PIM-SM on each interface. The configuration procedures on the other switches are similar to the configuration procedure on Switch C. So the configuration procedures on the other switches are omitted.
  • Page 503 [SwitchC-msdp] static-rpf-peer 192.168.1.2 rp-policy list-df [SwitchC-msdp] quit # Configure Switch C as a static RPF peer of Switch D and Switch F. The configuration procedure on Switch F is similar to the configuration procedure on Switch D, so the configuration procedure on Switch F is omitted.
  • Page 504: Troubleshooting Msdp Configuration

    An MSDP fails to send (S, G) forwarding entries through an SA message. Analysis You can use the import-source command to send the (S, G) entries of the local multicast domain to the neighboring MSDP peer through SA messages. The acl...
  • Page 505 keyword is optional. If you do not use this keyword, all (S, G) entries are filtered out by default, that is, none of the (S, G) entries in the local multicast domain are advertised. Before the import-source command is executed, the system sends all (S, G) entries in the local multicast domain.
  • Page 506 Chapter 48: MSDP Configuration...
  • Page 507: Aaa & Radius & Hwtacacs Configuration

    Introduction to AAA: AAA stands for the three security functions authentication, authorization and accounting. It provides a uniform framework for configuring the three security functions to implement network security management. The network security mentioned here mainly refers to access control. It mainly...
  • Page 508 Introduction to ISP An Internet service provider (ISP) domain is a group of users who belong to the Domain same ISP. For a user name in the format of userid@isp-name, the isp-name following the @ character is the ISP domain name.
  • Page 509 In addition, the RADIUS server can act as the client of some other AAA server to provide the authentication or accounting proxy service. Basic message exchange procedure of RADIUS: The messages exchanged between a RADIUS client (a switch, for example) and the RADIUS server are verified by using a shared key; the same key is also used to hide the user password carried in authentication requests.
  • Page 510 The basic message exchange procedure of RADIUS is as follows: 1 The user enters the user name and password. 2 The RADIUS client receives the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server.
  • Page 511 Figure 129 RADIUS packet structure (fields: Code, Identifier, Length, Authenticator, Attributes). The Code field determines the type of the RADIUS packet, as shown in Table 395. Table 395 Description of major values of the Code field (Code / Packet type / Packet description): 1 Access-Request, Direction: client->server.
  • Page 512 Figure 130 depicts the structure of attribute 26. The Vendor-ID field representing the code of the vendor occupies four bytes. The first byte is 0, and the other three bytes are defined in RFC1700. Here, the vendor can encapsulate multiple...
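The packet structure, shared-key verification and attribute 26 layout described above, as an added example (Python; not code from this guide or from 3Com). It builds an Access-Request with the User-Password hidden under the shared key as RFC 2865 section 5.2 specifies, parses the attributes including a Vendor-Specific attribute, and verifies the Response Authenticator on the server's reply. The vendor ID 9999 and the user name in the sample are placeholders; the shared key "expert" is the one used in the configuration example later in this chapter.

```python
"""RADIUS (RFC 2865) helpers: packet layout, User-Password hiding under the shared
key, Vendor-Specific (attribute 26) parsing, Response Authenticator verification.
Added example, not 3Com code. Vendor ID 9999 is a placeholder (the page does not
state 3Com's enterprise code); shared key "expert" is from the page's example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, VENDOR_SPECIFIC = 1, 2, 4, 18, 26
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def _xor_chain(blocks: bytes, secret: bytes, request_auth: bytes, decoding: bool) -> bytes:
    """RFC 2865 5.2: c1 = p1 ^ MD5(S + RA); ci = pi ^ MD5(S + c(i-1)). The chaining
    value is the previous ciphertext block: the output when hiding, the input when revealing."""
    out, prev = b"", request_auth
    for i in range(0, len(blocks), 16):
        block = blocks[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = block if decoding else res
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1..128 bytes, Request Authenticator 16 bytes")
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, request_auth, False)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, request_auth, True).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the 2-byte header, so Value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: 4-byte Vendor-Id (high byte 0) followed by a vendor sub-attribute in TLV form."""
    if vendor_id >> 24:
        raise ValueError("high byte of Vendor-Id must be 0")
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attribute(vendor_type, value))


def _tlvs(payload: bytes) -> list:
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return out


def parse_attributes(payload: bytes) -> list:
    """[(type, value)], each VSA expanded to (26, (vendor_id, vendor_type, value))."""
    out = []
    for atype, value in _tlvs(payload):
        if atype != VENDOR_SPECIFIC:
            out.append((atype, value))
        elif len(value) < 6 or value[0] != 0:
            raise ValueError("malformed Vendor-Specific attribute")
        else:
            vendor_id = struct.unpack("!I", value[:4])[0]
            out.extend((VENDOR_SPECIFIC, (vendor_id, vt, vv)) for vt, vv in _tlvs(value[4:]))
    return out


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, vendor_attrs=(), request_auth: bytes = None):
    """Client side: returns (packet, request_auth). The 16 random authenticator bytes are
    kept to check the reply; the server needs them to reveal the password."""
    request_auth = request_auth or os.urandom(16)
    attrs = [attribute(USER_NAME, username),
             attribute(USER_PASSWORD, hide_password(password, secret, request_auth)),
             attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    attrs += [vsa(*v) for v in vendor_attrs]
    body = b"".join(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body, request_auth


def _response_auth(code, ident, length, request_auth, body, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """Server side: echo the request's Identifier and sign with the Response Authenticator."""
    ident, request_auth, body = request[1], request[4:20], b"".join(attrs)
    length = HEADER.size + len(body)
    auth = _response_auth(code, ident, length, request_auth, body, secret)
    return HEADER.pack(code, ident, length, auth) + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side. False means a wrong shared key or a modified/forged reply; RFC 2865
    requires such a packet to be silently discarded."""
    if len(response) < HEADER.size:
        return False
    code, ident, length, auth = HEADER.unpack(response[:HEADER.size])
    if length != len(response):
        return False
    expected = _response_auth(code, ident, length, request_auth, response[HEADER.size:], secret)
    return hmac.compare_digest(auth, expected)
```

A reply that fails verify_response is what a shared-key mismatch between switch and server looks like on the wire: the server may still answer, but the client must discard the packet and the user sees an authentication failure. The User-Password hiding is an MD5 keystream XOR keyed by the shared secret and the Request Authenticator; it keeps the password from a casual observer but is not authenticated encryption, which is why the shared key and the path to the RADIUS server both need protecting.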
  • Page 513 In a typical HWTACACS application, a dial-up or terminal user needs to log in to the device for operations. As the client of HWTACACS in this case, the switch sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user can log in to the switch to perform operations, as shown in Figure 131.
  • Page 514 Basic message exchange procedure in HWTACACS: For example, use HWTACACS to implement authentication, authorization, and accounting for a telnet user. Figure 132 illustrates the basic message exchange procedure: Figure 132 The AAA implementation procedure for a telnet user...
  • Page 515 11 The TACACS server sends back an accounting response, indicating that it has received the accounting start request. 12 The user logs out; the TACACS client sends an accounting stop request to the TACACS server. 13 The TACACS server sends back an accounting stop packet, indicating that the...
  • Page 516: Configuration Tasks

    Chapter 49: AAA & RADIUS & HWTACACS Configuration. Configuration Tasks. Table 398 Configuration tasks (Operation / Description / Related section): Create an ISP domain: Required; see "Creating an ISP Domain" on page 518. Configure the attributes of the ISP domain: Optional; see "Configuring the attributes of the ISP...
  • Page 517 Create a RADIUS scheme: see "Creating a RADIUS Scheme" on page 525. Configure RADIUS authentication/authorization servers: Required; see "Configuring RADIUS Authentication/Authorization Servers" on page 525. Configure RADIUS accounting servers: Required; see "Configuring RADIUS Accounting Servers" on page 526. Configure shared keys for RADIUS packets: Optional; see "Configuring Shared Keys for RADIUS Packets"...
  • Page 518: Aaa Configuration

    AAA Configuration The goal of AAA configuration is to protect network devices against unauthorized access and at the same time provide network access services to authorized users. If you need to use ISP domains to implement AAA management on access users, you need to configure the ISP domains.
  • Page 519 ■ On a Switch 7750, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the user name, the switch assumes that the user belongs to the default ISP domain.
  • Page 520 Configuring a bound AAA scheme: You can use the scheme command to specify an AAA scheme. If you specify a RADIUS or HWTACACS scheme, authentication, authorization and accounting are all implemented by the RADIUS server or TACACS server specified in the RADIUS or HWTACACS scheme.
  • Page 521 } scheme is configured. ■ If a bound AAA scheme is configured as well as the separate authentication, authorization and accounting schemes, the separate ones take precedence. ■ RADIUS scheme and local scheme do not support the separation of...
  • Page 522 ID assigned by the RADIUS authentication server, the switch compares the ID with existing VLAN names on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user cannot pass the authentication.
  • Page 523 VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for example).
  • Page 524 For SSH users, when they use RSA public-key authentication, the commands they can access are determined by the levels set on their user interfaces.
  • Page 525: Radius Configuration

    IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting.
  • Page 526 ■ The IP address and port number of the primary authentication server used by the default RADIUS scheme "system" are 127.0.0.1 and 1645. Note that 1645 is the legacy RADIUS authentication port; RFC 2865 assigns 1812 (and RFC 2866 assigns 1813 for accounting), so set the port in the scheme to match the one the server actually listens on.
  • Page 527 The two parties verify the validity of the exchanged packets by using the shared keys that have been set on them, and can accept and respond to the packets sent from each other only if both of them have the same shared keys.
  • Page 528 When the switch fails to communicate with the primary server due to some server trouble, the switch will actively exchange packets with the secondary server. After the time the primary server keeps in the block state exceeds the time set with the timer quiet command, the switch will try to communicate with the primary server again when it receives a RADIUS request.
  • Page 529 RADIUS servers cannot accept the user names that carry ISP domain names. In this case, it is necessary to remove the domain names carried in the user names before sending the user names to the RADIUS server. For this...
  • Page 530 request (authentication/authorization request or accounting request) and waiting for a period of time, it should retransmit the packet to ensure that the user can obtain the RADIUS service. This wait time is called the response timeout time of RADIUS servers;...
  • Page 531 The function applies to the environment where the RADIUS authentication/accounting server is CAMS. In an environment with a CAMS server, if the switch reboots after an exclusive user (a user whose concurrent online number is set to 1 on the CAMS) gets...
  • Page 532: Hwtacacs Configuration

    4 Once the switch receives the response from the CAMS, it stops sending other Accounting-On packets. 5 If the switch does not receive any response from the CAMS after the number of Accounting-On packets it has sent reaches the configured maximum number, it does not send any more Accounting-On packets.
  • Page 533 ■ The primary and secondary authentication servers cannot use the same IP address. Otherwise, the system will prompt unsuccessful configuration. ■ You can remove a server only when it is not used by any active TCP connection for sending authentication packets.
  • Page 534 ■ for sending accounting packets. Configuring Shared Keys for HWTACACS Packets: When using a TACACS server as an AAA server, you can set a key to improve the communication security between the switch and the TACACS server. The TACACS client and server use the shared key with the MD5 algorithm to encrypt the exchanged HWTACACS packets. As in TACACS+, this is an MD5-derived pad XORed with the packet body: it hides the contents from a passive observer but provides no integrity check, so the key must be kept secret and the path between the switch and the server should itself be trusted.
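How the MD5-based protection of HWTACACS/TACACS+ packets works, as an added example (Python; not code from this guide or from 3Com): it derives the pad from the session ID, shared key, version and sequence number as RFC 8907 section 4.5 describes, applies it to an authentication REPLY, and then shows why a shared key is not an integrity guarantee: an on-path attacker can flip the status byte from FAIL to PASS without knowing the key. The session ID, key and REPLY contents are constructed for the example, and the REPLY body layout (status byte first) is from RFC 8907 section 5.2.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5), which HWTACACS follows.

Added example, not code from the 3Com guide. The 'MD5 encryption' the text
mentions is an MD5-derived pad XORed with the body: the shared key gives
confidentiality against a passive observer but no integrity, so an on-path
attacker can flip bits in a reply without the key. Sample packets are
constructed inline.
"""
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id + key + version + seq_no);
    pad_n = MD5(session_id + key + version + seq_no + pad_{n-1}); concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a packet body (the same operation, XOR being its own inverse)."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes,
                 version: int = 0xC0) -> bytes:
    """12-byte header plus body; the body is XORed with the pad when a key is set.
    version 0xC0 is TACACS+ major version 0xC, minor version 0."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = xor_body(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def open_packet(pkt: bytes, key: bytes) -> tuple:
    """Return ((version, type, seq_no, session_id), cleartext body).

    Rejects a length field that does not match the body, and a packet that claims
    to be unobfuscated while a key is configured (a downgrade an attacker could try).
    """
    if len(pkt) < HEADER.size:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field does not match body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key:
            raise ValueError("unobfuscated packet received while a key is configured")
        return (version, ptype, seq_no, session_id), body
    return (version, ptype, seq_no, session_id), xor_body(body, session_id, key, version, seq_no)


def authen_reply(status: int, server_msg: bytes = b"") -> bytes:
    """RFC 8907 5.2 authentication REPLY body: status, flags, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def flip_status_on_the_wire(pkt: bytes, old: int, new: int) -> bytes:
    """Attacker side: XOR the first body byte with old ^ new. This works without the key
    because the pad XOR is linear, and the receiver has no MAC with which to notice."""
    b = bytearray(pkt)
    b[HEADER.size] ^= old ^ new
    return bytes(b)
```

The downgrade check in open_packet matters in practice: if a client silently accepted the unencrypted flag, an attacker would not even need the bit-flipping trick. The flip itself is the reason the guide's advice to keep the link between switch and TACACS server trusted is not optional; only the network path, not the key, stands between an attacker and a forged PASS.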
  • Page 535 Where, isp-name behind the @ character represents the ISP domain name. If the TACACS server does not accept the user name carrying isp domain name, it is necessary to remove the domain name from the user names before they are sent to the TACACS server.
  • Page 536: Displaying And Maintaining Aaa & Radius & Hwtacacs Information

    information of online users to the TACACS accounting server at intervals of this value. Even if the server does not respond, the device does not disconnect the online user. The interval must be a multiple of 3.
  • Page 537: Aaa & Radius & Hwtacacs Configuration Example

    Telnet users as example. Network requirements In the network environment shown in Figure 133, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server.
  • Page 538 On the switch, set the shared key that is used to exchange packets with the ■ authentication RADIUS server to “expert”. You can use a CAMS server as the RADIUS server. If you use a third-party RADIUS server, you can select standard or extended as the server type in the RADIUS scheme.
  • Page 539 [SW7750] domain cams [SW7750-isp-cams] scheme radius-scheme cams A Telnet user logging into the switch by a name in the format of userid@cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain.
  • Page 540 A TACACS server with IP address 10.1.1.1 is connected to the switch. This server will be used as the AAA server. On the switch, set the shared key that is used to exchange packets with the AAA TACACS server to “expert”. Configure the switch to strip off the domain name in the user name to be sent to the TACACS server.
  • Page 541: Troubleshooting Aaa & Radius & Hwtacacs Configuration

    ■ RADIUS server is disconnected/blocked - Take measures to make the links connected/unblocked. ■ None or incorrect RADIUS server IP address is set on the switch - Be sure to set a correct RADIUS server IP address. ■ One or all AAA UDP port settings are incorrect - Be sure to set the same UDP...
  • Page 542 Symptom 3: The user passes the authentication and gets authorized, but the accounting information cannot be transmitted to the RADIUS server. Possible reasons and solutions: ■ The accounting port number is not properly set - Be sure to set a correct port number for RADIUS accounting.
  • Page 543: Ead C

    Figure 136. Figure 136 EAD basic principle. Typical Network Application of EAD: The EAD scheme checks the security status of the user and enforces the user access control policy according to the result. Therefore, those...
  • Page 544: Ead Configuration

    ACL control packets to the switch to control which addresses the client can access. After the client is patched and compliant with the required security standard, the security policy server reissues an ACL to the switch to assign the access right to the client. EAD Configuration Configuration EAD is implemented typically in RADIUS scheme.
  • Page 545: Ead Configuration Example

    RADIUS server and EAD control is achieved through security policy server. The following are the configuration tasks: Connect the RADIUS authentication server to the switch. The IP address of the ■ server is 10.110.91.164, and the switch adopts the port with port number 1812 to communicate with the authentication server.
  • Page 546 (Network diagram: user, security policy server 10.110.91.166/16, virus patch server 10.110.91.168/16.) Configuration procedure: # Configure 802.1X on the switch. Refer to "802.1x Configuration" on page 399 for detailed description. # Configure domain. <SW7750> system-view [SW7750] domain system [SW7750-isp-system] quit # Configure RADIUS scheme.
  • Page 547: Traffic Accounting Configuration

    802.1x users based on time or traffic. Traffic accounting enables the switch where the users are authenticated to account for the traffic generated when the users are online and send traffic accounting results to the accounting server to charge the online users.
  • Page 548: Configuring Traffic Accounting

    The following details the traffic accounting procedure: 1 After a user passes the 802.1x authentication, the user goes online successfully. 2 The authenticator device acquires the online IP address of the user and starts to account for the traffic of the user.
  • Page 549: Displaying Traffic Accounting

    ■ Currently, only single rate is supported; multi-rate is not supported.
    Displaying Traffic Accounting: After the above configuration, you can execute the display command in any view to display the operation status of traffic accounting and verify your configuration.
  • Page 550: Traffic Accounting Configuration Example

    [SW7750-traffic-group-somegroup] network 11.127.1.0 24
    [SW7750-traffic-group-somegroup] network 12.127.1.0 24
    [SW7750-traffic-group-somegroup] quit
    # Enter the user’s domain view (suppose the user belongs to domain aaa), set the accounting mode to traffic accounting and configure the domain to use the traffic group.
    [SW7750] domain aaa...
  • Page 551 Traffic Accounting Configuration Example
    [SW7750-isp-aaa] traffic-group somegroup rate 1
    [SW7750-isp-aaa] quit
    # Configure the traffic accounting module, specify the traffic collection module, and enable the traffic accounting function.
    [SW7750] traffic-accounting accounting-slot 2
    [SW7750-accounting-slot-2] traffic-slot 3
    [SW7750-accounting-slot-2] accounting enable...
  • Page 552 Chapter 51: Traffic Accounting Configuration...
  • Page 553: Vrrp Overview

    Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. As shown in Figure 141, in general:
    ■ A default route (for example, the next hop address of the default route is 10.100.10.1, as shown in the following figure) is configured for every host on a network.
  • Page 554 In this case, the switch is called an IP address owner.
    ■ A backup group is established if it is assigned an IP address for the first time. If you then add other IP addresses to the backup group, the IP addresses are...
  • Page 555 By default, virtual router IP addresses are mapped to the virtual MAC address of a backup group. When you map a virtual IP address to the virtual MAC address on a Switch 7750, the number of backup groups that can be configured on a VLAN interface is determined by the chips used.
  • Page 556 With the configuration of delay period, the backup switch will wait for a while if it does not receive packets from the master switch in time. A new master is determined only after the backup switches do not receive packets from the master switch after the specified delay time.
  • Page 557: Vrrp Configuration

    if it does not receive a VRRP packet from the master for the period specified by the master-down-interval argument. Configuring the VLAN interfaces/Ethernet ports to be tracked for a backup group: The VLAN interface/Ethernet port tracking function expands the backup group function.
  • Page 558 IP address: virtual-ip virtual-address. By default, no IP address is configured for the virtual router. Configuring Backup Group-Related Parameters: Table 435 lists the operations to configure a switch in a backup group. Table 435 Configure backup group-related parameters. Operation...
  • Page 559: Displaying And Maintaining Vrrp

    Single-VRRP Backup Group Configuration. Network requirements: Host A uses the VRRP virtual router comprising switch A and switch B as its default gateway to visit host B on the Internet. The information about the VRRP backup group is as follows:
    ■ VRRP backup group ID: 1...
  • Page 560
    [LSW-A-vlan2] quit
    [LSW-A] interface Vlan-interface 2
    [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0
    [LSW-A-Vlan-interface2] quit
    # Enable a backup group to respond to ping operations destined for its virtual router IP address.
    [LSW-A] vrrp ping-enable
    # Create a backup group.
    [LSW-A] interface Vlan-interface 2
    [LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111...
  • Page 561
    # Configure the preemptive mode for the backup group.
    [LSW-B-Vlan-interface2] vrrp vrid 1 preempt-mode
    The IP address of the default gateway of Host A can be configured to be 202.38.160.111. Normally, Switch A functions as the gateway, but when Switch A is turned off or malfunctions, Switch B will function as the gateway instead.
  • Page 562
    [LSW-A-vlan2] quit
    [LSW-A] interface Vlan-interface 2
    [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0
    [LSW-A-Vlan-interface2] quit
    # Configure that the virtual router can be pinged.
    [LSW-A] vrrp ping-enable
    # Create a backup group.
    [LSW-A] interface Vlan-interface 2
    [LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
    # Set the priority for the backup group.
  • Page 563 Normally, Switch A functions as the gateway, but when VLAN 3 interface on Switch A goes down, its priority will be reduced by 30, lower than that of Switch B so that Switch B will preempt the master for gateway services instead.
  • Page 564 2 and a backup switch in backup group 1. Some hosts in the network take virtual router 1 as the gateway, while others take virtual router 2 as the gateway. In this way, both load balancing and mutual backup are implemented.
  • Page 565: Troubleshooting Vrrp

    VRRP packets from each other, or receive some illegal packets. To solve such a problem, an attempt should be made to ping among these masters and if such an attempt fails, check the connectivity between related devices. If they can be pinged through, check VRRP configuration.
  • Page 566 Chapter 52: VRRP Configuration. Symptom 3: VRRP state of a switch changes repeatedly. Such problems occur when the backup group timer duration is too short. They can be solved by prolonging the duration or configuring the preemption delay period.
  • Page 567: Ha Overview

    The Switch 7758 supports high availability (HA) feature. This feature is to achieve a high availability of the system and to recover the system as soon as possible in the event of failures so as to shorten the mean time between failures (MTBF) of the system.
  • Page 568: Ha Configuration

    Configuration File of the System Manually” on page 569.
    ■ When the Switch 7758 starts, if you log in to the slave module, it will take about 3 minutes before you can see the system prompt. During the 3 minutes, the slave module does not respond to any operation.
  • Page 569: Displaying Ha

    Operation: Synchronize the configuration file manually. Command: slave update configuration. Description: Optional. This operation can back up the configuration file to the slave module only if the slave system operates normally. The configuration file is fully copied each time the operation is executed.
    Displaying HA: After the above configuration, you can execute the display command in any view to view the HA configuration and to verify the effect of the configuration.
  • Page 570 Chapter 53: HA Configuration...
  • Page 571: Introduction To Arp

    Network devices can directly identify Layer 2 MAC addresses instead of Layer 3 IP addresses. For a Layer 3 packet to be received by its destination host, it must carry the MAC address of the destination host. So, before sending a packet, the source device must map the destination IP address to the MAC address of the destination device.
  • Page 572 ARP Table: In an Ethernet network, two hosts must know each other’s MAC address to communicate with each other. For this reason, each host on the network maintains an ARP table, which contains some recently used IP address-to-MAC address mapping entries.
  • Page 573
    ■ Suppose Host A and Host B are on the same network segment. The IP address of Host A is IP_A and that of Host B is IP_B. To send a packet to Host B, Host A first looks up its own ARP table for an ARP entry that contains IP_B. If such an...
  • Page 574 With this feature, you can limit the number of IP addresses to be bound to a MAC address in a VLAN. If a MAC address is bound to more than the specified number of IP addresses, it is considered an attacking MAC address.
  • Page 575: Configuring Arp

    ARP packets of the same type that can be sent to the CPU in a unit of time, so as to protect the CPU from being attacked by illegal ARP packets generated when a host ARP-scans the whole network.
  • Page 576 VLAN, and the port specified by the interface-type and interface-number arguments must belong to the VLAN. Configuring the Maximum Number of ARP Entries that Can Be... (Table 450 Configure the maximum number of ARP entries that can be learnt on a port)
  • Page 577 Configuring ARP. Table 450 Configure the maximum number of ARP entries that can be learnt on a port:
    Operation: Enter port view. Command: interface interface-type interface-number.
    Operation: Configure the maximum number of dynamic ARP entries. Command: arp max-dynamic-entry number. Description: Optional. It is 2048 by default.
  • Page 578 With VRRP enabled on a VLAN interface of a switch:
    ■ If the switch is the master switch, it sends gratuitous ARP messages with the IP address of the VRRP virtual router.
    ■ If it is not the master switch, it sends gratuitous ARP messages with the primary...
  • Page 579: Displaying And Maintaining Arp Configuration

    By setting the maximum numbers of ARP packets of different types that can be sent to the CPU in a unit of time, you can protect the CPU from being attacked by illegal ARP packets. Table 458 Configure ARP source suppression...
  • Page 580: Arp Configuration Example

    ■ Disable the ARP entry checking function.
    ■ Enable the switch to send gratuitous ARP packets periodically.
    ■ Set the aging time for dynamic ARP entries to 10 minutes.
    ■ Add a static ARP entry with IP address 192.168.1.1, MAC address...
  • Page 581
    ■ Enable DHCP snooping on Switch A and specify Ethernet 2/0/1 as the trusted port for DHCP snooping and ARP packet rate limit.
    ■ Enable the ARP packet rate limit function, so as to prevent Client A and Client B from attacking Switch A through ARP traffic.
  • Page 582 Chapter 54: ARP Configuration
    [SwitchA] arp protective-down recover interval 200...
  • Page 583: Proxy Arp Overview

    However, when Host A (192.168.0.22/16) needs to send packets to Host D (192.168.1.30/16), it finds they are on the same network 192.168.0.0/16, and thus Host A will broadcast an ARP request to request the MAC address of Host D.
  • Page 584: Configuring Proxy Arp

    VLAN-interface 3 of the switch, and then the switch routes the packets to Host D, so as to realize the Layer 3 connectivity between Host A and Host D. Proxy ARP is needed in the following cases (hosts have IP addresses of the same network segment).
  • Page 585
    ■ Configure the IP address of VLAN-interface 3 as 192.168.0.27/24, and that of VLAN-interface 4 as 192.168.1.27/24.
    ■ Enable proxy ARP on VLAN-interface 3 and VLAN-interface 4 to allow Host A and Host D to communicate with each other through ARP.
  • Page 586
    ■ Ethernet 2/0/2 belongs to VLAN 2 and Ethernet 2/0/3 belongs to VLAN 3.
    ■ Enable proxy ARP on VLAN-interface 10 to allow Host A (in VLAN 2) and Host B (in VLAN 3) to communicate with each other through ARP.
  • Page 587 Proxy ARP Configuration Example
    ■ Enable proxy ARP on Switch A to allow Host A (in VLAN 2) and Host B (in VLAN 3) to communicate with each other through ARP.
    Network diagram: Figure 151 Network diagram for proxy ARP configuration in isolate-user-vlan...
  • Page 588 Chapter 55: Proxy ARP Configuration
    [SwitchA-Vlan-interface5] arp proxy enable
    [SwitchA-Vlan-interface5] arp proxy source-vlan enable
    [SwitchA-Vlan-interface5] quit...
  • Page 589: Dhcp O

    With the emergence of wireless networks and the use of laptops, the changing positions of hosts and frequent changes of IP addresses also require new technology. Dynamic host configuration protocol (DHCP) was developed against this background.
  • Page 590: Dhcp Packet Format

    DHCP-DISCOVER packet. For details, see “DHCP Packet Format” on page 590. 3 Select: In this phase, the DHCP client selects an IP address. If more than one DHCP server sends DHCP-OFFER packets to the DHCP client, the DHCP client only...
  • Page 591 Elapsed time after the DHCP client initiates a DHCP request.
    ■ flags: The first bit is the broadcast response flag bit. It is used to identify whether the DHCP response packet is sent in the unicast or broadcast mode. Other bits are reserved.
  • Page 592: Dhcp Packet Processing Modes

    DHCP server picks IP addresses from the interface address pools and assigns them to the DHCP clients. If there is no available IP address in the interface address pools, the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients.
  • Page 593: Dhcp Server

    ■ Networks where the number of available IP addresses is less than that of the hosts. In networks of this type, IP addresses are not enough for all the hosts to obtain a fixed IP address, and the number of online users is limited (such is the case in an ISP network).
  • Page 594: Global Address Pool-Based Dhcp Server Configuration

    DHCP IP Address Preferences: Interfaces of the DHCP server can work in the global address pool mode or in the interface address pool mode. If the DHCP server works in the interface address pool mode, it picks IP addresses from the interface address pools and assigns them to the DHCP clients.
  • Page 595 Required. By default, DHCP is enabled. Configuring Global Address Pool Mode on...: You can configure the global address pool mode on the specified or all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from...
  • Page 596 Configuring How to Assign IP Addresses in a...: You can bind an IP address in a global address pool statically to a DHCP client, or assign IP addresses in the pool dynamically to DHCP clients as needed. In...
  • Page 597 (such as gateways and FTP servers). The lease time can differ between address pools, but all IP addresses in the same address pool share the same lease time. Lease time is not inherited; that is, the lease time of a child address pool is not affected by the configuration of the parent address pool.
  • Page 598 ■ M-node. Nodes of this type are p-nodes mixed with broadcasting features (the character m stands for the word mixed); that is, this type of node obtains mappings by sending broadcast packets first. If they fail to obtain mappings, they send unicast packets to the WINS server to obtain mappings.
  • Page 599 Customizing DHCP Service: With the evolution of DHCP, new options are constantly coming into being. You can add the new options as properties of DHCP servers by performing the following configuration. Table 468 Customize DHCP service. Operation...
  • Page 600: Interface Address Pool-Based Dhcp Server Configuration

    DHCP clients. As a result, the IP addresses obtained from global address pools and those obtained from interface address pools are not in the same network segment, so the clients cannot interoperate with each other.
  • Page 601 IP addresses to the MAC addresses of these DHCP clients. When such a DHCP client applies for an IP address, the DHCP server finds the IP address corresponding to the MAC address of the DHCP client, and then assigns the IP address to the DHCP client.
  • Page 602 The lease time can differ between address pools, but all IP addresses in the same address pool share the same lease time. Lease time is not inherited; that is, the lease time of a child address pool is not affected by the configuration of the parent address pool.
  • Page 603 DNS server addresses for a DHCP address pool. On the DHCP server, you can configure domain names to be used by DHCP clients for address pools. After you do this, the DHCP server provides the domain names to the DHCP clients while the DHCP server assigns IP addresses to the DHCP clients.
  • Page 604 ■ M-node. Nodes of this type are p-nodes mixed with broadcasting features (the character m stands for the word mixed); that is, this type of node obtains mappings by sending broadcast packets first. If they fail to obtain mappings, they send unicast packets to the WINS server to obtain mappings.
  • Page 605 ] | all } Customizing DHCP Service: With the evolution of DHCP, new options are constantly coming into being. You can add the new options as properties of DHCP servers by performing the following configuration. Table 477 Customize DHCP service. Operation...
  • Page 606: Dhcp Security Configuration

    IP address detecting is achieved by performing ping operations. To detect whether an IP address is currently in use, the DHCP server sends an ICMP packet with the IP address to be assigned as the destination and waits for a response. If the DHCP server receives no response within a specified time, it resends an ICMP packet.
  • Page 607: Displaying And Maintaining A Dhcp Server

    Executing the save command will not save the lease information on a DHCP server to the flash memory. Therefore, the configuration file contains no lease information after the DHCP server restarts or you clear the lease information by executing the reset dhcp server ip-in-use command.
  • Page 608 Gateway: 10.1.1.254.
    ■ If you use the inheritance relation of parent and child address pools, make sure that the number of assigned IP addresses does not exceed the number of IP addresses in the child address pool; otherwise extra IP addresses will be obtained from the parent address pool.
  • Page 609: Troubleshooting A Dhcp Server

    Configuration procedure
    1 Configure a VLAN and add a port in this VLAN, and then configure the IP address of the VLAN interface (omitted).
    2 Configure DHCP service.
    # Enable DHCP.
    <SW7750> system-view
    [SW7750] dhcp enable
    # Configure the IP addresses that are not dynamically assigned.
  • Page 610 IP address as the destination and a long enough timeout.
    ■ The IP address is manually configured on a host if you receive a response packet from the ping operation. You can then prevent the IP address from being dynamically assigned by using the dhcp server forbidden-ip command on the DHCP server.
  • Page 611: Dhcp Relay

    Since the packets are broadcast in the process of obtaining IP addresses, DHCP is only applicable to the situation where DHCP clients and DHCP servers are in the same network segment; that is, you need to deploy at least one DHCP server for each network segment, which is far from economical.
  • Page 612 Option 82 is a relay agent information option in DHCP packets. When a request packet from a DHCP client travels through a DHCP relay agent on its way to the DHCP server, the DHCP relay agent adds option 82 into the request packet. Option 82 includes many sub-options, but the DHCP server supports only sub-option 1 and sub-option 2 at present.
  • Page 613: Configuring Dhcp Relay Agent

    The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly. The following describes the mechanism of option 82 support on the DHCP relay agent.
  • Page 614 Required. By default, DHCP is enabled. Configuring an Interface to Operate in DHCP Relay Agent Mode: When an interface operates in the relay mode, the interface forwards the DHCP packets received from DHCP clients to an external DHCP server, which assigns IP addresses to the DHCP clients.
  • Page 615 Broadcast Responses to Clients: ...to clients according to the flag field in the DHCP-DISCOVER packet.
    ■ When the first bit of the flag field is set to 1, the DHCP relay agent broadcasts the response packets to the clients.
    ■ When the flag field is set to 0, the DHCP relay agent unicasts the response...
  • Page 616 Address of Uplink Packets: When a Switch 7750 Ethernet switch working as a DHCP relay agent forwards a client’s packet to the DHCP server, the source IP address of the packet is by default the IP address of the relay agent’s interface that connects to the DHCP server.
  • Page 617 However, if two equal-cost uplinks to the DHCP server exist, the packets from a client may have different source IP addresses. As a result, some packets may fail to pass the validity check. Switch 7750 Ethernet switches support specifying the source IP address of uplink packets.
  • Page 618 Specifying address checking fields: After the address checking function is enabled, Switch 7750 Ethernet switches check the IP address, MAC address, VLAN ID, and port number of a DHCP client by default. The DHCP client can access external networks only after an entry matching all four fields is found in the client address table.
  • Page 619 A freely-connected client refers to the client whose IP address and MAC address are not in the DHCP security table. When the freely-connected client is not allowed to pass DHCP security check, you cannot access the network on this client even if the freely-connected client has a valid IP address.
  • Page 620: Displaying And Maintaining Dhcp Relay Agent

    After the above configuration, execute the display command in any view to display and verify the DHCP relay agent configuration. Execute the reset command in user view to clear the statistics of the specified DHCP server group. Table 494 Display DHCP relay agent configuration. Operation...
  • Page 621: Troubleshooting Dhcp Relay Agent

    # Enable DHCP.
    [SW7750] dhcp enable
    # Create DHCP server group 1 and configure an IP address of 202.38.1.2 for it.
    [SW7750] dhcp-server 1 ip 202.38.1.2
    # Map VLAN-interface 2 to DHCP server group 1.
    [SW7750] interface Vlan-interface 2...
  • Page 622 Chapter 58: DHCP Relay Agent Configuration...
  • Page 623: Dhcp Snooping

    Configuring DHCP Snooping. Introduction to DHCP Snooping: For the sake of security, the IP addresses used by online DHCP clients need to be tracked so that the administrator can verify the correspondence between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
  • Page 624 Padding content and frame format of Option 82 There is no specification for what should be padded in Option 82. Manufacturers can pad it as required. By default, the sub-options of Option 82 for the Switch 7750 (enabled with DHCP snooping) are padded as follows:...
  • Page 625 ID sub-option defines the type and length of a circuit ID or remote ID. The remote ID type field and circuit ID type field are determined by the option storage format. They are both set to 0 in the case of HEX format and to 1 in the case of ASCII format.
  • Page 626 Upon receiving a packet returned by the DHCP server, the DHCP snooping device checks the Option 82 field:
    ■ If it was added by the local device, the device strips off Option 82 and forwards the packet to the DHCP client.
  • Page 627
    ■ The resources on the server are exhausted, so the server does not respond to other requests.
    ■ After receiving such packets, a switch needs to send them to the CPU for processing. Too many request packets cause a high CPU usage rate. As a result, the CPU cannot work normally.
  • Page 628: Dhcp Snooping Configuration

    ■ DHCP relay agent and DHCP snooping cannot be enabled at the same time. If you have enabled DHCP relay agent on the device, you will fail to enable DHCP snooping.
    ■ The dhcp-snooping trust command and the dhcp-snooping command must...
  • Page 629 } specified interface If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies on those ports where a handling policy...
  • Page 630 By default, the format is hex. The dhcp-snooping information format command applies only to the default content of the Option 82 field. If you have configured the circuit ID or remote ID sub-option, the format of the sub-option is ASCII, instead of the one specified with the dhcp-snooping information format command.
  • Page 631 DHCP snooping device that received the client’s request.
    ■ If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured.
  • Page 632: Displaying And Maintaining Dhcp Snooping

    DHCP Snooping Trusted Port Configuration Example. Network requirements: As shown in Figure 163, the Ethernet 2/0/1 port of Switch A is connected to Switch B (acting as a DHCP relay agent). A network segment containing some DHCP clients is connected to the Ethernet 2/0/2 port of Switch A.
  • Page 633 DHCP-Snooping Option 82 Support Configuration Example. Network requirements: As shown in Figure 164, Ethernet 2/0/5 of the switch is connected to the DHCP server, and Ethernet 2/0/1, Ethernet 2/0/2, and Ethernet 2/0/3 are respectively connected to DHCP Client A, DHCP Client B, and DHCP Client C.
  • Page 634
    [Switch-Ethernet2/0/5] quit
    # Enable DHCP-snooping Option 82 support.
    [Switch] dhcp-snooping information enable
    # Set the remote ID sub-option in Option 82 to the system name of the DHCP snooping device.
    [Switch] dhcp-snooping information remote-id sysname
    # Set the circuit ID sub-option in DHCP packets from VLAN 1 to abcd on Ethernet 2/0/3.
  • Page 635
    ■ Enable IP filtering on Ethernet 2/0/2, Ethernet 2/0/3, and Ethernet 2/0/4 to prevent attacks on the server from clients using fake source IP addresses.
    ■ Create static binding entries on the switch, so that Host A using a fixed IP address can access external networks.
  • Page 636 Chapter 59: DHCP Snooping Configuration
    [Switch] interface Ethernet2/0/2
    [Switch-Ethernet2/0/2] ip source static binding ip-address 1.1.1.1 mac-address 0001-0001-0001...
  • Page 637: Acl Overview

    In this case, the match order of multiple rules in an ACL is determined by the hardware of the switch, and any user-defined match order, even if it is configured when the ACL is defined, will not work.
  • Page 638 4 Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the priority. If rule A and rule B are the same in all the four ACEs (access control elements) above, and also in their numbers of other ACEs to be considered in deciding their priority order, weighting principles will be used in deciding their priority order.
  • Page 639: Choosing Acl Mode For Traffic Flows

    Ranges differentiating the time ranges. A time range can be specified in each rule in an ACL. If the time range specified in a rule is not configured, the system will give a prompt message and allow such a rule to be successfully created. However, the rule does not take effect immediately.
  • Page 640: Specifying The Matching Order Of Acl Rules Sent To A Port

    Ranges configuring absolute time sections. A periodic time section appears as a period of time in a day of the week, while an absolute time section appears in the form of “the start time to the end time”. Configuration Procedure...
  • Page 641: Defining Basic Acls

    This command can be executed in any view. Note that:
    ■ If only a periodic time section is defined in a time range, the time range is active only within the defined periodic time section.
    ■ If only an absolute time section is defined in a time range, the time range is active...
  • Page 642: Defining Advanced Acls

    If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
  • Page 643 For the configuration of time ranges, refer to “Configuring Time Ranges” on page 640. The values of source and destination IP addresses, the type of the protocols carried by IP, and protocol-specific features in the rule have been defined.
  • Page 644 (DSCP keyword table residue: af42 100100, af43 100110, the class selector values 001000 through 111000, be (default) 000000.) To define the IP precedence, you can directly input a value ranging from 0 to 7, or input a keyword listed in the following table.
  • Page 645 To define the ToS value, you can directly input a value ranging from 0 to 15, or input a keyword listed in the following table. Table 515 Description of ToS value Keyword ToS value in decimal...
  • Page 646 ICMP rule message code, ranging from 0 to 255. If the protocol type is ICMP, you can also directly input the ICMP message name after the icmp-type argument. The following table describes some common ICMP messages. Table 518 ICMP messages...
  • Page 647: Defining Layer 2 Acls

    If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
  • Page 648 1 to 32 characters. To define the CoS, you can directly input a value ranging from 0 to 7, or input a keyword listed in the following table. Table 521 Description of CoS value...
  • Page 649: Defining User-Defined Acls

    If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
  • Page 650: Applying Acls On Ports

    ■ You can create a rule by specifying an ID that identifies no rule.
    ■ You will fail to create a rule if the newly created rule is the same as an existing one.
    If you do not specify the rule ID when creating an ACL rule, the rule ID of the newly created rule is assigned by the system.
  • Page 651 } acl-rule: Applied ACL, which can be a combination of different types of ACL rules. Table 524 and Table 526 describe the ACL combinations on Type A I/O Modules and the corresponding parameter description. Table 525 and Table 526 describe the ACL combinations on I/O Modules other than Type A and the corresponding parameter description.
  • Page 652: Displaying Acl Configuration

    | acl-name } acl-number: ACL number, ranging from 2,000 to 3,999. acl-name: ACL name, up to 32 characters long, beginning with an English letter (a to z or A to Z) without space and quotation mark, case insensitive. link-group { acl-num...
  • Page 653: Acl Configuration Example

    Through basic ACL configuration, packets from the host with the source IP address of 10.1.1.1 (the host is connected to the switch through the Ethernet 2/0/1 port) are to be filtered within the time range from 8:00 to 18:00 every day.
  • Page 654 Different departments of an enterprise are interconnected on the intranet through the ports of a switch. The IP address of the wage query server is 192.168.1.2. Devices of the R&D department are connected to the Ethernet 2/0/1 port of the switch.
  • Page 655 ACL Configuration Example ...filtered within the time range from 8:00 to 18:00 every day. Apply this ACL on the Ethernet 2/0/1 port. Network diagram: Figure 168 Network diagram for Layer 2 ACL configuration (PC 1 with MAC address 0011-0011-0011 on Eth2/0/1; Switch to the router)...
  • Page 656 (Network diagram residue: Switch to the router, PC 2.) Configuration procedure: Only the commands related to the ACL configuration are listed below.
    1 Define the time range.
    # Define the time range ranging from 8:00 to 18:00.
    <SW7750> system-view
    [SW7750] time-range aaa 8:00 to 18:00 daily
    2 Create an ACL rule to filter TCP packets.
  • Page 657: Overview

    Quality of Service (QoS) is a concept that applies wherever a service is supplied and demanded. It evaluates the ability to meet the customers' needs in a service. Generally, the evaluation does not grade precisely; its purpose is to analyze the conditions under which the service is best and those under which it still needs improvement, and then to make improvements in the specified aspects.
  • Page 658 ■ RFC2474 re-defines the ToS field in the IP packet header, which is called the DS field. The first six (bit 0 to bit 5) bits of the DS field indicate DSCP precedence in the range of 0 to 63. The first three bits in DSCP precedence are class selector codepoints, bit 4 and bit 5 indicate drop precedence, and bit 6 is zero indicating that the device sets the service class with the DS model.
  • Page 659 Overview service level can be segmented. The QoS rank of the AF class is lower than that of the EF class; ■ Class selector (CS) class: This class comes from the IP TOS field and includes 8 classes; ■ Best Effort (BE) class: This class is a special class without any assurance in the CS...
  • Page 660 Priority VLAN ID In the figure above, the 3-bit priority field in TCI is 802.1p priority in the range of 0 to 7. The 3 bits specify the precedence of the frame. 8 classes of precedence are used to determine which packet is sent preferentially when the switch is congested.
  • Page 661 The network will be made more congested by plenty of continuous burst packets if the traffic of each user is not limited. The traffic of each user must be limited in order to make better use of the limited network resources and provide better service for more users.
  • Page 662 The evaluation for the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding. If the number of tokens in the bucket is enough to forward the packets (generally, one token is associated with a 1-bit forwarding authority), the traffic is conforming to the specification, and otherwise the traffic is nonconforming or excess.
  • Page 663 Therefore, the network resources and the interests of the operators are protected. For example, you can limit HTTP packets within 50% of the network bandwidth. If the traffic of a certain connection is excess, TP can choose to drop the packets or to reset the priority of the packets.
  • Page 664 When the queue with higher priority is empty, packets in the queue with lower priority are sent. You can put critical service packets into the queues with higher priority and put non-critical service (such as e-mail) packets into the queues with lower priority.
  • Page 665 50, 50, 30, 30, 10, 10, 10 and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 in order). In this way, the queue with the lowest priority can get 5 Mbps bandwidth at least, and the disadvantage of SP queue-scheduling that the packets in queues with lower priority may not get service for a long time is avoided.
  • Page 666: Qos Supported By The Switch 7750

    ■ When the queue length is bigger than the upper limit, all inbound packets are dropped. ■ When the queue length is in the range of the upper limit and the lower limit, the inbound packets are dropped at random. In this case, a number is assigned to each inbound packet and then compared with the drop probability of the current queue.
  • Page 667: Configuring Priority To Be Used When A Packet Enters An Output Queue

    A port of the switch supports eight output queues. The priority of each queue is different, and packets in the queue with higher priority are sent preferentially. The switch puts a packet into the corresponding queue according to the DSCP precedence, IP precedence, 802.1p priority or local precedence of the packet.
  • Page 668 (table continued: 56 to 63 cs7(56) cs7(56)) Configuring Priority to Be Used When a Packet Enters an Output Queue: You can select the corresponding priority as the basis for a packet to enter an output queue on a port as required. Configuration prerequisites: The priority to be used when a packet enters a queue is specified.
  • Page 669: Configuring Priority Remark

    Configuration example ■ Configure the 802.1p-to-local-precedence as follows: 0 to 2, 1 to 3, 2 to 4, 3 to 1, 4 to 7, 5 to 0, 6 to 5 and 7 to 6. ■ Display the configuration.
  • Page 670 Prerequisites ■ ...Mode for Traffic Flows” on page 639 for defining ACL rules. ■ The type and value of the precedence that the packets matching with ACL rules are remarked are specified. ■ The ports which need this configuration are specified...
  • Page 671: Configuring Rate Limit On Ports

    Apply a rule in a user-defined ACL separately: user-group { acl-number | acl-name } rule rule-id. Apply a rule in an IP ACL and a rule in a Link ACL at the same time: ip-group { acl-number | acl-name } rule...
  • Page 672: Configuring Tp

    Prerequisites ■ ...Mode for Traffic Flows” on page 639 for defining ACL rules. ■ The limit rate for TP, the actions for the packets within the specified traffic and the actions for the packets beyond the specified traffic have been specified.
  • Page 673: Configuring Redirect

    Configuring Redirect ■ When a switch is connected to a RADIUS server, if the switch does not support the inbound TP or outbound TP configured on the RADIUS server, the TP configuration will be ignored on the switch. Configuration Example GigabitEthernet 2/0/1 of the switch is accessed to the 10.1.1.1/24 network...
  • Page 674: Configuring Queue-Scheduling

    (Chapter 61: QoS Configuration) ■ Only non-type-A I/O Modules support the traffic redirect configuration. ■ The redirect configuration is effective only for the ACL rules whose actions are permit. ■ Packets redirected to CPU will not be forwarded normally. Configuration Example Ethernet 2/0/1 of the switch is accessed into the 10.1.1.1/24 network segment.
  • Page 675: Configuring Congestion Avoidance

    Only non-type-A I/O Modules support the configuration for queue scheduling mode. Configuration Example ■ The switch adopts the WRR queue scheduling algorithm, and the weight values of outbound queues are 10, 5, 10, 10, 5, 10, 5, and 10 respectively; ■ Display the configuration. Configuration procedure: <SW7750> system-view...
  • Page 676: Configuring Traffic Statistics

    The way of combination is described in Table 541. ■ Only type-A I/O Modules support the configuration above. ■ Only the rules with the permit action can be properly applied to the hardware. Configuration Example Ethernet 2/0/1 is accessed to the network segment 10.1.1.1/24.
  • Page 677 [ interface-type interface-number ] all acl-rule: Applied ACL rules which can be the combination of various ACL rules. Type-A I/O Modules’ way of combination is described in Table 540, and non-type-A I/O Modules’ way of combination is described in Table 541.
  • Page 678: Configuring Assured Bandwidth

    I/O Modules’ way of combination is described in Table 541. ■ Only type-A I/O Modules support the configuration above. ■ Only the rules with the permit action can be properly applied to the hardware. Configuration Example Ethernet 2/0/1 of the switch is accessed into the network segment 10.1.1.1/24.
  • Page 679: Configuring Bidirectional Car

    Configuration procedure: <SW7750> system-view [SW7750] inboundcar enable Configuring Traffic-Based Selective QinQ: QinQ is to encapsulate the VLAN tags of the private network in the VLAN tags of the public network in order that the packets are transmitted through the QinQ backbone network of the carrier (also called public network). The traffic-based...
  • Page 680 (Chapter 61: QoS Configuration) ...selective QinQ function can tag a packet with external VLAN tags according to the ACL rule that the packet matches on the inbound port. The traffic-based selective QinQ function is configured on the hybrid port of the edge device connecting the user device to the carrier’s network.
  • Page 681: Qos Configuration Example

    Ethernet switch. The salary query server of the financial department is accessed through Ethernet 2/0/1 whose subnet address is 129.110.1.2. The network requirements are to limit the average rate of outbound traffic within 640 kbps and set the precedence of packets exceeding the specification to 4.
  • Page 682 Configuration Example Network requirements of Priority Remark Mark ef on the packets that PC1 whose IP address is 1.0.0.2 sends from 8:00 to 18:00 every day to provide the basis of precedence for the upper-layer devices. Network diagram Figure 177 Network diagram for priority remark configuration...
  • Page 683 # Enter number-identification-based basic ACL view identified. [SW7750] acl number 2000 [SW7750-acl-basic-2000] rule 0 permit source 1.0.0.1 0 time-range test [SW7750-acl-basic-2000] quit 3 Remark ef precedence on the packets that PC1 sends [SW7750] interface Ethernet 2/0/1 [SW7750-Ethernet2/0/1] qos [SW7750-qosb-Ethernet2/0/1] traffic-priority inbound ip-group 2000 dscp ef...
  • Page 684 (Chapter 61: QoS Configuration)...
  • Page 685: Mirroring

    Data detect device Local Port Mirroring Port mirroring refers to the process of copying the packets received or sent by the specified port to the specified local port. Remote Port Mirroring Remote port mirroring eliminates the limitation that the source port and the destination port must be located on the same switch.
  • Page 686 It forwards mirrored flows it received from the remote-probe VLAN to the monitoring device through the destination port. Table 552 describes how the ports on various switches are involved in the mirroring operation. Table 552 Ports involved in the mirroring operation...
  • Page 687 (except the configuration of source port for mirroring). Mirroring to Local I/O Module: Mirroring to local I/O Module (including LS81VSNP and LS82VSNP) means copying the packets received or sent on the specified port on the specified I/O Module to the specified local I/O Module.
  • Page 688: Mirroring Supported By The Switch 7750

    For mirroring features, see “Overview” on page 685. Configuration: Configuring Local Port Mirroring. Configuration prerequisites ■ The source port is specified and whether the packets to be mirrored are inbound or outbound is specified. ■ The destination port is specified...
  • Page 689 { all | local } This command can be executed in any view. Configuration Example ■ The source port is GigabitEthernet 2/0/1. Mirror all packets received and sent via this port. ■ The destination port is GigabitEthernet 2/0/4. 1 Configuration procedure 1: <SW7750>...
  • Page 690 ■ The source switch, intermediate switch, and the destination switch have been determined. ■ The source port, the reflector port, the destination port, and the remote-probe VLAN have been determined. ■ Required configurations are performed to ensure Layer 2 connectivity between...
  • Page 691 ■ To mirror tagged packets, you need to configure VLAN VPN on the reflector port. ■ The reflector ports are mutually exclusive with STP or DLDP. That is, if STP or DLDP is enabled on a port, it is not recommended to configure it as a reflector port;...
  • Page 692 MAC addresses and destination MAC addresses of packets at the same time. If the incoming port of a packet is the same as the outgoing port of the packet, the packet is dropped. Refer to “Configuring Redirect”...
  • Page 693 MAC addresses of packets at the same time. If the incoming port of a packet is the same as the outgoing port of the packet, the packet is dropped. Refer to “Configuring Redirect” on page 673 for configuring traffic redirect.
  • Page 694 ■ GigabitEthernet 2/0/2, the port of Switch C, is connected to PC1. The purpose is to monitor and analyze the packets sent and received by PC1 via the data detect device. To meet the requirement above by using the remote port mirroring function, perform the following configuration: Define VLAN10 as remote-probe VLAN.
  • Page 695 [SW7750-GigabitEthernet2/0/1] port link-type trunk [SW7750-GigabitEthernet2/0/1] port trunk permit vlan 10 [SW7750-GigabitEthernet2/0/1] quit [SW7750] mirroring-group 1 remote-source [SW7750] mirroring-group 1 mirroring-port GigabitEthernet 2/0/2 both [SW7750] mirroring-group 1 reflector-port GigabitEthernet 2/0/3 [SW7750] mirroring-group 1 remote-probe vlan 10 [SW7750] display mirroring-group remote-source mirroring-group 1:...
  • Page 696 [ interface-type interface-number ] all acl-rule: Applied ACL rules; the following table describes the ACL combinations. Table 560 Combined application of ACLs on I/O Modules other than type A: Combination mode / Form of acl-rule. Apply all rules in an IP type ACL separately...
  • Page 697 ■ Only non-type-A I/O Modules support the traffic mirroring configuration. ■ To define a destination port for mirroring, you can also enter the port view of the specified port directly to execute the mirroring-group group-id monitor-port command. Refer to the corresponding command manual for details.
  • Page 698 Operation / Command / Description: Enter system view: system-view. Create a VLAN and enter the VLAN view: vlan vlan-id (the vlan-id is the ID of the remote-probe VLAN to be defined). Define the current VLAN as the remote-probe VLAN: remote-probe vlan enable (Required)...
  • Page 699 Only one mirroring destination I/O Module can be configured for the centralized or distributed system, and it can be referenced by only one local mirroring group. ■ If you want to mirror the tagged packets, you need to configure VLAN VPN on the reflector port.
  • Page 700 ■ Define Switch A as the destination switch; configure GigabitEthernet 2/0/2, the port that is connected to the data detect device, as the destination port for remote mirroring. Set GigabitEthernet2/0/2 to an Access port, where LACP must be disabled and STP is recommended to be disabled.
  • Page 701 Mirrored to: mirroring-group 1 Configuring Mirroring to Local I/O Module. Configuration prerequisites ■ The mirroring source port or the mirroring source I/O Module is specified, that is, the direction of mirrored packets is specified. ■ The mirroring destination I/O Module is specified.
  • Page 702 } command in any view. Configuration example The mirroring source I/O Module resides in slot 3 and all the packets sent or ■ received on the I/O Module are mirrored. The mirroring destination I/O Module resides in slot 4.
  • Page 703: Cluster

    Clustering V2 management protocol (Switch Clustering V2), a network administrator can manage multiple switches using the public IP address of a switch known as a management device. The switches under the management of the management device are member devices. The management device, along with the member devices, forms a cluster.
  • Page 704 BootROM version and so on. An NDP-enabled device maintains an NDP information table. Each entry in an NDP table ages with time. You can also clear the current NDP information manually to have adjacent information collected again.
  • Page 705 ■ You need to designate the management device first. The management device of a cluster is the portal of the cluster. That is, any operations performed in external networks and intended for the member devices of a cluster, such as accessing, configuring, managing, and monitoring, can only be implemented through the management device.
  • Page 706 The management device in the cluster is the default public FTP server of the cluster when the public FTP server of the cluster is not configured. A cluster, together with the network management system, can perform large-scale device management.
  • Page 707 ■ Each cluster has one (and only one) management device. A management device collects NDP/NTDP information to discover and determine candidate devices, which can then be added into the cluster through manual configuration. ■ A candidate device becomes a member device after being added to a cluster...
  • Page 708: Management Device Configuration

    (Chapter 63: Cluster Configuration) ■ A member device becomes a candidate device after being removed from the cluster. Management Device Configuration: Table 564 Management device configuration tasks: Operation / Description / Related section. Enable NDP globally and for ... Required “Enabling NDP Globally and for...
  • Page 709 ...function globally: Optional. By default, the cluster function is enabled. Configuring Cluster Parameters CAUTION: When configuring a cluster, you must ensure that the routing table is not full. Otherwise, the private IP routes of the cluster cannot be advertised, and...
  • Page 710 ■ If the routing table of the administrative device is full when a candidate device of a cluster joins the cluster, this device will repeatedly join or leave the cluster. Creating a cluster and configuring cluster parameters manually: Table 570 Configure cluster parameters manually...
  • Page 711: Member Device Configuration

    Optional CAUTION: For Switch 7750 Ethernet switches, the IP address of the cluster public FTP/TFTP server must be in the same network segment as that of the Layer-3 interface of management VLAN (VLAN1). Otherwise, member devices cannot communicate with the cluster public FTP/TFTP server.
  • Page 712 By default, NTDP is enabled for the port. Configure Member Devices to Access FTP/TFTP Server of the Cluster: Perform the following configuration in user view of the member device. Table 576 Configure member devices to access FTP/TFTP server of the cluster: Operation / Command...
  • Page 713: Intra-Cluster Configuration

    } device view After a cluster is established, SNMP Trap is enabled when Switch 7750s join the cluster as candidate devices or leave the cluster as member devices. You can use the undo snmp trap enable command to disable SNMP Trap.
  • Page 714: Cluster Configuration Example

    ■ Ethernet1/0/1 port of the management device belongs to VLAN1, whose interface IP address is 163.172.55.1. ■ All the devices in the cluster use the same FTP server and TFTP server. The FTP server and TFTP server share one IP address: 163.172.55.2.
  • Page 715 [SW7750-Ethernet1/1] quit # Enable the cluster function. [SW7750] cluster enable 2 Configure the management device # Configure the IP address of the management VLAN (the Switch 7750 takes VLAN 1 as the default VLAN). <SW7750> system-view [SW7750] interface Vlan-interface 1 [SW7750-Vlan-interface1] ip address 163.172.55.1...
  • Page 716 # Enter cluster view. [SW7750] cluster [SW7750-cluster] # Configure an IP address pool for the cluster. The IP address in the IP address pool starts from 172.16.0.1. The mask is 255.255.255.248. [SW7750-cluster] ip-pool 172.16.0.1 255.255.255.248 # Specify a name for the cluster and create the cluster.
  • Page 717 # Connect the member device to the public remote FTP server of the cluster. <aaa_1.3Com> ftp cluster # Download the file named aaa.txt from the public TFTP server of the cluster to the member device. <aaa_1.3Com> tftp cluster get aaa.txt # Upload the file named bbb.txt from the member device to the public TFTP server...
  • Page 718 (Chapter 63: Cluster Configuration)...
  • Page 719: Poe Overview

    PoE Overview Introduction to PoE Power over Ethernet (PoE) uses 10BaseT, 100Base-TX, and 1000Base-T twisted pairs to supply power to the remote powered devices (PD) in the network and implement power supply and data transmission simultaneously. Advantages of PoE ■ Reliability: The centralized power supply provides backup convenience, unified...
  • Page 720 For example: Port A has the priority critical. When the switch is reaching its full load and a new PD is now added to port A, the switch will not supply power to this new PD.
  • Page 721: Poe Configuration

    PoE Configuration In auto mode, when the switch is reaching its full load in supplying power, the switch decides whether to supply power to remote PDs on a port based on the port priority. Note that the switch can compare only the priority of ports on the same module.
  • Page 722 ■ Once PoE is enabled on a module, the system reserves the power for the slot even after you remove the module from the slot; in this case, you can use the undo poe enable slot command to release this power.
  • Page 723: Displaying Poe Configuration

    ■ The Switch 7750 does not support the spare mode. ■ When a module is almost fully loaded and a new PD is added, the switch will respond to the PD according to the PoE management mode. For details, see “Setting PoE Management Mode”...
  • Page 724: Poe Configuration Example

    ■ Set the PoE management mode of slot 3 to auto. ■ Slot 3 is supplied with 400 W of power and slot 5 is supplied with full power (namely, 806 W). ■ Enable PoE-compatibility detection on the PoE module in slot 3.
  • Page 725 # Set the maximum power supplied by the module in slot 3 to 400 W. [SW7750] poe max-power 400 slot 3 # Set the maximum power supplied by the module in slot 5 to 806 W (full power). [SW7750] poe max-power 806 slot 5...
  • Page 726 [SW7750]interface Ethernet 3/0/24 [SW7750-Ethernet3/0/24] undo poe enable [SW7750-Ethernet3/0/24] quit # Set the priority of Ethernet3/0/48 to critical, so that the devices connected to Ethernet3/0/48 can be provided with power preferentially without interrupting power supply to the current ports. [SW7750]interface Ethernet 3/0/48 [SW7750-Ethernet3/0/48] poe priority critical # Enable the PoE-compatibility detection feature on the module in slot 3.
  • Page 727: Introduction To Poe Psu Supervision

    PoE PSUs must be no less than 5 seconds. AC Input Alarm Thresholds: You can set the AC input alarm thresholds for the PoE PSUs to enable the Switch 7750 to monitor the AC input voltages of the PSUs in real time through Fabrics.
  • Page 728: Dc Output Alarm Threshold Configuration

    [SW7750] display poe-power ac-input state DC Output Alarm Threshold: You can set the DC output alarm thresholds for the PoE PSUs to enable the Switch 7750 to monitor the DC output voltages of the PSUs in real time through Fabrics.
  • Page 729: Displaying Poe Supervision Information

    [SW7750] display poe-power dc-output value Displaying PoE Supervision Information: After the above configuration, you can execute the display commands in any view to display the PoE operation of the switch and verify the configuration. Table 588 Display PoE supervision information: Operation...
  • Page 730 # Enable PoE on the module in slot 3. [SW7750] poe enable slot 3 # Set the overvoltage alarm threshold of AC input for the PoE PSUs to 264.0 V. [SW7750] poe-power input-thresh upper 264.0 # Set the undervoltage alarm threshold of AC input for the PoE PSUs to 181.0 V.
  • Page 731: PoE Profile Configuration

    Introduction to PoE Profile: On a large-sized network or a network with mobile users, to help network administrators monitor the PoE features of the switch, Switch 7750 Ethernet switches provide the PoE profile feature. Features of PoE profile: Various PoE profiles can be created.
  • Page 732: Displaying Poe Profile Configuration

    ...PoE profile is applied successfully if one PoE feature in the PoE profile is applied properly. ■ If one or more features in the PoE profile are not applied properly on a port, the switch prompts explicitly which PoE features in the PoE profile are not applied properly on which ports.
  • Page 733 ...mW, whereas the maximum power for Ethernet2/0/6 through Ethernet2/0/10 is 15,400 mW. Based on the above requirements, two PoE profiles are made for users of group A. ■ Apply PoE profile 1 for Ethernet2/0/1 through Ethernet 1/0/5; ■ Apply PoE profile 2 for Ethernet2/0/6 through Ethernet 1/0/10.
  • Page 734 3000 poe priority critical # Create Profile2, and enter poe-profile view. [SW7750] poe-profile Profile2 # In Profile2, add the PoE policy configuration applicable to Ethernet2/0/6 through Ethernet2/0/10 ports for users of group A. [SW7750-poe-profile-Profile2] poe enable [SW7750-poe-profile-Profile2] poe mode signal...
  • Page 735: Udp-Helper

    UDP-Helper is designed to relay specified UDP broadcast packets. It enables a device to operate as a UDP packet relay. That is, it can convert UDP broadcast packets into unicast packets and forward them to a specified server. Normally, all the received UDP broadcast packets are passed to the UDP module.
  • Page 736: Displaying And Maintaining Udp-Helper

    ■ The dns, netbios-ds, netbios-ns, tacacs, tftp, and time keywords refer to the six default UDP ports. You can configure a default port to be a UDP-Helper destination port by specifying the corresponding port number or the corresponding keyword. For example, udp-helper port 53 and udp-helper port dns specify the same port as a UDP-Helper destination port.
  • Page 737: Udp-Helper Configuration Example

    [SW7750] udp-helper enable # Configure port 55 as a UDP-Helper destination port. [SW7750] udp-helper port 55 # Configure the server with the IP address of 202.38.1.2 as a destination server for the UDP broadcast packets. [SW7750] interface Vlan-interface 1 [SW7750-Vlan-interface1] ip address 10.110.1.1 16...
  • Page 738 (Chapter 67: UDP-Helper Configuration)...
  • Page 739: Snmp Overview

    Write operation according to the message types, generate and return the Response message to the NMS. Agent will send Trap message on its own initiative to the NMS to report the events whenever the device status changes or the device encounters any abnormalities such as restarting the device.
  • Page 740 The management information base (MIB) is used to describe the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network device. In the above figure, the managed object B can be uniquely specified by a string of numbers {1.2.1.1}.
  • Page 741: Configuring Snmp Basic Functions

    Device management Interface management Configuring SNMP Basic Functions: The configuration of SNMP V3 is different from that of SNMP V1 and SNMP V2C, therefore SNMP basic function configurations for the different versions are introduced respectively. For specific configurations, refer to Table 595 and Table 596.
  • Page 742 (Chapter 68: SNMP Configuration) Table 595 Configure SNMP basic functions for SNMP V1 and SNMP V2C: Operation / Command / Description. Set a community name and ...: snmp-agent community { read | write } ... (Required; direct configuration) ■ ...
  • Page 743: Configuring Trap

    ViewDefault and OID is 1. oid-tree Configuring Trap Trap is the information that the managed device initiatively sends to the NMS without request. Trap is used to report some urgent and important events (e.g., the managed device is rebooted). Configuration Complete SNMP basic configuration.
  • Page 744: Displaying Snmp

    The snmp-agent trap ifmib command is used to privately extend a linkup/linkdown trap packet and add two objects, “ifDescr” (interface description) and “ifType” (interface type), to a trap packet. The two objects facilitate your understanding and failure port location. Displaying SNMP: After the above configuration is completed, execute the display command in any view to view the running status of SNMP, and to verify the configuration.
  • Page 745: Snmp Configuration Example

    SNMP Configuration Example Network requirements ■ An NMS and Switch A are connected through the Ethernet. The IP address of the NMS is 10.10.10.1 and that of the VLAN interface on Switch A is 10.10.10.2. ■ Perform the following configuration on Switch A: setting the community name...
  • Page 746 [SW7750] snmp-agent usm-user v3 managev3user managev3group # Set the VLAN interface 2 as the interface used by NMS. Add port Ethernet1/0/2 to VLAN 2. This port will be used for network management. Set the IP address of VLAN interface 2 as 10.10.10.2.
  • Page 747: Rmon C

    successfully.
  • Page 748 The events defined in an event group are mainly used in the alarm group and extended alarm group to trigger alarms. You can specify a network device to act in one of the following ways in response to an event: ■ Logging the event...
  • Page 749: Rmon Configuration

    Statistics group Statistics group contains the statistics of each monitored port on a network device. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
  • Page 750: Displaying Rmon

    ■ The rmon alarm and rmon prialarm commands take effect on existing nodes only. ■ For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, creation of another entry with a different index for the same port will not succeed.
  • Page 751: Configuration Procedures

    # Configure RMON. <SW7750> system-view [SW7750] interface Ethernet2/0/1 [SW7750-Ethernet2/0/1] rmon statistics 1 owner user1-rmon # View RMON configuration. [SW7750-Ethernet2/0/1] display rmon statistics Ethernet2/0/1 Statistics entry 1 owned by user1-rmon is VALID. Interface : Ethernet2/0/1<ifIndex.4227626> etherStatsOctets , etherStatsPkts etherStatsBroadcastPkts , etherStatsMulticastPkts : 0...
  • Page 752 (Chapter 69: RMON Configuration)...
  • Page 753: Introduction To Ntp

    ■ ...host, you must make sure they adopt the same time. As setting the system time manually in a network with many devices leads to a lot of workload and cannot ensure accuracy, it is unfeasible for an administrator to perform the operation.
  • Page 754 ■ Before the system clocks of Device A and Device B are synchronized, the clock of Device A is set to 10:00:00 am, and the clock of Device B is set to 11:00:00 ■ Device B serves as the NTP server, that is, the clock of Device A will be...
  • Page 755 ■ ...(T4). At this time, Device A has enough information to calculate the following two parameters: ■ Delay for an NTP message to make a round trip between Device A and Device ... Delay = (T )-(T ■ Time offset of Device A relative to Device B:...
  • Page 756 In peer mode, the active peer sends clock synchronization packets first, and its peer works as a passive peer automatically. If both of the peers have reference clocks, the one with the smaller stratum is adopted. Broadcast mode Figure 195 NTP implementation mode: broadcast mode...
  • Page 757: Ntp Implementation Mode Configuration

    Prerequisites ■ When a Switch 7750 operates in NTP server mode or NTP peer mode, you need to perform configuration on the client or the active peer only. When a Switch 7750 operates in NTP broadcast mode or NTP multicast mode, you need to perform configurations on both the server side and the client side.
  • Page 758 ■ ...time server. The Switch 7750 operates as the client, whose clock is synchronized to the NTP server. (In this case, the clock of the NTP server is not synchronized to the local client.) ■ When the remote-ip argument is an IP address of a host, it cannot be a...
  • Page 759: Access Control Permission Configuration

    ■ After the configuration, the Switch 7750 does not establish connections with the peer if it operates in NTP server mode. Whereas if it operates in any of the other modes, it establishes connections with the peer. ■ If a Switch 7750 operates as a passive peer in peer mode, NTP broadcast client...
  • Page 760 Besides, the authentication keys must be trusted keys. Otherwise, the client cannot be synchronized with the server. ■ In NTP server mode and NTP peer mode, you need to associate the specified key with the corresponding NTP server/active peer on the client/passive peer. In...
  • Page 761: Configuration Of Optional Ntp Parameters

    NTP mode where a switch is to operate The procedures for configuring NTP authentication on the server are the same as that on the client. Besides, the client and the server must be configured with the same authentication key. Configuration of...
  • Page 762: Displaying And Debugging Ntp

    By default, the NTP service is enabled CAUTION: ■ The source IP address in an NTP packet is the address of the sending interface specified by the ntp-service unicast-server command or the ntp-service unicast-peer command if you provide the address of the sending interface in these two commands.
  • Page 763 (network diagram: S7750-1, S7750-2) Configuration procedures Configure S7750-1. # Set the local clock as the NTP master clock, with the stratum being 2. <SW7750-1> system-view System View: return to User View with Ctrl+Z. [SW7750-1] ntp-service refclock-master 127.127.1.1 2 The following configurations are for S7750-2.
  • Page 764 This example assumes that 3Com2 is a switch that allows its local clock to be the master clock. 3Com3 is a switch that allows its local clock to be the master clock and the stratum of its clock is 1.
  • Page 765 3Com3 operates in the active peer mode, while the Switch 7750 operates in the passive peer mode. Because the stratum of the local clock of 3Com3 is 1, and that of the Switch 7750 is 3, the Switch 7750 is synchronized to Qudiway3.
  • Page 766 <SW77503> system-view [SW77503] # Enter VLAN-interface 2 view. [SW77503] interface Vlan-interface 2 [SW77503-Vlan-Interface2] # Configure 3Com3 to be the broadcast server and send broadcast packets through VLAN-interface 2. [SW77503-Vlan-Interface2] ntp-service broadcast-server 2 Configure Switch 7750-1. # Enter system view. <SW7750-1> system-view [SW7750-1] # Enter VLAN-interface 2 view.
  • Page 767 NTP Multicast Mode Network requirements Configuration 3Com3 sets the local clock to be NTP master clock, with the clock stratum of 2. It advertises multicast packets through VLAN interface 2. Configure Switch 7750-1 and Switch 7750-2 to listen to multicast packets through their VLAN interface 2.
  • Page 768 Chapter 70: NTP Configuration. Network diagram: Figure 200 Network diagram for NTP multicast mode configuration (Vlan-int 2 3.0.1.31/24, 3Com3, Vlan-int 2 1.0.1.31/24...)
  • Page 769 The output information indicates that Switch 7750-1 is synchronized to 3Com3, with the clock stratum being 3, one stratum higher than 3Com3. # View the information about the NTP sessions of Switch 7750-1 and you can see that a connection is established between Switch 7750-1 and 3Com3.
  • Page 770 [SW7750-2] ntp-service unicast-server 1.0.1.11 authentication-keyid 42 The above configuration synchronizes Switch 7750-2 to Switch 7750-1. As NTP authentication is not enabled on Switch 7750-1, Switch 7750-2 will fail to be synchronized to Switch 7750-1. The following configuration is needed for Switch 7750-1.
  • Page 771 The output information indicates that Switch 7750-2 is synchronized to Switch 7750-1, with the clock stratum being 3, one stratum higher than Switch 7750-1. # View the information about the NTP sessions of Switch 7750-2 and you can see that a connection is established between Switch 7750-2 and Switch 7750-1.
  • Page 772 Chapter 70: NTP Configuration...
  • Page 773: SSH Terminal Services

    Switch remotely through an insecure network. As an SSH server, a switch can connect to multiple SSH clients; as an SSH client, a switch can establish SSH connections with switches or UNIX hosts that support SSH server.
  • Page 774 request carrying the username, public key and public key algorithm to the server. The server checks the validity of the public key. If the key is invalid, the server returns an authentication failure message directly; otherwise, the server authenticates the client and returns the authentication result to the client.
  • Page 775 This configuration task is used to generate or destroy the server RSA key pair, including the host RSA key pair and the server RSA key pair. The name of the host RSA key pair is in the format of switch name plus _Host,...
  • Page 776 You just need to execute the command once, with no further action required even after the system is rebooted. If you use this command to generate an RSA key when an old one exists, the system will prompt you whether to replace the previous one or not.
  • Page 777 SSH2.0 client. This operation is not required for password authentication type. On the other hand, you can import the RSA public key of an SSH user from the public key file. When the rsa peer-public-key keyname import sshkey filename...
  • Page 778 SSH server and the host public key will be saved on the client even if the server host public key is not configured on the client. When the SSH client accesses the SSH server next time, the SSH client uses the host public key saved on it to authenticate the SSH server.
  • Page 779 { sha1 | sha1_96 | md5 | md5_96 } ]* Displaying SSH Configuration: Use the display commands in any view to view the running status of SSH and to check the configuration result. Through the displayed information, you can verify the configuration effect.
  • Page 780 1 Generate a local RSA key pair. <SW7750> system-view [SW7750] rsa local-key-pair create If the local RSA key pair has been generated in previous operations, skip this step here. 2 Set authentication type. Settings for the two authentication types are described respectively in the...
  • Page 781 Switch A Configuration procedure 1 Configure Switch B (SSH server) # Create a VLAN interface on the switch and assign it an IP address, which the SSH client will use as the destination for SSH connection. <SW7750> system-view [SW7750] interface vlan-interface 1...
  • Page 782 If the first-time authentication is not configured, it is required to manually configure the RSA host public key of the server on the client. # Display the RSA public key of the server (only the host public key contents are displayed).
  • Page 783 010001 <Omitted> Configure Switch A (SSH client) # Create a VLAN interface on the switch and assign it an IP address, which the SSH server will use as the destination for SSH connection. <SW7750> system-view [SW7750] interface vlan-interface 1 [SW7750-Vlan-interface1] ip address 10.1.1.2 255.255.255.0...
  • Page 784: Sftp Service

    Chapter 71: SSH Terminal Services. After generating a key pair on a client, you need to configure the public key on the server and have the configuration on the server done before continuing configuration of the client. # Disable first-time authentication.
  • Page 785 SFTP Service ... provide secured data transfer. As an SFTP client, it allows you to securely log onto another device to transfer files. SFTP Server Configuration: The following sections describe SFTP server configuration tasks: “Configuring service type for an SSH user” on page 785...
  • Page 786 Get help information about SFTP client commands: help (SFTP client view, Optional). Enabling the SFTP client: You can enable the SFTP client, establish a connection to the remote SFTP server and enter SFTP client view. Table 621 Enable the SFTP client Operation Command Description...
  • Page 787 SFTP Service Operating with SFTP directories SFTP directory-related operations include: changing or displaying the current directory, creating or deleting a directory, displaying files or information of a specific directory. Table 623 Operate with SFTP directories Operation Command Description Enter system view...
  • Page 788 2 Configure Switch A (SFTP client) # Establish a connection to the remote SFTP server and enter SFTP client view. [SW7750] sftp 10.111.27.91 # Display the current directory on the SFTP server, delete file z and verify the operation. sftp-client> dir...
  • Page 789 This operation may take a long time, please wait... Remote file:/pubkey2 ---> Local file: public Received status: End of file Received status: Success... Downloading file successfully ended # Upload file pu to the SFTP server and rename it to puk. Verify the operations.
  • Page 790 Chapter 71: SSH Terminal Services. sftp-client> put pu puk This operation may take a long time, please wait... Local file: pu ---> Remote file: /puk Received status: Success Uploading file successfully ended sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg...
  • Page 791: File System Management

    By specifying the name of a storage device, such as flash:/ and cf:/. You can provide the file-url argument in the following two ways in this chapter. In the form of [drive] [path] [file name]. In this case, the argument can be a string containing 1 to 64 characters.
  • Page 792 Disable a CF card umount cf: Required Currently, only the 96Gbps Switch Fabric supports the CF module. The operations listed in Table 627 are available in the directories on a CF module. File System Table 627 File system configuration tasks Configuration Tasks...
  • Page 793 The execute command cannot be executed recursively. Storage Device-Related Operations: With the file system, you can format a storage device, such as the Flash or a CF module. Note that the format operation leads to the loss of all files on the storage device and is irretrievable.
  • Page 794 Optional. Prompt Mode Configuration: You can set the file system prompt mode to be alert or quiet. When in the alert mode, the file system prompts for confirmation when you perform irreversible operations (such as deleting a file completely or overwriting a file). If you are in the quiet mode, you are not prompted when you execute the operations.
  • Page 795 %Deleted file flash:/test/c.cfg. # Restore the file c.cfg. <SW7750> undelete c.cfg %Undeleted file flash:/test/c.cfg. # Display the content of the file c.cfg. <SW7750> more c.cfg sysname 3Com Switch 7754 local-server nas-ip 127.0.0.1 key 3Com domain default enable system temperature-limit 0 10 70...
  • Page 796 Chapter 72: File System Management...
  • Page 797: Introduction To Bims

    At BIMS center side is service software operating on a PC or server, such as the BIMS component of 3Com’s Quidview (V3.10). At BIMS device side the BIMS function is integrated in the software system of the router. By accessing the BIMS center, the router updates its configuration file and application automatically.
  • Page 798: Bims Device Configuration Tasks

    In this case, the upgrade will fail, the configuration on the device will be lost, and eventually the BIMS cannot manage the device.
  • Page 799: Configuring Bims Access Mode

    When the BIMS device is configured with an access interval different from the one set at the BIMS center, it obtains and uses the setting on the BIMS center for later accesses. The likelihood exists that this interval is obtained by multiple BIMS devices.
  • Page 800: Bims Configuration Example

    When the device accesses the BIMS center, the BIMS center will judge whether to use these files to upgrade the files on the device. If yes, the BIMS center sends these files to the device to upgrade the files on the device. For detailed configuration procedures, refer to the part discussing the BIMS component in Quidview Network Management System User Manual.
  • Page 801 Network requirements (Configuring the Device to Access the BIMS Center Periodically): The BIMS device will access the BIMS center at 12:10 on May 1, 2005. From then on, it will access the BIMS center every two days until 23:50 on October 1, 2005.
  • Page 802 Chapter 73: BIMS Configuration...
  • Page 803: Ftp Configuration

    As an application layer protocol, FTP is used for file transfer between remote server and local host. TCP port 21 is used for control connections, and port 20 is used for data connections. Basic FTP operations are described in RFC 959.
  • Page 804 FTP client: A switch can operate as an FTP client, through which you can access files on FTP servers. In this case, you need to establish a connection between your PC and the switch through a terminal emulation program or Telnet and then execute the ftp X.X.X.X command on your PC (X.X.X.X is the IP address of an FTP server).
  • Page 805 Optional. The default connection idle time is 30 minutes. Only one user can access a Switch 7750 at a given time when the latter operates as an FTP server. FTP services are implemented in this way: An FTP client sends FTP requests to...
  • Page 806 1.1.1.1 Configuration procedure 1 Configure the switch # Log into the switch. (You can log into a switch through the Console port or by Telneting to the switch. See “Logging into an Ethernet Switch” on page 33 for detailed information.) <SW7750>...
  • Page 807 CAUTION: If the available space of the flash of the switch is not enough to hold the file to be uploaded, you need to move the files that are not in use from the flash to another place to make room for the file.
  • Page 808 Chapter 74: FTP and TFTP Configuration. operating as an FTP client. Table 641 lists the operations that can be performed on an FTP client. Table 641 Basic FTP client configuration Operation Command Description Enter FTP client view ftp [ cluster | ftp-server...
  • Page 809 CAUTION: If the available space of the flash of the switch is not enough to hold the file to be uploaded, you need to move the files that are not in use from the flash to another place to make room for the file.
  • Page 810: Tftp Configuration

    Chapter 74: FTP and TFTP Configuration. # Connect to the FTP server using the ftp command. You need to provide the IP address of the FTP server, the user name and the password as well. <SW7750> ftp 2.2.2.2 Trying ...
  • Page 811 TFTP Configuration Prerequisites A switch operates as a TFTP client and a remote PC as the TFTP server. The network operates properly, as shown in Figure 208. Basic TFTP configurations Table 643 Basic TFTP configurations Operation...
  • Page 812 CAUTION: If the available space of the flash of the switch is not enough to hold the file to be uploaded, you need to move the files that are not in use from the flash to another place to make room for the file.
  • Page 813 TFTP Configuration <SW7750> boot boot-loader switch.app <SW7750> reboot For information about the boot boot-loader command and how to specify the startup file for a switch, refer to “Specifying the APP to be Adopted at Reboot” on page 863.
  • Page 814 Chapter 74: FTP and TFTP Configuration...
  • Page 815: Information Center

    The following describes the fields of an information item: 1 Priority. The calculation formula for priority is priority = facility × 8 + severity - 1, in which facility (the device name) defaults to local7 with the value being 23 (the value...
  • Page 816 Chapter 75: Information Center. “hh:mm:ss” is the local time, where “hh” is in the 24-hour format, ranging from 00 to 23, and both “mm” and “ss” range from 00 to 59. “yyyy” is the year. Note that a space separates the time stamp and host name.
  • Page 817 Rapid ring protection protocol module; Rivest, Shamir and Adleman encryption module; L3+ plug-in module traffic accounting module; RTPRO Routing protocol module; RXTX Lower layer packets receiving and transmitting module; Server control module; SHELL User interface module; SNMP Simple network management protocol module...
  • Page 818 For example, the “debugging” severity corresponds to level 8, and the “emergencies” severity corresponds to level 1. If filtered by severity, the information of a severity level greater than the defined threshold will be filtered out for output. Therefore, when the severity threshold is set to “debugging”, all information will be output.
  • Page 819: Information Center Configuration

    The above section describes the log information format sent to a log server by a switch. Some log server software will resolve the received information as well as its format, so that you may see the log format displayed on the log server is different from the one described in this manual.
  • Page 820 | trap | debugging } { boot | date | none } To view the debugging information of specific modules, you need to set the information type as debug in the info-center source command, and enable debugging for corresponding modules through the debugging command.
  • Page 821 For example, to view log information of the switch on the console, you should not only enable log information output to the console, but also enable log information terminal display with the terminal logging command.
  • Page 822 (including module filter, language and severity level threshold settings) are shared between them. In this case, a change to any such parameter made by one user will also be reflected on all other user terminals. To view debugging information of specific modules, you need to set the...
  • Page 823 This determines how the time stamp is presented to users. To view debugging information of specific modules, you need to set the information type as debug in the info-center source command, and enable debugging on corresponding modules with the debugging command as well.
  • Page 824 This determines how the time stamp is presented to users. To view debugging information of specific modules, you need to set the information type as debug in the info-center source command, and enable debugging on corresponding modules with the debugging command as well.
  • Page 825: Displaying And Debugging Information Center Configuration

    Displaying and Debugging Information Center Configuration: After the above configurations, you can execute the display command in any view to display the running status of the information center, and thus validate your Information Center configurations. You can also execute the reset command in user view to clear the information in the log buffer and trap buffer.
  • Page 826 [SW7750] undo info-center source default channel loghost # Configure the host whose IP address is 202.38.1.10 as the log host. Set the output language to English. Permit ARP and IP modules to output information with severity level higher than informational to the log host.
  • Page 827 <SW7750> system-view [SW7750] info-center enable # Configure the host whose IP address is 202.38.1.10 as the log host. Set the output language to English. Permit all modules to output information with severity level higher than error to the log host.
  • Page 828 A note must start in a new line following a “#” sign. In each pair, a tab should be used as a separator instead of a space. No space is permitted at the end of the file name.
  • Page 829 # Disable for all modules the function of outputting information to the console channels. [SW7750] undo info-center source default channel console # Enable log information output to the console. Permit ARP and IP modules to output information with severity level higher than informational to the console. [SW7750] info-center console channel console...
  • Page 830 Chapter 75: Information Center...
  • Page 831: DNS Configuration

    1 A user program sends a name query to the resolver in the DNS Client. 2 The DNS resolver looks up the local DNS cache for a match. If a match is found, it returns the corresponding IP address to the user program. If not, it sends a query to the DNS Server.
  • Page 832 DNS lookup. If all the suffixes in the DNS suffix list have been tried but no DNS lookup succeeds, the resolver will use the original name (such as aabbcc) for a DNS lookup.
  • Page 833: Configuring Static Dns Resolution

    Network requirements Example As shown in Figure 214, Switch is used as a DNS client with dynamic DNS resolution. It allows you to visit Host with IP address 3.1.1.1/16. The DNS server IP address is 2.1.1.2/16. The DNS suffixes “com” and “net” are configured.
  • Page 834: Displaying And Maintaining Dns

    Displaying and Maintaining DNS: After the above configuration, you can execute the display command in any view to view the DNS configuration and running information to verify your configuration. You can execute the reset command in user view to clear the dynamic DNS cache.
  • Page 835: Troubleshooting Dns Configuration

    Symptom: Dynamic DNS resolution is enabled, but the user cannot get the correct IP address from a domain name. Analysis: The DNS client needs to be used in conjunction with the DNS server to get the correct IP address through domain name resolution. Solution: Use the display dns dynamic-host command to check if the specified domain...
  • Page 836 Chapter 76: DNS Configuration...
  • Page 837: Introduction To Loading Approaches

    The BootROM software version should be compatible with the host software version when you load the BootROM and host software. Local Software Loading: If your terminal is directly connected to the switch, you can load the BootROM and host software locally.
  • Page 838 To enter the Boot Menu, you should press <Ctrl+B> within five seconds after the information “Press Ctrl-B to enter Boot Menu...” appears. Otherwise, the system starts to decompress the program; and if you want to enter the Boot Menu at this time, you will have to restart the switch.
  • Page 839 Please change the terminal’s baudrate to 115200 bps and select XMODEM protocol Press enter key when ready If you have chosen 9600 bps as the download baud rate, you need not modify the HyperTerminal’s baud rate, and therefore you can skip Step 4 and 5 below and...
  • Page 840 Chapter 77: Software Loading. proceed to Step 6 directly. In this case, the system will not display the above information. Following are configurations on the PC. Take the HyperTerminal using the Windows operating system as an example. Step 4: Choose [File/Properties] in HyperTerminal, click <Configure> in the pop-up dialog box, and then select the baud rate of 115200 bps in the Console port configuration dialog box that appears, as shown in Figure 215, Figure 216.
  • Page 841 If you want to exit, Press <Ctrl+X>. Loading ...CCCCCCCCCC Step 7: Choose [Transfer/Send File] in the HyperTerminal’s window, and click <Browse> in pop-up dialog box, as shown in Figure 218. Select the software you need to download, and set the protocol to XMODEM.
  • Page 842 Step 9: After the download completes, the system displays the following information: Loading ...CCCCCCCCCC done! Step 10: Reset HyperTerminal’s baud rate to 9600 bps (refer to Step 4 and 5). Then, press any key as prompted. The system will display the following information when it completes the loading.
  • Page 843 PC. You can use one PC as both the configuration device and the TFTP server. Step2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. CAUTION: TFTP server program is not provided with the 3Com Series Ethernet Switches.
  • Page 844 Port transfer between server and client, and is widely used in IP networks. You can use the switch as an FTP client or a server, and download software to the switch through an Ethernet port. The following is an example.
  • Page 845 You can use one computer as both configuration device and FTP server. Step 2: Run the FTP server program on the FTP server, configure an FTP user name and password, and copy the program file to the specified FTP directory.
  • Page 846: Remote Software Loading

    Loading Process Using FTP Client 1 Loading BootROM As shown in Figure 222, a PC is used as both the configuration device and the FTP server. You can telnet to the switch, and then execute the FTP commands to download the BootROM program s7500.btm from the remote FTP server (with an IP address 10.1.1.1) to the switch.
  • Page 847 ■ Loading Process Using FTP Server As shown in Figure 223, the switch is used as the FTP server. You can telnet to the switch, and then execute the FTP commands to download the BootROM program s7500.btm from the switch.
  • Page 848 Figure 224 Command line interface Step 5: Enter cd in the interface to switch to the path that the BootROM upgrade file is to be stored, and assume the name of the path is “D:Bootrom”, as shown in Figure 225.
  • Page 849 Step 6: Enter “ftp 192.168.0.65" and enter the user name test, password pass, as shown in Figure 226, to log on the FTP server. Figure 226 Log on the FTP server Step 7: Use the put command to upload the file s7500.btm to the switch, as shown in Figure 227.
  • Page 850 Loading the host software is the same as loading the BootROM program, except for that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software at reboot of the switch.
  • Page 851 To keep the software of Fabric and I/O Module identical, you need to restart the I/O Module after you upgrade the host software of the Fabric of the Switch 7750 Ethernet switches. The Switch 7758 features the double Fabrics and active-standby switchover...
  • Page 852 Chapter 77: Software Loading...
  • Page 853: Basic

    User View Operation Command Description: Enter system view from user view: system-view. Setting the System Name of the Switch: Table 661 Set the system name of the switch Operation Command Description Enter system view system-view Set the system name of...
  • Page 854 YYYY/MM/DD. Setting the Local Time Zone: This configuration task is to set the name of the local time zone and the difference between the local time zone and the standard UTC (universal time coordinated) time.
  • Page 855: Displaying The System Status

    Displaying the System Status: You can use the following display commands to check the status and configuration information about the system. For information about protocols and ports, and the associated display commands, refer to relevant sections.
  • Page 856 Protocol debugging switches Protocol debugging switches Terminal display switches Terminal display switches You can use the following commands to operate the two kinds of switches. Perform the following operations in user view. Table 669 Enable debugging and terminal display Operation...
  • Page 857 System Debugging. Displaying Operating Information about Modules in System: When your Ethernet switch is in trouble, you may need to view a lot of operating information to locate the problem. Each functional module has its own operating information display command(s). You can use the command here to display the current operating information about the modules (settled when this command is designed) in the system for troubleshooting your system.
  • Page 858 Chapter 78: Basic System Configuration & Debugging...
  • Page 859: Network Connectivity Test

    The executing procedure of the tracert command is as follows: First, the source host sends a data packet with the TTL of 1, and the first hop device returns an ICMP error message indicating that it cannot forward this packet because of TTL timeout.
  • Page 860 Operation Command Support IP protocol tracert [ -a source-ip | -f first-TTL | -m max-TTL | -p port | -q num-packet | -w timeout ] * host Support CLNS protocol tracert clns [ -m max-TTL | -n num-packet | -t timeout | -v ]*...
  • Page 861: Device Management

    If the 96Gbps Switch Fabric switch works with the Switch 7708 chassis without the XGbus silkscreen, the four SFP interfaces on the switch fabric do not work. If a 96Gbps Switch Fabric is installed in a Switch 7758 XGbus chassis, the four SFP interfaces on the switch fabric all work normally.
  • Page 862 When rebooting, the system checks whether there is any configuration change. If there is, it prompts you to indicate whether or not to proceed. This prevents you from losing your original configuration due to oblivion after system reboot. Rebooting a Module of It would be necessary to reset a module of Ethernet switch when failure occurs.
  • Page 863 Specifying the APP to be Adopted at Reboot: APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be adopted when the switch reboots.
  • Page 864 command, the system will upgrade all the modules working normally by default. After you specify the boot file of the primary module, if you want to upgrade BootROM, the system will upgrade all modules working normally by default.
  • Page 865 3Com only: customized by 3Com [ interface-number ]. You can use the Vendor Name field in the prompt information of the display transceiver interface command to identify an anti-spoofing pluggable transceiver customized by 3Com. If the field is 3Com, it is considered a 3Com-customized pluggable transceiver.
  • Page 866: Configuring Pause Frame Protection Mechanism

    3Com only: transceiver(s) customized by 3Com. Configuring Pause Frame Protection Mechanism: Pause frames, which can be utilized as packets to attack a network, are used in traffic controlling. A switch that has the pause frame protection mechanism enabled discards the detected pause frames that are utilized to attack the network it resides in and logs these attacks in the logbuffer.
  • Page 867: Configuring Layer 3 Connectivity Detection

    ARP request packets continuously to the IP addresses of the devices to be detected. Users can then locate, solve, and log link problems by monitoring the peer devices through the received ARP response packets. This function requires that no Layer 3 device exist between the local peer and the remote peer.
  • Page 868: Configuring Queue Traffic Monitoring

    Configuring Queue Traffic Monitoring: ... queue traffic and relieves blocks in the output queue of its interfaces. The criterion used to distinguish a block is that the queue is full, and the traffic of the corresponding interface is less than the specified threshold.
  • Page 869: Displaying The Device Management Configuration

    # Specify only detect current interface for error packets of runt type. [SW7750-Ethernet4/0/1] qe monitor errpkt runt Displaying the Device Management Configuration: After the above configurations, you can execute the display command in any view to display the operating status of the device management to verify the configuration effects.
  • Page 870: Remote Switch Update Configuration Example

    Make appropriate configuration so that the IP address of a VLAN interface on the switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC are reachable to each other. The host software switch.app and the BootROM file boot.btm of the switch are stored in the directory of the switch.
  • Page 871 Switch. The detailed configuration is omitted here. 2 Configure the switch as follows: # On the switch, configure a level 3 telnet user with the username and password as user and hello respectively. Authentication by user name and password is required for the user.
  • Page 872 The specified file will be booted next time on unit 1! <SW7750> display boot-loader The primary app to boot of board 0 at the next time is: flash:/switch.app The backup app to boot of board 0 at the next time is: flash:/old.app The app to boot of board 0 at this time is: flash:/old.app...
  • Page 873: Remote-Ping Overview

    Remote-ping provides more functions than the ping command. The ping command can only use the ICMP protocol to test the round trip time (RTT) between this end and a specified destination end for the user to judge whether the destination end is reachable.
  • Page 874 Chapter 81: Remote-ping Configuration. Test Types Supported by Remote-ping: Among the test types supported by remote-ping, only the ICMP test can be performed when IRF fabric is enabled; all other test types cannot be performed when IRF fabric is enabled. Table 690 Test types supported by remote-ping...
  • Page 875 Number of probes per test (count): For tests except the jitter test, only one test packet is sent in a probe. In a jitter test, you can use the jitter-packetnum command to set the number of packets to be sent in a probe.
  • Page 876: Remote-Ping Configuration

    Table 691 Remote-ping test parameters Test parameter Description HTTP operation string and version (http-string) This parameter is used to set the HTTP operation string and version in an HTTP test. FTP operation type (ftp-operation) This parameter is used to set the type of FTP interaction operation between remote-ping client and FTP server.
  • Page 877 Among the test types supported by remote-ping, only the ICMP test can be performed when IRF fabric is enabled; all other test types cannot be performed when IRF fabric is enabled. With IRF fabric enabled, you are allowed to configure remote-ping tests and use the display commands to check your configurations,...
  • Page 878 Chapter 81: Remote-ping Configuration. but for non-ICMP tests, the remote-ping tests you configured cannot be executed until fabric is disabled. 1 Configuring an ICMP test on remote-ping client Table 694 Configure ICMP test on remote-ping client Operation...
  • Page 879 Required [ admin-name operation-tag ] You can execute the command in any view. 3 Configuring an FTP test on a remote-ping client Table 696 Configure an FTP test on a remote-ping client Operation Command Description Enter system view system-view...
  • Page 880 Table 696 Configure an FTP test on a remote-ping client (continued). Configure the source IP address: source-ip ip-address (Required; by default, no source IP address is configured). Configure the source port: source-port port-number...
  • Page 881 Remote-ping Configuration. Table 697 Configure an HTTP test on a remote-ping client. Enable the remote-ping client function: remote-ping-agent enable (Required; by default, the remote-ping client function is disabled). Create a remote-ping test group and enter its view: remote-ping (Required)...
  • Page 882 Table 697 Configure an HTTP test on a remote-ping client (continued). Configure the type of HTTP operation: http-operation { get | post } (Optional; by default, the type of HTTP operation is get, that is, the HTTP operation will get data from the HTTP server).
  • Page 883 Remote-ping Configuration. Table 698 Configure a jitter test on a remote-ping client. Configure the number of probes per test: count times (Optional; by default, each test makes one probe). Configure the maximum number of history records that...: history-records number (Optional; Figure 236)...
  • Page 884 Table 699 Configure an SNMP test on a remote-ping client. Configure the destination IP address: destination-ip ip-address (Required; by default, no destination address is configured). Configure the source IP address: source-ip ip-address (Optional; by default, no source IP address is configured).
  • Page 885 Remote-ping Configuration. Table 700 Configure a TCP test on a remote-ping client. Configure the destination address: destination-ip ip-address (Required; this IP address and the one configured on the remote-ping server for listening services must be the same; by default, no destination address is configured).
  • Page 886 Table 700 Configure a TCP test on a remote-ping client (continued). Display test results: display remote-ping results [ admin-name operation-tag ] (Required; the display command can be executed in any view). 8 Configuring a UDP test on a remote-ping client...
  • Page 887 Remote-ping Configuration. Table 701 Configure a UDP test on a remote-ping client. Configure the number of probes per test: count times (Optional; by default, one probe is made per test). Configure the maximum number of history records that...: history-records number (Optional; Figure 239)...
  • Page 888 Configuring Remote-ping client to send Trap messages Trap messages are generated regardless of whether the remote-ping test succeeds or fails. You can specify whether to output Trap messages by enabling/disabling Trap sending. Table 703 Configure the remote-ping client to send Trap messages...
  • Page 889: Remote-Ping Configuration Example

    The Switch 7750 serves as the remote-ping client. A remote-ping ICMP test between the switch and another switch uses ICMP to test the round trip time (RTT) for packets generated by the remote-ping client to travel to and back from the destination switch.
  • Page 890 # Set the probe timeout time to 5 seconds. [7750-remote-ping-administrator-icmp] timeout 5 # Start the test. [7750-remote-ping-administrator-icmp] test-enable # Set the maximum number of history records that can be saved to 5. [7750-remote-ping-administrator-icmp] history-records 5 # Display test results. [7750-remote-ping-administrator-icmp] display remote-ping results administrator i Remote-ping entry(admin administrator, tag icmp) test result: Destination ip address:10.2.2.2...
  • Page 891 [7750] Remote-ping administrator dhcp # Configure the test type as dhcp. [7750-remote-ping-administrator-dhcp] test-type dhcp # Configure the source interface, which must be a VLAN interface. Make sure the DHCP server resides on the network connected to this interface. [7750-remote-ping-administrator-dhcp] source-interface Vlan-interface 1 # Configure to make 10 probes per test.
  • Page 892 FTP test between the two switches to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is established. Both the username and password used to log in to the FTP server are admin.
  • Page 893 2000-04-03 03:58:35.9 For detailed output description, see the corresponding command manual. If you are downloading a file from the server, you do not need to specify an FTP operation type. For details, see “Configuring an FTP test on a remote-ping client”.
  • Page 894 [Network diagram: Switch A and the HTTP server on the 10.2.2.2/8 IP network] Configuration procedure: Configure the HTTP server. Use a Windows 2003 Server as the HTTP server and follow the instructions in your Windows 2003 Server documentation. Configure the remote-ping client (Switch A):...
  • Page 895 For an HTTP test, if you configure the destination address as a host name, you must also configure the IP address of the DNS server that resolves the host name into an IP address; that resolved address is the destination IP address of the HTTP test.
  • Page 896 [7750] remote-ping administrator Jitter # Configure the test type as jitter [7750-remote-ping-administrator-Jitter] test-type Jitter # Configure the IP address of the remote-ping server as 10.2.2.2. [7750-remote-ping-administrator-Jitter] destination-ip 10.2.2.2 # Configure the destination port on the remote-ping server. [7750-remote-ping-administrator-Jitter] destination-port 9000 # Configure to make 10 probes per test.
  • Page 897 Both the remote-ping client and the SNMP agent are Switch 7750s. Perform remote-ping SNMP tests between the two switches to measure the time from when Switch A sends an SNMP query message to Switch B (the SNMP agent) until it receives a response from Switch B.
  • Page 898 Both the remote-ping client and the remote-ping server are Switch 7750s. Perform a remote-ping Tcpprivate test to measure the time required to establish a TCP connection between this end (Switch A) and the specified destination end (Switch B), with the port number set to 8000.
  • Page 899 # Enable the remote-ping client. <7750> system-view [7750] remote-ping-agent enable # Create a remote-ping test group, setting the administrator name to administrator and the test tag to tcpprivate. [7750] Remote-ping administrator tcpprivate # Configure the test type as tcpprivate. [7750-remote-ping-administrator-tcpprivate] test-type tcpprivate # Configure the IP address of the remote-ping server as 10.2.2.2.
  • Page 900 [Network diagram: Switch A and Switch B] Configuration procedure: Configure the remote-ping server (Switch B): # Enable the remote-ping server and configure the IP address and port to listen on. <7750> system-view [7750] remote-ping-server enable [7750] remote-ping-server udpecho 10.2.2.2 8000 Configure the remote-ping client (Switch A):...
  • Page 901 DNS Test. Network requirements: A Switch 7750 serves as the remote-ping client, and a PC serves as the DNS server. Perform a remote-ping DNS test between the switch and the DNS server to measure the time from when the client sends a DNS request until it receives a resolution result from the DNS server.
  • Page 902 # Create a remote-ping test group, setting the administrator name to administrator and the test tag to dns. [7750] remote-ping administrator dns # Configure the test type as dns. [7750-remote-ping-administrator-dns] test-type dns # Configure the IP address of the DNS server as 10.2.2.2.
  • Page 903: Rrpp Overview

    As shown in Figure 250, Domain 1 is an RRPP domain, which consists of Ethernet ring 1 and ring 2. All the nodes on the Ethernet rings belong to the RRPP domain.
  • Page 904 1. As shown in Figure 250, RRPP domain 1 consists of ring 1 and ring 2. If their levels are set to level 0 and level 1 respectively, ring 1 is the primary ring and ring 2 is the subring.
  • Page 905 The node roles are determined by user configuration. As shown in Figure 250, Switch B and Switch C are on ring 1 and ring 2 at the same time. Port 2 of Switch B and Port 1 of Switch C connect the primary ring and a subring, so they are common ports.
  • Page 906 Basic Principles of RRPP. Link DOWN notification mechanism: When a transit node detects that one of its ports in the RRPP domain is down, it immediately sends a LINK DOWN packet to the master node. After receiving the LINK DOWN packet, the master node unblocks the data VLAN on its secondary port and sends a Common Flush packet to tell all transit nodes to refresh their respective MAC address FDB and ARP tables.
  • Page 907 [Figure: RRPP domain 1 with a single ring 1; Switch A, Switch B, Switch C and Switch D, one master node and three transit nodes] There is only one ring in the network topology. In this case, only one RRPP domain needs to be defined.
  • Page 908 There are two or more rings in the network topology and two common nodes exist between each pair of rings. In this case, only one RRPP domain is to be defined, in which one ring must be defined as the primary ring and the rest as subrings.
  • Page 909: Master Node Configuration

    Configuration Prerequisites: The switch ports connecting the Ethernet rings have been configured as trunk ports. All ports allow data VLAN packets to pass, and STP has been disabled on all the ports connecting the Ethernet rings. Master Node Configuration: The following table describes the master node configuration tasks.
  • Page 910 The control VLAN of an RRPP domain cannot be a static VLAN already created on the switch. If you configure a dynamic VLAN as the control VLAN of an RRPP domain, the VLAN becomes a static VLAN automatically. It is not recommended to configure a VLAN as both an RRPP control VLAN...
  • Page 911: Transit Node Configuration

    Configuration Prerequisites: The switch ports connecting the Ethernet rings have been configured as trunk ports. All ports allow data VLAN packets to pass, and STP has been disabled on all the ports connecting the Ethernet rings. Transit Node Configuration: The following table describes the transit node configuration tasks.
  • Page 912: Edge Node Configuration

    The control VLAN of an RRPP domain cannot be a static VLAN already created on the switch. If you configure a dynamic VLAN as the control VLAN of an RRPP domain, the VLAN becomes a static VLAN automatically. It is not recommended to configure a VLAN as both an RRPP control VLAN...
  • Page 914: Assistant Edge Node Configuration

    GigabitEthernet2/0/1 as the primary port, and GigabitEthernet2/0/2 as the secondary port. Define the switch as an edge node on subring 2 in RRPP domain 1, with the port GigabitEthernet2/0/2 as the common port and the port GigabitEthernet2/0/4 as the edge port.
  • Page 916: Configuration Example

    Define the switch as a node in RRPP domain 1. Define VLAN 4092 as the control VLAN. Define the switch as a transit node in primary ring 1 in RRPP domain 1, with the port GigabitEthernet2/0/1 as the primary port and the port GigabitEthernet2/0/2 as the secondary port.
  • Page 917 Configuration Example. Switch B, Switch C and Switch D are transit nodes of the primary ring. Their respective GigabitEthernet2/0/1 and GigabitEthernet2/0/2 serve as the primary and secondary ports. The default values are used for the timers on the primary ring...
  • Page 918 Switch E serves as the master node of the subring; its GigabitEthernet2/0/1 is the primary port, and its GigabitEthernet2/0/2 is the secondary port. Switch B serves as a transit node of the primary ring and the edge node of the subring; its GigabitEthernet2/0/2 is the common port, and its GigabitEthernet2/0/3 is the edge port.
  • Page 919 Configuration procedure. CAUTION: Make sure that the switch ports connecting the Ethernet rings have been configured as trunk ports. All ports allow data VLAN packets to pass, and STP has been disabled on all the ports connecting the Ethernet rings.
  • Page 920 [SW7750-rrpp-domain-1] control-vlan 4092 [SW7750-rrpp-domain-1] ring 2 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 1 [SW7750-rrpp-domain-1] ring 2 enable [SW7750-rrpp-domain-1] quit [SW7750] rrpp enable After the configuration, you can use the display command to view the RRPP configuration and packet statistics.
  • Page 921: Telnet

    Introduction: The Telnet protection function is used to protect Telnet packets, SNMP packets, and ICMP packets from specific source IP addresses in the case of attacks against the network or high CPU utilization. Telnet protection comes in three forms: global Telnet protection, special ARP Telnet protection, and default-route Telnet protection.
  • Page 922 Command / Description: Enable global Telnet protection or special ARP Telnet protection: attack-protection [ ip-address ] (Required; if you use this command with the ip-address parameter, you can protect the specified Layer-3 interfaces). Configuring SNMP Protection: Table 711 Configure SNMP protection...
  • Page 923: Smart

    Normally, only one port (master or slave) is active, and the other port is blocked, that is, in the standby state. When a link failure occurs on the active port, the Smart Link group automatically blocks that port and switches the previously blocked port from the standby state to the active state.
  • Page 924 Currently, the member ports of a Smart Link group cannot be dynamic link aggregation groups. If the master port or slave port of a Smart Link group is a link aggregation group, you cannot remove this link aggregation group directly or change the aggregation group into a dynamic aggregation group.
  • Page 925: Configuring Smart Link

    When link switching occurs in the Smart Link group, the MAC forwarding entries and ARP entries of each device in the network may be out of date. In order to guarantee correct packet transmission, you must enable the Smart Link device to send flush messages to notify the other devices in the network to refresh their own MAC forwarding entries and ARP entries.
  • Page 926 VLAN so as to work with the corresponding Smart Link device. As shown in Figure 257, all the devices on the active and backup links connecting the Smart Link device (Switch A) and the target uplink device (Switch E), including Switch C, Switch D, and Switch E, are associated devices.
  • Page 927 When configuring Smart Link, pay attention to the following points: 1 A port or a link aggregation group cannot serve as a member port for two Smart Link groups. Likewise, a port or a link aggregation group cannot serve as a member of a Smart Link group and a Monitor Link group at the same time.
  • Page 928: Displaying And Debugging Smart Link

    After the above-mentioned configuration, you can use the following display commands in any view to view the Smart Link group information and the statistics of flush messages received and processed by the current device, so as to verify the configuration.
  • Page 929 Smart Link Configuration Example Configuration procedure 1 Configure a Smart Link group on Switch A and configure member ports for it. Enable the function of sending flush messages in Control VLAN 1. # Enter system view. <switchA> system-view # Enter Ethernet port view. Disable STP on Ethernet2/0/1 and Ethernet2/0/2.
  • Page 930 4 Enable the function of processing flush messages received from VLAN 1 on Switch # Enter system view. <SwitchE> system-view # Enable the function of processing flush messages received from VLAN 1 on Ethernet 2/0/2 and Ethernet 2/0/3.
  • Page 931: Introduction To Monitor Link

    A Monitor Link group consists of an uplink port and one or more downlink ports. When the link for the uplink port of a Monitor Link group fails, all the downlink ports in the Monitor Link group are forced down. When the link for the uplink port recovers, all the downlink ports in the group are re-enabled.
  • Page 932: Configuring Monitor Link

    [Network diagram: Switch A and Switch B] As shown in Figure 260, the devices Switch C and Switch D are connected to the uplink device Switch E. Switch C is configured with a Monitor Link group, where Ethernet2/0/1 is the uplink port, while Ethernet2/0/2 and Ethernet2/0/3 are the downlink ports.
  • Page 933 and one or more downlink ports. The uplink port can be a manually-configured or static LACP link aggregation group, an Ethernet port, or a Smart Link group. The downlink ports can be manually-configured link aggregation groups, static LACP link aggregation groups, or Ethernet ports.
  • Page 934: Displaying Monitor Link Configuration

    The Smart Link/Monitor Link function and the remote port mirroring function are incompatible with each other. If a single port is specified as a Smart Link/Monitor Link group member, do not use the lacp enable command on the port or add the port to another dynamic link aggregation group, because doing so will cause the port to become an aggregation group member.
  • Page 935 [Network diagram: PC 3 and PC 4] Configuration procedure: 1 Enable Smart Link on Switch A and Switch B to implement link redundancy backup. Perform the following configuration on Switch A. The configuration on Switch B is the same as on Switch A.
  • Page 936 # Configure to send flush messages in VLAN 1. [SwitchA-smlk-group1] flush enable control-vlan 1 2 Enable Monitor Link on Switch C and Switch D and enable the function of processing flush messages received from VLAN 1. Perform the following configuration on Switch C. The operation procedure on Switch D is the same as that performed on Switch C.
  • Page 937: Configuring Boot Rom Upgrade With App File

    Specify the App file abcd.app as the primary startup file for the next boot and use it to upgrade the Boot ROMs. Configuration example: # Use the current startup file to upgrade the Boot ROMs of all normal I/O Module modules in position.
  • Page 938: Configuring Inter-Card Link State Adjustment

    <SW7750> boot bootrom default # Use the specified App file (abcd.app) to upgrade the Boot ROMs of the slot 1 I/O Module modules in position. <SW7750> boot bootrom abcd.app # Specify the App file abcd.app as the primary startup file for the next boot.
  • Page 939: Configuring Internal Channel Monitoring

    The Fabric sends handshake packets to each service module every second. After receiving the handshake packets, each service module reports the result to the Fabric, which then knows that the service module is operating normally. Through this process, the Fabric can judge whether each service module in the device operates normally.
  • Page 940: Configuring Cpu Usage Threshold

    CPU threshold of the specified module is determined by the latter one. For example, if you set the CPU usage threshold of all the modules to 88 and set that of the module in slot 2 to 77, the CPU usage threshold of the module in slot 2 is...
