Planet XGS3-42000R User Manual

4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch
Summary of Contents for Planet XGS3-42000R

  • Page 1 User's Manual XGS3-42000R 4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch...
  • Page 2: Fcc Warning

    Trademarks: Copyright © PLANET Technology Corp. 2010. Contents subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners. Disclaimer: PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty or representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.
  • Page 3 Do not dispose of WEEE as unsorted municipal waste; such WEEE has to be collected separately. Revision: PLANET 4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch User's Manual FOR MODEL: XGS3-42000R, REVISION: 1.0 (APRIL 2010), Part No: EM-XGS3-42000R (2081-A96040-000)
  • Page 4: Table Of Contents

    Content: CHAPTER 1 INTRODUCTION OF XGS3-42000R (1-1); 1.1 Packet Contents (1-1); 1.2 Product Description (1-2); 1.3 Product Features (1-3); 1.4 Product Specification (1-5); 1.4.1 XGS3-42000R Specification (1-5); 1.4.2 Management Module Specification (1-6); 1.4.3 Standard Ethernet Module Specification ...
  • Page 5 4.2.1 Telnet (4-1); 4.2.2 SSH (4-3); 4.3 Configure Chassis Switch IP Addresses (4-4); 4.3.1 Chassis Switch IP Addresses Configuration Task List (4-4); 4.4 SNMP Configuration (4-7); 4.4.1 Introduction to SNMP (4-7); 4.4.2 Introduction to MIB ...
  • Page 6 9.1 Introduction to Loopback Detection Function (9-3); 9.2 Loopback Detection Function Configuration (9-3); 9.3 Loopback Detection Function Example (9-5); 9.4 Loopback Detection Troubleshooting (9-5); CHAPTER 10 ULDP FUNCTION CONFIGURATION (10-5); 10.1 Introduction to ULDP Function ...
  • Page 7 14.2.4 GVRP Troubleshooting (14-10); 14.3 Dot1q-tunnel Configuration (14-10); 14.3.1 Introduction to Dot1q-tunnel (14-10); 14.3.2 Dot1q-tunnel Configuration (14-11); 14.3.3 Typical Applications of the Dot1q-tunnel (14-12); 14.4 VLAN-translation Configuration (14-13); 14.4.1 Introduction to VLAN-translation (14-13); 14.4.2 VLAN-translation Configuration (14-13); 14.4.3 Typical application of VLAN-translation (14-14); 14.4.4 VLAN-translation Troubleshooting (14-15); 14.5 D...
  • Page 8 17.1.1 QoS Terms (17-1); 17.1.2 QoS Implementation (17-2); 17.1.3 Basic QoS Model (17-2); 17.2 QoS Configuration (17-5); 17.3 QoS Example (17-9); 17.4 QoS Troubleshooting (17-12); CHAPTER 18 PBR CONFIGURATION (18-1); 18.1 Introduction to PBR (18-1); 18.2 PBR Configuration ...
  • Page 9 21.5 ARP (21-19); 21.5.1 Introduction to ARP (21-19); 21.5.2 ARP Configuration Task List (21-19); 21.5.3 ARP Troubleshooting (21-21); CHAPTER 22 ARP SCANNING PREVENTION FUNCTION CONFIGURATION (22-1); 22.1 Introduction to ARP Scanning Prevention Function (22-1); 22.2 ARP S...
  • Page 10 CHAPTER 28 DHCP CONFIGURATION (28-1); 28.1 Introduction to DHCP (28-1); 28.2 DHCP Server Configuration (28-2); 28.3 DHCP Relay Configuration (28-4); 28.4 DHCP Configuration Examples (28-5); 28.5 DHCP Troubleshooting (28-7); CHAPTER 29 DHCPV6 CONFIGURATION ...
  • Page 11 32.3 DHCP Snooping Typical Application (32-4); 32.4 DHCP Snooping Troubleshooting (32-5); 32.4.1 Monitor and Debug Information (32-5); 32.4.2 DHCPv6 Snooping Troubleshooting Help (32-5); CHAPTER 33 ROUTING PROTOCOL OVERVIEW (33-1); 33.1 Routing Table (33-1); 33.2 IP R...
  • Page 12 37.4 OSPF Troubleshooting (37-18); CHAPTER 38 OSPFV3 (38-1); 38.1 Introduction to OSPFv3 (38-1); 38.2 OSPFv3 Configuration (38-4); 38.3 OSPFv3 Examples (38-7); 38.4 OSPFv3 Troubleshooting (38-10); CHAPTER 39 BGP (39-1); 39.1 Introduction to BGP ...
  • Page 13 CHAPTER 43 IPV4 MULTICAST PROTOCOL (43-1); 43.1 IP Multicast Protocol Overview (43-1); 43.1.1 Introduction to Multicast (43-1); 43.1.2 Multicast Address (43-1); 43.1.3 IP Multicast Packet Transmission (43-3); 43.1.4 IP Multicast Application (43-3); 43.2 PIM-DM (43-3); 43.2.1 Introduction to PIM-DM ...
  • Page 14 43.8.3 DCSCM Configuration Examples (43-41); 43.8.4 DCSCM Troubleshooting (43-42); 43.9 IGMP (43-42); 43.9.1 Introduction to IGMP (43-42); 43.9.2 IGMP Configuration Task List (43-44); 43.9.3 IGMP Configuration Examples (43-46); 43.9.4 IGMP Troubleshooting (43-47); 43.10 IGMP Snooping (43-47); 43.10.1 Introduction to IGMP Snooping (43-47); 43.10. ...
  • Page 15 44.6 MLD (44-24); 44.6.1 Introduction to MLD (44-24); 44.6.2 MLD Configuration Task List (44-24); 44.6.3 MLD Typical Application (44-26); 44.6.4 MLD Troubleshooting Help (44-27); 44.7 MLD Snooping (44-27); 44.7.1 Introduction to MLD Snooping (44-27); 44.7.2 MLD Snooping Configuration Task (44-29); 44.7.3 MLD Snooping Examples (44-30); 44.7.4 MLD Snooping Troubleshooting (44-32); CHAPTER 45 MULTICAST VLAN ...
  • Page 16 CHAPTER 48 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP CONFIGURATION (48-1); 48.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP (48-1); 48.2 The Number Limitation Function of Port, MAC in VLAN and IP Configuration ...
  • Page 17 CHAPTER 53 SSL CONFIGURATION (53-1); 53.1 Introduction to SSL (53-1); 53.1.1 Basic Element of SSL (53-1); 53.2 SSL Configuration (53-2); 53.3 SSL Typical Example (53-3); 53.4 SSL Troubleshooting (53-4); CHAPTER 54 IPV6 SECURITY RA CONFIGURATION ...
  • Page 18 58.3 VRRP Typical Examples (58-3); 58.4 VRRP Troubleshooting (58-4); CHAPTER 59 IPV6 VRRPV3 CONFIGURATION (59-1); 59.1 Introduction to VRRPv3 (59-1); 59.1.1 The Format of VRRPv3 Message (59-2); 59.1.2 VRRPv3 Working Mechanism ...
  • Page 19 64.1 Introduction to NTP Function (64-1); 64.2 NTP Function Configuration (64-1); 64.3 Typical Examples of NTP Function (64-3); 64.4 NTP Function Troubleshooting (64-4); CHAPTER 65 DNSV4/V6 CONFIGURATION (65-1); 65.1 Introduction to DNS ...
  • Page 20 CHAPTER 70 TROUBLESHOOTING (70-1); CHAPTER 71 APPENDIX A (71-1); 71.1 A.1 Switch RJ-45 Pin Assignments (71-1); 71.2 A.2 10/100Mbps, 10/100Base-TX ... (71-1); CHAPTER 72 GLOSSARY (72-1) ...
  • Page 21: Chapter 1 Introduction Of Xgs3-42000R

    Thank you for purchasing the XGS3-42000R 4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch. The term "Chassis Switch" means the XGS3-42000R named on the cover page of this User's Manual. Open the box of the Chassis Switch and carefully unpack it. Check that the package contains the following items: ...
  • Page 22: Product Description

    The XGS3-42000R is a high-density chassis-based routing switch built with 4 module slots and a redundant power supply. It provides great port flexibility for network deployment by offering various, combinable management modules and standard interface modules.
  • Page 23: Product Features

    1.3 Product Features  Hardware and Performance  4 open module slots design: − 2 Management Modules with 2 Standard Ethernet Modules − 1 Management Module with 3 Standard Ethernet Modules  Up to 188-Port Gigabit copper / 156-Port Gigabit SFP / 13-Port 10G XFP ...
  • Page 24  Support VLAN − IEEE 802.1Q Tagged VLAN − Up to 4K VLAN groups, out of 4041 VLAN IDs − Provider Bridging (VLAN Q-in-Q) support (IEEE 802.1ad) − GVRP protocol for VLAN Management − Private VLAN Edge (PVE) ...
  • Page 25: Product Specification

     SNTP (Simple Network Time Protocol)  LLDP (Link Layer Discovery Protocol)  User Privilege levels control 1.4 Product Specification 1.4.1 XGS3-42000R Specification Product: XGS3-42000R; Chassis Slots: 4 (2 Management Modules + 2 Standard Ethernet Modules, or 1 Managed...
  • Page 26: Management Module Specification

    Relative Humidity: ...; Operating Temperature: 0°C~40°C; Power Input: AC 100~240V, 50~60 Hz; Power Consumption: ≤400W. 1.4.2 Management Module Specification: XGS3-42000R Management Module. Model Name / Product: XGS3-M24GX, XGS3-M44G. Hardware Specification: 24 x 10/100/1000Base-T RJ-45 copper ports (XGS3-M24GX); 44 x 10/100/1000Base-T RJ-45 ports (XGS3-M44G)...
  • Page 27 LED: 10/100/1000M LNK/ACT, 1000M LNK/ACT, 10G LNK/ACT. Dimension: 339 x 357 x 43 mm (W x D x H). IPv4 Layer 3 functions: IP Routing Protocol: Static Route, RIPv1/v2, OSPFv2, BGP4, Policy-Based Routing (PBR), LPM Routing (MD5 authentication); Multicast Routing Protocol: IGMPv1/2/3, DVMRP, PIM-DM/SM, PIM-SSM...
  • Page 28 - DSCP/TOS field in IP packet; Policy-based DiffServ. Multicast: IGMPv1/v2/v3 Snooping, IGMP Proxy, IGMP Querier mode support, MLDv1/v2, MLDv1/v2 Snooping. Access Control List: Support Standard and Expanded ACL, IP-Based ACL / MAC-Based ACL, Time-Based ACL; ACL Pool can be used for QoS classification...
  • Page 29: Standard Ethernet Module Specification

    IEEE 802.1s Multiple Spanning Tree Protocol; IEEE 802.1p Class of Service; IEEE 802.1Q VLAN Tagging; IEEE 802.1x Port Authentication Network Control; IEEE 802.1ab LLDP. 1.4.3 Standard Ethernet Module Specification: XGS3-42000R Standard Ethernet Module. Model Name / Product: XGS3-S24G, XGS3-S48G, XGS3-S48GF, XGS3-S4XG...
  • Page 30 (columns: XGS3-S24G / XGS3-S48G / XGS3-S48GF / XGS3-S4XG) XFP/mini-GBIC slots: 10GBase-SR/LR XFP slots. Switch Fabric: 68Gbps / 96Gbps / 96Gbps / 40Gbps. Throughput: 50Mpps / 71Mpps / 71Mpps / 59Mpps @64 bytes. LED: System: PWR, RUN; Ports: 10/100/1000M LNK/ACT, 1000M LNK/ACT, 10G LNK/ACT. Dimension: 339 x 357 x 43mm (W x D x H). Standards Conformance: Regulation: FCC Part 15 Class A, CE...
  • Page 31: Chapter 2 Installation

    The unit front panel provides a simple interface for monitoring the XGS3-42000R Chassis Switch. Figure 2-1-1 shows the front panel of the Chassis Switch. XGS3-42000R Front Panel Figure 2-1-1 XGS3-42000R front panel ■ Power slots Used for system power supply modules; supports up to two 400W AC modules (XGS3-PWR-AC).
  • Page 32 Slots 2~4 support standard modules such as the XGS3-S4XG, XGS3-S24G, XGS3-S48G and XGS3-S48GF. ■ Fan tray slot Supports one system fan assembly; each assembly consists of four axial fans. The unit rear panel provides a simple interface for monitoring the XGS3-42000R Chassis Switch. Figure 2-1-2 shows the rear panel of the Chassis Switch.
  • Page 33: Management Module Hardware Description

    2.1.2 Management Module Hardware Description 2.1.2.1 XGS3-M24GX The unit front panel provides a simple interface for monitoring the XGS3-M24GX Management Module. Figure 2-1-3 shows the front panel of the Management Module. XGS3-M24GX Front Panel Figure 2-1-3 XGS3-M24GX front panel ■ Gigabit TP interface 10/100/1000Base-T copper, RJ-45 twisted-pair: up to 100 meters.
  • Page 34 XGS3-M24GX LED indication Figure 2-1-4 XGS3-M24GX LED panel ■ System LED (Color / Function): Green, lit: the Management Module has power; off: the Management Module is powered off. Green, blinking slowly: the Management Module is running in normal status; Green, blinking fast: the system is loading (Management Module booting after hot plug-in).
  • Page 35 ■ XFP interface (Color / Function): Green, lit: the link through that port is established at 10Gbps and no data is going through the port; Green, blinking: the Management Module is actively sending or receiving data over that port. 2.1.2.2 XGS3-M44G The unit front panel provides a simple interface for monitoring the XGS3-M44G Management Module.
  • Page 36 XGS3-M44G LED indication Figure 2-1-6 XGS3-M44GX LED panel ■ System LED (Color / Function): Green, lit: the Management Module has power; off: the Management Module is powered off. Green, blinking slowly: the Management Module is running in normal status; Green, blinking fast: the system is loading (Management Module booting after hot plug-in).
  • Page 37: Standard Ethernet Module Hardware Description

    2.1.3 Standard Ethernet Module Hardware Description 2.1.3.1 XGS3-S24G The unit front panel provides a simple interface for monitoring the XGS3-S24G Standard Ethernet Module. Figure 2-1-7 shows the front panel of the Standard Ethernet Module. XGS3-S24G Front Panel Figure 2-1-7 XGS3-S24G front panel ■...
  • Page 38 ■ 10/100/1000Base-T interfaces, LNK/ACT LED (Color / Function): Green: the link through that port is established at 10/100/1000Mbps; Yellow: the Standard Ethernet Module is actively sending or receiving data over that port; off: no data is going through the port. ■...
  • Page 39 ■ 10/100/1000Base-T interfaces, LNK/ACT LED (Color / Function): Green: the link through that port is established at 10/100/1000Mbps; Yellow: the Standard Ethernet Module is actively sending or receiving data over that port; off: no data is going through the port. 2.1.3.3 XGS3-S48GF The unit front panel provides a simple interface for monitoring the XGS3-S48GF Standard Ethernet Module.
  • Page 40 The unit front panel provides a simple interface for monitoring the XGS3-S4XG Standard Ethernet Module. Figure 2-1-13 shows the front panel of the Standard Ethernet Module. XGS3-S4XG Front Panel Figure 2-1-13 XGS3-S4XG front panel ■ 10 Gigabit XFP slots 10GBase-SR/LR slot for XFP (10 Gigabit Small Form Factor Pluggable) transceiver modules: from 300 meters (multi-mode fiber) up to 10 kilometers (single-mode fiber).
  • Page 41: Ac Power Supply Module Hardware Description

    2.1.4 AC Power Supply Module Hardware Description The unit front panel provides a simple interface for monitoring the XGS3-PWR-AC AC Power Supply Module. Figure 2-1-15 shows the front panel of the AC Power Supply Module. XGS3-PWR-AC Front Panel Figure 2-1-15 XGS3-PWR-AC front panel The front panel LEDs indicate the instant power-fault and power-good status, which helps with monitoring and troubleshooting when needed.
  • Page 42: Install The Chassis Switch

    2.2 Install the Chassis Switch This section describes how to install your Chassis Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Chassis Switch on a desktop or shelf, simply complete the following steps. During the installation, take care to avoid impacts that may damage the device.
  • Page 43: Rack Mounting

    Step 4: Supply power to the Chassis Switch. Connect one end of the power cable to the Chassis Switch. Connect the power plug of the power cable to a standard wall outlet. 2.2.2 Rack Mounting To install the Chassis Switch in a 19-inch standard rack, please follow the instructions described below. Step 1: Place the Chassis Switch on a hard flat surface, with the front panel positioned towards the front side.
  • Page 44: Chassis Switch Grounding

    Chassis Switch. 2.2.3 Chassis Switch Grounding A good grounding system is the groundwork for the smooth and safe operation of the XGS3-42000R, and an excellent way to protect against lightning strikes and interference. Please follow the XGS3-42000R grounding specification instructions, verify the installation site's grounding condition and ensure proper...
  • Page 45 The ground resistance value should be less than 1 ohm. The XGS3-42000R provides a chassis grounding post at the lower rear of the chassis, marked "GND". The chassis protection grounding should be properly connected to the rack grounding connector...
  • Page 46: Installing The Management / Standard Ethernet Module

    Insert the optional module into the slot; you can use the metal handle on the front plate of the module to ensure good contact. Then lock the module with the panel fasteners on the front plate as shown in Figure 2-2-5. Figure 2-2-5 Insert the optional module into the slot of the XGS3-42000R
  • Page 47: Removing / Installing The Dust Gauze

    2.2.5 Removing / Installing the Dust Gauze A dust gauze is provided in the right section of the XGS3-42000R; it can be installed and removed from the back of the XGS3-42000R. The dust gauze is meant to prevent large debris or particles in the air from being ingested into the switch.
  • Page 48: Removing / Installing The Power Supply Unit

    XGS3-42000R. Please slide in the PWR-AC module first before plugging in the rear power cord. To remove a power supply unit from the XGS3-42000R, loosen the hand screw counter-clockwise and pull the power supply unit out of the XGS3-42000R.
  • Page 49: Installing The Sfp / Xfp Transceiver

    Figure 2-2-8 Installing and Removing the Power Supply Unit 2.2.8 Installing the SFP / XFP Transceiver This section describes how to insert an SFP / XFP transceiver into an SFP / XFP slot. The SFP / XFP transceivers are hot-pluggable and hot-swappable. You can plug a transceiver into, or pull it out of, any SFP / XFP port without having to power down the Chassis Switch.
  • Page 50 Figure 2-2-10 Plug in the XFP transceiver  Approved PLANET SFP Transceivers The PLANET Chassis Switch supports both single-mode and multi-mode SFP transceivers. The following list of approved PLANET SFP transceivers is correct at the time of publication: Gigabit SFP Transceiver modules: ■...
  • Page 51 To connect a 1000Base-LX SFP transceiver, use single-mode fiber cable with a male duplex LC connector on one side.  Approved PLANET XFP Transceivers The PLANET Chassis Switch supports both single-mode and multi-mode XFP transceivers. The following list of approved PLANET XFP transceivers is correct at the time of publication: Gigabit SFP Transceiver modules: ■...
  • Page 52 Figure 2-2-11 Pull out the SFP / XFP transceiver Never pull out the module without pulling the handle or the push bolts on the module. Pulling the module out by force could damage the module and the SFP / XFP module slot of the Chassis Switch.
  • Page 53: Chapter 3 Chassis Switch Management

    Chapter 3 Chassis Switch Management 3.1 Management Options After purchasing the Chassis Switch, the user needs to configure the Chassis Switch for network management. The Chassis Switch provides two management options: in-band management and out-of-band management. IMPORTANT! The Chassis Switch is shipped without an IP address assigned by default. The user must assign an IP address to the Chassis Switch via the Console interface to be able to access the Chassis Switch remotely through Telnet or HTTP.
  • Page 54 installed, such as HyperTerminal included in Windows 9x/NT/2000/XP. Serial port cable: one end attached to the RS-232 serial port, the other end to the Console port. Chassis Switch: functional Console port required. Step 2: Entering HyperTerminal Open the HyperTerminal included in Windows after the connection is established.
  • Page 55 Figure 3-1-3 Opening HyperTerminal 3) In the "Connecting using" drop-down list, select the RS-232 serial port used by the PC, e.g. COM1, and click "OK". Figure 3-1-4 Opening HyperTerminal 4) The COM1 properties dialog appears; select "9600" for "Baud rate", "8" for "Data bits", "none" for "Parity", "1" for "Stop bits" and "none"...
  • Page 56 Figure 3-1-5 Opening HyperTerminal Step 3: Entering the switch CLI interface Power on the switch; the following appears in the HyperTerminal window, which is the CLI configuration mode of the Chassis Switch: Testing RAM... 134,217,728 RAM OK. Initializing... Attaching to file system ... done. Loading flash:/nos.img ...
  • Page 57 25 Ethernet/IEEE 802.3 interface(s) Discovered modules: -------------------- Slot: 1 -------------------- Module type: XGS3-M24GX Work mode: ACTIVE MASTER Hardware version: Bootrom version: 2.2.1 Serial number: N091600096 Manufacture date: 2009/04/21 -------------------- Slot: 2 -------------------- Module type: XGS3-S24G Work mode: SLAVE Hardware version: Bootrom version: 2.1.0 Serial number:...
  • Page 58: In-Band Management

    3.1.2 In-band Management In-band management refers to managing the Chassis Switch by logging in with Telnet, HTTP, or SNMP management software to configure it. In-band management allows the Chassis Switch to be managed from devices attached to it. When in-band management fails because of Chassis Switch configuration changes, out-of-band management can be used to configure and manage the Chassis Switch.
  • Page 59 The IP address configuration commands for the VLAN 1 interface are listed below. Before in-band management, the switch must be configured with an IP address by out-of-band management (i.e. Console mode); the configuration commands are as follows (all switch configuration prompts are assumed to be "XGS3-42000R" hereafter if not otherwise specified): XGS3-42000R>...
  • Page 60: Management Via Http

    XGS3-42000R>enable
    XGS3-42000R#config
    XGS3-42000R(config)#username test privilege 15 password 0 test
    XGS3-42000R(config)#authentication line vty login local
    Enter a valid login name and password in the Telnet configuration interface, and the Telnet user will be able to enter the switch's CLI configuration interface. The commands used in the Telnet CLI interface after login are the same as those in the Console interface. Note that the credentials in this example (test/test at privilege 15) grant full administrative access and should be replaced with a strong password, and that Telnet carries the login and every subsequent command in cleartext; prefer SSH (section 4.2.2) for remote CLI access.
  • Page 61 management chapt er. To enable the WEB configuration, users should type the CLI command IP http server in the global mode as below: XGS 3-42000R>enable XGS 3-42000R#config XGS 3-42000R(config)#ip http server Step 2: Run HTTP protocol on the host. Open the Web browser on the host and type the IP address of the Chassis Switch, or run directly the HTTP protocol on the Windows.
  • Page 62 Figure 3-1-10 Web Login Interface Input the correct username and password, and the main Web configuration interface is shown as below. Figure 3-1-11 Main Web Configuration Interface When configuring the Chassis Switch, the name of the Chassis Switch is composed of English letters.
  • Page 63: Cli Interface

    3.1.2.3 Manage the Chassis Switch via SNMP Network Management Software The prerequisites for SNMP network management software to manage the Chassis Switch: 1) IP addresses are configured on the Chassis Switch; 2) The IP address of the client host and that of the VLAN interface on the switch it attaches to should be in the same segment;...
  • Page 64: Configuration Modes

    On entering the CLI interface, the user first enters the user entry system. A common user defaults to User Mode. The prompt shown is "XGS3-42000R>"; the symbol ">" is the prompt for User Mode. When the exit command is run under Admin Mode, it also returns to User Mode.
  • Page 65: Global Mode

    3.2.1.3 Global Mode Typing the config command under Admin Mode enters Global Mode, with the prompt "XGS3-42000R(config)#". Using the exit command under other configuration modes such as Port Mode or VLAN Mode returns to Global Mode. The user can perform global configuration settings under Global Mode, such as MAC Table, Port Mirroring, VLAN creation, IGMP Snooping start, STP, etc.
  • Page 66: Configuration Syntax

     ACL Mode (ACL type / Entry / Operates / Exit): Standard IP ACL Mode: type the ip access-list standard command under Global Mode; configure parameters for Standard IP ACL Mode; use the exit command to return to Global Mode. Extended IP ACL Mode: type the ip access-list ...
  • Page 67: Help Function

    Left "←": the cursor moves one character to the left. Right "→": the cursor moves one character to the right. You can use the Left and Right keys to modify an entered command. Ctrl+p: the same as the Up key "↑". The same as the Down key "...
  • Page 68: Input Verification

    3.2.5 Input Verification 3.2.5.1 Returned Information: success All commands entered through the keyboard undergo a syntax check by the Shell. Nothing is returned if the user entered a correct command under the corresponding mode and the execution is successful. Returned Information: error (Output error message / Explanation): Unrecognized command or illegal...
  • Page 69: Chapter 4 Basic Chassis Switch Configuration

    Chapter 4 Basic Chassis Switch Configuration 4.1 Basic Configuration Basic Chassis Switch configuration includes commands for entering and exiting Admin Mode, commands for entering and exiting interface mode, commands for configuring and displaying the Chassis Switch clock, commands for displaying the version information of the Chassis Switch system, etc. (Command / Explanation, Normal User Mode / Admin Mode)...
  • Page 70 When the Chassis Switch is used as a Telnet server, the user can use the Telnet client program included in Windows or other operating systems to log in to the Chassis Switch, as described earlier in the In-band Management section. As a Telnet server, the Chassis Switch allows up to 5 Telnet client TCP connections. As a Telnet client, the telnet command under Admin Mode allows the user to log in to other remote hosts.
  • Page 71: Ssh

    Command / Explanation (Admin Mode): telnet {<ip-addr> | <ipv6-addr> | host <hostname>} [<port>]: Log in to a remote host with the Telnet client included in the Chassis Switch. 4.2.2 SSH 4.2.2.1 Introduction to SSH SSH (Secure Shell) is a protocol which ensures a secure remote access connection to network devices. It is based on the reliable TCP/IP protocol.
  • Page 72: Configurate Chassis Switch Ip Addresses

    terminal monitor: Display SSH debug information on the SSH client terminal side; the "no terminal monitor" command stops displaying SSH debug information on the SSH client side. 4.2.2.3 Typical SSH Server Configuration Example 1: Requirement: Enable the SSH server on the Chassis Switch, and run SSH 2.0 client software such as Secure Shell client or PuTTY on the terminal.
  • Page 73 1. Enable VLAN port mode (Command / Explanation, Global Mode): interface vlan <vlan-id>: create a VLAN interface (layer 3 interface); the "no interface vlan <vlan-id>" command deletes the VLAN interface. 2. Manual configuration (VLAN Port Mode): ip address <ip_address>...
  • Page 74 4. DHCP configuration (Command / Explanation, VLAN Port Mode): ip bootp-client enable: enable the switch to be a DHCP client and obtain an IP address and gateway address through DHCP negotiation; the "no ip bootp-client enable" command disables the DHCP client function.
  • Page 75: Snmp Configuration

    4.4 SNMP Configuration 4.4.1 Introduction to SNMP SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 [RFC1157] is the first version of SNMP, adopted by vast numbers of manufacturers for its simplicity and ease of implementation; SNMP v2c is an enhanced version of SNMP v1, which supports layered network management;...
  • Page 76: Introduction To Mib

    4.4.2 Introduction to MIB The network management information accessed by the NMS is well defined and organized in a Management Information Base (MIB). A MIB is pre-defined information which can be accessed by network management protocols. It is in layered and structured form. The pre-defined management information can be obtained from monitored network devices.
  • Page 77: Introduction To Rmon

    4.4.3 Introduction to RMON RMON is the most important expansion of standard SNMP. RMON is a set of MIB definitions, used to define standard network monitoring functions and interfaces, enabling communication between SNMP management terminals and remote monitors. RMON provides a highly efficient method to monitor actions inside the subnets.
  • Page 78 ... {<ipv6-num-std>|<ipv6-name>}] [read <read-view-name>] [write <write-view-name>]; no snmp-server community <string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]. 3. Configure IP address of SNMP management base (Command / Explanation, Global Mode): snmp-server securityip {<ipv4-addr> | <ipv6-addr>}: Configure the secure IPv4/IPv6 address which is ...
  • Page 79: Typical Snmp Configuration Examples

    6. Configure group (Command / Explanation, Global Mode): snmp-server group <group-string> {noauthnopriv|authnopriv|authpriv} [[read <read-string>] [write <write-string>] [notify <notify-string>]] [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]: Set the group information on the Chassis Switch. This command is used to configure VACM for SNMP... no snmp-server group <group-string>...
  • Page 80 The IP address of the NMS is 1.1.1.5; the IP address of the Chassis Switch XGS3-42000R (Agent) is 1.1.1.9. Scenario 1: The NMS network administrative software uses the SNMP protocol to obtain data from the Chassis Switch. The configuration on the Chassis Switch is listed below:...
  • Page 81: Snmp Troubleshooting

    Chassis Switch with read-only permission. Scenario 6: The NMS will receive Trap messages from the Chassis Switch XGS3-42000R (Note: the NMS may verify the community string of Trap messages. In this scenario, the NMS uses a Trap verification community string of dcstrap).
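The group levels above (noauthnopriv, authnopriv, authpriv) are backed by the SNMPv3 User-based Security Model. As an added example, not code from the manual or from PLANET, the following Python derives the USM keys the way RFC 3414 specifies and checks the result against the RFC's own "maplesyrup" vector. The two other engine IDs and the sample message are constructed; on a real deployment the agent's snmpEngineID would be read from the device.

```python
"""SNMPv3 USM key derivation and message authentication (RFC 3414).

Added example, not code from the manual or from PLANET.  It shows what the
noauthnopriv / authnopriv / authpriv levels chosen with snmp-server group
rest on: the user's password is hashed into Ku, then localized with the
agent's snmpEngineID into Kul, so one password gives a different key on
every agent, and authenticated messages carry an HMAC computed with Kul.
The "maplesyrup" vector is the one printed in RFC 3414 appendix A.3; the
other engine IDs and the sample message are constructed.
"""
import hashlib
import hmac

PASSWORD_STREAM_LEN = 1_048_576  # RFC 3414 A.2: hash exactly 2**20 bytes of password
AUTH_PARAM_LEN = 12              # HMAC-MD5-96 / HMAC-SHA-96 truncate to 12 octets


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated, and finally truncated, to 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(PASSWORD_STREAM_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-agent key the USM actually uses."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameter(whole_msg: bytes, kul: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters (RFC 3414 6.3.1 / 7.3.1): HMAC over the whole
    message, computed with the 12-octet parameter field zeroed, truncated to 12
    octets.  The caller passes the message in that zeroed form."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:AUTH_PARAM_LEN]


def verify_auth(whole_msg: bytes, received: bytes, kul: bytes, hash_name: str = "md5") -> bool:
    """Constant-time check of a received authentication parameter."""
    return hmac.compare_digest(auth_parameter(whole_msg, kul, hash_name), received)


# RFC 3414 A.3 vector: password "maplesyrup", snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    print("Kul MD5 :", localize_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5").hex())   # 526f5eed9fcce26f8964c2930787d82b
    print("Kul SHA1:", localize_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1").hex())
    # constructed: two agents with different engine IDs, same user password
    agent_a = bytes.fromhex("80000009030000c0ffee0001")
    agent_b = bytes.fromhex("80000009030000c0ffee0002")
    pw = b"netops-Secret-2010"
    print("keys differ per agent:", localize_key(pw, agent_a) != localize_key(pw, agent_b))
    msg = b"\x30\x1a" + b"constructed-snmpv3-message" + b"\x00" * AUTH_PARAM_LEN
    print("auth param:", auth_parameter(msg, localize_key(pw, agent_a)).hex())
```

Because Kul is bound to the engine ID, a localized key lifted from one agent does not directly authenticate to another agent that shares the password, but anyone holding the password can derive every agent's key; a noauthnopriv group carries none of this protection at all. That is why authpriv with a strong passphrase, combined with snmp-server securityip to restrict which managers may talk to the agent, is the configuration worth deploying.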
  • Page 82: Switch Upgrade

    4.5 Switch Upgrade The Chassis Switch provides two ways to upgrade: BootROM upgrade and TFTP/FTP upgrade under the Shell. 4.5.1 Chassis Switch System Files The system files include the system image file and the boot file. Updating the Chassis Switch means updating these two files by overwriting the old files with the new ones. Neither TFTP nor FTP authenticates the file it delivers, so serve the image from a trusted host on the management network and check the file's size and checksum against the values supplied with the firmware release, where available, before overwriting the old image.
  • Page 83 operation result is shown below: [Boot]: Step 3: In BootROM mode, run "setconfig" to set the IP address and mask of the Chassis Switch in BootROM mode, the server IP address and mask, and select TFTP or FTP upgrade. Suppose the Chassis Switch address is 192.168.1.2 and the PC address is 192.168.1.66, and TFTP upgrade is selected; the configuration should look like: [Boot]: setconfig Host IP Address: [10.1.1.1] 192. ...
  • Page 84: Ftp/Tftp Upgrade

    File boot.rom exists, overwrite? (Y/N)?[N] y
    Writing boot.rom ...
    Write boot.rom OK.
    [Boot]:
    Step 8: After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface. [Boot]: run (or reboot) Other commands in BootROM mode 1. DIR command Used to list existing files in the FLASH.
  • Page 85 management connection maintains until data trans fer is complet e. Then, using the address and port number provided by the client, the server establishes data connection on port 20 (if not engaged) to transfer data; if port 20 is engaged, the server automatically generates some other port number to establish data connection. In passive connection, the client, through management connection, notify the server to establish a passive connection.
    - Running configuration file: refers to the running configuration sequence used in the Chassis Switch. In the Chassis Switch, the running configuration file is stored in the RAM. In the current version, the running configuration sequence running-config can be saved from the RAM to FLASH by the write command or the copy running-config startup-config command, so that the running configuration sequence becomes the startup configuration file; this is called configuration save.
  • Page 87 For FTP client, server file list can be ftp-dir <ftpServerUrl> checked. FtpServerUrl format looks like: ftp: //user: password@IP v4|IP v6 Address. 2. FTP server configuration (1)Start FTP server Command Explanation Global Mode Start FTP server and support IP v4, IP v6, the no ftp-server enable command shuts down FTP server and prevents no ftp-server enable...
  • Page 88 tftp-server retransmi ssion-number Set the retransmission time for TFTP server. <number> 4.5.3.3 FTP/TFTP Configuration Examples It is the same configuration Chassis Switch for IP v4 addresses and IP v6 addresses. The example only for the IP v4 addresses configuration. 10.1.1.2 10.1.1.1 Figure 4-5-2 Download nos.img file as FTP/TFTP client Scenario 1: The Chassis Switch is used as FTP/TFTP client.
  • Page 89 The configuration procedures of the Chassis Switch are listed below: XGS 3-42000R(config)#interface vlan 1 XGS 3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 XGS 3-42000R(config-if-Vlan1)#no shut XGS 3-42000R(config-if-Vlan1)#exit XGS 3-42000R(config)#exit XGS 3-42000R#copy tftp: //10.1.1.1/12_30_nos.img nos.img Scenario 2: The Chassis Switch is used as FTP server. The Chassis Switch operates as the FTP server and connects from one of its ports to a computer, which is a FTP client.
    - FTP Configuration PC side: Start the FTP server software on the PC and set the username “Switch” and the password “Admin”. Switch: XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 XGS3-42000R(config-if-Vlan1)#no shut XGS3-42000R(config-if-Vlan1)#exit XGS3-42000R#copy ftp://Switch:superuser@10.1.1.1 220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
  • Page 91 150 Opening AS CII mode data connection for nos.img. 226 Transfer complete. close ftp client.  The following is the message displays when files are successfully received. Otherwise, please verify link connectivity and retry “copy ” command again. 220 Serv-U FTP -Server v2.5 build 6 for WinSock ready... 331 User name okay, need password.
  • Page 92 write ok transfer complete close tftp client. If the Chassis Switch is upgrading system file or system start up file through TFTP, the Chassis Switch must not be restarted until “close tftp client” is displayed, indicating upgrade is successful, otherwise the Chassis Switch may be rendered unable to start.
  • Page 93: Chapter 5 File System Operations

    Chapter 5 File System Operations 5.1 Introduction to File Storage Devices File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files).
  • Page 94: Typical Applications

    4. The deletion of a sub-directory Command Explanation Admin Configuration Mode rmdir <directory> Delete a sub-directory in a designated directory on a certain device. 5. Changing the current working directory of the storage device Command Explanation Admin Configuration Mode cd <directory> Change the current working directory of the storage device.
  • Page 95: Troubleshooting

    XGS3-42000R#copy flash:/nos.img flash:/nos-5.2.1.0.img Copy flash:/nos.img to flash:/nos-5.2.1.0.img? [Y:N] y Copied file flash:/nos.img to flash:/nos-5.2.1.0.img. 5.4 Troubleshooting If errors occur when users try to implement file system operations, please check whether they are caused by the following reasons ...
  • Page 96: Chapter 6 Cluster Configuration

    (member switches) through an intermediate XGS3-42000R (commander switch). A commander switch can manage multiple member switches. As soon as a public IP address is configured in the commander switch, all the member switches which are configured with private IP addresses can be managed remotely.
  • Page 97 5. Remote cluster net work management 1) Remote configuration management 2) Remotely upgrade member switch 3) Reboot member switch 6. Manage cluster network with web 1) Enable http 7. Manage cluster network with snmp 1) Enable snmp server 1. Enable or disable cluster Command Explanation Global Mode...
  • Page 98 5. Configure attributes of the cluster in the candidate switch Command Explanation Global Mode cluster keepalive interval <second> Set the keep-alive interval of the no cluster keepalive interval cluster. number lost cluster keepalive loss-count <int> keep-alive messages that can be no cluster keepalive loss-count tolerated in the clusters.
  • Page 99: Examples Of Cluster Administration

    8. Manage cluster network with snmp Command Explanation Global Mode snmp-server enable Enable the snmp server function in the commander switch and member switch. Notice: the snmp server function must be enabled in the member switch when the commander switch visits the member switch by snmp. The commander switch visits the member switch via configure character string...
  • Page 100: Cluster Administration Troubleshooting

    6.4 Cluster Administration Troubleshooting When encountering problems in applying the cluster admin, please check the following possible causes: - Whether the command switch is correctly configured and the auto adding function (cluster auto-add) is enabled. - Whether the ports connecting the command switch and member switch belong to the cluster vlan. - ...
  • Page 101: Chapter 7 Port Configuration

    Chapter 7 Port Configuration 7.1 Introduction to Port XGS3-42000R Chassis Switches contain Cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface ethernet <interface-list> command to enter the appropriate Ethernet port configuration mode, where <interface-list>...
  • Page 102: Port Configuration Example

    mdi {auto | across | normal} no mdi Sets the cable type for the specified port; this command is not supported by combo port and fiber port of Chassis Switch. speed-duplex {auto | force10-half | force10-full | force100-half | force100-full | force100-fx ... Sets port speed and duplex mode of 100/1000Base-TX or 100Base-FX ports.
  • Page 103: Port Troubleshooting

    Switch1 Ingress bandwidth limit: 150 M Switch2 Mirror source port 100Mbps full, mirror source port 1/10 1000Mbps full, mirror destination port Switch3 1/12 100Mbps full The configurations are listed below: Switch1: Switch1(config)#interface ethernet 1/7 Switch1(Config-If-Ethernet1/7)#bandwidth control 50 both Switch2: Switch2(config)#interface ethernet 1/9 Switch2(Config-If-Ethernet1/9)#speed-duplex force100-full Switch2(Config-If-Ethernet1/9)#exit...
  • Page 104: Chapter 8 Port Isolation Function Configuration

    Chapter 8 Port Isolation Function Configuration 8.1 Introduction to Port Isolation Function Port isolation is an independent port-based function working in an inter-port way, which isolates flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
  • Page 105: Port Isolation Function Typical Examples

    4. Display the configuration of port isolation Command Explanation Admin Mode and Global Mode show isolate-port group [<WORD>] Display the configuration of port isolation, including all configured port isolation groups and Ethernet ports in each group. 8.3 Port Isolation Function Typical Examples e1/15 Vlan...
  • Page 106: Chapter 9 Port Loopback Detection Function Configuration

    Chapter 9 Port Loopback Detection Function Configuration 9.1 Introduction to Port Loopback Detection Function With the development of Chassis Switches, more and more users begin to access the network through Ethernet switches. In the enterprise network, users access the network through layer-2 switches, which means urgent demands for both internet access and internal layer 2 interworking.
  • Page 107 1.Configure the time interval of loopback detection Command Explanation Global Mode loopback-detection interval-time Configure the time interval of loopback <loopback> <no-loopback> detection. no loopback-detection interval-time 2.Enable the function of port loopback detection Command Explanation Port Mode loopback-detection specified-vlan <vlan-list> Enable and disable the function of port no loopback-detection specified-vlan loopback detection.
  • Page 108: Port Loopback Detection Function Example

    9.3 Port Loopback Detection Function Example Figure 9-3-1 A typical example of port loopback detection (SWITCH, Network Topology) As shown in the above configuration, the Chassis Switch will detect the existence of loopbacks in the network topology. After enabling the function of loopback detection on the port connecting the Chassis Switch with the outside network, the Chassis Switch will notify the connected network about the existence of a loopback, and control the port on the switch to guarantee the normal operation of the whole network.
  • Page 109: Introduction To Uldp Function

    10.1 Introduction to ULDP Function Unidirectional link is a common error state of link in networks, especially in fiber links. Unidirectional link means that only one port of the link can receive messages from the other port, while the latter one can not receive messages from the former one.
  • Page 110: Uldp Configuration Task Sequence

    ULDP (Unidirectional Link Detection Protocol) can help avoid disasters that could happen in the situations mentioned above. In a Chassis Switch connected via fibers or copper Ethernet line (like ultra five-kind twisted pair), ULDP can monitor the link state of physical links. Whenever a unidirectional link is discovered, it will send warnings to users and can disable the port automatically or manually according to users’...
  • Page 111 uldp aggressive-mode Set the global working mode. no uldp aggressive-mode 4. Configure aggressi ve mode on a port Command Explanation Port configuration mode uldp aggressive-mode Set the working mode of the port. no uldp aggressive-mode 5. Configure the method to shut down unidirectional link Command Explanation Global configuration mode...
  • Page 112: Uldp Function Typical Examples

    show uldp [interface ethernet IFNAME] Display ULDP information. No parameter means to display global ULDP information. The parameter specifying a port will display global information and neighbor information of the port. debug uldp fsm interface ethernet <IFname> Enable or disable the debug Chassis...
  • Page 113: Uldp Troubleshooting

    Switch A configuration sequence: SwitchA(config)#uldp enable SwitchA(config)#interface ethernet 1/1 SwitchA(Config-If-Ethernet1/1)#uldp enable SwitchA(Config-If-Ethernet1/1)#exit SwitchA(config)#interface ethernet1/2 SwitchA(Config-If-Ethernet1/2)#uldp enable Switch B configuration sequence: SwitchB(config)#uldp enable SwitchB(config)#interface ethernet1/3 SwitchB(Config-If-Ethernet1/3)#uldp enable SwitchB(Config-If-Ethernet1/3)#exit SwitchB(config)#interface ethernet1/4 SwitchB(Config-If-Ethernet1/4)#uldp enable As a result, ports g1/1 and g1/2 of SWITCH A are both shut down by ULDP, and there is notification information on the CRT terminal of PC1.
  • Page 114 increased, which means a reduced bandwidth.  ULDP does not handle any LACP event. It treats every link of TRUNK group (like Port-channal, TRUNK ports) as independent, and handles each of them respectively.  ULDP does not compact with similar protocols of other vendors, which means users can not use ULDP on one end and use other similar protocols on the other end.
  • Page 115: Chapter 11 Lldp Function Operation Configuration

    Chapter 11 LLDP Function Operation Configuration 11.1 Introduction to LLDP Function Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them.
  • Page 116: Lldp Function Configuration Task Sequence

    11.2 LLDP Function Configuration Task Sequence 1. Globally enable LLDP function 2. Configure the port-based LLDP function switch 3. Configure the operating state of port LLDP 4. Configure the intervals of LLDP updating messages 5. Configure the aging time multiplier of LLDP messages 6. Configure the sending delay of updating messages 7. Configure the intervals of sending Trap messages 8. Configure to enable the Trap function of the port 9. Configure the optional information-sending attribute of the port...
  • Page 117 6. Configure the sending delay of updating messages Command Explanation Global Mode Configure the sending delay of updating lldp transmit delay <seconds> messages as the specified value or no lldp transmit delay default value. 7. Configure the intervals of sending Trap messages Command Explanation Global Mode...
  • Page 118: Lldp Function Typical Example

    show lldp Display current LLDP configuration information. show lldp interface ethernet <IFNAME> Display the LLDP configuration information of the current port. show lldp traffic Display the information of all kinds of counters. show lldp neighbors interface ethernet <... Display the information of LLDP neighbors...
  • Page 119: Lldp Function Troubleshooting

    Switch B(Config-If-Ethernet1/1)# lldp mode receive Switch B(Config-If-Ethernet1/1)#exit 11.4 LLDP Function Troubleshooting - LLDP function is disabled by default. After enabling the global switch of LLDP, users can enable the debug switch “debug lldp” simultaneously to check debug information. - Using the “show” function of LLDP can display the configuration information in global or port configuration mode.
  • Page 120: Chapter 12 Port Channel Configuration

    Chapter 12 Port Channel Configuration 12.1 Introduction to Port Channel To understand Port Channel, Port Group should be introduced first. Port Group is a group of physical ports at the configuration level; only physical ports in the Port Group can take part in link aggregation and become a member port of a Port Channel.
  • Page 121: Brief Introduction To Lacp

    If a Port Channel is configured manually or dynamically on the switch, the system will automatically set the port with the smallest number to be the Master Port of the Port Channel. If the spanning tree function is enabled in the Chassis Switch, the spanning tree protocol will regard the Port Channel as a logical port and send BPDU frames via the master port.
  • Page 122: Dynamic Lacp Aggregation

    12.2.2 Dynamic LACP Aggregation 1. The summary of the dynamic LACP aggregation Dynamic LACP aggregation is an aggregation created/deleted by the system automatically; it does not allow the user to add or delete the member ports of the dynamic LACP aggregation. Ports which have the same speed and duplex attributes, are connected to the same device and have the same basic configuration can be dynamically aggregated together.
  • Page 123 1. Creating a port group Command Explanation Global Mode port-group <port-group-number> Creates or deletes a port group. no port-group <port-group-number> 2. Add physical ports to the port group Command Explanation Port Mode port-group <port-group-number> mode Adds ports to the port group and sets their {active | passive | on} mode.
  • Page 124: Port Channel Examples

    12.4 Port Channel Examples Scenario 1: Configuring Port Channel in LACP. Figure 12-4-1 Configuring Port Channel in LACP (SwitchA, SwitchB) The switches in the description below are all switches and, as shown in the figure, ports 1, 2, 3, 4 of SwitchA are access ports that belong to VLAN1.
  • Page 125 SwitchA SwitchB Figure 12-4-2 Configuring Port Channel in ON mode Example: As shown in the figure, ports 1, 2, 3, 4 of SwitchA are access ports that belong to VLAN1. Add those four ports to group1 in “on” mode. Ports 6, 8, 9, 10 of SwitchB are access ports that also belong to VLAN1, add these four ports to group2 in “on”...
  • Page 126: Port Channel Troubleshooting

    Configuration result: Add ports 1, 2, 3, 4 of Switch 1 to port-group 1 in order, and we can see a group in “on” mode is completely joined forcedly; the Chassis Switch at the other end won’t exchange LACP BPDU to complete aggregation. Aggregation finishes immediately when the command to add port 2 to port-group 1 is entered: port 1 and port 2 aggregate to be port-channel 1; when port 3 joins port-group 1, port-channel 1 of ports 1 and 2 is ungrouped and re-aggregates with port 3 to form port-channel 1; when port 4 joins port-group 1, port-channel 1...
  • Page 127: Chapter 13 Jumbo Configuration

    Chapter 13 Jumbo Configuration 13.1 Introduction to Jumbo So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames sized within 1519-9000 should be considered jumbo frames. Networks with jumbo frames will increase the speed of the whole network by 2% to 5%.
  • Page 128: Chapter 14 Vlan Configuration

    Chapter 14 VLAN Configuration 14.1 VLAN Configuration 14.1.1 Introduction to VLAN VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices.
  • Page 129: Vlan Configuration Task List

    XGS3 Chassis Switch Ethernet ports can work in three kinds of modes: Access, Hybrid and Trunk; each mode has a different processing method for forwarding tagged or untagged packets. Ports of Access type belong to only one VLAN; usually they are used to connect the ports of computers.
  • Page 130 switchport interface <interface-li st> Assign Chassis Switch ports to VLAN. no switchport interface <interface-li st> 4. Set the Switch Port Type Command Explanation Port Mode Set the current port as Trunk, Access switchport mode {trunk | acce ss | hybrid} Hybrid port.
  • Page 131: Typical Vlan Application

    private-vlan {primary | isolated | community} no private-vlan Configure current VLAN to Private VLAN. The no command deletes private VLAN. 10. Set Private VLAN association Command Explanation VLAN mode private-vlan association <secondary-vlan-list> no private-vlan association Set/delete Private VLAN association. 14.1.3 Typical VLAN Application Scenario:...
  • Page 132 Connect the Trunk ports of both switches for a Trunk link to convey the cross-switch VLA N traffic; connect all network devices to the other ports of corresponding VLA Ns. In this example, port 1 and port 12 is spared and can be used for management port or for other purposes. The configuration steps are listed below: Switch A: XGS 3-42000R(config)#vlan 2...
  • Page 133: Typical Application Of Hybrid Port

    14.1.4 Typical Application of Hybrid Port Scenario: Figure 14-1-3 Typical Application of Hybrid Port (internet, Switch A, Switch B) PC1 connects to the interface Ethernet 1/7 of SwitchB, PC2 connects to the interface Ethernet 1/9 of SwitchB, and Ethernet 1/10 of SwitchA connects to Ethernet 1/10 of SwitchB. It is required that PC1 and PC2 cannot access each other for security reasons, but PC1 and PC2 can access other network resources through the gateway SwitchA.
  • Page 134: Gvrp Configuration

    The configuration steps are listed below: Switch A: XGS3-42000R(config)#vlan 10 XGS3-42000R(Config-Vlan10)#switchport interface ethernet 1/10 Switch B: XGS3-42000R(config)#vlan 7;9;10 XGS3-42000R(config)#interface ethernet 1/7 XGS3-42000R(Config-If-Ethernet1/7)#switchport mode hybrid XGS3-42000R(Config-If-Ethernet1/7)#switchport hybrid native vlan 7 XGS3-42000R(Config-If-Ethernet1/7)#switchport hybrid allowed vlan 7;10 untag XGS3-42000R(Config-If-Ethernet1/7)#exit XGS3-42000R(Config)#interface Ethernet 1/9 XGS3-42000R(Config-If-Ethernet1/9)#switchport mode hybrid...
  • Page 135: Gvrp Configuration Task List

    14.2.2 GVRP Configuration Task List 1. Configuring GARP Timer parameters Command Explanation Port Mode garp timer join <timer-value> no garp timer join garp timer leave <timer-value> no garp timer leave garp timer hold <timer-value>... Configure the hold, join and leave timers for GARP.
  • Page 136: Typical Gvrp Application

    14.2.3 Typical GVRP Application Scenario: Figure 14-2-1 Typical GVRP Application Topology (Switch A, Switch B, Switch C) To enable dynamic VLAN information registration and update among switches, the GVRP protocol is to be configured in the Chassis Switch. Configure GVRP in Switch A, B and C, and enable Switch B to learn VLAN100 dynamically so that the two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
  • Page 137: Gvrp Troubleshooting

    XGS3-42000R(config-If-Ethernet1/11)# gvrp XGS3-42000R(config-If-Ethernet1/11)#exit Switch B: XGS3-42000R(config)# bridge-ext gvrp XGS3-42000R(config)#interface ethernet 1/10 XGS3-42000R(config-If-Ethernet1/10)#switchport mode trunk XGS3-42000R(config-If-Ethernet1/10)# gvrp XGS3-42000R(config-If-Ethernet1/10)#exit XGS3-42000R(config)#interface ethernet 1/11 XGS3-42000R(config-If-Ethernet1/11)#switchport mode trunk XGS3-42000R(config-If-Ethernet1/11)# gvrp XGS3-42000R(config-If-Ethernet1/11)#exit Switch C: XGS3-42000R(config)# gvrp XGS3-42000R(config)#vlan 100 XGS3-42000R(config-Vlan100)#switchport interface ethernet 1/2-6...
  • Page 138: Dot1Q-Tunnel Configuration

    Figure labels (dot1q-tunnel topology): the customer port carries Trunk VLAN 200-300; the port on PE1 is enabled QinQ and belongs to VLAN3; SP networks; Customer networks 1 and 2 attached by Trunk connections and unsymmetrical connections...
  • Page 139: Typical Applications Of The Dot1Q-Tunnel

    dot1q-tunnel enable no dot1q-tunnel enable Enter/exit the dot1q-tunnel mode on the ports. 2. Configure the type of protocol (TPID) on the ports Command Explanation Port mode dot1q-tunnel tpid {0x8100|0x9100|0x9200|<1-65535>} Configure the type of protocol on TRUNK port. 14.3.3 Typical Applications of the Dot1q-tunnel Scenario: Edge switches PE1 and PE2 of the ISP internet forward the VLAN200~300 data between CE1 and CE2 of the...
  • Page 140: Vlan-Translation Configuration

    XGS3-42000R(config-Ethernet1/10)#exit XGS3-42000R(config)# 14.4 VLAN-translation Configuration 14.4.1 Introduction to VLAN-translation VLAN translation, as the name suggests, translates the original VLAN ID to a new VLAN ID according to user requirements so as to exchange data across different VLANs. VLAN translation is classified into ingress translation and egress translation, which translate the VLAN ID at the entrance or the exit respectively.
  • Page 141: Typical Application Of Vlan-Translation

    14.4.3 Typical application of VLAN-translation Scenario: Edge switches PE1 and PE2 of the ISP internet support the VLAN20 data task between CE1 and CE2 of the client network with VLAN3. Port1 of PE1 is connected to CE1, port10 is connected to the public network; port1 of PE2 is connected to CE2, port10 is connected to the public network.
  • Page 142: Vlan-Translation Troubleshooting

    14.4.4 VLAN-translation Troubleshooting - Normally the VLAN-translation is applied on trunk ports. Normally, before using the VLAN-translation, the dot1q-tunnel function needs to be enabled, so that double-tagged data packets are handled and the VLAN is translated normally. 14.5 Dynamic VLAN Configuration 14.5.1 Introduction to Dynamic VLAN The dynamic VLAN is named in correspondence to the static VLAN (namely the port-based VLAN).
  • Page 143 Command Explanation Port Mode switchport mac-vlan enable Enable/disable the MAC-based VLAN no switchport mac-vlan enable function on the port. 2. Set the VLAN to MAC VLAN Command Explanation Global Mode Configure the specified VLA N to MAC mac-vlan vlan <vlan-id> VLAN;...
  • Page 144: Typical Application Of The Dynamic Vlan

    7. Adjust the priority of the dynamic VLAN Command Explanation Global Mode dynamic-vlan mac-vlan prefer dynamic-vlan subnet-vlan prefer Configure the priority of the dynamic VLAN. 14.5.3 Typical Application of the Dynamic VLAN Scenario: In the office network Department A belongs to VLAN100. Several members of this department often need to move within the whole office network.
  • Page 145: Dynamic Vlan Troubleshooting

    SwitchC(Config)#exit SwitchC# 14.5.4 Dynamic VLAN Troubleshooting - On the switch configured with dynamic VLAN, if the two connected pieces of equipment (e.g. PCs) both belong to the same dynamic VLAN, the first communication between the two may not go through.
  • Page 146: Typical Applications Of The Voice Vlan

    Voice VLAN Configuration Task Sequence: 1. Set the VLAN to Voice VLAN 2. Add a voice equipment to Voice VLAN 3. Enable the Voice VLAN on the port 1. Configure the VLAN to Voice VLAN Command Explanation Global Mode voice-vlan vlan <vlan-id> no voice-vlan Set/cancel the VLAN as a Voice VLAN 2.
  • Page 147: Voice Vlan Troubleshooting

    Figure 14-6-1 VLAN typical application topology (Switch, IP-phone1, IP-phone2) Configuration items Configuration Explanation Voice VLAN Global configuration on the Chassis Switch. Configuration procedure: Switch 1: XGS3-42000R(config)#vlan 100 XGS3-42000R(config-Vlan100)#exit XGS3-42000R(config)#voice-vlan vlan 100 XGS3-42000R(config)#voice-vlan mac 00-30-4f-11-22-33 mask 255 priority 5 name company XGS3-42000R(config)#voice-vlan mac 00-30-4f-11-22-55 mask 255 priority 5 name company XGS3-42000R(config)#interface ethernet 1/10 XGS3-42000R(config-If-Ethernet1/10)#switchport mode trunk...
  • Page 148: Chapter 15 Mac Table Configuration

    Chapter 15 MAC Table Configuration 15.1 Introduction to MAC Table The MAC table is a table that identifies the mapping relationship between destination MAC addresses and Chassis Switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses. Static MAC addresses are manually configured by the user, have the highest priority and are permanently effective (will not be overwritten by dynamic MAC addresses);...
  • Page 149: Forward Or Filter

    The topology of the figure above: 4 PCs connected to the switch, where PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/5 of the switch; PC3 and PC4 belong to the same physical segment that connects to port 1/12 of the switch. The initial MAC table contains no address mapping entries.
  • Page 150: Mac Address Table Configuration Task List

    Three types of frames can be forwarded by the Chassis Switch: - Broadcast frame - Multicast frame - Unicast frame The following describes how the Chassis Switch deals with all the three types of frames: - Broadcast frame: The switch can segregate collision domains but not broadcast domains. If no VLAN is set, all devices connected to the Chassis Switch are in the same broadcast domain.
  • Page 151: Typical Configuration Examples

    15.3 Typical Configuration Examples Figure 15-3-1 MAC Table typical configuration example (PC MAC addresses 00-01-11-11-11-11, 00-01-22-22-22-22, 00-01-33-33-33-33 and 00-01-44-44-44-44) Scenario: Four PCs as shown in the above figure connect to ports 1/5, 1/7, 1/9, 1/11 of the Chassis Switch; all four PCs belong to the default VLAN1.
  • Page 152: Mac Address Function Extension

    15.5 MAC Address Function Extension 15.5.1 MAC Address Binding 15.5.1.1 Introduction to MAC Address Binding Most switches support MAC address learning, each port can dynamically learn several MAC addresses, so that forwarding data streams between known MAC addresses within the ports can be achieved. If a MAC address is aged, the packet destined for that entry will be broadcasted.
  • Page 153 Lock the MAC addresse s for a port Command Explanation Port Mode Lock the port, then MA C addresses switchport port-security lock learned will be disabled. The “no no switchport port-security lock switchport port-security lock” command restores the function. Convert dynamic secure MAC addresses switchport port-security convert learned by the port to static secure MAC addresses.
  • Page 154: Chapter 16 Mstp Configuration

    Chapter 16 MSTP Configuration 16.1 Introduction to MSTP The MSTP (Multiple STP) is a new spanning-tree protocol which is based on the STP and the RSTP. It runs on all the bridges of a bridged-LAN. It calculates a common and internal spanning tree (CIST) for the bridged-LAN which consists of the bridges running the MSTP, the RSTP and the STP.
  • Page 155: Operations Within An Mstp Region

    In the above network, if the bridges are running the STP or the RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run the MSTP and are configured in the same MST region, MSTP will treat this region as a bridge.
  • Page 156: Port Roles

    16.1.2 Port Roles The MSTP bridge assigns a port role to each port which runs MSTP. - CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port - On top of those roles, each MSTI port has one new role: Master Port. The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the same ways as those in the RSTP.
  • Page 157 no spanning-tree mst <instance-id> priority spanning-tree priority <bridge-priority> Configure the spanning-t ree priority of the no spanning-tree priority switch. Port Mode spanning-tree mst <instance-id> cost <cost> Set port path cost for specified instance. no spanning-tree mst <instance-id> cost spanning-tree mst <instance-id> port-priority <port-priority>...
  • Page 158 no spanning-tree hello-time messages. spanning-tree maxage <time> Set Aging time for BPDU messages. no spanning-tree maxage spanning-tree max-hop <hop-count> Set Maximum number of hops of no spanning-tree max-hop BPDU messages in the MS TP region. 5. Configure the fa st migrate feature for MSTP Command Explanation Port Mode...
  • Page 159: Mstp Example

    seconds. The no command restores to default setting, enable flush once topology changes. Port Mode spanning-tree tcflush {enable| disable| protect} no spanning-tree tcflush Configure the port flush mode. The no command restores to use the global configured flush mode. 16.3 MSTP Example The following is a typical MSTP application example: Switch1 Switch2...
  • Page 160 Port 1 200000 200000 200000 Port 2 200000 200000 200000 Port 3 200000 200000 Port 4 200000 200000 Port 5 200000 200000 Port 6 200000 200000 Port 7 200000 200000 By default, the MSTP establishes a tree topology (in blue lines) rooted with SwitchA. The ports marked with “x”...
  • Page 161 Switch3: Switch3(config)#vlan 20 Switch3(Config-Vlan20)#exit Switch3(config)#vlan 30 Switch3(Config-Vlan30)#exit Switch3(config)#vlan 40 Switch3(Config-Vlan40)#exit Switch3(config)#vlan 50 Switch3(Config-Vlan50)#exit Switch3(config)#spanning-tree mst configuration Switch3(Config-Mstp-Region)#name mstp Switch3(Config-Mstp-Region)#instance 3 vlan 20;30 Switch3(Config-Mstp-Region)#instance 4 vlan 40;50 Switch3(Config-Mstp-Region)#exit Switch3(config)#interface e1/1-7 Switch3(Config-Port-Range)#s witchport mode trunk Switch3(Config-Port-Range)#exit Switch3(config)#spanning-tree Switch3(config)#spanning-tree mst 3 priority 0 Switch4: Switch4(config)#vlan 20 Switch4(Config-Vlan20)#exit...
  • Page 162 The port 1 in Switch2 is the master port of the instance 3 and the instance 4. The MSTP calculation generates 3 topologies: the instance 0, the instance 3 and the instance 4 (marked with blue lines). The ports with the mark “x” are in the status of discarding. The other ports are in the status of forwarding.
  • Page 163: Mstp Troubleshooting

    Switch2 Switch3 Switch4 Figure 16-3-4 The Topology Of the Instance 4 after the MSTP Calculation 16.4 MSTP Troubleshooting  In order to run the MSTP on the switch port, the MSTP has to be enabled globally. If the MSTP is not enabled globally, it can’t be enabled on the port.
  • Page 164: Chapter 17 Qos Configuration

    Chapter 17 QoS Configuration 17.1 Introduction to QoS QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements.
  • Page 165: Qos Implementation

    In-Profile: Traffic within the QoS policing policy range (bandwidth or burst value) is called “In-Profile". Out-of-Profile: Traffic out of the QoS policing policy range (bandwidth or burst value) is called “Out-of-Profile". 17.1.2 QoS Implementation To implement the Chassis Switch software QoS, a general, mature reference model should be given. QoS can not create new bandwidth, but can maximize the adjustment and configuration for the current bandwidth resource.
  • Page 166 Classification: Classify traffic according to packet classification information and generate internal DSCP value based on the classification information. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this in detail. Figure 17-1-4 Classification process Policing and remark: Each packet in classified ingress traffic is assigned an internal DSCP value and can be policed and remarked.
  • Page 167 Check policing policy, is traffic in-profile? Figure 17-1-5 Policing and Remarking process Queuing and scheduling: Packets at the egress will re-map the internal DSCP value to CoS value, the queuing operation assigns packets to appropriate queues of priority according to the CoS value; while the scheduling operation performs packet forwarding according to the prioritized queue weight.
  • Page 168: Qos Configuration Task List

    Figure 17-1-6 Queuing and Scheduling process 17.2 QoS Configuration Task List 1. Enable QoS QoS can be enabled or disabled in Global Mode. QoS must be enabled first in Global Mode to configure the other QoS commands. 2. Configure class map. Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP, IPv6 FL to classify the data stream.
  • Page 169 Configure queue out to PQ or WRR, set the proportion of the 8 egress queues bandwidth and mapping from internal priority to egress queue. 6. Configure QoS mapping Configure the mapping from CoS to DSCP, DSCP to CoS, DSCP to DSCP mutation, IP precedence to DSCP, and policed DSCP.
  • Page 170 no set {ip dscp <new-dscp> | ip precedence <new-precedence> | ipv6 dscp <new-dscp> | ipv6 flowlabel <new-flowlabel> | ip nexthop <ip-address> | cos } policy <bits_per_second> The non-aggregation policer command <normal_burst_bytes> ({conform-action supporting three colors. Determine (drop | set-dscp-transmit <dscp_value> | whether the working mode of token set-prec-transmit <ip_precedence_value>...
  • Page 171 |set-prec-transmit <ip_precedence_value> |transmit) exceed-action (drop|policed-dscp-transmit |transmit)| violate-action (drop|policed-dscp-transmit| transmit)} | ) no mls qos aggregate-policy Apply a policy set to classified traffic; the policy aggregate <aggregate-policy-name> “no policy aggregate no policy aggregate <aggregate-policy-name>” command <aggregate-policy-name> deletes the specified policy set. 4.
  • Page 172: Qos Example

    Global Mode wrr-queue cos-map <queue-id> <cos1 ... Set CoS value mapping to specified cos8> egress queue; the no command restores no wrr-queue cos-map the default setting. 6. Configure QoS mapping Command Explanation Global Mode mls qos map (cos-dscp <dscp1...dscp8> | Support the configuration of all actions dscp-cos <dscp-list>...
  • Page 173 Configuration result: When QoS is enabled in Global Mode, the egress queue bandwidth proportion of port ethernet 1/1 is 1:1:2:2:4:4:8:8. When packets with a CoS value come in through port ethernet1/1, they are mapped to the egress queue according to the CoS value; CoS values 0 to 7 correspond to egress queues 1, 2, 3, 4, 5, 6, 7, 8, respectively. If the incoming packet has no CoS value, it defaults to 5 and will be put in queue6.
  • Page 174 Configuration result: An ACL named 1 is set to match segment 192.168.1.0. Enable QoS globally, create a class map named c1, matching ACL 1 in the class map; create another policy map named p1 and refer to c1 in p1, set appropriate policies to limit bandwidth and burst value.
  • Page 175: Qos Troubleshooting

    QoS configuration in Switch2: XGS3-42000R#config XGS3-42000R(config)#mls qos XGS3-42000R(config)#interface ethernet 1/1 XGS3-42000R(config-If-Ethernet1/1)#mls qos trust ip-precedence pass-through-qos 17.4 QoS Troubleshooting  QoS is disabled on Chassis Switch ports by default, 8 sending queues are set by default, queue1 forwards normal packets, other queues are used for some important control packets (such as BPDU).
  • Page 176: Chapter 18 Pbr Configuration

    Chapter 18 PBR Configuration 18.1 Introduction to PBR PBR (Policy-Based Routing) is a method which determines the next-hop of the data packets by policy messages such as source address, destination address, IP priority, TOS value, IP protocol, source port No, destination port No, etc.
  • Page 177 XGS3-42000R(config-PolicyMap-p1-Class-c1)#exit XGS3-42000R(config-PolicyMap-p1)#exit XGS3-42000R(config)#interface ethernet 1/1 XGS3-42000R(config-If-Ethernet1/1)#service-policy input p1 Configuration results: First set an ACL a1 with two items. The first item matches source IP segment 192.168.1.0/24 (allowed). The second item matches source IP segment 192.168.1.0/24 and destination IP segment 192.168.0.0/16 (rejected).
  • Page 178: Chapter 19 Ipv6 Pbr Configuration

    Chapter 19 IPv6 PBR Configuration 19.1 Introduction to PBR(Policy-based Router) Policy-based routing provides a more powerful control over the forwarding and store of messages than traditional routing protocol to network managers. Traditionally, routers use the routing table derived from router protocol, and forward according to destination addresses. The policy-based router is more powerful and more flexible than the traditional one, because it enables network managers to choose the forwarding route not only according to destination addresses but also the size of messages, or source IP addresses.
  • Page 179: Pbr Examples

    4. Configure a policy-map Command Explanation Global Configuration Mode policy-map <policy-map-name> Create or delete a policy-map. no policy-map <policy-map-name> 5. Configure to correlate a policy and a class-map Command Explanation Policy-map Mode class <class-map-name> Correlate with a class, and enter the no class <class-map-name>...
  • Page 180: Pbr Troubleshooting Help

    XGS3-42000R(config-if-Vlan3)#ipv6 address 3100::1/64 XGS3-42000R(config-if-Vlan3)#ipv6 neighbor 3100::2 00-00-00-00-00-03 interface Ethernet 1/5 XGS3-42000R(config)# ipv6 access-list extended b1 XGS3-42000R(config-IPv6-Ext-Nacl-b1)# permit tcp 2000::/64 any-destination XGS3-42000R(config-IPv6-Ext-Nacl-b1)#exit XGS3-42000R(config)#mls qos XGS3-42000R(config)#class-map c1 XGS3-42000R(config-ClassMap)#match ipv6 access-group b1 XGS3-42000R(config-ClassMap)# exit XGS3-42000R(config)#policy-map p1 XGS3-42000R(config-PolicyMap)#class c1...
  • Page 181: Chapter 20 Flow-Based Redirection

    Chapter 20 Flow-based Redirection 20.1 Introduction to Flow-based Redirection The flow-based redirection function enables the Chassis Switch to transmit the data frames meeting some special condition (specified by ACL) to another specified port. The frames meeting the same special condition are called a class of flow, the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
  • Page 182: Flow-Based Redirection Examples

    20.3 Flow-based Redirection Examples Example: User’s request of configuration is listed as follows: redirecting the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is sending the frames whose source IP is 192.168.1.111 received from port 1 through port 6.
  • Page 183: Chapter 21 Layer 3 Forward Configuration

    Chapter 21 Layer 3 Forward Configuration The Chassis Switch supports Layer 3 forwarding, which forwards Layer 3 protocol packets (IP packets) across VLANs. Such forwarding uses IP addresses: when an interface receives an IP packet, it performs a lookup in its own routing table and decides the operation according to the lookup result.
  • Page 184: Ip Configuration

    Creates a VLAN interface (VLAN interface is a Layer 3 interface); the no command deletes interface vlan <vlan-id> the VLAN interface (Layer 3 interface) no interface vlan <vlan-id> created in the Chassis Switch. Creates a Loopback interface then enter the loopback Port Mode;...
  • Page 185 Although the combination of CIDR, NAT and private addressing has temporarily mitigated the problem of IPv4 address space shortage, NAT technology has disrupted the end-to-end model which is the original intention of IP design by making it necessary for router devices that serve as network intermediate nodes to maintain every connection status which increases network delay greatly and decreases network performance.
  • Page 186: Ip Configuration

    Multicast addresses increased and the support for multicast has enhanced. By dealing with IPv4 broadcast functions such as Router Discovery and Router Query, IPv6 multicast has completely replaced IPv4 broadcast in the sense of function. Multicast not only saves network bandwidth, but enhances network efficiency as well.
  • Page 187 DHCPv6 (15) Set the flag representing whether the address information will be obtained via DHCPv6 3. IPv6 Tunnel configuration (1) Create/Delete Tunnel (2) Configure tunnel description (3) Configure Tunnel Source (4) Configure Tunnel Destination (5) Configure Tunnel Next-Hop (6) Configure Tunnel Mode (7) Configure Tunnel Routing 1.
  • Page 188 ipv6 route <ipv6-prefix/prefix-length> {<nexthop-ipv6-address> |<interface-type interface-number> | {<nexthop-ipv6-address> <interface-type interface-number>}} [distance] Configure IPv6 static routing. no ipv6 route command cancels IPv6 static routing. <ipv6-prefix/prefix-length> {<nexthop-ipv6-address> |<interface-type interface-number> |{<nexthop-ipv6-address> <interface-type interface-number>}} [distance] 2.
  • Page 189 (5) Configure router advertisement Minimum Interval Command Description Interface Configuration Mode ipv6 nd min-ra-interval <seconds> Configure the minimum interval for router no ipv6 nd min-ra-interval advertisement. The NO command resumes <seconds> default value (200 seconds). (6) Configure router advertisement Maximum Interval Command Explanation Interface Configuration Mode...
  • Page 190 (9) Delete all entries in IPv6 neighbor table Command Explanation Admin Mode clear ipv6 neighbors Clear all static neighbor table entries. (10) Set the hoplimit of sending router advertisement Command Explanation Interface Configuration Mode ipv6 nd ra-hoplimit <value> Set the hoplimit of sending router advertisement.
  • Page 191 3. IPv6 Tunnel Configuration (1) Add/Delete tunnel Command Explanation Global mode interface tunnel <tnl-id> Create a tunnel. The NO command deletes a no interface tunnel <tnl-id> tunnel. (2) Configure tunnel description Command Explanation Tunnel Configuration Mode description <desc> Configure tunnel description. The NO command no description <desc>...
  • Page 192: Ip Configuration Examples

    (6) Configure Tunnel Mode Command Explanation Tunnel Configuration Mode tunnel mode ipv6ip [6to4 | isatap] Configure tunnel mode. The NO command no tunnel mode ipv6ip [6to4 | clears tunnel mode. isatap] (7) Configure Tunnel Routing Command Explanation Global mode ipv6 route <ipv6-address/prefix-length>...
  • Page 193 4. Configure IPv4 address 192.168.2.2 255.255.255.0 in VLAN2 of Switch2, and configure IPv4 address 192.168.3.1 255.255.255.0 in VLAN3. 5. The IPv4 address of PC1 is 192.168.1.100 255.255.255.0, and the IPv4 address of PC2 is 192.168.3.100 255.255.255.0.
  • Page 194 21.2.3.2 Configuration Examples of IPv6 Example 1: Switch2 Switch1 Figure 21-2-2 IPv6 configuration example The user’s configuration requirements are: Configure IPv6 address of different network segments on Switch1 and Switch2, configure static routing and validate reachability using ping6 function. Configuration Description: 1....
  • Page 195 Switch2(Config)#interface vlan 3 Switch2(Config-if-Vlan3)#ipv6 address 2003::1/64 Switch2(Config-if-Vlan3)#exit Switch2(Config)#ipv6 route 2001::33/64 2002::1 Switch1#ping6 2003::33 Configuration result: Switch1#show run interface Vlan1 ipv6 address 2001::1/64 interface Vlan2 ipv6 address 2002::2/64 interface Loopback mtu 3924 ipv6 route 2003::/64 2002::2 no login Switch2#show run interface Vlan2 ipv6 address 2002::2/64 interface Vlan3...
  • Page 196 Example 2: SwitchC SwitchA SwitchB PC-A PC-B Figure 21-2-3 IPv6 tunnel This case is IPv6 tunnel with the following user configuration requirements: SwitchA and SwitchB are tunnel nodes, dual-stack is supported. SwitchC only runs IPv4, PC-A and PC-B communicate. Configuration Description: Configure two vlans on SwitchA, namely, VLAN1 and VLAN2.
  • Page 197: Ipv6 Troubleshooting

    The configuration procedure is as follows: SwitchA(config)#ipv6 enable SwitchA(Config-if-Vlan1)#ipv6 address 2002:caca:ca01:2::1/64 SwitchA(Config-if-Vlan1)#no ipv6 nd suppress-ra SwitchA(Config-if-Vlan1)#interface vlan 2 SwitchA(Config-if-Vlan2)#ipv4 address 202.202.202.1 255.255.255.0 SwitchA(Config-if-Vlan1)#exit SwitchA(config)# interface tunnel 1 SwitchA(Config-if-Tunnel1)#tunnel source 202.202.202.1 SwitchA(Config-if-Tunnel1)#tunnel destination 203.203.203.1 SwitchA(Config-if-Tunnel1)#tunnel mode ipv6ip SwitchA(config)#ipv6 route ::/0 tunnel1 SwitchB(config)#ipv6 enable SwitchB(Config-if-Vlan4)#ipv6 address 2002:cbcb:cb01::2/64 SwitchB(Config-if-Vlan4)#no ipv6 nd suppress-ra...
  • Page 198: Urpf

    IP route aggregation configuration task: 1. Set whether IP route aggregation algorithm with/without optimization should be used 1. Set whether IP route aggregation algorithm with/without optimization should be used Command Explanation Global Mode Enables the switch to use optimized IP route ip fib optimize aggregation algorithm;...
  • Page 199: Urpf Configuration Task Sequence

    21.4.1.1 IP URPF Operating Mechanism At present the URPF relies on the ACL function provided by the Chassis Switch chips. Firstly, globally enable the URPF function to monitor the changes in the routing table: create a corresponding URPF permit ACL rule for each route in the routing table FIB. In URPF strict mode, the format of ACL rules is: the source address segments of inbound packets + the ingress interface VID of inbound packets.
  • Page 200: Urpf Typical Example

    debug l4driver urpf {notice |warning Enable the URPF debug function to display |error|} error information if failures occur during the no debug l4driver urpf {notice | warning | installation of URPF rules. error|} Admin and Config Mode Display which interfaces have been show urpf...
  • Page 201: Urpf Troubleshooting

    21.4.4 URPF Troubleshooting Proper operation of the URPF protocol depends greatly on whether the corresponding URPF rules can be applied correctly. If the function does not meet expectations after the URPF configuration is done:  Check if the Chassis Switch has been configured with rules conflicting with URPF (URPF priority is lower than ACL); the ACL rules take effect if a conflict exists.
  • Page 202 2. Configure proxy ARP Command Explanation VLAN Port Mode ip proxy-arp Enables the proxy ARP function for Ethernet no ip proxy-arp ports: the no command disables the proxy ARP. 3. Clear dynamic ARP Command Explanation Admin mode The command clear arp-cache clears the clear arp-cache content of current ARP table, but it does not clear the current static ARP table.
  • Page 203: Arp Troubleshooting

    21.5.3 ARP Troubleshooting If ping from the switch to directly connected network devices fails, the following can be used to check the possible cause and create a solution.  Check whether the corresponding ARP has been learned by the Chassis Switch. ...
  • Page 204: Chapter 22 Arp Scanning Prevention Function Configuration

    Chapter 22 ARP Scanning Prevention Function Configuration 22.1 Introduction to ARP Scanning Prevention Function ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source will broadcast lots of ARP messages in the segment, which will take up a large part of the bandwidth of the network.
  • Page 205 2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention Command Explanation Global configuration mode anti-arpscan port-based threshold <threshold-value> Set the threshold of the port-based no anti-arpscan port-based ARP Scanning Prevention. threshold anti-arpscan ip-based threshold Set the threshold of the IP-based ARP <threshold-value>...
  • Page 206: Arp Scanning Prevention Typical Examples

    Admin Mode debug anti-arpscan <port | ip> Enable or disable the debug switch of ARP no debug anti-arpscan <port | ip> scanning prevention. 22.3 ARP Scanning Prevention Typical Examples SWITCH B E1/1 E1/19 SWITCH A E1/2 E1/2 Server 192.168.1.100/24 Figure 22-3-1 ARP scanning prevention typical configuration example In the network topology above, port E1/1 of SWITCH B is connected to port E1/19 of SWITCH A, the port E1/2 of SWITCH A is connected to file server (IP address is 192.168.
  • Page 207: Arp Scanning Prevention Troubleshooting Help

    SWITCHB configuration task sequence: SwitchB(config)#anti-arpscan enable SwitchB(config)#interface ethernet1/1 SwitchB(Config-If-Ethernet1/1)#anti-arpscan trust port SwitchB(Config-If-Ethernet1/1)#exit 22.4 ARP Scanning Prevention Troubleshooting Help  ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, “debug anti-arpscan”, to view debug information.
  • Page 208: Chapter 23 Prevent Arp, Nd Spoofing Configuration

    Chapter 23 Prevent ARP, ND Spoofing Configuration 23.1 Overview 23.1.1 ARP (Address Resolution Protocol) Generally speaking, the ARP (RFC-826) protocol is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-30-4f-FD-1D-2B.
  • Page 209: Prevent Arp, Nd Spoofing Configuration

    we do in the same way as preventing ARP spoofing to prevent ND spoofing and attack. 23.2 Prevent ARP, ND Spoofing configuration The steps of preventing ARP, ND spoofing configuration are as below: Disable ARP, ND automatic update function Disable ARP, ND automatic learning function Changing dynamic ARP, ND to static ARP, ND 1.
  • Page 210 IP:192.168.2.1; mac: 01-01-01-01-01-01 IP:192.168.1.2; mac: 02-02-02-02-02-02 IP:192.168.2.3; mac: 03-03-03-03-03-03 There is normal communication between B and C in the above diagram. A wants the switch to forward the packets sent by B to itself, so it needs the switch to deliver to A the packets B sends to C. First, A sends an ARP reply packet to the switch with the content 192.168.2.3, 01-01-01-01-01-01, mapping its own MAC address to C’s IP, so the switch changes the IP-to-MAC mapping when it updates its ARP list; then data packets destined for 192.168.2.3 are forwarded to 01-01-01-01-01-01 (A’s MAC address).
  • Page 211: Chapter 24 Arp Guard Configuration

    Chapter 24 ARP GUARD Configuration 24.1 Introduction to ARP GUARD There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address. This provides a chance for ARP cheating.
  • Page 212: Arp Guard Configuration Task List

    24.2 ARP GUARD Configuration Task List 1. Configure the protected IP address Command Explanation Port configuration mode arp-guard ip <addr> Configure/delete ARP GUARD address no arp-guard ip <addr> 24-2...
  • Page 213: Chapter 25 Arp Local Proxy Configuration

    Chapter 25 ARP Local Proxy Configuration 25.1 Introduction to ARP Local Proxy function In a real application environment, the switches in the aggregation layer are required to implement local ARP proxy function to avoid ARP cheating. This function will restrict the forwarding of ARP messages in the same vlan and thus direct the L3 forwarding of the data flow through the switch.
  • Page 214: Arp Local Proxy Function Configuration Task List

    25.2 ARP Local Proxy Function Configuration Task List 1. Enable/disable ARP local proxy function Command Explanation Interface vlan mode ip local proxy-arp Enable or disable ARP local proxy function. no ip local proxy-arp 25.3 Typical Examples of ARP Local Proxy Function As shown in the following figure, S1 is a medium/high-level layer-3 switch supporting ARP local proxy, S2 is a layer-2 access switch supporting interface isolation.
  • Page 215: Arp Local Proxy Function Troubleshooting

    25.4 ARP Local Proxy Function Troubleshooting ARP local proxy function is disabled by default. Users can view the current configuration with the display command. With correct configuration, by enabling ARP debugging, users can check whether the ARP proxy is working normally and sending proxy ARP messages.
  • Page 216: Chapter 26 Gratuitous Arp Configuration

    Chapter 26 Gratuitous ARP Configuration 26.1 Introduction to Gratuitous ARP Gratuitous ARP is a kind of ARP request that is sent by the host with its own IP address as the destination of the ARP request. The basic working mode for XGS3 Chassis Switches is as below: The Layer 3 interfaces of the Chassis Switch can be configured to advertise gratuitous ARP packets periodically, or the Chassis Switch can be configured to send gratuitous ARP packets on all the interfaces globally.
  • Page 217: Gratuitous Arp Configuration Example

    26.3 Gratuitous ARP Configuration Example Switch Interface vlan10 Interface vlan1 192.168.15.254 192.168.14.254 255.255.255.0 255.255.255.0 Figure 26-3-1 Gratuitous ARP Configuration Example In the network topology shown in the figure above, interface VLAN10 in the switch system has IP address 192.168.15.254 and network address mask 255.255.255.0. Three PCs – PC3, PC4, PC5 are connected to the interface.
  • Page 218: Chapter 27 Nd Snooping Configuration

    Chapter 27 ND Snooping Configuration 27.1 Introduction to ND Snooping The purpose of the ND snooping module is to use the Control Packet Snooping (CPS) mechanism to check the validity of access packets by binding the source IPv6 address to anchor information, so as to permit the matched packets and drop the unmatched packets, thereby controlling access of the directly connected IPv6 nodes.
  • Page 219 2. Configure the lifetime of ND Snooping Explanation Command Global mode Reset binding lifetime [no] ipv6 nd snooping max-sac-lifetime <max-sac-lifetime> or 2 hours for <max-sac-lifetime> SAC_BOUND. Reset binding lifetime [no] ipv6 nd snooping max-dad-delay <max-dad-delay> or 1 second for <max-dad-delay>...
  • Page 220: Nd Snooping Example

    27.3 ND Snooping Example Typical example: The application environment of ND Snooping is shown in the following figure: Figure 27-3-1 ND Snooping typical configuration The configuration explanation: SW2 is a layer 3 switch; it connects to the layer 2 switch SW1, and enables the IPv6 function and RA function. SW1 is a layer 2 switch; it enables the IPv6 function and ND Snooping, and enables the control function of ND snooping on the ports which connect the three PC nodes.
  • Page 221: Nd Snooping Troubleshooting

    IPv6 address                 MAC address          Port ID
    FE80::2AA:FF:FE9A:4CA2       02-AA-00-9A-4C-A2
    2001::2AA:FF:FE9A:4CA2       02-AA-00-9A-4C-A2
    2001::23:4A:1122:C411        02-AA-00-9A-4C-A2
    FE80::BB:FF:FE9A:4CA2        02-BB-00-9A-4C-A2
    2001::2BB:FF:FE9A:4CA2       02-BB-00-9A-4C-A2
    2001::32:4B:2211:11C4        02-BB-00-9A-4C-A2
    FE80::CC:FF:FE9A:4CA2        02-CC-00-9A-4C-A2
    2001::2CC:FF:FE9A:4CA2       02-CC-00-9A-4C-A2
    2001::22:4A:1133:C422        02-CC-00-9A-4C-A2
    If the three PCs do not receive the corresponding DAD NA packets within the set time, then ports 1/1, 1/2 and 1/3 send binding entries to the FFP hardware driver according to the dynamic binding table.
  • Page 222: Chapter 28 Dhcp Configuration

    Chapter 28 DHCP Configuration 28.1 Introduction to DHCP DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP address dynamically from the address pool as well as other network configuration parameters such as default gateway, DNS server, and default route and host image file position within the network.
  • Page 223: Dhcp Server Configuration

    dynamically is the same as the lease period of the address pool, and is limited; the lease of manually bound IP address is theoretically endless. 3) Dynamically allocated address cannot be bound manually. 4) Dynamic DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the related segment.
  • Page 224 Configure Domain name for DHCP clients; domain-name <domain> the “no domain-name” command deletes no domain-name the domain name. netbios-name-server [<address1>[<address2> […<address8> Configure the address for WINS server. The no operation cancels the address for server. no netbios-name-server netbios-node-type Configure node type for DHCP clients. The {b-node|h-node |m-node|p-node|<type-number>} no operation cancels the node type for...
  • Page 225: Dhcp Relay Configuration

    client-name <name> Configure/delete a client name when no client-name binding address manually. 3. Enable logging for address conflicts Command Explanation Global Mode ip dhcp conflict logging Enable/disable logging for DHCP address to no ip dhcp conflict logging detect address conflicts. Admin Mode Delete a single address conflict record or all clear ip dhcp conflict <address | all >...
  • Page 226: Dhcp Configuration Examples

    1. Enable DHCP relay. Command Explanation Global Mode service dhcp DHCP server and DHCP relay is enabled as the no service dhcp DHCP service is enabled. 2. Configure DHCP relay to forward DHCP broadcast packet. Command Explanation Global Mode ip forward-protocol udp bootps...
  • Page 227 XGS3-42000R(config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201 XGS3-42000R(config)#ip dhcp pool B XGS3-42000R(dhcp-B-config)#network 10.16.2.0 24 XGS3-42000R(dhcp-B-config)#lease 1 XGS3-42000R(dhcp-B-config)#default-route 10.16.2.200 10.16.2.201 XGS3-42000R(dhcp-B-config)#dns-server 10.16.2.202 XGS3-42000R(dhcp-B-config)#option 72 ip 10.16.2.209 XGS3-42000R(dhcp-config)#exit XGS3-42000R(config)#ip dhcp excluded-address 10.16.2.200 10.
  • Page 228: Dhcp Troubleshooting

    As shown in the above figure, the route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10, the TFTP server address is 10.1.1.20, and the configuration steps are as follows: XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0 XGS3-42000R(config-if-Vlan1)#exit XGS3-42000R(config)#vlan 2 XGS3-42000R(config-Vlan-2)#exit...
  • Page 229: Chapter 29 Dhcpv6 Configuration

    Chapter 29 DHCPv6 Configuration 29.1 Introduction to DHCPv6 DHCPv6 [RFC3315] is the IPv6 version for Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 address as well as other network configuration parameters such as DNS address, and domain name to DHCPv6 client, DHCPv6 is a conditional auto address configuration protocol relative to IPv6.
  • Page 230: Server Configuration

    The above four steps finish a Dynamic host configuration assignment process. However, if the DHCPv6 server and the DHCPv6 client are not in the same network, the server will not receive the DHCPv6 broadcast packets sent by the client, therefore no DHCPv6 packets will be sent to the client by the server. In this case, a DHCPv6 relay is required to forward such DHCPv6 packets so that the DHCPv6 packets exchange can be completed between the DHCPv6 client and server.
  • Page 231: Relay Del Egation Configuration

    (2)To configure parameter of DHCPv6 address pool Command Explanation DHCPv6 address pool Configuration Mode network-address <ipv6-pool-start-address> To configure the range of IPv6 address {<ipv6-pool-end-address> | assignable of address pool. <prefix-length>} [eui-64] no network-address dns-server <ipv6-address> To configure DNS server address for no dns-server <ipv6-address>...
  • Page 232: Prefix Del Egation Server Configuration

    2. To configure DHCPv6 relay delegation on port Command Explanation Interface Configuration Mode ipv6 dhcp relay destination { [<ipv6-address> ] [ interface To specify the destination address of { <interface-name> | vlan <1-4096> } ] } DHCPv6 relay transmit; The no form of no ipv6 dhcp relay destination this command deletes the configuration.
  • Page 233: Prefix Del Egation Client Configuration

    (2)To configure prefix delegation pool used by DHCPv6 address pool Command Explanation DHCPv6 address pool Configuration Mode prefix-delegation pool <poolname> To specify prefix delegation pool used by [lifetime { <valid-time> | infinity} DHCPv6 address pool, and assign usable { <preferred-time>...
  • Page 234: Configuration Examples

    Command Explanation Global Mode service dhcpv6 To enable DHCPv6 service. no service dhcpv6 2. To enable DHCPv6 prefix delegation client function on port Command Explanation Interface Configuration Mode To enable client prefix delegation request ipv6 dhcp client pd <prefix-name> function on specified port, and the prefix [rapid-commit] obtained associate with universal prefix...
  • Page 235 Usage guide: Switch3 configuration: Switch3>enable Switch3#config Switch3(config)#ipv6 enable Switch3(config)#service dhcpv6 Switch3(config)#ipv6 dhcp pool EastDormPool Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100 Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1 Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20 Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21 Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.com Switch3(dhcpv6-EastDormPool-config)#lifetime 1000 600 Switch3(dhcpv6-EastDormPool-config)#exit Switch3(config)#interface vlan 1 Switch3(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::1/64 Switch3(Config-if-Vlan1)#exit Switch3(config)#interface vlan 10 Switch3(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::1/64...
  • Page 236 Example2: When the network operator is deploying IPv6 networks, network configuration can be achieved automatically through the prefix delegation allocation of IPv6 addresses, instead of configuring each switch manually: Configure the switching or routing device which is connected to the client switch as DHCPv6 prefix delegation server, that is, set up a local database for the relationship between the allocated prefix and the DUID of the client switch.
  • Page 237
    Switch2(config)#ipv6 local pool client-prefix-pool 2001:da8:1800::/40 48
    Switch2(config)#ipv6 dhcp pool dhcp-pool
    Switch2(dhcpv6-dhcp-pool-config)#prefix-delegation pool client-prefix-pool 1800 600
    Switch2(dhcpv6-dhcp-pool-config)#exit
    Switch2(config)#interface vlan 2
    Switch2(Config-if-Vlan2)#ipv6 dhcp server dhcp-pool
    Switch2(Config-if-Vlan2)#exit
    Switch1 configuration
    Switch1>enable
    Switch1#config
    Switch1(config)#ipv6 enable
    Switch1(config)#service dhcpv6
    Switch1(config)#interface vlan 2
    Switch1(Config-if-Vlan2)#ipv6 dhcp client pd prefix-from-provider
    Switch1(Config-if-Vlan2)#exit
    Switch1(config)#interface vlan 3
    Switch1(Config-if-Vlan3)#ipv6 address prefix-from-provider 0:0:0:1::1/64...
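The address arithmetic behind the prefix-delegation example above, as an added example that is not part of the manual and not PLANET firmware code. The server side hands out a /48 from the local pool 2001:da8:1800::/40 (delegation length 48, as in the Switch2 configuration) and can check that a recorded binding really lies in that pool; the client side shows how an interface address is formed when a delegated prefix is combined with a locally configured suffix such as 0:0:0:1::1/64 (the Switch1 step). The pool, prefixes and suffixes are taken from the example; the function names are this example's own.

```python
"""Added example (not from the Planet manual or its firmware): DHCPv6 prefix
delegation address arithmetic for the Switch1/Switch2 example."""
import ipaddress


def next_free_delegation(pool, delegation_len, in_use):
    """Server side: first sub-prefix of the pool with the configured
    delegation length that is not already bound to a client DUID."""
    p = ipaddress.IPv6Network(pool)
    used = {ipaddress.IPv6Network(x) for x in in_use}
    for cand in p.subnets(new_prefix=delegation_len):
        if cand not in used:
            return str(cand)
    return None


def pool_delegates(pool, delegated, delegation_len):
    """Server-side sanity check on a binding: the delegated prefix must lie
    inside the pool and have exactly the configured delegation length."""
    p = ipaddress.IPv6Network(pool)
    d = ipaddress.IPv6Network(delegated)
    return d.prefixlen == delegation_len and d.subnet_of(p)


def general_prefix_address(delegated, suffix):
    """Client side ('ipv6 address <general-prefix> 0:0:0:1::1/64'): the top
    bits come from the delegated prefix, the remaining bits from the suffix.
    Returns 'address/prefixlen' for the interface."""
    d = ipaddress.IPv6Network(delegated)
    s = ipaddress.IPv6Interface(suffix)
    if s.network.prefixlen < d.prefixlen:
        raise ValueError("suffix prefix length is shorter than the delegated prefix")
    provider_bits = int(d.netmask)            # bits owned by the provider
    if int(s.ip) & provider_bits:
        raise ValueError("suffix sets bits inside the delegated prefix")
    addr = int(d.network_address) | int(s.ip)
    return f"{ipaddress.IPv6Address(addr)}/{s.network.prefixlen}"


if __name__ == "__main__":
    # Constructed walk-through of the example: one /48 already delegated.
    delegated = next_free_delegation("2001:da8:1800::/40", 48, ["2001:da8:1800::/48"])
    print("server delegates", delegated)
    print("vlan 3 address  ", general_prefix_address(delegated, "0:0:0:1::1/64"))
```

Running the block prints the next /48 the server would hand out and the vlan 3 address the client derives from it; the ValueError branches are the two misconfigurations worth catching (a suffix shorter than the delegation, or a suffix that tries to override provider-owned bits).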
  • Page 238: Dhcpv6 Troubleshooting

    29.7 DHCPv6 Troubleshooting If DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, follow these steps once the DHCPv6 client hardware and cabling have been verified:  Verify that the DHCPv6 server is running, and start the DHCPv6 server function if it is not; ...
  • Page 239: Chapter 30 Dhcp Option 82 Configuration

    Chapter 30 DHCP option 82 Configuration 30.1 Introduction to DHCP option 82 DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address assignment policy. The Relay Agent adds option 82 (including the client's physical access port, the access device ID and other information) to the DHCP request message from the client, then forwards the message to the DHCP server.
  • Page 240: Option 82 Working Mechanism

    30.1.2 option 82 Working Mechanism [Figure 30-1-1 DHCP option 82 flow chart: DHCP Client -> DHCP Request -> DHCP Relay Agent -> DHCP Request + Option 82 -> DHCP Server; DHCP Server -> DHCP Reply + Option 82 -> DHCP Relay Agent -> DHCP Reply -> DHCP Client] If the DHCP Relay Agent supports option 82, the DHCP client still goes through the usual four steps to get its IP address from the DHCP server: discover, offer, request (select) and acknowledge.
  • Page 241 1. Enabling the DHCP option 82 of the Relay Agent. Command (global mode): ip dhcp relay information option / no ip dhcp relay information option. Explanation: enables the option 82 function of the switch Relay Agent; the no form disables it.
  • Page 242: Dhcp Option 82 Application Examples

    3. Enable the DHCP option 82 of the server. Command (global mode): ip dhcp server relay information enable / no ip dhcp server relay information enable. Explanation: enables the switch DHCP server to recognize option 82; the no form makes the server ignore option 82.
  • Page 243 The following is the configuration of Switch3 (MAC address 00:03:0f:02:33:01):
    Switch3(config)#service dhcp
    Switch3(config)#ip dhcp relay information option
    Switch3(config)#ip forward-protocol udp bootps
    Switch3(Config-if-vlan3)#ip address 192.168.10.222 255.255.255.0
    Switch3(Config-if-vlan2)#ip address 192.168.102.2 255.255.255.0
    Switch3(Config-if-vlan2)#ip helper 192.168.10.88
    The Linux ISC DHCP server supports option 82; its configuration file /etc/dhcpd.conf is:
    ddns-update-style interim; ignore client-updates;...
  • Page 244: Chapter 31 Dhcp Snooping Configuration

    Chapter 31 DHCP Snooping Configuration 31.1 Introduction to DHCP Snooping DHCP Snooping means that the switch monitors the process by which DHCP clients obtain addresses over the DHCP protocol. It prevents DHCP attacks and rogue DHCP servers by distinguishing trusted ports from untrusted ports: DHCP server messages are accepted only on trusted ports, and DHCP messages arriving on trusted ports are forwarded without being verified.
  • Page 245: Dhcp Snooping Configuration Task Sequence

    31.2 DHCP Snooping Configuration Task Sequence
    1. Enable DHCP Snooping
    2. Enable DHCP Snooping binding function
    3. Enable DHCP Snooping binding ARP function
    4. Enable DHCP Snooping option82 function
    5. Set the private packet version
    6. Set DES encrypted key for private packets
    7. Set helper server address
    8. Set trusted ports
    9. Enable DHCP Snooping binding DOT1X function
    10.
  • Page 246 5. Set the private packet version. Command (global mode): ip user private packet version two / no ip user private packet version two. Explanation: configure or delete the private packet version. 6. Set the DES encrypted key for private packets. Command (global mode): enable trustview key 0/7 <password>...
  • Page 247: Dhcp Snooping Typical Application

    <mac> address <ipAddr> <mask> vlan <vid> interface (ethernet|) <ifname> / no ip dhcp snooping binding user <mac> interface (ethernet|) <ifname>. Explanation: configure or delete DHCP snooping binding entries. 12. Set defense actions. Command (port mode): ip dhcp snooping action {shutdown|blackhole} [recovery <second>... Explanation: set or delete the DHCP snooping automatic...
  • Page 248: Dhcp Snooping Troubleshooting Help

    As shown in the chart above, the Mac-AA device is the normal user, connected to the untrusted port 1/1 of the switch. It runs a DHCP client and holds IP 1.1.1.5; the DHCP server and the gateway are connected to the trusted ports 1/11 and 1/12 of the switch; the malicious user Mac-BB is connected to the untrusted port 1/10 and tries to pose as a DHCP server (by sending DHCPACK).
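A working model of the two mechanisms from Chapter 30 and Chapter 31, as an added example; this is not code from the manual and not PLANET firmware code. The relay function appends option 82 (sub-option 1 circuit-id for the client's access port, sub-option 2 remote-id for the relay) to a client request and sets giaddr, the server-side parser splits it back out, and the snooper applies the trust-port rule: server messages (OFFER, ACK, NAK) are dropped unless they arrive on a trusted port, client messages on untrusted ports must carry the sender's own MAC in chaddr, and the server's ACK on a trusted port produces a binding of client MAC to IP, access port and lease. The packet layout follows RFC 2131 and RFC 3046; the port names, MAC addresses and packets below are constructed to replay the 31.3 topology (Mac-AA on untrusted 1/1, server on trusted 1/11, Mac-BB on untrusted 1/10 sending a forged DHCPACK).

```python
"""Added example (not from the Planet manual or its firmware): DHCP option 82
insertion/parsing and DHCP snooping trust-port logic over constructed packets."""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 51, 53, 82, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", options=(), xid=0x1234):
    """236-byte BOOTP header, magic cookie, then TLV options ending in 255."""
    op = 2 if msg_type in SERVER_MSGS else 1                 # BOOTREPLY / BOOTREQUEST
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + DHCP_MAGIC + body + bytes([OPT_END])


def parse_tlv(raw, end=None):
    """Walk code/length/value triples; used for options and option 82 sub-options."""
    out, i = {}, 0
    while i < len(raw) and raw[i] != end:
        if raw[i] == 0 and end is not None:                  # pad byte in the options field
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        out[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_options(pkt):
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    return parse_tlv(pkt[240:], end=OPT_END)


def relay_add_option82(pkt, giaddr, circuit_id, remote_id):
    """'ip dhcp relay information option': set giaddr to the relay address and
    append option 82 with sub-option 1 (circuit-id, the client's access port)
    and sub-option 2 (remote-id, the relay's identity) before forwarding."""
    sub = (bytes([1, len(circuit_id)]) + circuit_id +
           bytes([2, len(remote_id)]) + remote_id)
    pkt = pkt[:24] + socket.inet_aton(giaddr) + pkt[28:]        # giaddr = bytes 24..27
    return pkt[:-1] + bytes([OPT_RELAY_INFO, len(sub)]) + sub + bytes([OPT_END])


def parse_option82(pkt):
    """Server side: {1: circuit-id, 2: remote-id}, or {} if option 82 is absent."""
    return parse_tlv(parse_options(pkt).get(OPT_RELAY_INFO, b""))


class DhcpSnooper:
    """Trust-port logic from 31.1: server messages are accepted only from
    trusted ports; client messages are tracked so that the server's ACK
    yields a binding (client MAC -> IP, access port, lease)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}      # client MAC -> port its request arrived on
        self.bindings = {}     # client MAC -> (ip, port, lease seconds)

    def inspect(self, port, src_mac, pkt):
        """Return 'forward' or 'drop' for a packet seen on a port."""
        opts = parse_options(pkt)
        msg_type = opts[OPT_MSG_TYPE][0]
        chaddr = pkt[28:34].hex(":")
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"          # a server answering from an untrusted port
            if msg_type == ACK and chaddr in self.pending:
                lease = struct.unpack("!I", opts[OPT_LEASE])[0]
                self.bindings[chaddr] = (socket.inet_ntoa(pkt[16:20]),
                                         self.pending.pop(chaddr), lease)
            return "forward"
        if port not in self.trusted and chaddr != src_mac:
            return "drop"              # chaddr does not match the sending MAC
        self.pending[chaddr] = port
        return "forward"


def scenario():
    """Replay the 31.3 topology; returns the verdicts and the binding table."""
    mac_aa, mac_bb = b"\x00\x11\x22\x33\x44\xaa", b"\x00\x11\x22\x33\x44\xbb"
    snoop = DhcpSnooper(trusted_ports={"1/11", "1/12"})
    lease = [(OPT_LEASE, struct.pack("!I", 3600))]
    verdicts = [snoop.inspect("1/1", mac_aa.hex(":"), build_dhcp(REQUEST, mac_aa))]
    fake = build_dhcp(ACK, mac_aa, yiaddr="1.1.1.99", options=lease)  # Mac-BB's forgery
    verdicts.append(snoop.inspect("1/10", mac_bb.hex(":"), fake))
    real = build_dhcp(ACK, mac_aa, yiaddr="1.1.1.5", options=lease)
    verdicts.append(snoop.inspect("1/11", "00:03:0f:02:33:01", real))
    return verdicts, snoop.bindings
```

`scenario()` returns `["forward", "drop", "forward"]` together with a single binding for Mac-AA on port 1/1 with IP 1.1.1.5: the forged DHCPACK from port 1/10 never reaches the client, and the binding is learned from the request's port rather than the ACK's port, which is what later ARP or DOT1X checks keyed on that binding rely on.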
  • Page 249: Dhcp Snooping Troubleshooting Help

    31.4.2 DHCP Snooping Troubleshooting Help If a problem occurs when using the DHCP Snooping function, check whether it is caused by one of the following:  Check whether global DHCP Snooping is enabled;  If a port does not react to invalid DHCP server packets, check whether that port is set as an untrusted port for DHCP Snooping.
  • Page 250: Chapter 32 Dhcpv6 Snooping Configuration

    Chapter 32 DHCPv6 Snooping Configuration 32.1 Introduction to DHCPv6 Snooping DHCPv6 Snooping monitors the packet exchange between DHCPv6 clients and the server in order to build a binding table of users, and then enforces security policies based on that binding table. DHCPv6 Snooping has the following functions: 32.1.1 Defense against Fake DHCPv6 Server DHCPv6 Snooping can set the port connecting to the DHCPv6 server as the trusted port, and the other ports as the...
  • Page 251: Reply The Remove Requirement For Port

    32.1.5 Reply to the port removal requirement (port move handling) By capturing DHCPv6 packets on each port, DHCPv6 Snooping determines which port a DHCPv6 user is connected to. Once a binding has been created, if DHCPv6 Snooping receives CONFIRM/REQUEST packets from the DHCPv6 client, or responses to it, on a different port, it uses DAD NS/NA to detect whether the binding on the original port is still usable. If it is (a DAD NA response is received), no new binding is created on the new port; otherwise (no DAD NA response within the set time), the binding is created on the new port and the binding on the original...
  • Page 252 Command (admin mode): clear ipv6 dhcp snooping binding {<MAC> | <ipv6address> | interface {ethernet <IFNAME> | <IFNAME>} | all}. Explanation: delete the dynamic binding information of DHCPv6 Snooping. 5. Set the binding limit number for the ports. Command (port mode): ipv6 dhcp snooping binding-limit...
  • Page 253: Dhcpv6 Snooping Typical Application

    Command (port mode): ipv6 dhcp snooping binding user-control / no ipv6 dhcp snooping binding user-control. Explanation: enable or disable the user access control function bound by DHCPv6 Snooping. 11. Enable the debug switch. Command (admin mode): debug ipv6 dhcp snooping packet, debug ipv6 dhcp snooping event. Explanation: enable debugging of DHCPv6 Snooping.
  • Page 254: Dhcpv6 Snooping Troubleshooting

    As shown in the chart above, the MAC-AA and MAC-BB devices are normal users connected to the untrusted ports 1/2 and 1/3 of the switch; they obtain IP 2010::3 and IP 2010::4 through their DHCPv6 clients. The DHCPv6 server is connected to the trusted port 1/1 of the switch; the malicious user Mac-CC is connected to the untrusted port 1/4 and tries to pose as a DHCPv6 server.
  • Page 255: Chapter 33 Routing Protocol Overview

    Chapter 33 Routing Protocol Overview To communicate with a remote host over the Internet, a host must choose a proper route through a set of routers or layer 3 switches. Both routers and layer 3 switches compute routes with their CPU; the difference is that a layer 3 switch installs the computed route into the switching chip and forwards in hardware at wire speed, whereas a router keeps the computed route in its route table or route cache and forwards packets with the CPU.
  • Page 256: Ip Routing Policy

    200.1.1.0.  Output interface: the interface of the layer 3 switch that forwards the IP packets.  IP address of the next layer 3 switch (next hop): the next layer 3 switch the IP packet will pass through.  Route entry priority: there may be several different next-hop routes leading to the same destination.
  • Page 257 introduce each filter in the following sections: 1. route-map A route-map matches certain properties of the specified routing information and sets some routing properties when the conditions are fulfilled. Route-maps control and change routing messages and also control redistribution between routing protocols.
  • Page 258: Ip Routing Policy Configuration Task List

    5. community-list Community-list is only for BGP. There is a community attribute field in BGP routing messages for identifying a community. The community list specifies the matching conditions for the community field. For the relevant community-list configuration, refer to the ip as-path command in the BGP configuration. 33.2.2 IP Routing Policy Configuration Task List 1....
  • Page 259 match interface <interface-name> [<interface-name>] / no match interface [<interface-name>]: match by ports; the no form deletes the match condition. match ip <address | next-hop> <ip-acl-name | ip-acl-num... / no match ip <address | next-hop>...: match the address or next hop; the no form...
  • Page 260 set atomic-aggregate / no set atomic-aggregate: configure the BGP atomic aggregate property; the no form deletes the configuration. set comm-list <community-list-name | community-list-num> delete / no set comm-list <community-list-name | community-list-num>...: delete BGP community list values; the no form deletes the...
  • Page 261: Configuration Examples

    set weight <weight_val> / no set weight [<weight_val>]: set the BGP routing weight; the no form deletes the configuration. 4. Define address prefix list. Command (global mode): ip prefix-list <list_name> description <description> / no ip prefix-list <list_name>...: describe the prefix list; the no...
  • Page 262: Troubleshooting

    [Figure 33-2-1 Policy routing configuration: SwitchA, SwitchB, SwitchC and SwitchD interconnected through VLAN1, VLAN2 and VLAN3, with addresses in 192.68.5.0/24, 192.68.6.0/24, 192.68.10.0/24, 192.68.11.0/24, 172.16.1.0/24 and 172.16.20.0/24] Configuration procedure: (only SwitchA is listed; configurations for the other switches are omitted.) The configuration of layer 3 SwitchA:
    SwitchA#config
    SwitchA(config)#router bgp 1...
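A small model of the filters described in 33.2, as an added example that is not from the manual: an ip prefix-list evaluated by a route-map whose clauses match it and set attributes. The semantics are the conventional ones (entries and clauses in sequence order, first match wins, implicit deny at the end of both a prefix-list and a route-map, `ge`/`le` bounding the matched prefix length); the list names, sequence numbers, attribute names and sample routes are constructed, not taken from the SwitchA configuration.

```python
"""Added example (not from the Planet manual): prefix-list and route-map
evaluation with the usual first-match / implicit-deny semantics."""
import ipaddress


class PrefixList:
    """ip prefix-list <name> seq <n> {permit|deny} <prefix> [ge <n>] [le <n>]"""

    def __init__(self):
        self.entries = []                      # (seq, action, network, lo, hi)

    def add(self, seq, action, prefix, ge=None, le=None):
        net = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else net.prefixlen
        if le is not None:
            hi = le
        elif ge is not None:
            hi = net.max_prefixlen
        else:
            hi = net.prefixlen                 # no ge/le: exact length only
        if lo < net.prefixlen or not lo <= hi <= net.max_prefixlen:
            raise ValueError("need prefixlen <= ge <= le <= max prefix length")
        self.entries.append((seq, action, net, lo, hi))

    def permits(self, route):
        r = ipaddress.ip_network(route)
        for _seq, action, net, lo, hi in sorted(self.entries, key=lambda e: e[0]):
            if (r.version == net.version and r.subnet_of(net)
                    and lo <= r.prefixlen <= hi):
                return action == "permit"
        return False                           # implicit deny


class RouteMap:
    """route-map <name> {permit|deny} <seq> with 'match ip address prefix-list'
    and 'set' clauses; an empty match list matches every route."""

    def __init__(self):
        self.clauses = []                      # (seq, action, [PrefixList], {attr: value})

    def clause(self, seq, action, match=(), sets=None):
        self.clauses.append((seq, action, list(match), dict(sets or {})))

    def apply(self, route, attrs):
        """Attributes after the first matching clause, or None when the route
        is denied (explicitly, or by the implicit deny at the end)."""
        for _seq, action, match, sets in sorted(self.clauses, key=lambda c: c[0]):
            if all(pl.permits(route) for pl in match):
                if action == "deny":
                    return None
                result = dict(attrs)
                result.update(sets)
                return result
        return None


def build_policy():
    """Constructed policy: raise the weight of /24 customer routes under
    172.16.0.0/16, drop anything under 192.68.0.0/16 longer than a /24,
    and pass everything else unchanged."""
    customers = PrefixList()
    customers.add(5, "permit", "172.16.0.0/16", ge=24, le=24)
    too_specific = PrefixList()
    too_specific.add(5, "permit", "192.68.0.0/16", ge=25)
    rm = RouteMap()
    rm.clause(10, "permit", match=[customers], sets={"weight": 100})
    rm.clause(20, "deny", match=[too_specific])
    rm.clause(30, "permit")
    return rm


def evaluate(route_map, routes, attrs=None):
    """Run every route through the route-map; a value of None means filtered."""
    base = attrs or {"weight": 0}
    return {r: route_map.apply(r, base) for r in routes}


if __name__ == "__main__":
    for route, result in evaluate(build_policy(), ["172.16.20.0/24", "172.16.0.0/16",
                                                   "192.68.5.128/25", "192.68.11.0/24"]).items():
        print(route, "->", result)
```

Note the two different implicit denies: a route that matches none of the prefix-list entries makes `permits()` return False, which only means that clause does not match and evaluation moves on to the next clause; a route that matches no clause at all is dropped by the route-map, which is why a policy that should pass unknown routes ends with a catch-all permit clause like seq 30 above.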
  • Page 263: Chapter 34 Static Route

    Chapter 34 Static Route 34.1 Introduction to Static Route As mentioned earlier, a static route is a manually specified path to a network or host. Static routes are simple and predictable, cannot be altered by routing updates from other devices, and are convenient for load balancing and route backup.
  • Page 264: Static Route Configuration Examples

    34.4 Static Route Configuration Examples The figure shown below is a simple network consisting of three layer 3 switches; the network mask for all switches and PCs is 255.255.255.0. PC-A and PC-C are connected via the static routes set in SwitchA and SwitchC;...
  • Page 265: Chapter 35 Rip

    Chapter 35 RIP 35.1 Introduction to RIP RIP was first introduced in ARPANET; it is a protocol intended for small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: •...
  • Page 266: Rip Configuration Task List

    destination, and the route table is built from this database. When a RIP layer 3 switch sends route update packets to its neighbor devices, the complete route table is included in the packets. Therefore, in a large network, the routing data to be transferred and processed by each layer 3 switch is quite large, degrading network performance.
  • Page 267 3. Configure RIP-I/RIP-II switch (1) Configure the RIP version to be used in all interfac es (2) Configure the RIP version to send/receive in all interfaces (3) Configure whether to enable RIP packets sending/receiving for interfaces 4. Delete the specified route in RIP route table 5.
  • Page 268 (2) Configure RIP route parameters 1) Configure route introduction (default route metric, routes of other protocols to be introduced into RIP). Command (router configuration mode): default-metric <value>. Explanation: sets the default route metric for routes to be introduced;...
  • Page 269 Keychain mode: key <keyid> / no key <keyid>: enter keychain-key mode and configure a key of the keychain; the no form deletes the key. Keychain-key mode: key-string <text> / no key-string <text>: configure the password used by the key...
  • Page 270 5) Configure split horizon. Command (interface configuration mode): ip rip split-horizon [poisoned] / no ip rip split-horizon. Explanation: apply split horizon when the port sends route updates; poisoned selects poison reverse; the no form cancels split horizon.
  • Page 271 (2) Configure the RIP version to send/receive on all ports. (3) Configure whether to enable RIP packet sending/receiving for ports. Command (interface configuration mode): ip rip send version {1 | 1-compatible | ...: sets the version of RIP packets to send on all ports;...
  • Page 272: Rip Examples

    6. Configure redistribution of OSPF routing to RIP (1) Enable redistribution of OSPF routing to RIP. Command (router RIP configuration mode): redistribute ospf [<process-id>] [metric <value>] [route-map <word>]. Explanation: enable or disable the redistribution of OSPF routes into RIP.
  • Page 273 Configure the IP address of interface vlan 1
    SwitchA#config
    SwitchA(config)#interface vlan 1
    SwitchA(Config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
    SwitchA(config-if-Vlan1)#
    Configure the IP address of interface vlan 2
    SwitchA(config)#vlan 2
    SwitchA(Config-Vlan2)#switchport interface ethernet 1/2
    Set the port Ethernet 1/2 access vlan 2 successfully
    SwitchA(Config-Vlan2)#exit
    SwitchA(config)#interface vlan 2
    SwitchA(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0...
  • Page 274: Typical Examples Of Rip Aggregation Function

    SwitchC(config-router)#network vlan 1
    SwitchC(config-router)#exit
    35.3.2 Typical Examples of RIP aggregation function The application topology is as follows: [Figure 35-3-2 Typical application of RIP aggregation: S1 vlan1 192.168.10.1, S2 vlan1 192.168.10.2; the aggregate 192.168.20.0/22 is shown on the S1 side and the subnets 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24 on the S2 side] In the topology above, S2 is connected to S1 through interface vlan1, and S2 has four other subnets behind it: 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24, 192.168.24.
  • Page 275: Rip Troubleshooting

    35.4 RIP Troubleshooting RIP may not work properly because of errors such as faulty physical connections or configuration mistakes made when configuring and using RIP. Users should pay attention to the following:  Enabling dot1q-tunnel on a trunk port makes the tag of the data packets unpredictable, which is not required in this application.
  • Page 276 interfaces. Then enter the RIP address family mode and configure the corresponding parameters. If the RIP routing problem remains unresolved, use the debug rip command to record the debug messages for three minutes and send them to our technical service center.
  • Page 277: Chapter 36 Ripng

    Chapter 36 RIPng 36.1 Introduction to RIPng RIPng (RIP next generation) is the IPv6 version of RIP, a protocol first introduced in ARPANET and dedicated to small, simple networks. RIPng is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: •...
  • Page 278: Ripng Configuration Task List

    Besides the above, RIPng allows IPv6 route information discovered by other routing protocols to be introduced into the route table. The operation of RIPng is as follows: 1. Enable RIPng. The switch sends request packets to the neighbor layer 3 switches (RIPng sends them by IPv6 multicast to the all-RIP-routers group FF02::9 rather than by broadcast); on receiving the request, the neighbor devices reply with packets containing their local routing information.
  • Page 279 Configure redistribution of OSPFv3 routing to RIPng (1) Enable redistribution of OSPFv3 routing to RIPng (2) Display and debug the information about the configuration of redistribution of OSPFv3 routing to RIPng 1. Enable RIPng protocol Applying RIPng with a basic configuration on the switch is simple. Normally you only have to turn RIPng on and configure the segments running RIPng; they then send and receive RIPng packets with the default RIPng configuration.
  • Page 280 [no] redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>]: redistribute the routes learned by other routing protocols into RIPng packets; the no form cancels the redistribution of the corresponding protocol's routes.
  • Page 281 3. Configure other RIPng protocol parameters (1) Configure the timers for RIPng update, timeout and hold-down. Command (router configuration mode): timers basic <update> <invalid> <garbage> / no timers basic. Explanation: adjust the RIPng update, timeout and garbage-collection timers; the no form restores the default configuration.
  • Page 282: Ripng Configuration Examples

    Command (router IPv6 RIP configuration mode): redistribute ospf [<process-tag>] [metric <value>] [route-map <word>] / no redistribute ospf [<process-tag>]. Explanation: enable or disable redistribution of OSPFv3 routes into RIPng. (2) Display and debug the information about the configuration of redistribution of OSPFv3 routing to RIPng Command Explanation...
  • Page 283 Layer 3 SwitchA: Enable RIPng protocol
    SwitchA(config)#router IPv6 rip
    SwitchA(config-router)#exit
    Configure the IPv6 address in vlan1 and configure vlan1 to run RIPng
    SwitchA#config
    SwitchA(config)#interface Vlan1
    SwitchA(config-if-Vlan1)#IPv6 address 2000:1:1::1/64
    SwitchA(config-if-Vlan1)#IPv6 router rip
    SwitchA(config-if-Vlan1)#exit
    Configure the IPv6 address in vlan2 and configure vlan2 to run RIPng
    SwitchA(config)#interface Vlan2
    SwitchA(config-if-Vlan2)#IPv6 address 2001:1:1::1/64...
  • Page 284: Ripng Aggregation Route Function Typical Examples

    36.3.2 RIPng Aggregation Route Function Typical Examples The application topology is as follows: [Figure 36-3-2 Typical application of RIPng aggregation: S1 VLAN1 2001:1::1:1, S2 VLAN1 2001:1::1:2; the aggregate 2001:1::20:0/110 is shown on the S1 side and the subnets 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112 on the S2 side] In the topology above, S2 is connected to S1 through interface vlan1, and S2 has four other subnets behind it: 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112, 2001:1::23:0/112.
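A check on what the aggregate routes in the RIP example (35.3.2) and the RIPng example (36.3.2) actually cover, as an added example that is not from the manual. It computes the smallest single prefix that summarizes a set of subnets and reports what a candidate aggregate misses or over-claims. The subnets and aggregates are the ones named in those two examples; run over them, it shows that the IPv6 aggregate 2001:1::20:0/110 covers exactly the four /112s, while the IPv4 aggregate 192.168.20.0/22 from the figure does not contain 192.168.24.0/24 and additionally claims 192.168.20.0/24, which is not behind S2 (the smallest prefix covering all four /24s is 192.168.16.0/20). The function names are this example's own.

```python
"""Added example (not from the Planet manual): what a RIP/RIPng aggregate
route really covers, computed with the standard library ipaddress module."""
import ipaddress


def covering_prefix(prefixes):
    """Smallest prefix containing every given subnet (the aggregate a RIP
    or RIPng router would have to advertise to summarize them all)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mixed IPv4/IPv6 input")
    bits = nets[0].max_prefixlen
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)   # last address of each block
    plen = bits
    while plen > 0 and (lo >> (bits - plen)) != (hi >> (bits - plen)):
        plen -= 1                                       # shorten until both share the prefix
    cls = ipaddress.IPv4Network if bits == 32 else ipaddress.IPv6Network
    return str(cls((lo, plen), strict=False))


def aggregate_report(summary, prefixes):
    """Return (missed, extra): subnets the summary does not cover, and the
    address space inside the summary that belongs to none of them (traffic
    the aggregate would attract without a more specific route behind it)."""
    s = ipaddress.ip_network(summary)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    missed = [str(n) for n in nets if n.version != s.version or not n.subnet_of(s)]
    covered = [n for n in nets if n.version == s.version and n.subnet_of(s)]
    remaining = [s]
    for n in covered:
        nxt = []
        for piece in remaining:
            nxt.extend(piece.address_exclude(n) if n.subnet_of(piece) else [piece])
        remaining = nxt
    extra = [str(p) for p in ipaddress.collapse_addresses(remaining)]
    return missed, extra


if __name__ == "__main__":
    # The subnets named in 35.3.2 and 36.3.2, and the aggregates from the figures.
    rip = ["192.168.21.0/24", "192.168.22.0/24", "192.168.23.0/24", "192.168.24.0/24"]
    ripng = ["2001:1::20:0/112", "2001:1::21:0/112", "2001:1::22:0/112", "2001:1::23:0/112"]
    print("RIP   covering prefix:", covering_prefix(rip))
    print("RIP   192.168.20.0/22 missed/extra:", aggregate_report("192.168.20.0/22", rip))
    print("RIPng covering prefix:", covering_prefix(ripng))
    print("RIPng 2001:1::20:0/110 missed/extra:", aggregate_report("2001:1::20:0/110", ripng))
```

The `extra` list is the security-relevant half of the report: an aggregate that claims space with no more specific route behind it attracts traffic for addresses the advertising switch cannot deliver, and a neighbour that trusts the summary will forward it there.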
  • Page 285: Ripng Troubleshooting

    36.4 RIPng Troubleshooting RIPng may not work properly because of errors such as faulty physical connections or configuration mistakes made when configuring and using RIPng. Users should pay attention to the following:  First ensure that the physical connection is correct and that the IP forwarding command is enabled ...
  • Page 286: Chapter 37 Ospf

    Chapter 37 OSPF 37.1 Introduction to OSPF OSPF is the abbreviation of Open Shortest Path First. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol creates a link-state database by exchanging link states among layer 3 switches, and then uses the Shortest Path First algorithm to generate a route table based on that database.
  • Page 287 The features of the OSPF protocol include the following: OSPF supports networks of various scales; several hundred layer 3 switches can be supported in an OSPF network. Routing topology changes are detected quickly and updating LSAs are sent immediately, so routes converge quickly. Link-state information is used by the shortest path algorithm for route calculation, which avoids routing loops.
  • Page 288: Ospf Configuration Task List

    OSPF area, and is transferred among area border layer 3 switches; AS external LSAs are generated by layer 3 switches on the external border of the AS and are flooded throughout the AS. For autonomous systems that mainly advertise external link state, OSPF allows some areas to be configured as stub areas to reduce the size of the topology database.
  • Page 289 Set the OSPF interface to receive only. Configure the cost for sending packets from the interface. Configure the OSPF packet sending timer parameters (the hello interval on broadcast interfaces, the neighbor dead interval, the LSA transmission delay and the LSA retransmission interval).
  • Page 290 (1) Configure OSPF packet sending mechanism parameters 1) Configure OSPF packet verification (authentication) 2) Set the OSPF interface to receive only 3) Configure the cost for sending packets from the interface Command (interface configuration mode): ip ospf authentication. Explanation: configures the authentication method by which the interface accepts OSPF packets;...
  • Page 291 (2) Configure OSPF route introduction parameters Configure the routes of other protocols to be introduced into OSPF. Command (OSPF protocol configuration mode): redistribute {bgp | connected | static | rip | kernel} [metric-type {1 | 2}] [tag <tag>... Explanation: distribute routes found by other protocols, and static routes, as external routing messages...
  • Page 292 <neighbor>} command restores the default settings. {... translator-role] | range <range> | stub [no-summary] | virtual-link <neighbor>} 4) Configure the priority of the interface when electing the designated router (DR). Command (interface configuration mode): ip ospf priority <priority>. Explanation: sets the priority of the interface in the designated...
  • Page 293: Ospf Examples

    37.3 OSPF Examples 37.3.1 Configuration Example of OSPF Scenario 1: OSPF autonomous system. This scenario takes an OSPF autonomous system consisting of five switches as an example. [Figure: OSPF autonomous system: SwitchA to SwitchE connected over vlan1, vlan2 and vlan3 through ports E1/1 and E1/2, with addresses in 10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24 and 100.1.1.0/24; area 0 and area 1]
  • Page 294 Configure the IP address for interface vlan1 and vlan3.
    Switch2#config
    Switch2(config)#interface vlan 1
    Switch2(config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
    Switch2(config-if-vlan1)#no shutdown
    Switch2(config-if-vlan1)#exit
    Switch2(config)#interface vlan 3
    Switch2(config-if-vlan3)#ip address 20.1.1.1 255.255.255.0
    Switch2(config-if-vlan3)#no shutdown
    Switch2(config-if-vlan3)#exit
    Enable the OSPF protocol and configure the OSPF areas of interfaces vlan1 and vlan3 in
    Switch2(config)#router ospf
    Switch2(config-router)#network 10.1.1.0/24 area 0
    Switch2(config-router)#network 20.1.1.0/24 area 1...
  • Page 295
    Switch4(config-router)#network 30.1.1.0/24 area 0
    Switch4(config-router)#exit
    Switch4(config)#exit
    Switch4#
    Layer 3 Switch5: Configuration of the IP address for interface vlan2
    Switch5#config
    Switch5(config)#interface vlan 2
    Switch5(config-if-vlan2)#ip address 100.1.1.2 255.255.255.0
    Switch5(config-if-vlan2)#no shutdown
    Switch5(config-if-vlan2)#exit
    Configuration of the IP address for interface vlan3
    Switch5(config)#interface vlan 3
    Switch5(config-if-vlan3)#ip address 30.1.1.1 255.255.255.0
    Switch5(config-if-vlan3)#no shutdown...
  • Page 296 Scenario 2: Typical OSPF protocol complex topology. [Figure 37-3-2 Typical complex OSPF autonomous system: SwitchA to SwitchL spread over Area0, Area1, Area2 and Area3] This scenario is a typical complex OSPF autonomous system network topology. Area1 includes networks N1-N4 and layer 3 SwitchA-SwitchD; area2 includes networks N8-N10, host H1 and layer 3 SwitchH; area3 includes N5-N7 and layer 3 SwitchF, SwitchG, SwitchA0 and Switch11; and networks N8-N10 share a summary route with host H1 (i.e.
  • Page 297 layer 3 SwitchD interface VLAN2 is 10.1.1.4. SwitchA connects to network N1 through Ethernet interface VLAN1 (IP address 20.1.1.1); SwitchB connects to network N2 through Ethernet interface VLAN1 (IP address 20.1.2.1); SwitchC connects to network N4 through Ethernet interface VLAN3 (IP address 20.1.3.1).
  • Page 298 Enable the OSPF protocol and configure the area number for interface vlan2.
    SwitchB(config)#router ospf
    SwitchB(config-router)#network 10.1.1.0/24 area 1
    SwitchB(config-router)#exit
    Configure simple key authentication.
    SwitchB(config)#interface vlan 2
    SwitchB(config-If-Vlan2)#ip ospf authentication
    SwitchB(config-If-Vlan2)#ip ospf authentication-key DCS
    SwitchB(config-If-Vlan2)#exit
    Configure the IP address and area number for interface vlan1.
    SwitchB(config)#interface vlan 1
    SwitchB(config-If-Vlan1)#ip address 20.1.2.1 255.255.255.0
    SwitchB(config-If-Vlan1)#exit...
  • Page 299
    SwitchC(config-If-Vlan3)#ip address 20.1.3.1 255.255.255.0
    SwitchC(config-If-Vlan3)#exit
    SwitchC(config)#router ospf
    SwitchC(config-router)#network 20.1.3.0/24 area 1
    SwitchC(config-router)#exit
    Configure the IP address and area number for interface vlan 1
    SwitchC(config)#interface vlan 1
    SwitchC(config-If-Vlan1)#ip address 10.1.5.1 255.255.255.0
    SwitchC(config-If-Vlan1)#exit
    SwitchC(config)#router ospf
    SwitchC(config-router)#network 10.1.5.0/24 area 0
    SwitchC(config-router)#exit
    Configure MD5 key authentication.
  • Page 300
    SwitchD(config-If-Vlan1)#ip address 10.1.6.1 255.255.255.0
    SwitchD(config-If-Vlan1)#exit
    SwitchD(config)#router ospf
    SwitchD(config-router)#network 10.1.6.0/24 area 0
    SwitchD(config-router)#exit
    Configure MD5 key authentication
    SwitchD(config)#interface vlan 1
    SwitchD(config-If-Vlan1)#ip ospf authentication message-digest
    SwitchD(config-If-Vlan1)#ip ospf authentication-key DCS
    SwitchD(config-If-Vlan1)#exit
    SwitchD(config)#exit
    SwitchD#
    Scenario 3: The function of OSPF importing the routes of other OSPF processes As shown in the following graph, a switch running the OSPF routing protocol connects two networks: network A and network B.
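What the two authentication choices configured in Scenario 2 put on the wire, as an added example that is not from the manual and not PLANET firmware code. Simple password authentication (SwitchB, `ip ospf authentication` with an authentication-key) carries the key itself, zero-padded to 8 bytes, in the Authentication field of every OSPF packet, so anyone who can capture a Hello on the segment reads it. MD5 authentication (SwitchC and SwitchD, `ip ospf authentication message-digest`) keeps the key off the wire: the Authentication field carries a key ID, the digest length and a sequence number, and MD5 over the packet followed by the 16-byte padded key is appended after the packet, as specified in RFC 2328 Appendix D. The receiver recomputes the digest with the key selected by the key ID and rejects sequence numbers that do not increase, which is what makes a replayed packet useless. The router ID, area, timer values and the key `DCS` are constructed from the scenario; the function names are this example's own.

```python
"""Added example (not from the Planet manual or its firmware): OSPFv2 Hello
packets with simple-password and MD5 cryptographic authentication (RFC 2328,
Appendix D), and the receiver-side MD5 check."""
import hashlib
import hmac
import struct

AUTH_SIMPLE, AUTH_MD5 = 1, 2


def ip_checksum(data):
    """Standard one's-complement checksum used by the OSPF header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(netmask="255.255.255.0", hello=10, dead=40):
    """Hello body: mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", bytes(int(x) for x in netmask.split(".")),
                       hello, 0x02, 1, dead, b"\0" * 4, b"\0" * 4)


def ospf_header(length, router_id, area_id, au_type, auth_field):
    """24-byte OSPFv2 header: version 2, type 1 (Hello), checksum left 0."""
    return struct.pack("!BBH4s4sHH8s", 2, 1, length, router_id, area_id, 0, au_type, auth_field)


def simple_auth_packet(key, router_id, area_id, body):
    """AuType 1: the password, zero-padded to 8 bytes, IS the Authentication
    field. The checksum covers the packet minus that field."""
    auth = key.encode().ljust(8, b"\0")
    pkt = ospf_header(24 + len(body), router_id, area_id, AUTH_SIMPLE, auth) + body
    csum = ip_checksum(pkt[:16] + pkt[24:])
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]


def md5_auth_packet(key, key_id, seq, router_id, area_id, body):
    """AuType 2: Authentication field = (0, key ID, digest length 16, sequence
    number), checksum 0; MD5(packet || key padded to 16 bytes) is appended
    after the packet and is not counted in the length field."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_header(24 + len(body), router_id, area_id, AUTH_MD5, auth) + body
    digest = hashlib.md5(pkt + key.encode().ljust(16, b"\0")).digest()
    return pkt + digest


def verify_md5(pkt, keys, last_seq=-1):
    """Receiver side: select the key by key ID, recompute the digest and
    compare in constant time, and reject a sequence number that did not
    increase over the last accepted one (the replay check)."""
    length = struct.unpack("!H", pkt[2:4])[0]
    key_id, digest_len, seq = struct.unpack("!BBI", pkt[18:24])
    key = keys.get(key_id)
    if key is None or digest_len != 16 or seq <= last_seq:
        return False
    expected = hashlib.md5(pkt[:length] + key.encode().ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, pkt[length:length + digest_len])


def key_on_wire(pkt, key):
    """True if the key appears verbatim in the packet (what a sniffer sees)."""
    return key.encode() in pkt


if __name__ == "__main__":
    rid, area, body = bytes([10, 1, 6, 1]), bytes([0, 0, 0, 0]), hello_body()
    simple = simple_auth_packet("DCS", rid, area, body)
    digest = md5_auth_packet("DCS", key_id=1, seq=1, router_id=rid, area_id=area, body=body)
    print("simple auth exposes key:", key_on_wire(simple, "DCS"))
    print("md5 auth exposes key:   ", key_on_wire(digest, "DCS"))
    print("md5 verifies with right key:", verify_md5(digest, {1: "DCS"}))
```

The key ID in the MD5 trailer is what lets two routers roll keys without a flag day: both sides can hold the old and the new key under different IDs while the change is made. Note also that the sequence number only protects against replay within the lifetime of a key, and that MD5 here is a keyed digest per the RFC, not an HMAC; it keeps the password off the wire but is no stronger than the secrecy of that shared key.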
  • Page 301: Configuration Examples Of Ospf Vpn

    XGS3-42000R(config-router)#network 2.2.2.0/24 area 1
    XGS3-42000R(config-router)#exit
    XGS3-42000R(config)#router ospf 20
    XGS3-42000R(config-router)#network 1.1.1.0/24 area 1
    XGS3-42000R(config-router)#redistribute ospf 10
    XGS3-42000R(config-router)#exit
    37.3.2 Configuration Examples of OSPF VPN [Figure: OSPF VPN topology: SwitchA with interface vlan1 10.1.1.1/24 and interface vlan2 20.1.1.1/24; SwitchB with interface vlan1 10.1.1.2/24; SwitchC with interface vlan1 20....]
  • Page 302
    SwitchA(config-if-Vlan2)#exit
    Configure the OSPF instances associated with vpnb and vpnc respectively
    SwitchA(config)#
    SwitchA(config)#router ospf 100 vpnb
    SwitchA(config-router)#network 10.1.1.0/24 area 0
    SwitchA(config-router)#redistribute bgp
    SwitchA(config-router)#exit
    SwitchA(config)#router ospf 200 vpnc
    SwitchA(config-router)#network 20.1.1.0/24 area 0
    SwitchA(config-router)#redistribute bgp
    The layer 3 SwitchB of CE1: Configure the IP address of Ethernet E1/2
    SwitchB#config
    SwitchB(config)#interface Vlan1...
  • Page 303: Ospf Troubleshooting

    37.4 OSPF Troubleshooting OSPF may not work properly because of errors such as faulty physical connections or configuration mistakes made when configuring and using OSPF. Users should pay attention to the following:  First ensure that the physical connection is correct ...
  • Page 304: Chapter 38 Ospfv3

    Chapter 38 OSPFv3 38.1 Introduction to OSPFv3 OSPFv3 (Open Shortest Path First version 3) is the IPv6 version of the OSPF protocol. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol creates a link-state database by exchanging link states among layer 3 switches, and then uses the Shortest Path First algorithm to generate a route table based on that database.
  • Page 305 The features of the OSPFv3 protocol include the following: OSPFv3 supports networks of various scales; several hundred layer 3 switches can be supported in an OSPFv3 network. Routing topology changes are detected quickly and updating LSAs are sent immediately, so routes converge quickly. Link-state information is used by the shortest path algorithm for route calculation, which avoids routing loops.
  • Page 306 switch in an OSPF area, and is sent to all other neighboring layer 3 switches in this area; a network LSA is generated by the designated layer 3 switch of a multi-access network in the OSPF area and is sent to all other neighboring layer 3 switches in this area. (To reduce data traffic among the layer 3 switches in a multi-access network, a "designated layer 3 switch"...
  • Page 307: Configuration Task List

    38.2 OSPFv3 Configuration Task List OSPFv3 Configuration Task List: 1. Enable OSPFv3 (required) (1) Enable/disable OSPFv3 (required) (2) Configure the router-id number of the layer 3 switch running OSPFv3 (optional) (3) Configure the network scope for running OSPFv3 (optional) (4) Enable OSPFv3 on the interface (required) 2. Configure OSPFv3 auxiliary parameters (optional) (1)...
  • Page 308 Command (router configuration mode): router-id <router_id> / no router-id. Explanation: configure the router ID for the OSPFv3 process; the no form returns the ID to 0.0.0.0 (required). [no] passive-interface <ifname>: configure an interface that receives without sending; the no form cancels the configuration. Command (interface configuration mode): [no] IPv6 router ospf {area <area-id>... Explanation: implement OSPFv3 routing on the interface.
  • Page 309 IPv6 ospf retransmit <time> [instance-id <id>] / no IPv6 ospf retransmit [instance-id <id>]: sets the interval for retransmission of link-state advertisements among neighbor layer 3 switches; the no form restores the default setting. (2) Configure OSPFv3 route introduction parameters Configure OSPFv3 route introduction parameters Commands Explanation...
  • Page 310: Ospfv3 Examples

    <id> virtual-link A.B.C.D [instance-id <instance-id> INTERVAL] / no area <id> virtual-link A.B.C.D [|INTERVAL] 4) Configure the priority of the interface when electing the designated router (DR). Command (interface configuration mode): IPv6 ospf priority <priority>...
  • Page 311 and SwitchD make up OSPF area 0, layer 3 Switch2 and Switch3 form OSPF area 1 (assume the vlan1 interface of layer 3 SwitchA belongs to area 0), and layer 3 SwitchD forms OSPF area 2 (assume the vlan2 interface of layer 3 SwitchD belongs to area 0). Switch1 and SwitchD are backbone layer 3 switches, Switch2 and SwitchD are area border layer 3 switches, and Switch3 is the intra-area layer 3 switch.
  • Page 312 Layer 3 SwitchB: Enable the OSPFv3 protocol and configure the router ID
    SwitchB(config)#router IPv6 ospf
    SwitchB(config-router)#router-id 192.168.2.2
    Configure the interface vlan1 address, the VLAN2 IPv6 address and the affiliated OSPFv3 area
    SwitchB#config
    SwitchB(config)#interface vlan 1
    SwitchB(config-if-vlan1)#IPv6 address 2010:1:1::2/64
    SwitchB(config-if-vlan1)#IPv6 router ospf area 0
    SwitchB(config-if-vlan1)#exit
    SwitchB(config)#interface vlan 3
    SwitchB(config-if-vlan3)#IPv6 address 2020:1:1::1/64...
  • Page 313: Ospfv3 Troubleshooting

    SwitchD(config-if-vlan3)#exit SwitchD(config)#exit SwitchD# Layer 3 SwitchE: Startup OSPFv3 protocol, configure router ID SwitchE(config)#router IPv6 ospf SwitchE(config-router)#router-id 192.168.2.5 Configure interface IPv6 address and affiliated OSPFv3 area SwitchE#config SwitchE(config)# interface vlan 2 SwitchE(config-if-vlan2)# IPv6 address 2100:1:1::2/64 SwitchE(config-if-vlan2)# IPv6 router ospf area 0 SwitchE(config-if-vlan2)#exit Configure interface VLAN3 IPv6 address and affiliated area SwitchE(config)# interface vlan 3...
  • Page 314: Chapter 39 Bgp

    Chapter 39 BGP 39.1 Introduction to BGP BGP stands for Border Gateway Protocol. It is a dynamic inter-autonomous-system routing protocol. Its basic function is automatically exchanging routing information without loops. By exchanging routing reachability information carrying AS sequence attributes, BGP can create an autonomous topological map to eliminate routing loops and implement policies configured by users.
  • Page 315 Unlike the RIP and OSPF protocols, the BGP protocol is connection oriented. BGP switches must establish a connection to exchange routing information. The operation of the BGP protocol is driven by messages, and the messages can be divided into four kinds: Open message----It is the first message which is sent after a TCP connection is established. It is used to create the BGP connecting relation among BGP peers.
  • Page 316 information in a big organization. Attention: the switches in the AS need not be connected physically. As long as the switches are in the same AS, they can be neighbors of each other. Because BGP cannot detect routes, the route tables of other inner routing protocols (such as static route, direct route, OSPF and RIP) need to contain the neighbor IP addresses, and these routes are used to exchange information among BGPs.
  • Page 317: Bgp Configuration Task List

    one from the least router ID. 39.2 BGP Configuration Task List The BGP configuration tasks include basic and advanced tasks. Basic BGP configuration tasks include the following: 1. Enable BGP Routing (required) 2. Configure BGP Neighbors (required) 3. Administrate the change of routing policy 4....
  • Page 318 router bgp <as-id> / no router bgp <as-id>: Enable BGP; the “no router bgp <as-id>” command disables the BGP process. Router configuration mode: network <ip-address/M> / no network <ip-address/M>: Set the network that BGP will announce; the no network <ip-address/M> command cancels the network that will be announced. 2.
  • Page 319 4. Configure BGP Weights. Command / Explanation. BGP configuration mode: neighbor { <ip-address> | <TAG> } weight <weight> / no neighbor { <ip-address> | <TAG> }: Configure BGP neighbor weights; the no neighbor { <ip-address> | <TAG> } command recovers default weights.
  • Page 320 {<ip-address> |<TAG>} ebgp-multihop [<1-255>] command cancels the setting. 8. Configure BGP session identifier. Command / Explanation. BGP configuration mode: bgp router-id <ip-address> / no bgp router-id: Configure the router-id value; the no bgp router-id command recovers the default value. 9. Configure the BGP Version. Command / Explanation. BGP configuration mode...
  • Page 321 BGP configuration mode: neighbor {<ip-address> | <TAG>} send-community / no neighbor {<ip-address> | <TAG>} send-community: Allow the routing updates with community attributes to be sent to BGP neighbors; the no neighbor {<ip-address> | <TAG>} send-community command enables routes without community attributes. 4. Configure BGP Confederation. Command / Explanation. BGP configuration mode...
  • Page 322 (3) If the route reflector from clients to clients is needed, the following commands can be used. Command / Explanation. BGP configuration mode: bgp client-to-client reflection / no bgp client-to-client reflection: Configure the allowance of the route reflector from clients to clients; the no bgp client-to-client reflection command forbids this allowance.
  • Page 323 send-community: sent to the neighbor. no neighbor { <ip-address> | <TAG> } send-community. neighbor { <ip-address> | <TAG> } timers <keepalive> <holdtime> / no neighbor { <ip-address> | <TAG> } timers: Configure a particular neighbor’s keep-alive and hold-time timer; the no neighbor {<ip-address> | <TAG>} timers command recovers the default value.
  • Page 324 { <ip-address> | <TAG> } version command recovers default setting. neighbor { <ip-address> | <TAG> } route-map <map-name> {in | out} / no neighbor { <ip-address> | <TAG> } route-map <map-name>...: Apply a route map to incoming or outgoing routes; the no neighbor {<ip-address> | <TAG>} route-map <map-name>...
  • Page 325 neighbor {<ip-address> | <TAG>} advertisement-interval <seconds> / no neighbor {<ip-address> | <TAG>} advertisement-interval: Configure the minimum interval among BGP route update information; the no neighbor {<ip-address> | <TAG>} advertisement-interval command recovers the default setting. 10. Configure the Local Preference Value. Command / Explanation. BGP configuration mode...
  • Page 326 no redistribute { connected | static | rip | ospf}: the no redistribute { connected | static | rip | ospf} command cancels the redistribution. 14. Configure Route Dampening. Command / Explanation. BGP configuration mode: bgp dampening [<1-45>] [<1-20000>...: Enable BGP route dampening and apply the specified parameters;...
  • Page 327 configures this router as route server and specifies the clients it serves; the neighbor {<ip-address> |<TAG>} route-server-client command can delete clients. 17. Configure Path-selected rules. Command / Explanation. BGP configuration mode: bgp always-compare-med / no bgp always-compare-med; bgp bestpath as-path ignore / no bgp bestpath as-path ignore...: BGP may change some path-select rules by configuration to change the best selection...
  • Page 328: Configuration Examples Of Bgp

    39.3 Configuration Examples of BGP 39.3.1 Examples 1: configure BGP neighbor SwitchB, SwitchC and SwitchD are in AS200, SwitchA is in AS100. SwitchA and SwitchB share the same network segment. SwitchB and SwitchD are not connected physically. (Figure labels: SwitchC Vlan1: 12.1.1.3, Vlan2: 13.1.1.3; Vlan1: 11.1.1.1; Vlan1: 11.1.1.2...)
  • Page 329: Examples 2: Configure Bgp Aggregation

    SwitchD(config)#router bgp 200 SwitchD(config-router-bgp)#network 13.0.0.0 SwitchD(config-router-bgp)#neighbor 12.1.1.2 remote-as 200 SwitchD(config-router-bgp)#neighbor 13.1.1.3 remote-as 200 SwitchD(config-router-bgp)#exit Presently, the connection between SwitchB and SwitchA is EBGP, and the other connections with SwitchC and SwitchD are IBGP. SwitchB and SwitchD may have a BGP connection without a physical connection. But there is a precondition that these two switches must have a reachable route to each other.
  • Page 330: Examples 4: Configure Bgp Confederation

    XGS3-42000R(config-route-map)#exit XGS3-42000R(config)#route-map set-community permit 20 XGS3-42000R(config-route-map)#match address 2 XGS3-42000R(config-route-map)#exit XGS3-42000R(config)#access-list 1 permit 11.1.0.0 0.0.255.255 XGS3-42000R(config)#access-list 2 permit 0.0.0.0 255.255.255.255 XGS3-42000R(config)#exit XGS3-42000R#clear ip bgp 16.1.1.6 soft out In the following sample, configure the MED local preference of the routes from neighbor 16.1.1.6 selectively according to the route community value.
  • Page 331 Figure 39-3-2 Confederation configuring topology (figure labels: SwitchA, SwitchB, SwitchC, SwitchD; AS100, AS300, AS10, AS20, AS200; vlan1: 11.1.1.1, vlan1: 11.1.1.2, vlan3: 12.1.1.2, Vlan2: 13.1.1.2, vlan1: 13.1.1.4, vlan1: 12.1.1.3). The configurations are as following: SwitchA: SwitchA(config)#router bgp 100 SwitchA(config-router-bgp)#neighbor 11.1.1.2 remote-as 200 SwitchB: SwitchB(config)#router bgp 10 SwitchB(config-router-bgp)#bgp confederation identifier 200 SwitchB(config-router-bgp)#bgp confederation peers 20 SwitchB(config-router-bgp)#neighbor 12.1.1.3 remote-as 10...
  • Page 332: Examples 5: Configure Bgp Route Reflector

    SwitchD: SwitchD(config)#router bgp 20 SwitchD(config-router-bgp)#bgp confederation identifier 200 SwitchD(config-router-bgp)#bgp confederation peers 10 SwitchD(config-router-bgp)#neighbor 13.1.1.2 remote-as 10 39.3.5 Examples 5: configure BGP route reflector The following is the configuration of a route reflector. As the picture illustrates, SwitchA, SwitchB, SwitchC, SwitchD, SWE, SWF and SWG establish IBGP connections which are affiliated to AS100.
  • Page 333: Examples 6: Configure Med Of Bgp

    The configurations are as following: The configurations of SwitchC: SwitchC(config)#router bgp 100 SwitchC(config-router-bgp)#neighbor 1.1.1.1 remote-as 100 SwitchC(config-router-bgp)#neighbor 1.1.1.1 route-reflector-client SwitchC(config-router-bgp)#neighbor 2.2.2.2 remote-as 100 SwitchC(config-router-bgp)#neighbor 2.2.2.2 route-reflector-client SwitchC(config-router-bgp)#neighbor 7.7.7.7 remote-as 100 SwitchC(config-router-bgp)#neighbor 3.3.3.4 remote-as 100 SwitchC(config-router-bgp)#neighbor 8.8.8.8 remote-as 200 The configurations of SwitchD: SwitchD(config)#router bgp 100 SwitchD(config-router-bgp)#neighbor 5.5.5.5 remote-as 100 SwitchD(config-router-bgp)#neighbor 5.5.5.5 route-reflector-client...
  • Page 334 Figure 39-3-4 MED Configuring Topological Map (figure labels: SwitchA, SwitchB, SwitchC, SwitchD; AS100, AS300, AS400; Metric=0, Set metric 50, Set metric 120, Set metric 200; vlan1: 4.4.4.4, vlan1: 4.4.4.3, vlan3: 3.3.3.3, vlan2: 2.2.2.2, vlan1: 2.2.2.1, vlan1: 3.3.3.2, vlan2: 1.1.1.2, vlan2: 1.1.1.1). The configurations of SwitchA: SwitchA(config)#router bgp 100 SwitchA(config-router-bgp)#neighbor 2.2.2.1 remote-as 300 SwitchA(config-router-bgp)#neighbor 3.3.3.2 remote-as 300...
  • Page 335: Examples 7: Example Of Bgp Vpn

    SwitchD(config-router-bgp)#neighbor 1.1.1.1 remote-as 300 SwitchD(config-router-bgp)#exit SwitchD(config)#route-map set-metric permit 10 SwitchD(Config-Router-RouteMap)#set metric 200 The configurations of SwitchB SwitchB(config)#router bgp 400 SwitchB(config-router-bgp)#neighbor 4.4.4.4 remote-as 100 SwitchB(config-router-bgp)#neighbor 4.4.4.4 route-map set-metric out SwitchB(config-router-bgp)#exit SwitchB(config)#route-map set-metric permit 10 SwitchB(Config-Router-RouteMap)#set metric 50 After the configuration above, SwitchB, SwitchC and SwitchD are assumed to send a route 12.0.0.0 to SwitchA.
  • Page 336 Figure 39-3-5 Example of MPLS VPN As the figure shows, for a typical MPLS VPN application, the public network region consists of PE1, P and PE2, in which MPLS is applied for packet transmission. VPN-A consists of CE-A1 and CE-A2, and VPN-B consists of CE-B1 and CE-B2.
  • Page 337 CE-A1(config-router)#neighbor 192.168.101.1 remote-as 100 CE-A1(config-router)#exit Configurations on CE-A2: CE-A2#config CE-A2(config)#interface vlan 2 CE-A2(config-if-Vlan2)#ip address 192.168.102.2 255.255.255.0 CE-A2(config-if-Vlan2)#exit CE-A2(config)#interface vlan 1 CE-A2(config-if-Vlan2)#ip address 10.1.2.1 255.255.255.0 CE-A2(config-if-Vlan2)#exit CE-A2(config)#router bgp 60102 CE-A2(config-router)#neighbor 192.168.102.1 remote-as 100 CE-A2(config-router)#exit Configurations on CE-B1: CE-B1#config CE-B1(config)#interface vlan 2 CE-B1(config-if-Vlan2)#ip address 192.168.201.2 255.
  • Page 338 PE1(config-vrf)#rd 100:10 PE1(config-vrf)#route-target both 100:10 PE1(config-vrf)#exit PE1(config)#ip vrf VRF-B PE1(config-vrf)#rd 100:20 PE1(config-vrf)#route-target both 100:20 PE1(config-vrf)#exit PE1(config)#interface vlan 1 PE1(config-if-Vlan1)#ip vrf forwarding VRF-A PE1(config-if-Vlan1)#ip address 192.168.101.1 255.255.255.0 PE1(config-if-Vlan1)#exit PE1(config)#interface vlan 2 PE1(config-if-Vlan2)#ip vrf forwarding VRF-B PE1(config-if-Vlan2)#ip address 192.168.201.1 255.255.255.0 PE1(config-if-Vlan2)#exit PE1(config)#interface vlan 3 PE1(config-if-Vlan3)#ip address 202.200.1.
  • Page 339: Bgp Troubleshooting

    PE2(config-vrf)#exit PE2(config)#interface vlan 1 PE2(config-if-Vlan1)#ip vrf forwarding VRF-A PE2(config-if-Vlan1)#ip address 192.168.102.1 255.255.255.0 PE2(config-if-Vlan1)#exit PE2(config)#interface vlan 2 PE2(config-if-Vlan2)#ip vrf forwarding VRF-B PE2(config-if-Vlan2)#ip address 192.168.202.1 255.255.255.0 PE2(config-if-Vlan2)#exit PE2(config)#interface vlan 3 PE2(config-if-Vlan3)#ip address 202.200.2.2 255.255.255.0 PE2(config-if-Vlan3)#label-switching PE2(config-if-Vlan3)#exit PE2(config)#interface loopback 1 PE2(Config-if-Loopback1)# ip address 200.200.1.2 255.255.255.255...
  • Page 340 enables these routes to be announced to IBGP and EBGP neighbors by importing routes. Direct-link routes, static routes, and IGP routes (RIP and OSPF) are included in these imported routes. The network and redistribute (BGP) commands are the ways of importing routes. ...
  • Page 341: Chapter 40 Mbgp4

    Chapter 40 MBGP4+ 40.1 Introduction to MBGP4+ MBGP4+ is the multi-protocol BGP (Multi-protocol Border Gateway Protocol) extension to IPv6; refer to the BGP protocol chapter in this manual for an introduction to the BGP protocol. Different from RIPng and OSPFv3, BGP has no corresponding independent protocol for IPv6; instead, it takes extensions to address families on the original BGP.
  • Page 342: Mbgp4+ Examples

    Router IPv6 BGP Configuration Mode redistribute ospf [<process-tag>] [route-map <word>] / no redistribute ospf [<process-tag>]: To enable or disable redistribution of OSPFv3 routing to MBGP4+. (2) Display and debug the information about configuration of redistribution of OSPFv3 routing to MBGP4+. Command / Explanation. Admin Mode and Configuration Mode...
  • Page 343 SwitchA(config-router-af)#neighbor 2001::2 activate SwitchA(config-router-af)#exit-address-family SwitchA(config-router-bgp)#exit SwitchA(config)# SwitchB configuration as follows: SwitchB(config)#router bgp 200 SwitchA(config-router)#bgp router-id 2.2.2.2 SwitchB(config-router)#neighbor 2001::1 remote-as 100 SwitchB(config-router)#neighbor 2002::3 remote-as 200 SwitchB(config-router)#neighbor 2003::4 remote-as 200 SwitchB(config-router)#address-family IPv6 unicast SwitchB(config-router-af)#neighbor 2001::1 activate SwitchB(config-router-af)#neighbor 2002::3 activate SwitchB(config-router-af)#neighbor 2003::4 activate SwitchB(config-router-af)#exit-address-family SwitchB(config-router)#exit SwitchB(config)#...
  • Page 344: Mbgp4+ Troubleshooting

    SwitchD is IBGP. The BGP connection can be processed between SwitchB and SwitchD without a physical link, but the premise is a route which reaches from one switch to the other switch. The route can be obtained by static routing or IGP. 40.4 MBGP4+ Troubleshooting It is the same as the corresponding section of BGP.
  • Page 345: Chapter 41 Black Hole Routing Manual

    Chapter 41 Black Hole Routing Manual 41.1 Introduction to Black Hole Routing Black Hole Routing is a special kind of static routing which drops all the datagrams that match the routing rule. 41.2 IPv4 Black Hole Routing Configuration Task 1. Configure IPv4 Black Hole Routing Command Explanation Global Configuration Mode...
  • Page 346 Figure 41-4-1 IPv4 Black Hole Routing Configuration Example (figure labels: SWITCH1 192.168.0.1/21, SWITCH2 192.168.0.2/21, 192.168.1.0/24 ... 192.168.7.0/24). As shown in the figure, on Switch 2, eight interfaces in all are configured as Layer 3 VLAN interfaces for access interfaces.
  • Page 347: Black Hole Routing Troubleshooting

    Example 2: IPv6 Black Hole Routing function. Figure 41-4-2 IPv6 Black Hole Routing Configuration Example (figure labels: SWITCH1 2004:1:2:3::1/64, SWITCH2 2004:1:2:3::2/64, 2004:1:2:3:1::/80 ... 2004:1:2:3:7::/80). As shown in the figure, on Switch 2, eight interfaces in all are configured as Layer 3 VLAN interfaces for access interfaces.
  • Page 348 and show ip route fib, and show l3. Then copy and paste the output of the commands, and send it to the technical service center of our company.
  • Page 349: Chapter 42 Ecmp Configuration

    Chapter 42 ECMP Configuration 42.1 Introduction to ECMP ECMP (Equal-cost Multi-path Routing) works in the network environment where there are many different links to arrive at the same destination address. If using the traditional routing technique, only one link can be used to send the data packets to the destination address, while the other links stay in the backup state or the invalid state, and it takes some time to process the switchover between them under the static routing environment.
  • Page 350: Ecmp Typical Example

    42.3 ECMP Typical Example Figure 42-3-1 the application environment of ECMP As shown in the figure, R1 connects to R2 and R3 with the interface addresses 100.1.1.1/24 and 100.1.2.1/24. R2 and R3 connect to R1 with the interface addresses 100.1.1.2/24 and 100.1.2.2/24. R4 connects to R2 and R3 with interface addresses 100.
  • Page 351: Ospf Implements Ecmp

    42.3.2 OSPF Implements ECMP R1 configuration: R1(config)#interface Vlan100 R1(Config-if-Vlan100)# ip address 100.1.1.1 255.255.255.0 R1(config)#interface Vlan200 R1(Config-if-Vlan200)# ip address 100.1.2.1 255.255.255.0 R1(config)#interface loopback 1 R1(Config-if-loopback1)# ip address 1.1.1.1 255.255.255.255 R1(config)#router ospf 1 R1(config-router)# ospf router-id 1.1.1.1 R1(config-router)# network 100.1.1.0/24 area 0 R1(config-router)# network 100.1.2.0/24 area 0 R2 configuration:...
  • Page 352 R4(config)#interface Vlan200 R4(Config-if-Vlan200)# ip address 100.2.2.1 255.255.255.0 R4(config)#interface loopback 1 R4(Config-if-loopback1)# ip address 5.5.5.5 255.255.255.255 R4(config)#router ospf 1 R4(config-router)# ospf router-id 4.4.4.4 R4(config-router)# network 100.2.1.0/24 area 0 R4(config-router)# network 100.2.2.0/24 area 0 On R1, show ip route, the following is displayed: R1(config)#show ip route Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area...
  • Page 353: Chapter 43 Ipv4 Multicast Protocol

    Chapter 43 IPv4 Multicast Protocol 43.1 IPv4 Multicast Protocol Overview This chapter will give an introduction to the configuration of IPv4 Multicast Protocol. All IPs in this chapter are IPv4. 43.1.1 Introduction to Multicast Various transmission modes can be adopted when the destination of packet (including data, sound and video) transmission is a minority of users in the network.
  • Page 354 Multicast groups are dynamic; the hosts can join and leave the Multicast group at any time. A Multicast group can be permanent or temporary. Some of the Multicast group addresses are assigned officially; they are called Permanent Multicast Groups. A Permanent Multicast Group keeps its IP address fixed but its member structure can vary within.
  • Page 355: Ip Multicast Packet Transmission

    43.1.3 IP Multicast Packet Transmission In Multicast mode, the source host sends packets to the host group indicated by the Multicast group address in the destination address field of the IP data packet. Unlike Unicast mode, a Multicast data packet must be forwarded to a number of external interfaces to be sent to all receiver sites in Multicast mode, thus the Multicast transmission procedure is more complicated than the Unicast transmission procedure.
  • Page 356 run PIM-DM use Hello messages to contact each other. The PIM-DM Hello message is sent periodically. 2. Flooding & Prune process PIM-DM assumes all hosts on the network are ready to receive Multicast data. When some Multicast Source begins to send data to a Multicast Group G, after receiving the Multicast packet, the router will make an RPF check first according to the Unicast table.
  • Page 357: Pim-Dm Configuration Task List

    43.2.2 PIM-DM Configuration Task List 1. Enable PIM-DM (Required) 2. Configure static multicast routing entries (Optional) 3. Configure additional PIM-DM parameters (Optional) a) Configure the interval for PIM-DM hello messages b) Configure the interval for state-refresh messages c) Configure the boundary interfaces d) Configure the management boundary 4.
  • Page 358 Configure the interval for state-refresh messages. Command / Explanation. Interface Configuration Mode: ip pim state-refresh origination-interval / no ip pim state-refresh origination-interval: To configure the interval for sending PIM-DM state-refresh packets. The no form of this command will restore the default value. Configure the boundary interfaces. Command / Explanation...
  • Page 359: Pim-Dm Configuration Examples

    43.2.3 PIM-DM Configuration Examples As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding vlan, and enable PIM-DM Protocol on each vlan interface. Figure 43-2-1 PIM-DM Typical Environment (figure labels: SwitchA, SwitchB, Vlan 1, Vlan 2). The configuration procedure for SwitchA and SwitchB is as follows:...
  • Page 360: Pim-Dm Troubleshooting

    43.2.4 PIM-DM Troubleshooting In configuring and using PIM-DM Protocol, PIM-DM Protocol might not operate normally caused by physical connection or incorrect configuration. Therefore, the user should pay attention to the following issues: • To assure that physical connection is correct • ...
  • Page 361: Pim-Sm Configuration Task List

    router connected to it directly will take charge of encapsulating the Multicast packet into a registered message and unicast it to the corresponding RP. If there are more than one PIM-SM Multicast routers on a network segment, then the DR (Designated Router) takes charge of sending the Multicast packet. SPT Switch When the Multicast router finds that the rate of the Multicast packet from RP with destination address G exceeds the threshold, the Multicast router will send a Join message to the next upper level nodes in...
  • Page 362 configuration mode and then enabling PIM-SM for specific interfaces in the interface configuration mode. Command / Explanation. Global Mode: ip pim multicast-routing: To enable the PIM-SM protocol for all the interfaces (However, in order to make PIM-SM work for specific interfaces, the following command should be issued). (Required) And then turn on the PIM-SM switch on the interface...
  • Page 363 ip pim neighbor-filter {<access-list-number>} / no ip pim neighbor-filter {<access-list-number...: To configure an ACL to filter PIM-SM neighbors. If the session to the neighbor has been denied by the ACL, then the sessions that have been set up will be discarded immediately and new sessions will not be set up.
  • Page 364 Configure the switch as a candidate RP. Command / Explanation. Global Configuration Mode: ip pim rp-candidate { vlan <vlan-id> | loopback <index> | <ifname> } [<A.B.C.D>...: This command is the global candidate RP configuration command, which is used to configure the information of the PIM-SM candidate RP so that it can compete for RP router with...
  • Page 365: Pim-Sm Configuration Examples

    43.3.3 PIM-SM Configuration Examples As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the corresponding VLAN, and enable PIM-SM Protocol on each VLAN interface. (Figure labels: SwitchA, SwitchB, SwitchD, rp, Vlan 1, Vlan 2...)
  • Page 366: Pim-Sm Troubleshooting

    (3) Configure SwitchC: XGS3-42000R(config)#ip pim multicast-routing XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-if-Vlan1)# ip address 34.1.1.3 255.255.255.0 XGS3-42000R(config-if-Vlan1)# ip pim sparse-mode XGS3-42000R(config-if-Vlan1)#exit XGS3-42000R(config)#interface vlan 2 XGS3-42000R(config-if-Vlan2)# ip address 13.1.1.3 255.255.255.0 XGS3-42000R(config-if-Vlan2)# ip pim sparse-mode XGS3-42000R(config-if-Vlan2)#exit XGS3-42000R(config)#interface vlan 3...
  • Page 367: Msdp Configuration

    • PIM-SM Protocol requires support by RP and BSR, therefore you should use show ip pim bsr-router first to see if there is BSR information. If not, you need to check if there is unicast routing leading to the BSR. • Use the show ip pim rp-hash command to check if RP information is correct; if there is no RP information, you still need to check unicast routing.
  • Page 368: Brief Introduction To Msdp Configuration Tasks

    43.4.2 Brief Introduction to MSDP Configuration Tasks Configuration of MSDP Basic Function: Enabling MSDP (Required); Configuring MSDP entities (Required); Configuring the Connect-Source interface; Configuring static RPF entities; Configuring Originator RP; Configuring TTL value. Configuration of MSDP entities: Configuring the Connect-Source interface; Configuring the descriptive information for MSDP entities; Configuring the AS number...
  • Page 369: Configuration Of Msdp Entities

    43.4.3.2 Enabling MSDP MSDP should be enabled before various MSDP functions can be configured. Enable the MSDP function. Configure MSDP. 1. Enabling MSDP. Commands / Explanation. Global Configuration Mode: router msdp / no router msdp: To enable MSDP. The no form of this command will disable MSDP globally.
  • Page 370: Configuration Of Delivery Of Msdp Packet

    43.4.4.2 Configuration of MSDP parameters. Commands / Explanation. MSDP Peer Configuration Mode: connect-source <interface-type> <interface-number> / no connect-source: To configure the Connect-Source interface for the MSDP Peer. The no form of this command will remove the configured Connect-Source interface. description <text>: To configure the descriptive information about...
  • Page 371: Configuration Of Parameters Of Sa-Cache

    no sa-request-filter [list <access-list-number | access-list-name>]: the no form of the command will remove the configured filter rules for SA request packets. 43.4.6 Configuration of Parameters of SA-cache. Commands / Explanation. MSDP Configuration Mode: cache-sa-state: To enable the SA packet cache. no cache-sa-state: To disable the SA packet cache.
  • Page 372 Figure 43-4-1 Network Topology for MSDP Entry (figure labels: DomainA, DomainB, DomainC, RouterA, RouterB, Source, Receiver). Configuration tasks are listed as below: Prerequisites: Enable the unicast routing protocol and PIM protocol on every router, and make sure that the inter-domain routing works well and multicasting inside the domain works well.
  • Page 373 Router B in Domain B: XGS3-42000R#config XGS3-42000R(config)#interface vlan 2 XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0 XGS3-42000R(config-if-Vlan2)#exit XGS3-42000R(config)#interface vlan 3 XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0 XGS3-42000R(config-if-Vlan3)#exit XGS3-42000R(config)#router msdp XGS3-42000R(router-msdp)#peer 20.1.1.2 XGS3-42000R(msdp-peer)#exit XGS3-42000R(router-msdp)#peer 30.1.1.2 RP2 in Domain B: XGS3-42000R#config...
  • Page 374 Figure 43-4-2 Flooding of SA messages (figure labels: PIM SM 1, Peer). Figure 43-4-3 Flooding of SA messages with mesh group configuration (figure labels: Mesh Group, PIM SM 1, Peer). Configuration steps are listed as below: Router A: XGS3-42000R#config XGS3-42000R(config)#interface vlan 1...
  • Page 375 XGS3-42000R(config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0 XGS3-42000R(config-if-Vlan3)#exit XGS3-42000R(config)#router msdp XGS3-42000R(router-msdp)#peer 10.1.1.2 XGS3-42000R(router-msdp)#mesh-group XGS3-1 XGS3-42000R(msdp-peer)#exit XGS3-42000R(router-msdp)#peer 20.1.1.4 XGS3-42000R(router-msdp)#mesh-group XGS3-1 XGS3-42000R(msdp-peer)#exit XGS3-42000R(router-msdp)#peer 30.1.1.3 XGS3-42000R(router-msdp)#mesh-group XGS3-1 XGS3-42000R(msdp-peer)#exit Router B: XGS3-42000R#config XGS3-42000R(config)#interface vlan 1...
  • Page 376: Msdp Troubleshooting

    XGS3-42000R(config-if-Vlan6)#ip address 60.1.1.4 255.255.255.0 XGS3-42000R(config-if-Vlan6)#exit XGS3-42000R(config)#router msdp XGS3-42000R(router-msdp)#peer 20.1.1.1 XGS3-42000R(router-msdp)#mesh-group XGS3-1 XGS3-42000R(msdp-peer)#exit XGS3-42000R(router-msdp)#peer 40.1.1.4 XGS3-42000R(router-msdp)#mesh-group XGS3-1 XGS3-42000R(msdp-peer)#exit XGS3-42000R(router-msdp)#peer 60.1.1.2 XGS3-42000R(router-msdp)#mesh-group XGS3-1 Router D: XGS3-42000R#config XGS3-42000R(config)#interface vlan 2 XGS3-42000R(config-if-Vlan2)#ip address 20.1.1.4 255.255.255.0...
  • Page 377: Anycast Rp Configuration

    If the MSDP problems cannot be solved through all the methods provided above, please issue the command debug msdp to get the debugging messages within three minutes, and send them to the technical service center of our company. 43.5 ANYCAST RP Configuration 43.5.1 Introduction to ANYCAST RP Anycast RP is a technology based on the PIM protocol, which provides redundancy in order to recover as soon as possible once an RP becomes unusable.
  • Page 378 Command / Explanation. Global Configuration Mode: Now, PIM-SM has allowed the Loopback interface to be an RP candidate. (necessary) Please pay attention that the ANYCAST RP protocol can configure the Loopback interface or a regular three-layer VLAN interface to be ... ip pim rp-candidate {vlan <vlan-id> | loopback <index>...
  • Page 379: Anycast Rp Configuration Examples

    by this router (as a RP). (3) Configure other-rp-address (other RP communication addresses) Command Explanation Global Configuration Mode Configure anycast-rp-addr on this router (as a RP). This unicast address is actually the RP address configured on multiple RP in the network, in accordance with the address of candidate interface...
  • Page 380 Figure 43-5-1 The ANYCAST RP v4 function of the router (figure labels: Multicast Server, receiver; VLAN1: 10.1.1.1, VLAN2: 192.168.2.5, VLAN2: 192.168.2.1, VLAN1: 192.168.1.4, VLAN2: 192.168.3.2, VLAN2: 2.2.2.2 ...). As shown in the Figure, the overall network environment is PIM-SM, which provides two routers supporting ANYCAST RP, RP1 and RP2.
  • Page 381: Anycast Rp Troubleshooting

    RP2 Configuration: XGS3-42000R#config XGS3-42000R(config)#interface loopback 1 XGS3-42000R(config-if-Loopback1)#ip address 1.1.1.1 255.255.255.255 XGS3-42000R(config-if-Loopback1)#exit XGS3-42000R(config)#ip pim rp-candidate loopback1 XGS3-42000R(config)#ip pim multicast-routing XGS3-42000R(config)#ip pim anycast-rp XGS3-42000R(config)#ip pim anycast-rp self-rp-address 192.168.3.2 XGS3-42000R(config)#ip pim anycast-rp 1.1.1.1 192.168.2.1 43.5.4 ANYCAST RP Troubleshooting When configuring and using the ANYCAST RP function, ANYCAST RP might work abnormally because of faults in physical connections, configurations or other causes.
  • Page 382: Pim-Ssm

    43.6 PIM-SSM 43.6.1 Introduction to PIM-SSM Source Specific Multicast (PIM-SSM) is a new kind of multicast service protocol. With PIM-SSM, a multicast session is distinguished by the multicast group address and multicast source address. In SSM, hosts can be added into the multicast group manually and efficiently like the traditional PIM-SM, but leave out the shared tree and RP management in PIM-SM.
  • Page 383 Figure 46-3-1 PIM-SSM typical environment Configurations of SwitchA, SwitchB, SwitchC, and S witchD are shown as below. (1) Configuration of Switch A XGS 3-42000R(config)#ip pim multicast-routing XGS 3-42000R(config)#interface vlan 1 XGS 3-42000R(config-If-Vlan1)# ip pim sparse-mode XGS 3-42000R(config-If-Vlan1)#exit XGS 3-42000R(config)#interface vlan 2 XGS 3-42000R(config-If-Vlan2)# ip pim sparse-mode XGS 3-42000R(config-If-Vlan2)#exit XGS 3-42000R(config)#access-list 1 permit 224.1.1.1 0.0.
  • Page 384: Pim-Ssm Troubleshooting

    (3) Configuration of Switch C XGS3-42000R(config)#ip pim multicast-routing XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-If-Vlan1)# ip pim sparse-mode XGS3-42000R(config-If-Vlan1)#exit XGS3-42000R(config)#interface vlan 2 XGS3-42000R(config-If-Vlan2)# ip pim sparse-mode XGS3-42000R(config-If-Vlan2)#exit XGS3-42000R(config)#interface vlan 3 XGS3-42000R(config-If-Vlan3)# ip pim sparse-mode XGS3-42000R(config-If-Vlan3)# exit XGS3-42000R(config)# ip pim bsr-candidate vlan2 30 10 XGS3-42000R(config)#access-list 1 permit 224.1.1.1 0.0.
  • Page 385: Dvmrp

    commands such as debug pim event/debug pim packet, and then copy the DEBUG information within 3 minutes and send it to the Technology Service Center. 43.7 DVMRP 43.7.1 Introduction to DVMRP DVMRP Protocol, namely, is “Distance Vector Multicast Routing Protocol”. It is a Multicast Routing Protocol in dense mode, which sets up a Forward Broadcast Tree for each source in a manner similar to RIP, and sets up a Truncation Broadcast Tree, i.e.
  • Page 386: Dvmrp Configuration Task List

    In DVMRP, source network routing selection messages are exchanged in basically the same manner as in RIP. That is, routing report messages are transmitted among DVMRP neighbors periodically (the default is 60 seconds). The routing information in the DVMRP routing selection table is used to set up the source distribution tree, i.e. to determine through which neighbor the source transmitting the multicast packets is reached;...
  • Page 387 2. Enable DVMRP Protocol on the interface The basic configuration to run the DVMRP routing protocol on an XGS3 series Layer 3 switch is very simple. After globally enabling DVMRP, DVMRP must also be turned on under the corresponding interface.
  • Page 388 Command | Explanation | Interface Configuration Mode: ip dvmrp output-report-delay <delay_val> [<burst_size>] / no ip dvmrp output-report-delay | Configure the delay of transmitting DVMRP report messages on the interface and the number of messages sent each time; the “no ip dvmrp output-report-delay” command restores the default value.
  • Page 389: Dvmrp Configuration Examples

    43.7.3 DVMRP Configuration Examples As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding VLAN, and enable DVMRP on each VLAN interface. (Figure 43-7-1 DVMRP Network Topology Diagram: SwitchA with Vlan 2 and Vlan 1, SwitchB with Vlan 1) The configuration procedure for SwitchA and SwitchB is as follows: (1) Configure SwitchA: XGS3-42000R(config)#ip dvmrp multicast-routing...
  • Page 390: Dcscm

    • Next, ensure that the protocol of the interface and link is UP (use the show interface command); • Check whether the correct IP address is configured on the interface (use the ip address command); • Afterwards, enable DVMRP Protocol on the interface (use the ip dvmrp command and the ip dvmrp multicast-routing command);...
  • Page 391: Dcscm Configuration Task List

    43.8.2 DCSCM Configuration Task List 1. Source Control Configuration 2. Destination Control Configuration 3. Multicast Strategy Configuration 1. Source Control Configuration Source Control Configuration has three parts, of which the first is to enable source control. The command of source control is as follows: Command | Explanation | Global Configuration Mode...
  • Page 392 Command | Explanation | Port Configuration Mode: [no] ip multicast source-control access-group <5000-5099> | Used to configure the rules source control applies to the port; the NO form cancels the configuration. 2. Destination Control Configuration Like source control configuration, destination control configuration also has three steps. First, enable destination control globally.
  • Page 393: Dcscm Configuration Examples

    [no] ip multicast destination-control <1-4094> <macaddr> access-group <6000-7999> | Used to configure the rules destination control applies to the specified VLAN-MAC; the NO form cancels the configuration. [no] ip multicast destination-control <IPADDRESS/M>... | Used to configure the rules destination control applies to the specified IP address/net...
  • Page 394: Dcscm Troubleshooting

    XGS3-42000R(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.255 XGS3-42000R(config)#access-list 6000 permit ip any any XGS3-42000R(config)#multicast destination-control XGS3-42000R(config)#ip multicast destination-control 10.0.0.0/8 access-group 6000 In this way, users of this network segment can only join groups other than 238.0.0.0/8. 3....
  • Page 395 group. Up to now, there are three versions of IGMP: IGMP version 1 (defined by RFC1112), IGMP version 2 (defined by RFC2236) and IGMP version 3 (defined by RFC3376). The main improvements of IGMP version 2 over version 1 are: 1. The election mechanism of multicast switches on a shared network segment A shared network segment is one on which there is more than one multicast switch.
  • Page 396: Igmp Configuration Task List

    In order to increase robustness, the host retransmits the State-Change message. Additional data is defined to accommodate future extensions. Report messages are sent to 224.0.0.22 to help with IGMP Snooping on Layer 2 switches. A Report can include more than one group record, and it allows using a small group to report the complete current status.
  • Page 397 (1) Configure IGMP group parameters 1) Configure IGMP group filtering conditions 2) Configure IGMP to join in group 3) Configure IGMP to join in static group Command | Explanation | Interface Configuration Mode: ip igmp access-group {<acl_num | acl_name>} | Configure the filtering conditions of the interface for IGMP groups;...
  • Page 398: Igmp Configuration Examples

    no ip dvmrp | no ip pim dense-mode | no ip pim sparse-mode | no ip dvmrp multicast-routing | no ip pim multicast-routing : Disable IGMP Protocol. 43.9.3 IGMP Configuration Examples As shown in the following figure, add the Ethernet ports of Switch A and Switch B to the corresponding VLAN, and start PIM-DM on each VLAN interface.
  • Page 399: Igmp Troubleshooting

    43.9.4 IGMP Troubleshooting When configuring and using IGMP Protocol, IGMP Protocol might not operate normally due to physical connections or incorrect configuration. Therefore, users should pay attention to the following issues: • Firstly, ensure that the physical connection is correct; •...
  • Page 400 ip igmp snooping vlan <vlan-id> / no ip igmp snooping vlan <vlan-id> | Enables IGMP Snooping for the specified VLAN. The no operation disables IGMP Snooping for the specified VLAN. ip igmp snooping vlan <vlan-id> limit {group <g_limit>... | Configure the max group count of the VLAN and...
  • Page 401 ip igmp snooping vlan <vlan-id> suppression-query-time <value> / no ip igmp snooping vlan <vlan-id> suppression-query-time | Configure the suppression query time. The “no ip igmp snooping vlan <vlan-id> suppression-query-time” command restores suppression-query-time to the default value. ip igmp snooping vlan <vlan-id> static-group <A.B.C.D>...
  • Page 402: Igmp Snooping Examples

    43.10.3 IGMP Snooping Examples Scenario 1: IGMP Snooping function (Figure 43-10-1, enabling IGMP Snooping function: Multicast router, Multicast Server 1, Multicast Server 2, multicast port, IGMP Snooping switch, hosts in Group 1 and Group 2) Example: As shown in the above figure, a VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12.
  • Page 403 and port 12 will not receive the traffic of program 1. Scenario 2: L2-general-querier (Figure 43-10-1, the switches as IGMP Queriers: Multicast Server, Group 1, Group 2, Switch A running IGMP Snooping as L2 general querier, multicast port, Switch B running IGMP Snooping, hosts in Group 1 and Group 2) The configuration of Switch2 is the same as the switch in scenario 1, SwitchA takes the place of Multicast...
  • Page 404: Igmp Snooping Troubleshooting

    Scenario 3: To run in cooperation with layer 3 multicast protocols. The SWITCH used in Scenario 1 is replaced with a ROUTER whose specific configuration remains the same, and the multicast and IGMP snooping configurations are the same as in Scenario 1. Configure PIM-SM on the ROUTER, and enable PIM-SM on vlan 100 (use the same PIM mode as the connected multicast router). Configurations are listed below:...
  • Page 405: Igmp Proxy Configuration Task List

    The IGMP/MLD proxy works between the multicast router and the client, acting as both a multicast host and a router. Upstream and downstream ports should be specified in the IGMP/MLD proxy configuration. The host protocol runs on upstream ports, while the router protocol runs on downstream ports. The switch collects the join and leave messages received from downstream ports and forwards them to the multicast router through upstream ports.
  • Page 406: Igmp Proxy Examples

    ip igmp proxy unsolicited-report robustness <2-10> / no ip igmp proxy unsolicited-report robustness | ... sending unsolicited reports. The no form of this command will restore the default value. ip igmp proxy aggregate / no ip igmp proxy aggregate | To configure non-query downstream ports to be able to aggregate the IGMP operations. The no form of this command will restore the default configuration.
  • Page 407 switches. 43-55...
  • Page 408 The configuration steps are listed below: XGS 3-42000R#config XGS 3-42000R(config)#ip igmp proxy XGS 3-42000R(config)#interface vlan 1 XGS 3-42000R(config-if-Vlan1)#ip igmp proxy upstream XGS 3-42000R(config)#interface vlan 2 XGS 3-42000R(config-if-Vlan2)#ip igmp proxy downstream Multicast Configuration: Suppose the multicast server offers some programs through 224.1. 1.1. Some hosts subscribe that program at the edge of the net work.
  • Page 409: Igmp Proxy Troubleshooting

    The configuration steps are listed below: IGMP PROXY Switch1 configuration: XGS3-42000R#config XGS3-42000R(config)#ip igmp proxy XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-if-Vlan1)#ip igmp proxy upstream XGS3-42000R(config)#interface vlan 2 XGS3-42000R(config-if-Vlan2)#ip igmp proxy downstream XGS3-42000R(config-if-Vlan2)#ip igmp proxy multicast-source Route1 configuration: XGS3-42000R#config XGS3-42000R(config)#ip pim multicast XGS3-42000R(config)#interface vlan 1...
  • Page 410: Chapter 44 Ipv6 Multicast Protocol

    Chapter 44 IPv6 Multicast Protocol 44.1 PIM-DM6 44.1.1 Introduction to PIM-DM6 PIM-DM6 (Protocol Independent Multicast, Dense Mode) is the IPv6 version of Protocol Independent Multicast Dense Mode. It is a multicast routing protocol in dense mode which is suited to small networks. The members of the multicast group are relatively dense in this kind of network environment.
  • Page 411: Pim-Dm6 Configuration Task List

    the multicast packet will be discarded as a redundant message. The unicast routing information used for the path judgment can come from any unicast routing protocol, such as routes found by RIP, OSPF, etc. It doesn’t rely on any specific unicast routing protocol. 4.
  • Page 412 Configure static multica st routing entrie s Command Explanation Global configuration mode ipv6 mroute <X:X::X:X> To configure IP v6 static multicast routing entries. <X:X::X:X> <ifname> <.ifname> The no form of this command will remove the no ipv6 mroute <X:X::X:X> specified routing entry. <X:X::X:X>...
  • Page 413: Pim-Dm6 Typical Application

    ipv6 pim scope-border <500-599>|<acl_name> / no ipv6 pim scope-border | To configure the PIM-DM6 management boundary for the interface and apply an ACL for the management boundary. With default settings, ffx0::/13 is considered as the scope of the management group. If an ACL is configured, then the scope specified by the ACL permit command is the scope of the management group.
  • Page 414: Pim-Dm6 Troubleshooting

    XGS3-42000R(config-if-Vlan1)#exit XGS3-42000R(config)#interface vlan2 XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:12:1:1::1/64 XGS3-42000R(config-if-Vlan2)#ipv6 pim dense-mode (2) Configure SwitchB: XGS3-42000R(config)#ip pim multicast-routing XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64 XGS3-42000R(config-if-Vlan1)#ipv6 pim dense-mode XGS3-42000R(config-if-Vlan1)#exit XGS3-42000R(config)#interface vlan 2 XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:20:1:1::1/64 XGS3-42000R(config-if-Vlan2)#ipv6 pim dense-mode 44.1.4 PIM-DM6 Troubleshooting When configuring and using PIM-DM protocol, PIM-DM protocol may fail to work normally due to physical...
  • Page 415 RP. Consequently the network bandwidth occupied by data packets and control messages is cut down and the transaction cost of routers is reduced. Multicast data get to the network segment where the multicast group members are located along the shared t ree flow. When the data traffic reac hes a certain amount, multicast data stream can be switched to source-based SPT (S hort est Path Tree) to shorten network delay.
  • Page 416: Pim-Sm6 Configuration Task List

    BSR through automatic selection. 44.2.2 PIM-SM6 Configuration Task List 1. Enable PIM-SM (Required) 2. Configure static multicast routing entries (Optional) 3. Configure additional parameters for PIM-SM (Optional) (1) Configure parameters for PIM-SM interfaces 1) Configure the interval for PIM-SM hello messages 2) Configure the holdtime for PIM-SM hello messages 3) Configure ACL for PIM-SM6 neighbors 4) Configure the interface as the boundary interface of the PIM-SM6 protocol...
  • Page 417 ipv6 mroute <X:X::X:X> To configure a static multicast routing entry. The <X:X::X:X> <ifname> <.ifname> no form of this command will remove the no ipv6 mroute <X:X::X:X> specified static multicast routing entry. <X:X::X:X> [<ifname> <.ifname>] 3. Configure the additional parameters for PIM-SM (1)Configure parameters for PIM-SM interfaces 1) Configure the interval for PIM-SM hello messages Command...
  • Page 418 Interface Configuration Mode To configure PIM-SM6 management boundary for the interface and apply ACL for the management boundary. With default settings, ffx0::/13 is considered as the scope of the ipv6 pim scope-border management group. If ACL is configured, then <500-599>|<acl_name> the scope specified by ACL permit command is no ipv6 pim scope-border the scope of the management group.
  • Page 419: Pim-Sm6 Typical Application

    4. Disable PIM-SM protocol Command | Explanation | Interface Configuration Mode: no ipv6 pim sparse-mode | To disable the PIM-SM6 protocol. Global Configuration Mode: no ipv6 pim sparse-mode | To disable PIM-DM globally. 44.2.3 PIM-SM6 Typical Application As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the corresponding VLAN, and start PIM-SM Protocol on each VLAN interface.
  • Page 420 XGS 3-42000R(config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64 XGS 3-42000R(config-if-Vlan1)#ipv6 pim spars e-mode XGS 3-42000R(config-if-Vlan1)#exit XGS 3-42000R(config)#interface vlan 2 XGS 3-42000R(config-if-Vlan2)#ipv6 address2000:24:1:1::2/64 XGS 3-42000R(config-if-Vlan2)#ipv6 pim spars e-mode XGS 3-42000R(config-if-Vlan2)#exit XGS 3-42000R(config)#ipv6 pim rp-candidate vlan2 (3) Configure SwitchC: XGS 3-42000R(config)#ipv6 pim multicast-routing XGS 3-42000R(config)#interface vlan 1 XGS 3-42000R(config-if-Vlan1)#ipv6 address 2000:34:1:1::3/64 XGS 3-42000R(config-if-Vlan1)#ipv6 pim spars e-mode XGS 3-42000R(config-if-Vlan1)#exit...
  • Page 421: Pim-Sm6 Troubleshooting

    44.2.4 PIM-SM6 Troubleshooting When configuring and using PIM-SM protocol, PIM-SM protocol may fail to work normally due to physical connections, incorrect configuration and so on. So, users shall note the following points: • Assure the physical connection is correct. •...
  • Page 422 1. Enable A NYCAS T RP v6 function 2. Configure ANY CAST RP v6 1. Enable ANYCAST RP v6 function Command Explanation Global Configuration Mode Enable ANY CAST RP function. (necessary) ipv6 pim anycast-rp The no operation will globally disable the no ipv6 pim anycast-rp ANYCAS T RP function.
  • Page 423 message from other RP unicast, such as a register message whose destination is the self-rp-address of this router, it will create (S,G) state and send back a register-t erminating message, whose destination address is the source address of the register message. Pay attention: self-rp-address has to be the address of a t hree-layer interfac e on this router, but the configuration is allowed to be done with...
  • Page 424: Anycast Rp V6 Configuration Examples

    address register message into other-rp-address. 2 Multiple other-rp-addresses can be configured in accordance with one anycast-rp-addr. Once the register message from a DR is received, it is forwarded to all of these RPs one by one. The no operation will cancel other-rp-address communicating with this router.
  • Page 425: Anycast Rp V6 Troubleshooting

    XGS3-42000R(config)#ipv6 pim anycast-rp 2006::1 2004::2 RP2 Configuration: XGS3-42000R#config XGS3-42000R(config)#interface loopback 1 XGS3-42000R(config-if-Loopback1)#ipv6 address 2006::1/128 XGS3-42000R(config-if-Loopback1)#exit XGS3-42000R(config)#ipv6 pim rp-candidate loopback1 XGS3-42000R(config)#ipv6 pim multicast-routing XGS3-42000R(config)#ipv6 pim anycast-rp XGS3-42000R(config)#ipv6 pim anycast-rp self-rp-address 2004::2 XGS3-42000R(config)#ipv6 pim anycast-rp 2006::1 2003::1 Please note that, on the router advertising the loopback interface, if the MBGP4+ protocol is used, the network command can be used;...
  • Page 426: Pim-Ssm6 Configuration Task List

    group address and S for the source address of the multicast which sends datagram to G. (S,G) in a pair is named as a channel of SSM6. SSM6 serves best for the application of multicast service which is from one station to many ones, for example, the network sports video channel, and the news channel.
  • Page 427 XGS 3-42000R(config)#ipv6 pim multicast-routing XGS 3-42000R(config)#interface vlan 1 XGS 3-42000R(config-If-Vlan1)# ipv6 address 2000:12:1: 1::1/64 XGS 3-42000R(config-If-Vlan1)# ipv6 pim sparse-mode XGS 3-42000R(config-If-Vlan1)#exit XGS 3-42000R(config)#interface vlan 2 XGS 3-42000R(config-If-Vlan2)# ipv6 address 2000:13:1: 1::1/64 XGS 3-42000R(config-If-Vlan2)# ipv6 pim sparse-mode XGS 3-42000R(config-If-Vlan2)#exit XGS 3-42000R(config)#ipv6 access-list 500 permit ff1e::1/64 XGS 3-42000R(config)#ip pim ssm range 500 (2)Configuration of switchB:...
  • Page 428: Pim-Ssm6 Troubleshooting

    XGS3-42000R(config)#ip pim ssm range 500 (4) Configuration of SwitchD: XGS3-42000R(config)#ipv6 pim multicast-routing XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-If-Vlan1)# ipv6 address 2000:34:1:1::4/64 XGS3-42000R(config-If-Vlan1)# ipv6 pim sparse-mode XGS3-42000R(config-If-Vlan1)#exit XGS3-42000R(config)#interface vlan 2 XGS3-42000R(config-If-Vlan2)# ipv6 address 2000:24:1:1::4/64 XGS3-42000R(config-If-Vlan2)# ipv6 pim sparse-mode XGS3-42000R(config-If-Vlan2)#exit XGS3-42000R(config)#interface vlan 3...
  • Page 429: Ipv6 Dcscm Configuration Task Sequence

    IPv6 DCSCM Controllable Multicast technology proceeds in the following way: 1. If source controlled multicast is configured on the edge switches, only the multicast data of the specified group from the specified source can pass. 2. The RP switches which are the core of PIM-SM will directly send REGISTER_STOP in response to REGISTER messages not from the specified source and specified group, and no entry is allowed to be created.
  • Page 430 ACL number from 8000 to 8099, while each rule number can configure 10 rules. What should be paid attention to is that these rules have orders, the earliest configured rule is at the front. Once a rule is matched, the following ones will not take effect, so the globally enabled rules should be the last to configure. The following is the command: Command Explanation...
  • Page 431 Global Configuration Mode Used to configure destination control [no] ipv6 access-li st <9000-10099> rules, these rules can only take effect {deny|permit} {{< source/M>}|{host-source when applied to specified source IP, <source-host-ip>}|any-source} VLAN-MA C or port. The no operation {{<destination/M>}|{host-de stination of this rule will delete the specified <destination-host-ip>}|any-de stination} rule.
  • Page 432: Ipv6 Dcscm Typical Examples

    44.5.3 IPv6 DCSCM Typical Examples 1. Source control In order to prevent an edge switch from sending multicast data at will, we configure on the edge switch that only the switch whose port is Ethernet1/5 can send multicast data, and the group of the data should be ff1e::1. The uplink port Ethernet 1/25 can forward multicast data without being restricted, so we can configure as follows.
  • Page 433: Ipv6 Dcscm Troubleshooting

    44.5.4 IPv6 DCSCM Troubleshooting The IPv6 DCSCM module acts like an ACL, so most problems are caused by improper configuration. Please read the instructions above carefully. 44.6 MLD 44.6.1 Introduction to MLD MLD (Multicast Listener Discovery) is the multicast group member (receiver) discovery protocol serving IPv6 multicast.
  • Page 434 1)Configure the interval of MLD sending query message 2)Configure the maximum response time of MLD query 3)Configure overtime of MLD query 3、 Shut down MLD Protoc ol Start MLD Protocol There is no special command for starting MLD Protoc ol on EDGECORE series layer 3 switches. MLD Protocol will aut omatically start up as long as any IP v6 multicast protocol is started on corresponding interface.
  • Page 435: Mld Typical Application

    ipv6 mld query-max-response-time <time_val> / no ipv6 mld query-max-response-time | Configure the maximum response time of the interface for MLD query; the NO operation of this command restores the default value. ipv6 mld query-timeout <time_val> | Configure the timeout of the interface for MLD query;...
  • Page 436: Mld Troubleshooting Help

    XGS3-42000R(config)#ipv6 pim multicast-routing XGS3-42000R(config)#ipv6 pim rp-address 3FFE::1 XGS3-42000R(config)#interface vlan1 XGS3-42000R(Config-if-Vlan1)#ipv6 address 3FFE::2/64 XGS3-42000R(Config-if-Vlan1)#ipv6 pim sparse-mode XGS3-42000R(Config-if-Vlan1)#exit XGS3-42000R(config)#interface vlan2 XGS3-42000R(Config-if-Vlan2)#ipv6 address 3FFA::1/64 XGS3-42000R(Config-if-Vlan2)#ipv6 pim sparse-mode XGS3-42000R(Config-if-Vlan2)#ipv6 mld query-timeout 150 44.6.4 MLD Troubleshooting Help When configuring and using MLD protocol, MLD protocol may fail to work normally due to physical...
  • Page 437 The switch realizes the MLD Snooping function while supporting MLD v2. This way, the user can acquire IPv6 multicast with the switch.
  • Page 438: Mld Snooping Configuration Task

    44.7.2 MLD Snooping Configuration Task 1. Enable the MLD Snooping function 2. Configure the MLD Snooping 1. Enable the MLD Snooping function Command | Explanation | Global Mode: ipv6 mld snooping / no ipv6 mld snooping | Enable global MLD Snooping; the “no ipv6 mld snooping” command disables global MLD snooping.
  • Page 439: Mld Snooping Examples

    ipv6 mld snooping vlan <vlan-id> query-mrsp <value> / no ipv6 mld snooping vlan <vlan-id> query-mrsp | Configure the query maximum response period. The “no” form of this command restores the default. ipv6 mld snooping vlan <vlan-id> query-robustness <value> | Configure the query robustness; the “no”...
  • Page 440 XGS 3-42000R#config XGS 3-42000R(config)#ipv6 mld snooping XGS 3-42000R(config)#ipv6 mld snooping vlan 100 XGS 3-42000R(config)#ipv6 mld snooping vlan 100 mrout er-port interface et hernet 1/1 Multicast configuration: Assume there are two multicast servers: the Multicast Server 1 and the Multicast Server 2, amongst program 1 and 2 are supplied on the Multicast Server 1 while program 3 on the Multicast server 2, using group addresses respectively the Group 1, Group 2 and Group 3.
  • Page 441: Mld Snooping Troubleshooting

    while executing the mld snooping vlan 60 l2-general-querier, setting the vlan 60 to a Level 2 General Querier. The configuration procedure is as follows: SwitchA#config SwitchA(config)#ipv6 mld snooping SwitchA(config)#ipv6 mld snooping vlan 60 SwitchA(config)#ipv6 mld snooping vlan 60 l2-general-querier SwitchB#config SwitchB(config)#ipv6 mld snooping SwitchB(config)#ipv6 mld snooping vlan 100 SwitchB(config)#ipv6 mld snooping vlan 100 mrouter interface ethernet 1/1 Multicast configuration:...
  • Page 442: Chapter 45 Multicast Vlan

    • Ensure there is a VLAN configured as an L2 general querier, or there is a static mrouter configured in the segment; • Use the relevant command to check whether the MLD snooping information is correct. Chapter 45 Multicast VLAN 45.1 Introductions to Multicast VLAN With the current multicast ordering method, when users in different VLANs order the same multicast stream, a separate copy of the multicast traffic is sent into each VLAN, which is a great waste of bandwidth.
  • Page 443: Multicast Vlan Examples

    3. Configure the MLD Snooping Command | Explanation | Global Mode: ipv6 mld snooping vlan <vlan-id> / no ipv6 mld snooping vlan <vlan-id> | Enable MLD Snooping on the multicast VLAN; the “no” form of this command disables MLD Snooping on the multicast VLAN. ipv6 mld snooping / no ipv6 mld snooping | Enable the MLD Snooping function. The “no” form of this command disables the MLD...
  • Page 444 XGS 3-42000R(config-if-Vlan10)#exit SwitchA(config)#vlan 20 SwitchA(config-vlan20)#exit SwitchA(config)#int erface vlan 20 SwitchA(Config-if-Vlan20)#ip pim dense-mode SwitchA(Config-if-Vlan20)#exit SwitchA(config)#ip pim multicast SwitchA(config)# interface ethernet1/10 SwitchA(Config-If-Et hernet1/10)s witchport mode trunk SwitchB#config SwitchB(config)#vlan 100 SwitchB(config-vlan100)#S witchport access ethernet 1/15 SwitchB(config-vlan100)exit SwitchB(config)#vlan 101 SwitchB(config-vlan101)#S witchport access ethernet 1/20 SwitchB(config-vlan101)exit SwitchB(config)# interface ethernet 1/10 SwitchB(Config-If-Et hernet1/10)#Switchport mode trunk...
  • Page 445: Chapter 46 Acl Configuration

    Chapter 46 ACL Configuration 46.1 Introduction to ACL ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access through the switches, effectively safeguarding the security of networks. The user can lay down a set of rules according to some information specific to packets; each rule describes the action for a packet matching certain information: “permit”...
  • Page 446: Acl Configuration Task List

    46.2 ACL Configuration Task List ACL Configuration Task Sequence: 1. Configuring access-list (1) Configuring a numbered standard IP access-list (2) Configuring a numbered extended IP access-list (3) Configuring a standard IP access-list based on nomenclature a) Create a standard IP access-list based on nomenclature b) Specify multiple “permit”...
  • Page 447 5. Clear the filtering information of the specified port 1. Configuring acce ss-li st (1) Configuring a numbered standard IP access-li st Command Explanation Global Mode Creates a numbered standard IP access-list, if the access-list already exists, then a rule will access-li st <num>...
  • Page 448 range <dPortMin> <dPortMax> }] [precedence using this number. <prec>] [tos <tos>][time-range<time-range-name>] Creates a numbered IP extended access-li st <num> {deny | permit} {eigrp | gre | igrp | IP access rule for other specific IP ipinip | ip | ospf | <protocol-num>} {{< sIpAddr> protocol or all IP protocols;...
  • Page 449 Creates extended access-list basing nomenclature; “no ip access-list extended <name> access-li st extended no ip access-list extended <name> <name> “ command deletes the name-based extended IP access-list. b. Specify multiple “permit” or “deny” rules Command Explanation Extended IP ACL Mode [no] {deny | permit} icmp {{<sIpAddr>...
  • Page 450 c. Exit extended IP ACL configuration mode Command Explanation Extended IP ACL Mode Exits extended name-based exit IP ACL configuration mode. (5) Configuring a numbered standard MAC access-li st Command Explanation Global Mode Creates a numbered standard access-list, access-list already exists, access-li st<num>{deny|permit}{any-source-mac|{ho then a rule will add to the...
  • Page 451 b. Specify multiple “permit” or “deny” rule entries Command Explanation Extended name-based MA C access rule Mode [no]{deny|permit}{any-source-mac|{host-source-ma c<host_smac>}|{< smac>< smac-mask>}} {any-de stination-mac|{host-destination-mac <host_dmac>} |{<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask> ] [vlanId <vid-value> [<vid-mask>][ethertype<protocol>[<protocol-mask>] Creates extended name-based MAC access rule [no]{deny|permit}{any-source-mac|{host-source-ma matching MAC frame;...
  • Page 452 {any-de stination-mac|{host-destination-mac<host_d “no” form command mac>}|{<dmac><dmac-mask>}} [tagged-802-3 [cos deletes this MAC access rule. <cos-val> [<cos-bitmask> ]] [vlanId <vid-value> [<vid-mask>]]] c. Exit ACL Configuration Mode Command Explanation Extended name-based MA C access configure Mode Quit extended exit name-based MA C access configure mode.
  • Page 453 range <sPortMin> <sPortMax> }] be creat ed using this number. {{<destination><destination-wildcard>}|any-de stinati on| {host-de stination <destination-host-ip>}} [d-port { <port3> | range <sPortMin> <sPortMax> }] [ack+fin+psh+rst+urg+ syn] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] access-li st<num>{deny|permit}{any-source-mac| {host-source-mac<host_sm ac>}|{< sm ac>< smac-ma sk>}}{any-de stination-mac|{host-destination-mac Creates a numbered mac-udp <host_dmac>}|{<dmac><dmac-mask>}}udp extended mac-ip access rule;...
  • Page 454 b. Specify multiple “permit” or “deny” rule entries Command Explanation Extended name-based MA C-IP access Mode [no]{deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{< sm ac>< sm ac-m ask>}} {any-de stination-mac|{host-destination-mac Creates an extended <host_dmac>}|{<dmac><dmac-mask>}}icmp name-based MA C-ICMP {{< source>< source-wildcard>}|any-source| access rule; the “no” form {host-source<...
  • Page 455 {{< source>< source-wildcard>}|any-source| name-based extended {host-source< source-host-ip>}} [s-port { <port1> | MAC-UDP access rule. range <sPortMin> <sPortMax> }] {{<destination><destination-wildcard>}|any-de stinati on| {host-de stination <destination-host-ip>}} [d-port { <port3> | range <sPortMin> <sPortMax> }] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] [no]{deny|permit}{any-source-mac|{host-source-ma c<host_smac>}|{< smac>< smac-mask>}} {any-de stination-mac|{host-destination-mac Creates an extended <host_dmac>}|{<dmac><dmac-mask>}}...
  • Page 456 (11) Configuring a numbered extensive IPV6 access-li st Command Explanation Global Mode ipv6 access-li st <num-ext> {deny | permit} icmp {{< sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-de stination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>] ipv6 access-li st <num-ext>...
  • Page 457 ipv6 access-li st standard <name> Creates standard no ipv6 access-li st standard <name> access-list based nomenclature; command delete name-based standard IPV6 access-list. b. Specify multiple permit or deny rules Command Explanation Standard IPV6 ACL Mode [no] {deny | permit} {{< sIPv6Prefix/sPrefixlen>} | Creates standard any-source | {host-source <...
  • Page 458 [time-range <time-range-name>] access rule. [no] {deny | permit} tcp {< sIPv6Prefix/sPrefixlen> | Creates extended any-source | {host-source < sIPv6Addr>}} [s-port name-based IPV6 { <sPort> | range <sPortMin> <sPortMax> }] access rule; the no form {<dIPv6Prefix/dPrefi xlen> | any-destination | command deletes this {host-de stination <dIPv6Addr>}} [dPort { <dPort>...
  • Page 459 Enables global packet firewall enable filtering function. Disables global packet firewall disable filtering function. (2) Configure default action. Command Explanation Global Mode Sets default action firewall default {permit |deny}[ipv4|ipv6|all]} firewall. 3. Configuring time range function (1)Create the name of the time range Command Explanation Global Mode...
  • Page 460: Acl Example

    (3) Configure absolute time range Command | Explanation | Global Mode: absolute start <start_time> <start_data> [end <end_time> <end_data>] | Configure absolute time range. [no] absolute start <start_time> <start_data> [end <end_time> <end_data>] | Stop the function of the time range. 4. Bind access-list to a specific direction of the specified port. Command | Explanation | Physical Port Mode, VLAN Port Mode...
  • Page 461 The configuration steps are listed below: XGS 3-42000R(config)#access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21 XGS 3-42000R(config)#firewall enable XGS 3-42000R(config)#firewall default permit XGS 3-42000R(config)#interface ethernet 1/10 XGS 3-42000R(config-If-Ethernet1/10)#ip access-group 110 in XGS 3-42000R(config-If-Ethernet1/10)#exit XGS 3-42000R(config)#exit Configuration result: XGS 3-42000R#show firewall Firewall status: enable.
  • Page 462 Configuration result: XGS 3-42000R#show firewall Firewall Status: Enable. Firewall Default Rule: Permit. Switch #show access-lists access-list 1100(used 1 time(s )) access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3 access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac Switch #show access-group int erface ethernet 1/10 interface name:Ethernet1/10 MAC Ingress access-list used is 1100,traffic-statistics Disable.
  • Page 463 access-list 3110(used 1 time(s )) access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21 access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10. 0.0.0 0.0.0.255 Switch #show access-group int erface ethernet 1/10 interface name:Ethernet1/10 MAC-IP Ingress access-list used is 3110, traffic-statistics Disable. Scenario 4: The configuration requirement is stated as below: IP v6 protocol runs on the interface 600 of the switch.
  • Page 464: Acl Troubleshooting

    interface name:Ethernet1/10 IPv6 Ingress access-list used is 600, traffic-statistics Disable. Scenario 5: The configuration requirement is stated as below: Interfaces 1, 2, 5 and 7 belong to vlan100; hosts with 192.168.0.1 as their IP address should be prevented from accessing the listed interfaces. Configuration description: 1....
  • Page 465 - The number of ACLs that can be successfully bound depends on the content of the ACL bound and the hardware resource limit. Users will be prompted if an ACL cannot be bound due to the hardware resource limitation.
  • Page 466: Chapter 47 802.1X Configuration

    Chapter 47 802.1x Configuration 47.1 Introduction to 802.1x The 802.1x protocol originates from the 802.11 protocol, the wireless LAN protocol of IEEE, which is designed to provide a solution for authentication when users access a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can reach a LAN controlling device (such as a LAN switch), they will be able to reach all the devices or resources in the LAN.
  • Page 467 - The authenticator system is another entity on one end of the LAN segment that authenticates the supplicant systems connected to it. An authenticator system is usually a network device supporting the 802.1x protocol, providing ports for supplicant systems to access the LAN. The ports provided can be either physical or logical.
  • Page 468: The Work Mechanism Of 802.1X

    47.1.2 The Work Mechanism of 802.1x The IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to implement the exchange of authentication information between the supplicant system, the authenticator system and the authentication server system. The Work Mechanism of 802.1x Figure 47-1-2 ...
  • Page 469 PAE Ethernet Type: Represents the type of the protocol, whose value is 0x888E. Protocol Version: Represents the version of the protocol supported by the sender of the EAPOL data packets. Type: represents the type of the EAPOL data packets, including: ...
  • Page 470: The Encapsulation Of Eap Attributes

    the Format of Data Domain in Request and Response Packets Figure 47-1-5 Identifier: assists in matching the Request and Response messages. Length: the length of the EAP packet in bytes, covering the Code, Identifier, Length and Data domains. Data: the content of the EAP packet, depending on the Code type.
  • Page 471: The Authentication Methods Of 802.1X

    authentication system privately. The devices are layer 2 switches and the authentication server is a RADIUS server. The EAP protocol is used for the authentication message pattern. EAPOL encapsulation is used between the client and the authentication proxy switch, that is to say, the EAP message is encapsulated in an Ethernet frame to authenticate and communicate; however, EAPOR encapsulation is used between the authentication proxy switch and the authentication server, that is to say, the EAP message is carried in the RADIUS protocol to authenticate and communicate.
  • Page 472 EAP is a widely used authentication framework that transports the actual authentication protocol rather than being a specific authentication mechanism. EAP provides some common functions and allows the authentication mechanisms expected in the negotiation, which are called EAP Methods. The advantage of EAP lies in that the EAP mechanism working as a base needs no adjustment when a new authentication protocol appears.
  • Page 473 the Authentication Flow of 802.1x EAP-MD5 Figure 47-1-9 2. EAP-TLS Authentication Method EAP-TLS was brought up by Microsoft based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess digital certificates to implement bidirectional authentication.
  • Page 474 The following figure illustrates the basic operation flow of the EAP-TLS authentication method. the Authentication Flow of 802.1x EAP-TLS Figure 47-1-10 3. EAP-TTLS Authentication Method EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate.
  • Page 475 PEAP Authentication Method EAP-PEAP was brought up by Cisco, Microsoft and RSA Security as a recommended open standard. It has long been utilized in products and provides very good security. Its protocol and security design is similar to that of EAP-TTLS, using a server's PKI certificate to establish a secure TLS tunnel in order to protect user authentication.
  • Page 476: The Extension And Optimization Of 802.1X

    the Authentication Flow of 802.1x EAP Termination Mode Figure 47-1-12 47.1.7 The Extension and Optimization of 802.1x Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x. ...
  • Page 477: The Features Of Vlan Allocation

    resources, which means all users of this port can access limited resources before being authenticated. The user-based advanced control will restrict the access to limited resources: only some particular users of the port can access limited resources before being authenticated. Once those users pass the authentication, they can access all resources.
  • Page 478: Configuration Task List

    because of lacking an exclusive authentication supplicant system or the version of the supplicant system being too low. Once the 802.1x feature is enabled and the Guest VLAN is configured properly, a port will be added into the Guest VLAN, just like Auto VLAN, if there is no response message from the supplicant system after the device has sent more authentication-triggering messages (EAP-Request/Identity) from the port than the upper limit.
  • Page 479 2. Configure Web authentication agent function Command Explanation Global Mode dot1x web authentication enable (no dot1x web authentication enable): Enable the Web authentication agent; the no command disables the Web authentication agent. dot1x web redirect <URL> (no dot1x web redirect): Set the HTTP server address for Web redirection; the no command clears the address.
  • Page 480 dot1x macfilter enable (no dot1x macfilter enable): Enables the 802.1x address filter function in the switch; the no command disables the 802.1x address filter function. dot1x accept-mac <mac-address> [interface <interface-name>] (no dot1x accept-mac): Adds an 802.1x address filter table entry; the no command deletes 802.1x filter address table entries.
  • Page 481: Application Example

    47.3 802.1x Application Example 47.3.1 Examples of Guest VLAN Applications [Figure 47-3-1 The Network Topology of Guest VLAN: Update server, Authenticator server, SWITCH, VLAN2, VLAN5, VLAN10, VLAN100, Internet, User] Notes: in the figures in this section, E2 means Ethernet 1/2, E3 means Ethernet 1/3 and E6 means Ethernet 1/6.
  • Page 482 As illustrated in the figure above, on the switch port Ethernet1/2 the 802.1x feature is enabled, and VLAN10 is set as the port's Guest VLAN. Before the user gets authenticated, or when the user fails to do so, port Ethernet1/2 is added into VLAN10, allowing the user to access the Update Server.
  • Page 483: Examples Of Ipv4 Radius Applications

    # Set the link type of the port as access mode. XGS3-42000R(config-If-Ethernet1/2)#switchport mode access # Set the access control mode on the port as portbased. XGS3-42000R(config-If-Ethernet1/2)#dot1x port-method portbased # Set the access control mode on the port as auto. XGS3-42000R(config-If-Ethernet1/2)#dot1x port-control auto # Set the port's Guest VLAN as 100.
  • Page 484: Examples Of Ipv6 Radius Application

    The configuration procedures are listed below: XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-if-vlan1)#ip address 10.1.1.2 255.255.255.0 XGS3-42000R(config-if-vlan1)#exit XGS3-42000R(config)#radius-server authentication host 10.1.1.3 XGS3-42000R(config)#radius-server accounting host 10.1.1.3 XGS3-42000R(config)#radius-server key test XGS3-42000R(config)#aaa enable XGS3-42000R(config)#aaa-accounting enable XGS3-42000R(config)#dot1x enable XGS3-42000R(config)#interface ethernet 1/2...
  • Page 485: Web Proxy Authentication Sample Application

    The detailed configurations are listed below: XGS3-42000R(config)#interface vlan 1 XGS3-42000R(config-if-vlan1)#ipv6 address 2004:1:2:3::2/64 XGS3-42000R(config-if-vlan1)#exit XGS3-42000R(config)#radius-server authentication host 2004:1:2:3::3 XGS3-42000R(config)#radius-server accounting host 2004:1:2:3::3 XGS3-42000R(config)#radius-server key test XGS3-42000R(config)#aaa enable XGS3-42000R(config)#aaa-accounting enable XGS3-42000R(config)#dot1x enable XGS3-42000R(config)#interface ethernet 1/2 XGS3-42000R(config-If-Ethernet1/2)#dot1x enable...
  • Page 486: Troubleshooting

    In the network topology shown above, Ethernet 1/1 on SWITCH1 is connected to the Web server whose IP address is 192.168.20.20/24, and Ethernet 1/2 on SWITCH1 is connected to the RADIUS server whose IP address is 192.168.20.88/24 and whose authentication port is 1812. The PC is connected to Ethernet 1/16 on SWITCH1 through an unknown network.
  • Page 487: Chapter 48 The Number Limitation Function Of Port, Mac In Vlan And Ip Configuration

    Chapter 48 The Number Limitation Function of Port, MAC in VLAN and IP Configuration 48.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP The MAC address list is used to identify the mapping relationship between the destination MAC addresses and the ports of the switch.
  • Page 488: The Number Limitation Function Of Port, Mac In Vlan And Ip Configuration Task Sequence

    1. Limiting the number of dynamic MAC addresses. If the number of MAC addresses dynamically learnt by the switch is already larger than or equal to the maximum number of dynamic MAC addresses, then the MAC learning function on this port is shut down; otherwise, the port can continue learning. 2.
  • Page 489 vlan mac-address dynamic maximum <value> (no vlan mac-address dynamic maximum): Enable and disable the number limitation function of MAC addresses in the VLAN. Interface configuration mode ip arp dynamic maximum <value> (no ip arp dynamic maximum): Enable and disable the number limitation function of ARP in the VLAN.
  • Page 490: The Number Limitation Function Of Port, Mac In Vlan And Ip Typical Examples

    48.3 The Number Limitation Function of Port, MAC in VLAN and IP Typical Examples [Figure 48-3-1 The Number Limitation of Port, MAC in VLAN and IP Typical Configuration Example: SWITCH A, SWITCH B, PC users] In the network topology above, SWITCH B connects to many PC users. Before enabling the number limitation function of port, MAC in VLAN and IP, if the system hardware has no other limitation, SWITCH A and SWITCH B can get the MAC, ARP and ND list entries of all the PCs, so limiting the MAC and ARP list entries can avoid DoS...
  • Page 491: The Number Limitation Function Of Port, Mac In Vlan And Ip Troubleshooting Help

    48.4 The Number Limitation Function of Port, MAC in VLAN and IP Troubleshooting Help The number limitation function of port, MAC in VLAN and IP is disabled by default; if users need to limit the number of users accessing the network, they can enable it. If the number limitation function of MAC address cannot be configured, please check whether Spanning-tree, dot1x or TRUNK is running on the switch and whether the port is configured as a MAC-binding port.
  • Page 492: Chapter 49 Operational Configuration Of Am Function

    Chapter 49 Operational Configuration of AM Function 49.1 Introduction to AM Function AM (Access Management) means that when a switch receives an IP or ARP message, it will compare the information extracted from the message (such as the source IP address or the source MAC-IP address) with the configured hardware address pool.
  • Page 493: Am Function Example

    3. Configure the forwarding IP Command Explanation Port Mode am ip-pool <ip-address> <num> (no am ip-pool <ip-address> <num>): Configure the forwarding IP of the port. 4. Configure the forwarding MAC-IP Command Explanation Port Mode am mac-ip-pool <mac-address> <ip-address> (no am mac-ip-pool <mac-address>...): Configure the forwarding MAC-IP of the...
  • Page 494: Am Function Troubleshooting

    In the topology above, 30 PCs, after being aggregated by HUB1, connect to interface 1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. Considering security, the system manager will only treat users with an IP address within that range as legal ones, and the switch will only forward data packets from legal users while dropping packets from other users.
  • Page 495: Chapter 50 Security Feature Configuration

    Chapter 50 Security Feature Configuration 50.1 Introduction to Security Feature Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, which is a simple but effective destructive attack on the internet. A server under DoS attack will drop normal user data packets due to non-stop processing of the attacker's data packets, leading to denial of the service and, worse, possibly to a leak of sensitive data from the server.
  • Page 496: Anti Port Cheat Function Configuration Task Sequence

    50.2.3 Anti Port Cheat Function Configuration Task Sequence 1. Enable the anti port cheat function Command Explanation Global Mode [no] dosattack-check srcport-equal-dstport enable: Enable/disable the prevent-port-cheat function. dosattack-check ipv4-first-fragment: Enable/disable checking of IPv4 fragments. This command has no effect when used separately, but if this function is not enabled, the switch will enable...
  • Page 497: Security Feature Example

    dosattack-check icmpv4-size <size>: Configure the max permitted ICMPv4 net load length. This command has no effect when used separately; the user has to enable dosattack-check icmp-attacking enable. dosattack-check icmpv6-size <size>: Configure the max permitted ICMPv6 net load length. This command has no effect when...
  • Page 498: Chapter 51 Tacacs+ Configuration

    Chapter 51 TACACS+ Configuration 51.1 Introduction to TACACS+ TACACS+ (terminal access controller access control protocol) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
  • Page 499: Tacacs+ Scenarios Typical Examples

    3. Configure the TACACS+ authentication timeout time Command Explanation Global Mode tacacs-server timeout <seconds> (no tacacs-server timeout): Configure the authentication timeout for the TACACS+ server; the "no tacacs-server timeout" command restores the default configuration. 4. Configure the IP address of the TACACS+ NAS Command Explanation Global Mode...
  • Page 500: Tacacs+ Troubleshooting

    51.4 TACACS+ Troubleshooting In configuring and using TACACS+, TACACS+ may fail to authenticate due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: - First, good condition of the TACACS+ server physical connection. ...
  • Page 501: Chapter 52 Radius Configuration

    Chapter 52 RADIUS Configuration 52.1 Introduction to RADIUS 52.1.1 AAA and RADIUS Introduction AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for managing the network securely. Through the three functions of Authentication, Authorization and Accounting, the framework can meet the access control needs of a secure network: who can visit the network device, which access level the user can have, and the accounting for the network resources used.
  • Page 502: Radius Configuration Task List

    Length field (2 octets): The length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes. Authenticator field (16 octets): used for validation of the packets received from the RADIUS server, or it can be used to carry encrypted passwords. This field falls into two kinds: the Request Authenticator and the Response Authenticator.
  • Page 503 5. Configure the IP address of the RADIUS NAS. 1. Enable the authentication and accounting function. Command Explanation Global Mode aaa enable (no aaa enable): To enable the AAA authentication function. The no form of this command will disable the AAA authentication function. aaa-accounting enable: To enable AAA accounting.
  • Page 504 4. Configure the parameters of the RADIUS service Command Explanation Global Mode radius-server dead-time <minutes> (no radius-server dead-time): To configure the interval after which the RADIUS server becomes available again after it is down. The no form of this command will restore the default configuration.
  • Page 505: Radius Typical Examples

    52.3 RADIUS Typical Examples 52.3.1 IPv4 Radius Example [Figure 52-3-1 The Topology of IEEE802.1x configuration: computer 10.1.1.1, switch 10.1.1.2, Radius Server 10.1.1.3] A computer connects to a switch whose IP address is 10.1.1.2 and which is connected with a RADIUS authentication server through Ethernet 1/2; the IP address of the server is 10.1.1.3, the authentication port is defaulted at 1812 and the accounting port is defaulted at 1813.
  • Page 506: Ipv6 Radiusexample

    52.3.2 IPv6 Radius Example [Figure 52-3-2 The Topology of IPv6 Radius configuration: computer 2004:1:2:3::1, switch 2004:1:2:3::2, Radius Server 2004:1:2:3::3] A computer connects to a switch whose IP address is 2004:1:2:3::2 and which is connected with a RADIUS authentication server through Ethernet1/2; the IP address of the server is 2004:1:2:3::3, the authentication port is defaulted at 1812 and the accounting port is defaulted at 1813.
  • Page 507: Chapter 53 Ssl Configuration

    Chapter 53 SSL Configuration 53.1 Introduction to SSL As computer networking technology spreads, the security of the network has an increasingly important impact on the availability and usability of networking applications. Network security has become one of the greatest barriers for modern networking applications.
  • Page 508: Ssl Configuration Task List

    data transmission in the application layer will be encrypted. The SSL handshake is done when the SSL session is being set up. The switch should be able to provide certification keys. Currently the keys provided by the switch are not formal certification keys issued by an official authority, but private certification keys generated by SSL software under Linux, which may not be recognized by the web browser.
  • Page 509: Ssl Typical Example

    2. Configure/delete the port number used by SSL Command Explanation Global Mode ip http secure-port <port-number> (no ip http secure-port): Configure the port number used by SSL; the "no ip http secure-port" command deletes the port number. 3. Configure/delete the secure cipher suite used by SSL Command Explanation Global Mode...
  • Page 510: Ssl Troubleshooting

    Configuration on the switch: XGS3-42000R(config)# ip http secure-server XGS3-42000R(config)# ip http secure-port 1025 XGS3-42000R(config)# ip http secure-ciphersuite rc4-128-sha 53.4 SSL Troubleshooting In configuring and using SSL, the SSL function may fail due to reasons such as physical connection failure or wrong configurations.
  • Page 511: Chapter 54 Ipv6 Security Ra Configuration

    Chapter 54 IPv6 Security RA Configuration 54.1 Introduction to IPv6 Security RA In IPv6 networks, the network topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RA, including the link prefix, link MTU and other information; when the IPv6 hosts receive an RA, they will create the link address and set the default router as the one sending the RA in order to implement IPv6 network communication.
  • Page 512: Ra Typical Examples

    54.3 IPv6 Security RA Typical Examples [Figure: Other IPv6 network, Ethernet1/1, Ethernet1/2, Ethernet1/3, PC user, Illegal user] Instructions: if the illegal user in the graph advertises RA, the normal user will receive the RA, set the default router as the malicious IPv6 host and change its own address. This will cause the normal user to be unable to connect to the network.
  • Page 513: Chapter 55 Vlan-Acl Configuration

    Chapter 55 VLAN-ACL Configuration 55.1 Introduction to VLAN-ACL The user can configure an ACL policy on a VLAN to implement access control for all ports in the VLAN, and VLAN-ACL enables the user to manage the network conveniently. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action takes effect on all member ports of the VLAN, and it does not need to be configured separately on each member port.
  • Page 514 2. Configure VLAN-ACL of MAC type Command Explanation Global mode vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD (no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD): Configure or delete MAC VLAN-ACL. 3.
  • Page 515: Vlan-Acl Configuration Example

    55.3 VLAN-ACL Configuration Example A company's network configuration is as follows: all departments are divided into different VLANs; the technique department is Vlan1 and the finance department is Vlan2. It is required that the technique department can access the outside network at timeout, but the finance department is not allowed to access the outside network at any time, for security.
  • Page 516: Vlan-Acl Troubleshooting

    Configure the extended acl_b of IP; at any time it only allows access to resources within the internal network (such as 192.168.1.255). XGS3-42000R(config)#ip access-list extended vacl_b XGS3-42000R(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.1.0 0.0.0.255 XGS3-42000R(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination Apply the configuration to the VLAN XGS3-42000R(config)#vacl ip access-group vacl_a in vlan 1 XGS3-42000R(config)#vacl ip access-group vacl_b in vlan 2...
  • Page 517: Mirror Configuration Task List

    55.6 Mirror Configuration Task List 1. Specify mirror destination port 2. Specify mirror source port (CPU) 3. Specify flow mirror source 1. Specify mirror destination port Command Explanation Global mode monitor session <session> destination interface <interface-number>...: Specifies the mirror destination port; the no...
  • Page 518: Mirror Examples

    55.7 Mirror Examples Example: The requirement of the configuration is shown below: to monitor at interface 1 the data frames sent out by interface 9 and received from interface 7, the frames sent and received by the CPU, and the data frames received by interface 15 that match rule 120 (the source IP address is 1.2.3.4 and the destination IP address is 5.6.7.8).
  • Page 519: Chapter 56 Rspan Configuration

    Chapter 56 RSPAN Configuration 56.1 Introduction to RSPAN Port mirroring refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. Once the mirroring function is in place, it is more convenient for the network administrator to monitor, manage and diagnose the network.
  • Page 520: Rspan Configuration Task List

    For chassis switches, at most 4 mirror destination ports are supported, and the source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured. The number of source mirror ports is not limited, and can be one or more. Multiple source ports are not restricted to being in the same VLAN.
  • Page 521 1. Configure RSPAN VLAN Command Explanation VLAN Configuration Mode remote-span (no remote-span): To configure the specified VLAN as the RSPAN VLAN. The no command will remove the RSPAN VLAN configuration. 2. Configure mirror source port (CPU) Command Explanation Global Mode monitor session <...
  • Page 522: Typical Examples Of Rspan

    56.3 Typical Examples of RSPAN Before RSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check the statistics of the network. However, with the help of RSPAN, network administrators can configure and supervise the switches remotely, which brings more efficiency.
  • Page 523 Intermediate switch: Interface ethernet1/6 is the source port which is connected to the source switch. Interface ethernet1/7 is the destination port which is connected to the intermediate switch. The native VLAN of this port cannot be configured as the RSPAN VLAN, or the mirrored data may not be carried by the destination switch.
  • Page 524: Rspan Troubleshooting

    XGS3-42000R(config-If-Ethernet1/3)#switchport mode trunk XGS3-42000R(config-If-Ethernet1/3)#exit XGS3-42000R(config)#monitor session 1 source interface ethernet1/1 rx XGS3-42000R(config)#monitor session 1 reflector-port ethernet 1/3 XGS3-42000R(config)#monitor session 1 remote vlan 5 Intermediate switch: Interface ethernet1/6 is the source port which is connected to the source switch. Interface ethernet1/7 is the destination port which is connected to the destination switch.
  • Page 525 - Whether the destination mirror port is a member of a Port-channel group. If so, please change the Port-channel group configuration; - Whether the throughput of the destination port is less than the total throughput of the source mirror ports. If so, the destination cannot catch all the datagrams from every source port.
  • Page 526: Chapter 57 Sflow Configuration

    Chapter 57 sFlow Configuration 57.1 Introduction to sFlow sFlow (RFC 3176) is a protocol based on standard network export, developed by the InMon Company and used for monitoring network traffic information. The monitored switch or router sends data to the client analyzer through its main operations such as sampling and statistics; the analyzer then analyzes the data according to the user's requirements so as to monitor the network.
  • Page 527 2. Configure the sFlow proxy address Command Explanation Global Mode sflow agent-address <collector-address> (no sflow agent-address): Configure the source IP address applied by the sFlow proxy; the "no" form of the command deletes this address. 3. Configure the sFlow proxy priority Command Explanation Global Mode...
  • Page 528: Sflow Examples

    57.3 sFlow Examples [Figure 57-3-1 sFlow configuration topology: SWITCH, PC] As shown in the figure, sFlow sampling is enabled on ports 1/1 and 1/2 of the switch. Assume the sFlow analysis software is installed on the PC with the address 192.168.1.200. The address of the layer 3 interface on SwitchA connected with the PC is 192.168.1.100.
  • Page 529: Chapter 58 Vrrp Configuration

    Chapter 58 VRRP Configuration 58.1 Introduction to VRRP VRRP (Virtual Router Redundancy Protocol) is a fault tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It is developed by the IETF for local area networks (LAN) with multicast/broadcast capability (Ethernet is a configuration example) and has wide applications.
  • Page 530: Vrrp Configuration Task List

    58.2 VRRP Configuration Task List Configuration Task List: 1. Create/Remove the Virtual Router (required) 2. Configure VRRP dummy IP and interface (required) 3. Activate/Deactivate Virtual Router (required) 4. Configure VRRP sub-parameters (optional) (1) Configure the preemptive mode for VRRP (2)...
  • Page 531: Vrrp Typical Examples

    (2) Configure VRRP priority Command Explanation VRRP protocol configuration mode priority <priority>: Configures VRRP priority. (3) Configure VRRP Timer intervals Command Explanation VRRP protocol configuration mode advertisement-interval <time>: Configures VRRP timer value (in seconds). (4) Configure VRRP interface monitor Command Explanation VRRP protocol configuration mode circuit-failover {IFNAME | ethernet...
  • Page 532: Vrrp Troubleshooting

    Configuration of SwitchB: SwitchB(config)#interface vlan 1 SwitchB(Config-if-Vlan1)# ip address 10.1.1.7 255.255.255.0 SwitchB(config)#router vrrp 1 SwitchB(Config-Router-Vrrp)# virtual-ip 10.1.1.5 SwitchB(Config-Router-Vrrp)# interface vlan 1 SwitchB(Config-Router-Vrrp)# enable 58.4 VRRP Troubleshooting In configuring and using the VRRP protocol, VRRP may fail to run properly due to reasons such as physical connection failure or wrong configurations.
  • Page 533: Chapter 59 Ipv6 Vrrpv3 Configuration

    Chapter 59 IPv6 VRRPv3 Configuration 59.1 Introduction to VRRPv3 VRRPv3 is a virtual router redundancy protocol for IPv6. It is designed based on VRRP (VRRPv2) in the IPv4 environment. The following is a brief introduction to it. In a network based on the TCP/IP protocol, in order to guarantee communication between devices which are not physically connected, routers should be specified.
  • Page 534: The Format Of Vrrpv3 Message

    take over from the unavailable master router in about 3 seconds (default parameter), and this process needs no interaction with hosts, which means it is transparent to hosts. 59.1.1 The Format of VRRPv3 Message VRRPv3 has its own message format. VRRP messages are used to communicate the priority of routers and the state of the Master in the backup group; they are encapsulated in IPv6 messages and are sent to the specified IPv6 multicast address.
  • Page 535: Vrrpv3 Working Mechanism

    59.1.2 VRRPv3 Working Mechanism The working mechanism of VRRPv3 is the same as that of VRRPv2, which is mainly implemented via the interaction of VRRP advertisement messages. It will be briefly described as follows: Each VRRP router has a unique ID, the VRID, ranging from 1 to 255. This router has a unique virtual MAC address outwardly, the format of which is 00-00-5E-00-02-{VRID} (the format of the virtual MAC address in VRRPv2 is 00-00-5E-00-01-{VRID}).
  • Page 536: Vrrpv3 Configuration

    59.2 VRRPv3 Configuration 59.2.1 Configuration Task Sequence Create/delete the virtual router (necessary) Configure the virtual IPv6 address and interface of VRRPv3 (necessary) Enable/disable the virtual router (necessary) Configure VRRPv3 assistant parameters (optional) (1) Configure VRRPv3 preempt mode (2) Configure VRRPv3 priority (3) Configure the VRRPv3 advertisement interval (4) Configure the monitor interface of VRRPv3...
  • Page 537: Vrrpv3 Typical Examples

    (3) Configure the VRRPv3 advertisement interval Command Explanation VRRPv3 Protocol Mode advertisement-interval <time>: Configure the VRRPv3 advertisement interval (in centiseconds). (4) Configure the monitor interface of VRRPv3 Command Explanation VRRPv3 Protocol Mode circuit-failover {vlan <ID> | IFNAME} <value_reduced>...: Configure the monitor interface of VRRPv3,...
  • Page 538: Vrrpv3 Troubleshooting

    The configuration of SwitchA: SwitchA(config)#ipv6 enable SwitchA(config)#interface vlan 1 SwitchA(config)#router ipv6 vrrp 1 SwitchA(config-router)#virtual-ipv6 fe80::2 interface vlan 1 SwitchA(config-router)#priority 150 SwitchA(config-router)#enable SwitchA(config)#router ipv6 vrrp 2 SwitchA(config-router)#virtual-ipv6 fe80::3 interface vlan 1 SwitchA(config-router)#enable The configuration of SwitchB: SwitchB(config)# ipv6 enable...
  • Page 539: Chapter 60 Mrpp Configuration

    Chapter 60 MRPP Configuration 60.1 Introduction to MRPP MRPP (Multi-layer Ring Protection Protocol) is a link-layer protocol for Ethernet ring protection. It prevents the broadcast storm that a data loop on an Ethernet ring would cause, and restores communication among all nodes on the ring when a link on the ring breaks.
  • Page 540: Mrpp Protocol Packet Types

    3. Nodes Each switch on the Ethernet ring is called a node. There are two node types: Primary node: each ring has one primary node; it is the main node that detects faults and protects the ring. Transfer node: all nodes other than the primary node on each ring are transfer nodes. The node role is determined by user configuration.
  • Page 541: Mrpp Protocol Operation System

    60.1.3 MRPP Protocol Operation System 1. Link Down Alarm System When a transfer node finds that one of its MRPP ring ports has gone down, it immediately sends a link-down packet to the primary node. On receiving the link-down packet, the primary node immediately releases the block state of its secondary port and sends a LINK-DOWN-FLUSH-FDB packet to tell all transfer nodes to refresh their MAC address forwarding tables.
  • Page 542 Configure MRPP ring Command Explanation Global Mode mrpp ring <ring-id> / no mrpp ring <ring-id> Create an MRPP ring; the "no" form deletes the MRPP ring and its configuration. MRPP ring mode control-vlan <vid> / no control-vlan Configure the control VLAN ID; the "no" form deletes the configured control VLAN ID.
  • Page 543: Mrpp Typical Scenario

    60.3 MRPP Typical Scenario [Figure 60-3-1: MRPP typical configuration scenario. SWITCH A (master node), SWITCH B, SWITCH C and SWITCH D form MRPP ring 4000.] The topology above is common when MRPP is used. Several switches form a single MRPP ring: every switch is configured with only MRPP ring 4000, so together they make up one ring.
  • Page 544 SWITCH B configuration Task Sequence:
    XGS3-42000R(config)#mrpp enable
    XGS3-42000R(config)#mrpp ring 4000
    XGS3-42000R(mrpp-ring-4000)#control-vlan 4000
    XGS3-42000R(mrpp-ring-4000)#enable
    XGS3-42000R(mrpp-ring-4000)#exit
    XGS3-42000R(config)#interface ethernet 1/1
    XGS3-42000R(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
    XGS3-42000R(config-If-Ethernet1/1)#interface ethernet 1/2
    XGS3-42000R(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
    XGS3-42000R(config-If-Ethernet1/2)#exit
    XGS3-42000R(config)#
    SWITCH C configuration Task Sequence:
    XGS3-42000R(config)#mrpp enable
    XGS3-42000R(config)#mrpp ring 4000...
  • Page 545: Mrpp Troubleshooting

    60.4 MRPP Troubleshooting Normal operation of MRPP depends on the correct configuration of every switch on the MRPP ring; otherwise a loop and a broadcast storm are very likely: - When configuring an MRPP ring, it is best to leave the ring physically open, wait until every switch has been configured, and only then close the ring.
  • Page 546: Chapter 61 Ulpp Configuration

    Chapter 61 ULPP Configuration 61.1 Introduction to ULPP Each ULPP group has two uplink ports: the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the Forwarding state; the other port is blocked in the Standby state.
  • Page 547: Ulpp Configuration Task List

    When configuring ULPP, the VLANs protected by a ULPP group must be specified by reference to MSTP instances; ULPP does not protect other VLANs. When an uplink switchover happens, the forwarding entries the device learned before the switchover no longer match the new topology of the network.
  • Page 548 1. Create ULPP group globally Command Explanation Global mode ulpp group <integer> / no ulpp group <integer> Create and delete a ULPP group globally. 2. Configure ULPP group Command Explanation ULPP group configuration mode preemption mode / no preemption mode Configure the preemption mode of the ULPP group; the no operation deletes the preemption mode.
  • Page 549: Ulpp Typical Examples

    3. Show and debug the related information of ULPP Command Explanation Admin mode show ulpp group [group-id] Show the configuration information of the configured ULPP groups. show ulpp flush counter interface <name> Show the statistics of the flush ...
  • Page 550 SwitchA has two uplinks, to SwitchB and SwitchC. When no protocol is enabled, this topology forms a ring. To avoid the loop, SwitchA can run ULPP, with the master port and the slave port configured in a ULPP group. When both the master port and the slave port are up, the slave port is put in the Standby state and does not forward data packets.
  • Page 551: Ulpp Typical Example2

    SwitchC configuration task list:
    XGS3-42000R(config)#vlan 10
    XGS3-42000R(config-vlan10)#switchport interface ethernet 1/2
    XGS3-42000R(config-vlan10)#exit
    XGS3-42000R(config)#interface ethernet 1/2
    XGS3-42000R(config-If-Ethernet1/2)#ulpp control vlan 5
    XGS3-42000R(config-If-Ethernet1/2)#ulpp flush enable mac
    XGS3-42000R(config-If-Ethernet1/2)#ulpp flush enable arp
    61.3.2 ULPP Typical Example 2 [Figure: SwitchD, SwitchB, E1/1 ...]
  • Page 552: Ulpp Troubleshooting

    XGS3-42000R(ulpp-group-1)#exit
    XGS3-42000R(config)#ulpp group 2
    XGS3-42000R(ulpp-group-2)#protect vlan-reference-instance 2
    XGS3-42000R(ulpp-group-2)#exit
    XGS3-42000R(config)#interface ethernet 1/1
    XGS3-42000R(config-If-Ethernet1/1)#switchport mode trunk
    XGS3-42000R(config-If-Ethernet1/1)#ulpp group 1 master
    XGS3-42000R(config-If-Ethernet1/1)#ulpp group 2 slave
    XGS3-42000R(config-If-Ethernet1/1)#exit
    XGS3-42000R(config)#interface Ethernet 1/2
    XGS3-42000R(config-If-Ethernet1/2)#switchport mode trunk
    XGS3-42000R(config-If-Ethernet1/2)#ulpp group 1 slave
    XGS3-42000R(config-If-Ethernet1/2)#ulpp group 2 master
    XGS3-42000R(config-If-Ethernet1/2)#exit...
  • Page 553: Chapter 62 Ulsm Configuration

    Chapter 62 ULSM Configuration 62.1 Introduction to ULSM ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports, and there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group.
  • Page 554: Ulsm Configuration Task List

    62.2 ULSM Configuration Task List 1. Create ULSM group globally 2. Configure ULSM group 3. Show and debug the related information of ULSM 1. Create ULSM group globally Command Explanation Global mode ulsm group <group-id> / no ulsm group <group-id> Create and delete a ULSM group globally...
  • Page 555 The above topology is the typical environment in which ULSM and ULPP are used together. ULSM synchronizes port states; running on its own it achieves nothing useful, so it is normally used together with ULPP. In the topology, SwitchA runs ULPP, which is used to switch the uplink.
  • Page 556: Ulsm Troubleshooting

    SwitchB configuration task list:
    XGS3-42000R(config)#ulsm group 1
    XGS3-42000R(config)#interface ethernet 1/1
    XGS3-42000R(config-If-Ethernet1/1)#ulsm group 1 downlink
    XGS3-42000R(config-If-Ethernet1/1)#exit
    XGS3-42000R(config)#interface ethernet 1/3
    XGS3-42000R(config-If-Ethernet1/3)#ulsm group 1 uplink
    XGS3-42000R(config-If-Ethernet1/3)#exit
    SwitchC configuration task list:
    XGS3-42000R(config)#ulsm group 1
    XGS3-42000R(config)#interface ethernet 1/2
    XGS3-42000R(config-If-Ethernet1/2)#ulsm group 1 downlink
    XGS3-42000R(config-If-Ethernet1/2)#exit
    XGS3-42000R(config)#interface ethernet 1/4...
  • Page 557: Chapter 63 Sntp Configuration

    Chapter 63 SNTP Configuration 63.1 Introduction to SNTP The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet. NTP can measure the sending/receiving delay of packets in the network and estimate the computer's clock offset independently, so as to achieve highly accurate clocks on networked computers.
  • Page 558: Typical Examples Ofs Ntp Configuration

    63.2 Typical Examples of SNTP Configuration [Figure 63-2-1: Typical SNTP configuration. Two SNTP/NTP servers and a number of switches.] All switches in the autonomous zone are required to synchronize their time, which is done through two redundant SNTP/NTP servers. For the time to be synchronized, the network must be properly configured: there must be a reachable route between every switch and the two SNTP/NTP servers.
  • Page 559: Chapter 64 Ntp Function Configuration

    Chapter 64 NTP Function Configuration 64.1 Introduction to NTP Function NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients, and can reach millisecond precision. The events, states, transmit function and actions are defined in RFC 1305.
  • Page 560 3. Configure the maximum number of broadcast or multicast servers supported by the NTP client Command Explanation Global Mode ntp broadcast server count <number> / no ntp broadcast server count Set the maximum number of broadcast or multicast servers supported by the NTP client.
  • Page 561: Typical Examples Of Ntp Function

    8. Configure an interface so that it does not receive NTP packets Command Explanation Interface Configuration Mode ntp disable / no ntp disable Disable the NTP function on the interface. 9. Display information Command Explanation Admin Mode show ntp status Display the state of time synchronization. show ntp session [<ip-address>...
  • Page 562: Ntp Function Troubleshooting

    The configuration of Switch C is as follows (Switch A and Switch B are from other vendors and may use different commands, which are not explained here; our switches do not currently support acting as an NTP server): Switch C:
    XGS3-42000R(config)#ntp enable
    XGS3-42000R(config)#interface vlan 1
    XGS3-42000R(config-if-Vlan1)#ip address 192.168.1.12 255.
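The following Python script is an added example, not code from the manual or from PLANET, showing what the SNTP/NTP client role described in 63.1 and 64.1 actually does on the wire: it builds the 48-byte client request, checks a server reply the way a careful client must before trusting it (mode, leap indicator, stratum-0 kiss-o'-death, and that the echoed origin timestamp matches the request, which is the only protection a plain SNTP client has against an off-path forged reply), and then computes the clock offset and round-trip delay from the four timestamps as RFC 4330 defines them. The packet layout and formulas are from RFC 4330; the server side is a constructed stand-in so the exchange runs offline, and the timestamps are made up.

```python
import struct

NTP_DELTA = 2208988800          # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET = struct.Struct("!BBBbIIIQQQQ")  # 48-byte header: LI/VN/Mode, stratum, poll, precision,
                                         # root delay, root dispersion, reference ID, then the
                                         # reference, origin, receive and transmit timestamps


def to_ntp(unix: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900 | 32-bit fraction)."""
    secs = int(unix) + NTP_DELTA
    frac = int((unix - int(unix)) * (1 << 32))
    return ((secs & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1_unix: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3; only the Transmit Timestamp (T1) is filled in."""
    return PACKET.pack((4 << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))


def build_server_reply(request: bytes, t2_unix: float, t3_unix: float,
                       stratum: int = 2, ref_id: bytes = b"GPS\x00") -> bytes:
    """CONSTRUCTED stand-in for a real server (mode 4): echoes T1 as the Origin
    Timestamp and stamps arrival (T2) and departure (T3). Only here so the example runs offline."""
    req = PACKET.unpack(request)
    return PACKET.pack((4 << 3) | 4, stratum, req[2], -20, 0, 0,
                       struct.unpack("!I", ref_id)[0],
                       to_ntp(t2_unix), req[10], to_ntp(t2_unix), to_ntp(t3_unix))


def process_reply(request: bytes, reply: bytes, t4_unix: float):
    """Validate a reply (RFC 4330 section 5 checks), then return (offset, delay) in seconds:
    delay = (T4 - T1) - (T3 - T2), offset = ((T2 - T1) + (T3 - T4)) / 2."""
    if len(reply) != PACKET.size:
        raise ValueError("reply is not 48 bytes")
    r = PACKET.unpack(reply)
    li, mode = r[0] >> 6, r[0] & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3:
        raise ValueError("server clock is unsynchronized")
    if r[1] == 0:  # stratum 0 = kiss-o'-death; the reference ID carries the code
        raise ValueError("kiss-o'-death: " + struct.pack("!I", r[6]).decode("ascii", "replace"))
    t1 = PACKET.unpack(request)[10]
    if r[8] != t1:
        raise ValueError("origin timestamp does not match our request; dropping (possible spoof)")
    if r[10] == 0:
        raise ValueError("transmit timestamp is zero")
    T1, T2, T3, T4 = from_ntp(t1), from_ntp(r[9]), from_ntp(r[10]), t4_unix
    delay = (T4 - T1) - (T3 - T2)
    offset = ((T2 - T1) + (T3 - T4)) / 2
    return offset, delay


if __name__ == "__main__":
    # Constructed exchange: client clock 0.5 s behind the server, 50 ms each way on the wire.
    t1 = 1700000000.0
    req = build_request(t1)
    rep = build_server_reply(req, t2_unix=t1 + 0.050 + 0.5, t3_unix=t1 + 0.060 + 0.5)
    offset, delay = process_reply(req, rep, t4_unix=t1 + 0.110)
    print("offset %+.3f s, round-trip delay %.3f s" % (offset, delay))
```

Because the switch's log timestamps, certificate checks and any time-based access control depend on this clock, a client should also refuse to step its clock by an implausibly large offset from a single reply; that sanity limit is site policy and is not shown here.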
  • Page 563: Chapter 65 Dnsv4/V6 Configuration

    Chapter 65 DNSv4/v6 Configuration 65.1 Introduction to DNS DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS you can use easy-to-remember, meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses.
  • Page 564: Onfiguration T Ask L Ist

    65.2 DNSv4/v6 Configuration Task List To enable/disable the DNS function To configure/delete a DNS server To configure/delete a domain name suffix To delete the domain entry of a specified address from the dynamic cache To enable DNS dynamic domain name resolution Enable/disable the DNS SERVER function Configure the maximum number of client entries in the switch queue Configure the timeout for caching client information on the switch Monitor and diagnose the DNS function...
  • Page 565 6. Enable/disable DNS SERVER function Command Explanation Global Mode ip dns server / no ip dns server Enable/disable the DNS SERVER function. 7. Configure the maximum number of client entries in the switch queue Command Explanation Global Mode ip dns server queue maximum Configure the maximum number of client...
  • Page 566: Typical Examples Of Dns

    65.3 Typical Examples of DNS [Figure 65-3-1: DNS client typical environment. A DNS server (IP 219.240.250.101, IPv6 2001::1) is reached through the INTERNET; the SWITCH is configured with ip domain-lookup, dns-server 219.240.250.101 and dns-server 2001::1.] As shown in the figure, the switch is connected to the DNS server through the network. If the switch wants to reach the Sina website it does not need to know the website's IPv4/IPv6 address; it only needs to record the website's domain name, www.sina.com.cn.
  • Page 567: Dns Troubleshooting

    Switch configuration for DNS CLIENT:
    XGS3-42000R(config)#ip domain-lookup
    XGS3-42000R(config)#dns-server 219.240.250.101
    XGS3-42000R(config)#dns-server 2001::1
    XGS3-42000R#ping host www.sina.com.cn
    XGS3-42000R#traceroute host www.sina.com.cn
    XGS3-42000R#telnet host www.sina.com.cn
    Switch configuration for DNS SERVER:
    XGS3-42000R(config)#ip domain-lookup
    XGS3-42000R(config)#dns-server 219.240.250.101
    XGS3-42000R(config)#dns-server 2001::1
    XGS3-42000R(config)#ip dns server...
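The following Python script is an added example, not code from the manual or from PLANET, that shows the resolution step behind `ping host www.sina.com.cn` in 65.1 and 65.3: it builds a DNS query for an A or AAAA record, decodes a reply including RFC 1035 name compression, and accepts the reply only after checking the things a resolver (and a switch acting as a DNS server that caches answers) must check so that a forged reply cannot poison its cache: the transaction ID, the QR bit and RCODE, the echoed question, and that each address record is for the name that was asked. The server side is a constructed stand-in so the example runs offline; the server address 219.240.250.101 and the IPv6 address 2001::1 are the ones from the page's figure, reused here as sample answers.

```python
import ipaddress
import struct

QTYPE = {"A": 1, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Wire form of a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a name at off, following 0xC0 compression pointers; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier occurrence of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid: int, name: str, qtype: str) -> bytes:
    """Standard recursive query (RD=1) with a single question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def build_response(query: bytes, answers, ttl: int = 300) -> bytes:
    """CONSTRUCTED reply standing in for the DNS server: echoes the question and
    answers with A/AAAA records whose owner name is a pointer to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    rrs = b""
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        rrs += struct.pack("!HHHIH", 0xC00C, 1 if ip.version == 4 else 28, 1, ttl, len(ip.packed)) + ip.packed
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0) + query[12:qend + 4] + rrs


def parse_response(query: bytes, response: bytes):
    """Accept a reply only if its ID, QR bit, RCODE and echoed question match the
    query we sent; return the addresses answered for exactly that name and type."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    if flags & 0x0200:
        raise ValueError("truncated reply; retry over TCP")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    if qd != 1:
        raise ValueError("unexpected question count")
    qname, off = decode_name(response, 12)
    qtype, qclass = struct.unpack("!HH", response[off:off + 4])
    off += 4
    sent_name, sent_off = decode_name(query, 12)
    if (qname.lower(), qtype, qclass) != (sent_name.lower(),) + struct.unpack("!HH", query[sent_off:sent_off + 4]):
        raise ValueError("echoed question does not match the query")
    addrs = []
    for _ in range(an):
        name, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if name.lower() != qname.lower():
            continue  # records for other names are not trusted from this answer
        if rtype == qtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == qtype == 28 and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(rdata)))
    return addrs


if __name__ == "__main__":
    q = build_query(0x1A2B, "www.sina.com.cn", "A")
    print(parse_response(q, build_response(q, ["219.240.250.101"])))
```

A real client also randomizes the transaction ID and the UDP source port per query; with only the 16-bit ID checked, a forged reply has a 1 in 65536 chance per guess, which is why the port must be unpredictable too.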
  • Page 568: Chapter 66 Monitor And Debug

    Chapter 66 Monitor and Debug When users configure the switch they need to verify that the configuration is correct and that the switch is operating as expected, and when a network failure occurs they need to diagnose the problem. The switch provides various debug commands for this, including ping, telnet, show and debug.
  • Page 569: Show

    each time it discovers another router; Traceroute6 repeats this until a datagram reaches the destination. For the options and parameters of the Traceroute6 command, refer to the traceroute6 command chapter in the command manual. 66.5 Show The show command displays information about the system, the ports and protocol operation.
  • Page 570: System Log

    66.7 System log 66.7.1 System Log Introduction The system log takes all information output under its control and catalogues it in detail so that the information can be selected effectively. Combined with the debug facilities, it gives network administrators and developers powerful support for monitoring the operating state of the network and locating network failures.
  • Page 571 66.7.1.2 Format and Severity of the Log Information The log information format is compatible with the BSD syslog protocol, so the log can be recorded and analysed by the syslog daemon on UNIX/Linux as well as by similar syslog applications on a PC. Log information is classified into eight severity levels according to severity or urgency.
  • Page 572: System Log Configuration

    66.7.2 System Log Configuration System Log Configuration Task Sequence: 1. Display and clear the log buffer 2. Configure the log host output channel Display and clear the log buffer Command Description Admin Mode show logging buffered [ level {critical | warnings} | range <begin-index>... Show detailed log information in ...
  • Page 573: System Log Configuration Example

    66.7.3 System Log Configuration Example Example 1: The IPv4 address of the switch on the management VLAN is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5. Log information with a severity of warnings or higher is to be sent to this log server and recorded under the log facility local1.
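The following Python script is an added example, not code from the manual or from PLANET, that makes the BSD syslog compatibility of 66.7.1.2 and the rule of Example 1 concrete: it computes and decodes the PRI value (facility * 8 + severity) that precedes every BSD syslog line, parses the line format a collector on 100.100.100.5 would receive, and applies the "warnings or higher, facility local1" selection to a few constructed log lines. The severity and facility codes are those of RFC 3164; the sample lines and their message texts are made up and are not real output of the switch.

```python
import re

# Numeric codes from the BSD syslog protocol (RFC 3164); the page's "critical"
# and "warnings" keywords correspond to codes 2 and 4.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "syslog": 5, **{f"local{i}": 16 + i for i in range(8)}}

# <PRI>TIMESTAMP HOSTNAME MSG, TIMESTAMP being "Mmm dd hh:mm:ss" with a space-padded day
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local1.warning is 17 * 8 + 4 = 140."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_line(facility: str, severity: str, timestamp: str, host: str, message: str) -> str:
    return f"<{pri(facility, severity)}>{timestamp} {host} {message}"


def parse_line(line: str) -> dict:
    """Split a BSD syslog line into its fields and recover facility and severity from PRI."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    p = int(m["pri"])
    if p > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI %d out of range" % p)
    facility, severity = divmod(p, 8)
    return {"facility": facility, "severity": severity, "timestamp": m["ts"], "host": m["host"], "message": m["msg"]}


def select_for_host(lines, threshold: str = "warning", facility: str = "local1"):
    """Lines that satisfy Example 1: severity at least 'threshold' (numerically <= its
    code, since 0 is the most severe) and logged under 'facility'."""
    limit, fac = SEVERITY[threshold], FACILITY[facility]
    selected = []
    for line in lines:
        fields = parse_line(line)
        if fields["severity"] <= limit and fields["facility"] == fac:
            selected.append(line)
    return selected


# Constructed sample lines (not from the manual), as the switch at 100.100.100.1 might emit them.
SAMPLE_LINES = [
    format_line("local1", "warning", "Apr 12 10:00:01", "100.100.100.1", "Interface Ethernet1/3 link down"),
    format_line("local1", "info", "Apr 12 10:00:02", "100.100.100.1", "Configured from console by admin"),
    format_line("local1", "crit", "Apr 12 10:00:03", "100.100.100.1", "VRRP 1 on Vlan1 changed state to Master"),
    format_line("local7", "alert", "Apr 12 10:00:04", "100.100.100.1", "Temperature threshold exceeded"),
]

if __name__ == "__main__":
    for line in select_for_host(SAMPLE_LINES):
        print(line)
```

On the collector side the same PRI arithmetic is what lets a rule such as `local1.warning` in a syslog daemon match these lines; a line whose PRI decodes to an unexpected facility is worth alerting on, since it means either a misconfigured device or something other than the switch writing to the log host.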
  • Page 574: Chapter 67 Reload Switch After Specified Time

    Chapter 67 Reload Switch after Specified Time 67.1 Introduction to Reload Switch after Specified Time Reloading the switch after a specified time means rebooting the switch, without powering it off, after a specified period; this is usually done when upgrading the switch software. The switch can then be rebooted after a delay instead of immediately after the new version has been loaded successfully.
  • Page 575: Chapter 68 Debugging And Diagnosis For Packets Received And Sent By Cpu

    Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU 68.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU The following commands are used to debug and diagnose the packets received and sent by the CPU, and are intended to be used with the help of technical support.
  • Page 576: Chapter 69 Switch Operation

    Chapter 69 SWITCH OPERATION 69.1 Address Table The switch maintains an address table composed of many entries. Each entry stores the address information of a node in the network, including its MAC address and port number. This information comes from the learning process of the Ethernet switch.
  • Page 577: Auto-Negotiation

    69.5 Auto-Negotiation The STP ports on the switch have built-in "auto-negotiation". This technology automatically sets the best possible bandwidth when a connection is established with another network device (usually at power-on or reset). It does so by detecting the modes and speeds both devices support at the moment they are connected; both 10Base-T and 100Base-TX devices can connect to the port in either half- or full-duplex mode.
  • Page 578: Chapter 70 Trouble Shooting

    Chapter 70 TROUBLE SHOOTING This chapter contains information to help you solve problems. If the Ethernet switch is not functioning properly, make sure it was set up according to the instructions in this manual. The Link LED is not lit Solution: Check the cable connection and remove the duplex mode of the Ethernet switch. Some stations cannot talk to other stations located on the other port...
  • Page 579: Chapter 71 Appendex A

    Chapter 71 APPENDIX A 71.1 A.1 Switch's RJ-45 Pin Assignments 1000Mbps, 1000Base-T
    Contact  MDI     MDI-X
    1        BI_DA+  BI_DB+
    2        BI_DA-  BI_DB-
    3        BI_DB+  BI_DA+
    4        BI_DC+  BI_DD+
    5        BI_DC-  BI_DD-
    6        BI_DB-  BI_DA-
    7        BI_DD+  BI_DC+
    8        BI_DD-  BI_DC-
    Implicit implementation of the crossover function within a twisted-pair cable, or at a wiring panel, while not expressly forbidden, is beyond the scope of this standard.
  • Page 580 The standard RJ-45 receptacle/connector There are 8 wires in a standard UTP/STP cable and each wire is colour-coded. The following shows the pin allocation and colours of straight-cable and crossover-cable connections: Straight Cable SIDE 1 / SIDE 2: 1 = White / Orange, 1 = White / Orange; 2 = Orange...
  • Page 581: Chapter 72 Glossary

    Chapter 72 GLOSSARY Bandwidth Utilization The percentage of packets received over time as compared to overall bandwidth. BOOTP Boot protocol used to load the operating system for devices connected to the network. Distance Vector Multicast Routing Protocol (DVMRP) A distance-vector-style routing protocol used for routing multicast datagrams through the Internet.
  • Page 582 IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging: defines Ethernet frame tags which carry VLAN information. It allows switches to assign end-stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 583 Multicast Switching A process whereby the switch filters incoming multicast frames for services no attached host has registered for, or forwards them to all ports contained within the designated multicast VLAN group. Open Shortest Path First (OSPF) OSPF is a link-state routing protocol that functions better over a larger network such as the Internet, as opposed to distance-vector routing protocols such as RIP.
  • Page 584 Telnet Defines a remote communication facility for interfacing to a terminal device over TCP/IP. Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads. Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network.
  • Page 585: Ec Declaration Of Conformity

    *Model Number: XGS3-42000R * Produced by: Manufacturer's Name: Planet Technology Corp. Manufacturer's Address: 11F, No 96, Min Chuan Road, Hsin Tien, Taipei, Taiwan, R.O.C. is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive on (89/336/EEC).