Do not dispose of WEEE as unsorted municipal waste; such WEEE must be collected separately.

Revision
PLANET 4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch User's Manual
FOR MODEL: XGS3-42000R
REVISION: 1.0 (APRIL 2010)
Part No: EM-XGS3-42000R (2081-A96040-000)

Contents
CHAPTER 1 INTRODUCTION OF XGS3-42000R .......... 1-1
1.1 Packet Contents .......... 1-1
1.2 Product Description .......... 1-2
1.3 Product Features .......... 1-3
1.4 Product Specification .......... 1-5
1.4.1 XGS3-42000R Specification .......... 1-5
1.4.2 Management Module Specification .......... 1-6
1.4.3 Standard Ethernet Module Specification ..........
4.2.1 Telnet .......... 4-1
4.2.2 SSH .......... 4-3
4.3 Configure Chassis Switch IP Addresses .......... 4-4
4.3.1 Chassis Switch IP Addresses Configuration Task List .......... 4-4
4.4 SNMP Configuration .......... 4-7
4.4.1 Introduction to SNMP .......... 4-7
4.4.2 Introduction to MIB ..........
9.1 Introduction to Loopback Detection Function .......... 9-3
9.2 Loopback Detection Function Configuration .......... 9-3
9.3 Loopback Detection Function Example .......... 9-5
9.4 Loopback Detection Troubleshooting .......... 9-5
CHAPTER 10 ULDP FUNCTION CONFIGURATION .......... 10-5
10.1 Introduction to ULDP Function ..........
14.2.4 GVRP Troubleshooting .......... 14-10
14.3 Dot1q-tunnel Configuration .......... 14-10
14.3.1 Introduction to Dot1q-tunnel .......... 14-10
14.3.2 Dot1q-tunnel Configuration .......... 14-11
14.3.3 Typical Applications of the Dot1q-tunnel .......... 14-12
14.4 VLAN-translation Configuration .......... 14-13
14.4.1 Introduction to VLAN-translation .......... 14-13
14.4.2 VLAN-translation Configuration .......... 14-13
14.4.3 Typical Application of VLAN-translation .......... 14-14
14.4.4 VLAN-translation Troubleshooting .......... 14-15
14.5 D...
17.1.1 QoS Terms .......... 17-1
17.1.2 QoS Implementation .......... 17-2
17.1.3 Basic QoS Model .......... 17-2
17.2 QoS Configuration .......... 17-5
17.3 QoS Example .......... 17-9
17.4 QoS Troubleshooting .......... 17-12
CHAPTER 18 PBR CONFIGURATION .......... 18-1
18.1 Introduction to PBR .......... 18-1
18.2 PBR Configuration ..........
21.5 ARP .......... 21-19
21.5.1 Introduction to ARP .......... 21-19
21.5.2 ARP Configuration Task List .......... 21-19
21.5.3 ARP Troubleshooting .......... 21-21
CHAPTER 22 ARP SCANNING PREVENTION FUNCTION CONFIGURATION .......... 22-1
22.1 Introduction to ARP Scanning Prevention Function .......... 22-1
22.2 ARP S...
CHAPTER 28 DHCP CONFIGURATION .......... 28-1
28.1 Introduction to DHCP .......... 28-1
28.2 DHCP Server Configuration .......... 28-2
28.3 DHCP Relay Configuration .......... 28-4
28.4 DHCP Configuration Examples .......... 28-5
28.5 DHCP Troubleshooting .......... 28-7
CHAPTER 29 DHCPV6 CONFIGURATION ..........
32.3 DHCP Snooping Typical Application .......... 32-4
32.4 DHCP Snooping Troubleshooting .......... 32-5
32.4.1 Monitor and Debug Information .......... 32-5
32.4.2 DHCPv6 Snooping Troubleshooting Help .......... 32-5
CHAPTER 33 ROUTING PROTOCOL OVERVIEW .......... 33-1
33.1 Routing Table .......... 33-1
33.2 IP R...
37.4 OSPF Troubleshooting .......... 37-18
CHAPTER 38 OSPFV3 .......... 38-1
38.1 Introduction to OSPFv3 .......... 38-1
38.2 OSPFv3 Configuration .......... 38-4
38.3 OSPFv3 Examples .......... 38-7
38.4 OSPFv3 Troubleshooting .......... 38-10
CHAPTER 39 BGP .......... 39-1
39.1 Introduction to BGP ..........
CHAPTER 43 IPV4 MULTICAST PROTOCOL .......... 43-1
43.1 IP Multicast Protocol Overview .......... 43-1
43.1.1 Introduction to Multicast .......... 43-1
43.1.2 Multicast Address .......... 43-1
43.1.3 IP Multicast Packet Transmission .......... 43-3
43.1.4 IP Multicast Application .......... 43-3
43.2 PIM-DM .......... 43-3
43.2.1 Introduction to PIM-DM ..........
43.8.3 DCSCM Configuration Examples .......... 43-41
43.8.4 DCSCM Troubleshooting .......... 43-42
43.9 IGMP .......... 43-42
43.9.1 Introduction to IGMP .......... 43-42
43.9.2 IGMP Configuration Task List .......... 43-44
43.9.3 IGMP Configuration Examples .......... 43-46
43.9.4 IGMP Troubleshooting .......... 43-47
43.10 IGMP Snooping .......... 43-47
43.10.1 Introduction to IGMP Snooping .......... 43-47
43.10.
CHAPTER 48 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP CONFIGURATION .......... 48-1
48.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP .......... 48-1
48.2 The Number Limitation Function of Port, MAC in VLAN and IP Configuration...
CHAPTER 53 SSL CONFIGURATION .......... 53-1
53.1 Introduction to SSL .......... 53-1
53.1.1 Basic Element of SSL .......... 53-1
53.2 SSL Configuration .......... 53-2
53.3 SSL Typical Example .......... 53-3
53.4 SSL Troubleshooting .......... 53-4
CHAPTER 54 IPV6 SECURITY RA CONFIGURATION ..........
58.3 VRRP Typical Examples .......... 58-3
58.4 VRRP Troubleshooting .......... 58-4
CHAPTER 59 IPV6 VRRPV3 CONFIGURATION .......... 59-1
59.1 Introduction to VRRPv3 .......... 59-1
59.1.1 The Format of VRRPv3 Message .......... 59-2
59.1.2 VRRPv3 Working Mechanism ..........
64.1 Introduction to NTP Function .......... 64-1
64.2 NTP Function Configuration .......... 64-1
64.3 Typical Examples of NTP Function .......... 64-3
64.4 NTP Function Troubleshooting .......... 64-4
CHAPTER 65 DNSV4/V6 CONFIGURATION .......... 65-1
65.1 Introduction to DNS ..........
Thank you for purchasing the XGS3-42000R, a 4-Slot Layer 3 IPv6/IPv4 Routing Chassis Switch. The term “Chassis Switch” means the XGS3-42000R named on the cover page of this User’s Manual. Open the box of the Chassis Switch and carefully unpack it. Check the contents of your package for the following parts: ...
The XGS3-42000R is a High-Density Chassis-based Routing Switch built with 4 module slots and redundant power supply. It provides great porting flexibility for network deployment by offering various and combinable management modules and standard interfaces.
1.3 Product Features

Hardware and Performance
4 open module slots design:
− 2 Management Modules with 2 Standard Ethernet Modules
− 1 Management Module with 3 Standard Ethernet Modules
Up to 188-Port Gigabit copper / 156-Port Gigabit SFP / 13-Port 10G XFP
...

Support VLAN
− IEEE 802.1Q Tagged VLAN
− Up to 4K VLAN groups, out of 4041 VLAN IDs
− Provider Bridging (VLAN Q-in-Q) support (IEEE 802.1ad)
− GVRP protocol for VLAN Management
− Private VLAN Edge (PVE)
...
Operating Temperature: 0°C~40°C
Relative Humidity
Power Input: AC 100~240V, 50~60 Hz
Power Consumption: ≤400W

1.4.2 Management Module Specification

XGS3-42000R Management Module
Product: XGS3-M24GX / XGS3-M44G

Hardware Specification
Copper Ports: 24 x 10/100/1000Base-T RJ-45 (XGS3-M24GX) / 44 x 10/100/1000Base-T RJ-45 (XGS3-M44G)
...

LED: 10/100/1000M LNK/ACT, 10/100/1000M LNK/ACT, 1000M LNK/ACT, 10G LNK/ACT
Dimension: 339 x 357 x 43mm (W x D x H)

IPv4 Layer 3 functions
IP Routing Protocol: Static Route, RIPv1/v2, OSPFv2, BGP4
Policy-Based Routing (PBR)
LPM Routing (MD5 authentication)
Multicast Routing Protocol: IGMPv1/2/3, DVMRP, PIM-DM/SM, PIM-SSM
...
- DSCP/TOS field in IP Packet
- Policy-based DiffServ

IGMP v1/v2/v3 Snooping
IGMP Proxy
IGMP Querier mode support
MLDv1/v2, MLD v1/v2 Snooping

Access Control List
Support Standard and Expanded ACL
IP-Based ACL / MAC-Based ACL
Time-Based ACL
ACL Pool can be used for QoS classification
...

IEEE 802.1s Multiple Spanning Tree Protocol
IEEE 802.1p Class of Service
IEEE 802.1Q VLAN Tagging
IEEE 802.1x Port Authentication Network Control
IEEE 802.1ab LLDP

1.4.3 Standard Ethernet Module Specification

XGS3-42000R Standard Ethernet Module
Product: XGS3-S24G / XGS3-S48G / XGS3-S48GF / XGS3-S4XG
...
XFP/mini-GBIC slots: 10GBase-SR/LR XFP slots (XGS3-S4XG)
Switch Fabric: 68Gbps (XGS3-S24G) / 96Gbps (XGS3-S48G) / 96Gbps (XGS3-S48GF) / 40Gbps (XGS3-S4XG)
Throughput: 50Mpps@64Bytes (XGS3-S24G) / 71Mpps@64Bytes (XGS3-S48G) / 71Mpps@64Bytes (XGS3-S48GF) / 59Mpps@64Bytes (XGS3-S4XG)
LED: System: PWR, RUN; Ports: 10/100/1000M LNK/ACT (XGS3-S24G, XGS3-S48G), 1000M LNK/ACT (XGS3-S48GF), 10G LNK/ACT (XGS3-S4XG)
Dimension: 339 x 357 x 43mm (W x D x H)

Standards Conformance
Regulation: FCC Part 15 Class A, CE...
The unit front panel provides a simple interface for monitoring the XGS3-42000R Chassis Switch. Figure 2-1-1 shows the front panel of the Chassis Switch.

XGS3-42000R Front Panel
Figure 2-1-1 XGS3-42000R front panel

■ Power slots
Used for system power supply modules; supports up to two 400W AC modules (XGS3-PWR-AC).

Slot 2~4 support standard modules such as the XGS3-S4XG, XGS3-S24G, XGS3-S48G and XGS3-S48GF.

■ Fan tray slot
Supports one system fan assembly; each assembly consists of four axial fans.

The unit rear panel provides a simple interface for monitoring the XGS3-42000R Chassis Switch. Figure 2-1-2 shows the rear panel of the Chassis Switch.

2.1.2 Management Module Hardware Description

2.1.2.1 XGS3-M24GX
The unit front panel provides a simple interface for monitoring the XGS3-M24GX Management Module. Figure 2-1-3 shows the front panel of the Management Module.

XGS3-M24GX Front Panel
Figure 2-1-3 XGS3-M24GX front panel

■ Gigabit TP interface
10/100/1000Base-T Copper, RJ-45 Twisted-Pair: up to 100 meters.
XGS3-M24GX LED indication
Figure 2-1-4 XGS3-M24GX LED panel

■ System
Color: Function
Green, lit: the Management Module has power. Off: the Management Module is powered off.
Green, blinking slowly: the Management Module is running in normal status. Blinking fast: the system is loading (Management Module booting after hot plug-in).
■ XFP interface
Color: Function
Green, lit: the link through that port is successfully established at 10Gbps, with no data going through the port.
Green, blinking: the Management Module is actively sending or receiving data over that port.

2.1.2.2 XGS3-M44G
The unit front panel provides a simple interface for monitoring the XGS3-M44G Management Module.
XGS3-M44G LED indication
Figure 2-1-6 XGS3-M44G LED panel

■ System
Color: Function
Green, lit: the Management Module has power. Off: the Management Module is powered off.
Green, blinking slowly: the Management Module is running in normal status. Blinking fast: the system is loading (Management Module booting after hot plug-in).

2.1.3 Standard Ethernet Module Hardware Description

2.1.3.1 XGS3-S24G
The unit front panel provides a simple interface for monitoring the XGS3-S24G Standard Ethernet Module. Figure 2-1-7 shows the front panel of the Standard Ethernet Module.

XGS3-S24G Front Panel
Figure 2-1-7 XGS3-S24G front panel
■...
■ 10/100/1000Base-T interfaces
Color: Function
LNK/ACT
Green, lit: the link through that port is successfully established at 10/100/1000Mbps, with no data going through the port.
Yellow: the Standard Ethernet Module is actively sending or receiving data over that port.
■...
■ 10/100/1000Base-T interfaces
Color: Function
LNK/ACT
Green, lit: the link through that port is successfully established at 10/100/1000Mbps, with no data going through the port.
Yellow: the Standard Ethernet Module is actively sending or receiving data over that port.

2.1.3.3 XGS3-S48GF
The unit front panel provides a simple interface for monitoring the XGS3-S48GF Standard Ethernet Module.
The unit front panel provides a simple interface for monitoring the XGS3-S4XG Standard Ethernet Module. Figure 2-1-13 shows the front panel of the Standard Ethernet Module.

XGS3-S4XG Front Panel
Figure 2-1-13 XGS3-S4XG front panel

■ 10 Gigabit XFP slots
10GBase-SR/LR mini-GBIC slot, XFP (10 Gigabit Small Form Factor Pluggable) transceiver module: from 300 meters (multi-mode fiber) up to 10 kilometers (single-mode fiber).

2.1.4 AC Power Supply Module Hardware Description
The unit front panel provides a simple interface for monitoring the XGS3-PWR-AC AC Power Supply Module. Figure 2-1-15 shows the front panel of the AC Power Supply Module.

XGS3-PWR-AC Front Panel
Figure 2-1-15 XGS3-PWR-AC front panel

The front panel LEDs indicate the instant power status (fault or good), which helps with monitoring and troubleshooting when needed.

2.2 Install the Chassis Switch
This section describes how to install your Chassis Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Chassis Switch on a desktop or shelf, simply complete the following steps. During installation, take care to avoid dropping or knocking the unit, which may damage the device.

Step 4: Supply power to the Chassis Switch. Connect one end of the power cable to the Chassis Switch. Connect the power plug of the power cable to a standard wall outlet.

2.2.2 Rack Mounting
To install the Chassis Switch in a 19-inch standard rack, please follow the instructions described below.
Step 1: Place the Chassis Switch on a hard flat surface, with the front panel positioned towards the front side.

Chassis Switch.

2.2.3 Chassis Switch Grounding
A good grounding system is the groundwork for the smooth and safe operation of the XGS3-42000R, and an excellent way to prevent lightning strikes and resistance interference. Please follow the XGS3-42000R grounding specification instructions, verify the installation site’s grounding condition and ensure proper...
Ground resistance value should be less than 1 ohm. The XGS3-42000R provides a chassis grounding post in the lower rear of the chassis, marked “GND”. Chassis protection grounding should be properly connected to the rack grounding connector...

Insert the optional module into the slot; you can use the metal handle on the front plate of the module to ensure good contact. Then lock the module with the panel fasteners on the front plate as shown in Figure 2-2-5.
Figure 2-2-5 Insert the optional module into the slot of XGS3-42000R

2.2.5 Removing / Installing the Dust Gauze
Dust gauze is provided in the right section of the XGS3-42000R and can be installed and removed from the back of the XGS3-42000R. The dust gauze is meant to prevent large debris or particles in the air from being ingested into the switch.

XGS3-42000R. Please slide in the PWR-AC module first before plugging in the rear power cord. To remove a power supply unit from the XGS3-42000R, loosen the hand screw counterclockwise and pull the power supply unit out of the XGS3-42000R.

Figure 2-2-8 Installing and Removing the Power Supply Unit

2.2.8 Installing the SFP / XFP Transceiver
This section describes how to insert an SFP / XFP transceiver into an SFP / XFP slot. The SFP / XFP transceivers are hot-pluggable and hot-swappable. You can plug the transceiver into or out of any SFP / XFP port without having to power down the Chassis Switch.
Figure 2-2-10 Plug-in the XFP transceiver

Approved PLANET SFP Transceivers
The PLANET Chassis Switch supports both single-mode and multi-mode SFP transceivers. The following list of approved PLANET SFP transceivers is correct at the time of publication:
Gigabit SFP Transceiver modules:
■...
To connect to a 1000Base-LX SFP transceiver, use single-mode fiber cable; one side must be a male duplex LC connector.

Approved PLANET XFP Transceivers
The PLANET Chassis Switch supports both single-mode and multi-mode XFP transceivers. The following list of approved PLANET XFP transceivers is correct at the time of publication:
Gigabit SFP Transceiver modules:
■...
Figure 2-2-11 Pull out the SFP / XFP transceiver

Never pull out the module without pulling the handle or the push bolts on the module. Pulling the module out forcibly could damage the module and the SFP / XFP module slot of the Chassis Switch.

Chapter 3 Chassis Switch Management

3.1 Management Options
After purchasing the Chassis Switch, the user needs to configure the Chassis Switch for network management. The Chassis Switch provides two management options: in-band management and out-of-band management.

IMPORTANT! The Chassis Switch is shipped without an IP address assigned by default. The user must assign an IP address to the Chassis Switch via the Console interface to be able to remotely access the Chassis Switch through Telnet or HTTP.
installed, such as HyperTerminal included in Windows 9x/NT/2000/XP.
Serial port cable: one end attached to the RS-232 serial port, the other end to the Console port.
Chassis Switch: functional Console port required.

Step 2: Entering the HyperTerminal
Open the HyperTerminal included in Windows after the connection is established.
Figure 3-1-3 Opening HyperTerminal
3) In the “Connecting using” drop-down list, select the RS-232 serial port used by the PC, e.g. COM1, and click “OK”.
Figure 3-1-4 Opening HyperTerminal
4) The COM1 property dialog appears; select “9600” for “Baud rate”, “8” for “Data bits”, “none” for “Parity checksum”, “1” for stop bit and “none”...
Figure 3-1-5 Opening HyperTerminal

Step 3: Entering the switch CLI interface
Power on the switch; the following appears in the HyperTerminal window, which is the CLI configuration mode for the Chassis Switch.

Testing RAM...
134,217,728 RAM OK.
Initializing...
Attaching to file system ... done.
Loading flash:/nos.img ...
25 Ethernet/IEEE 802.3 interface(s)
Discovered modules:
--------------------Slot : 1--------------------
Module type: XGS3-M24GX
Work mode: ACTIVE MASTER
Hardware version:
Bootrom version: 2.2.1
Serial number: N091600096
Manufacture date: 2009/04/21
--------------------Slot : 2--------------------
Module type: XGS3-S24G
Work mode: SLAVE
Hardware version:
Bootrom version: 2.1.0
Serial number:...

3.1.2 In-band Management
In-band management refers to managing the Chassis Switch by logging in with Telnet or HTTP, or by using SNMP management software to configure it. In-band management makes it possible to manage the Chassis Switch from devices attached to it. If in-band management fails due to Chassis Switch configuration changes, out-of-band management can be used for configuring and managing the Chassis Switch.
The IP address configuration commands for the VLAN1 interface are listed below. Before in-band management, the switch must be configured with an IP address by out-of-band management (i.e. Console mode); the configuration commands are as follows (all switch configuration prompts are assumed to be “XGS3-42000R” hereafter if not otherwise specified):
XGS3-42000R>

XGS3-42000R>enable
XGS3-42000R#config
XGS3-42000R(config)#username test privilege 15 password 0 test
XGS3-42000R(config)#authentication line vty login local

Enter a valid login name and password in the Telnet configuration interface, and the Telnet user will be able to enter the switch’s CLI configuration interface. The commands used in the Telnet CLI interface after login are the same as those in the Console interface.
management chapter. To enable the WEB configuration, users should type the CLI command ip http server in Global Mode as below:
XGS3-42000R>enable
XGS3-42000R#config
XGS3-42000R(config)#ip http server

Step 2: Run the HTTP protocol on the host. Open the Web browser on the host and type the IP address of the Chassis Switch, or run the HTTP protocol directly on Windows.
Figure 3-1-10 Web Login Interface
Input the correct username and password, and the main Web configuration interface is shown as below.
Figure 3-1-11 Main Web Configuration Interface
When configuring the Chassis Switch, the name of the Chassis Switch is composed of English letters.

3.1.2.3 Manage the Chassis Switch via SNMP Network Management Software
The prerequisites for SNMP network management software to manage Chassis Switches are:
1) IP addresses are configured on the Chassis Switch;
2) The IP address of the client host and that of the VLAN interface on the switch it belongs to should be in the same segment;
...

On entering the CLI interface, the user enters the user entry system first. A common user defaults to User Mode. The prompt shown is “XGS3-42000R>”; the symbol “>” is the prompt for User Mode. When the exit command is run under Admin Mode, it also returns to User Mode.

3.2.1.3 Global Mode
Typing the config command under Admin Mode enters Global Mode, with the prompt “XGS3-42000R(config)#”. Using the exit command under other configuration modes such as Port Mode or VLAN Mode returns to Global Mode. The user can perform global configuration settings under Global Mode, such as MAC Table, Port Mirroring, VLAN creation, IGMP Snooping start and STP, etc.
ACL Mode: ACL type / Entry / Operates / Exit
Standard IP ACL Mode: Type the ip access-list standard command under Global Mode. Configure parameters for Standard IP ACL Mode. Use the exit command to return to Global Mode.
Extended IP ACL Mode: Type the ip access-list command ... Configure parameters ... Use the exit ...

Left “←”: The cursor moves one character to the left. You can use the Left and Right keys to modify an entered command.
Right “→”: The cursor moves one character to the right.
Ctrl+p: The same as the Up key “↑”.
The same as the Down key “...

3.2.5 Input Verification
3.2.5.1 Returned Information: success
All commands entered through the keyboard undergo a syntax check by the Shell. Nothing is returned if the user entered a correct command under the corresponding mode and the execution is successful.
Returned Information: error
Output error message / Explanation
Unrecognized command or illegal...

Chapter 4 Basic Chassis Switch Configuration
4.1 Basic Configuration
Basic Chassis Switch configuration includes commands for entering and exiting Admin Mode, commands for entering and exiting Interface Mode, for configuring and displaying the Chassis Switch clock, for displaying the version information of the Chassis Switch system, etc.
Command / Explanation
Normal User Mode / Admin Mode...
When the Chassis Switch is used as a Telnet server, the user can use the Telnet client program included in Windows or other operating systems to log in to the Chassis Switch, as described earlier in the In-band Management section. As a Telnet server, the Chassis Switch allows up to 5 Telnet client TCP connections. As a Telnet client, the telnet command under Admin Mode allows the user to log in to other remote hosts.

Command / Explanation
Admin Mode
telnet {<ip-addr> | <ipv6-addr> | host <hostname>} [<port>]: Log in to a remote host with the Telnet client included in the Chassis Switch.

4.2.2 SSH
4.2.2.1 Introduction to SSH
SSH (Secure Shell) is a protocol which ensures a secure remote access connection to network devices. It is based on the reliable TCP/IP protocol.

terminal monitor / no terminal monitor: Display SSH debug information on the SSH client side; the “no terminal monitor” command stops displaying SSH debug information on the SSH client side.

4.2.2.3 Typical SSH Server Configuration
Example 1:
Requirement: Enable the SSH server on the Chassis Switch, and run SSH 2.0 client software such as Secure Shell Client or PuTTY on the terminal.
1. Enable VLAN port mode
Command / Explanation
Global Mode
interface vlan <vlan-id> / no interface vlan <vlan-id>: Create a VLAN interface (layer 3 interface); the “no interface vlan <vlan-id>” command deletes the VLAN interface.

2. Manual configuration
Command / Explanation
VLAN Port Mode
ip address <ip_address>...
4. DHCP configuration
Command / Explanation
VLAN Port Mode
ip bootp-client enable / no ip bootp-client enable: Enable the switch to be a DHCP client and obtain the IP address and gateway address through DHCP negotiation; the “no ip bootp-client enable” command disables the DHCP client function.

4.4 SNMP Configuration
4.4.1 Introduction to SNMP
SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 [RFC1157] is the first version of SNMP, adopted by vast numbers of manufacturers for its simplicity and easy implementation; SNMP v2c is an enhanced version of SNMP v1, which supports layered network management;...
4.4.2 Introduction to MIB
The network management information accessed by the NMS is well defined and organized in a Management Information Base (MIB). The MIB is pre-defined information which can be accessed by network management protocols. It is in a layered and structured form. The pre-defined management information can be obtained from monitored network devices.

4.4.3 Introduction to RMON
RMON is the most important expansion of standard SNMP. RMON is a set of MIB definitions used to define standard network monitor functions and interfaces, enabling communication between SNMP management terminals and remote monitors. RMON provides a highly efficient method to monitor actions inside the subnets.
{<ipv6-num-std>|<ipv6-name>}] [read <read-view-name>] [write <write-view-name>]
no snmp-server community <string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]

3. Configure IP address of SNMP management base
Command / Explanation
Global Mode
snmp-server securityip {<ipv4-addr> | <ipv6-addr>...: Configure the secure IPv4/IPv6 address which is...

6. Configure group
Command / Explanation
Global Mode
snmp-server group <group-string> {noauthnopriv|authnopriv|authpriv} [[read <read-string>] [write <write-string>] [notify <notify-string>]] [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]
no snmp-server group <group-string>...
Set the group information on the Chassis Switch. This command is used to configure VACM for SNMP...
The IP address of the NMS is 1.1.1.5; the IP address of the Chassis Switch XGS3-42000R (Agent) is 1.1.1.9.
Scenario 1: The NMS network administrative software uses the SNMP protocol to obtain data from the Chassis Switch. The configuration on the Chassis Switch is listed below:...

Chassis Switch with read-only permission.
Scenario 6: The NMS will receive Trap messages from the Chassis Switch XGS3-42000R (Note: the NMS may have community string verification for the Trap messages. In this scenario, the NMS uses a Trap verification community string of dcstrap).

4.5 Switch Upgrade
The Chassis Switch provides two ways for switch upgrade: Boot ROM upgrade and TFTP/FTP upgrade under the Shell.

4.5.1 Chassis Switch System Files
The system files include the system image file and the boot file. Updating the Chassis Switch means updating these two files by overwriting the old files with the new ones.
operation result is shown below:
[Boot]:
Step 3: Under BootROM mode, run “setconfig” to set the IP address and mask of the Chassis Switch under BootROM mode, the server IP address and mask, and select TFTP or FTP upgrade. Suppose the Chassis Switch address is 192.168.1.2 and the PC address is 192.168.1.66, and TFTP upgrade is selected; the configuration should look like:
[Boot]: setconfig
Host IP Address: [10.1.1.1] 192.

File boot.rom exists, overwrite? (Y/N)?[N] y
Writing boot.rom………………………………………
Write boot.rom OK.
[Boot]:
Step 8: After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface.
[Boot]: run (or reboot)

Other commands in BootROM mode
1. DIR command
Used to list existing files in the FLASH.
management connection is maintained until data transfer is complete. Then, using the address and port number provided by the client, the server establishes a data connection on port 20 (if not engaged) to transfer data; if port 20 is engaged, the server automatically generates some other port number to establish the data connection. In a passive connection, the client, through the management connection, notifies the server to establish a passive connection.
Running configuration file: refers to the running configuration sequence used in the Chassis Switch. In the Chassis Switch, the running configuration file is stored in RAM. In the current version, the running configuration sequence running-config can be saved from RAM to FLASH by the write command or the copy running-config startup-config command, so that the running configuration sequence becomes the start-up configuration file; this is called configuration save.
ftp-dir <ftpServerUrl>: For the FTP client, the server file list can be checked. The FtpServerUrl format looks like: ftp://user:password@IPv4|IPv6 Address.

2. FTP server configuration
(1) Start FTP server
Command / Explanation
Global Mode
ftp-server enable / no ftp-server enable: Start the FTP server with support for IPv4 and IPv6; the no ftp-server enable command shuts down the FTP server and prevents...
tftp-server retransmission-number <number>: Set the number of retransmissions for the TFTP server.

4.5.3.3 FTP/TFTP Configuration Examples
The Chassis Switch configuration is the same for IPv4 addresses and IPv6 addresses; the example covers only the IPv4 address configuration.
Figure 4-5-2 Download nos.img file as FTP/TFTP client (Chassis Switch 10.1.1.2, FTP/TFTP server 10.1.1.1)
Scenario 1: The Chassis Switch is used as FTP/TFTP client.
The configuration procedures of the Chassis Switch are listed below:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#no shut
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#exit
XGS3-42000R#copy tftp://10.1.1.1/12_30_nos.img nos.img

Scenario 2: The Chassis Switch is used as FTP server.
The Chassis Switch operates as the FTP server and connects from one of its ports to a computer, which is an FTP client.
FTP Configuration
PC side: Start the FTP server software on the PC and set the username “Switch” and the password “Admin”.
Switch:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
XGS3-42000R(config-if-Vlan1)#no shut
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R#copy ftp://Switch:superuser@10.1.1.1
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
150 Opening ASCII mode data connection for nos.img.
226 Transfer complete.
close ftp client.

The following is the message displayed when files are successfully received. Otherwise, please verify link connectivity and retry the copy command.

220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
write ok
transfer complete
close tftp client.

If the Chassis Switch is upgrading the system file or system start-up file through TFTP, the Chassis Switch must not be restarted until “close tftp client” is displayed, indicating the upgrade is successful; otherwise the Chassis Switch may be rendered unable to start.

Chapter 5 File System Operations
5.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files).

4. The deletion of sub-directory
Command / Explanation
Admin Configuration Mode
rmdir <directory>: Delete a sub-directory in a designated directory on a certain device.

5. Changing the current working directory of the storage device
Command / Explanation
Admin Configuration Mode
cd <directory>: Change the current working directory of the storage device.

XGS3-42000R#copy flash:/nos.img flash:/nos-5.2.1.0.img
Copy flash:/nos.img to flash:/nos-5.2.1.0.img? [Y:N] y
Copyed file flash:/nos.img to flash:/nos-5.2.1.0.img.

5.4 Troubleshooting
If errors occur when users try to perform file system operations, please check whether they are caused by the following reasons ...

(member switches) through an intermediate XGS3-42000R (commander switch). A commander switch can manage multiple member switches. As soon as a public IP address is configured on the commander switch, all the member switches which are configured with private IP addresses can be managed remotely.
5. Remote cluster network management
   1) Remote configuration management
   2) Remotely upgrade member switch
   3) Reboot member switch
6. Manage cluster network with web
   1) Enable http
7. Manage cluster network with snmp
   1) Enable snmp server
1. Enable or disable cluster
Command (Global Mode)...
5. Configure attributes of the cluster in the candidate switch
Command (Global Mode): cluster keepalive interval <second>; no cluster keepalive interval
Explanation: Set the keep-alive interval of the cluster.
Command (Global Mode): cluster keepalive loss-count <int>; no cluster keepalive loss-count
Explanation: Set the number of lost keep-alive messages that can be tolerated in the cluster.
8. Manage cluster network with snmp
Command (Global Mode): snmp-server enable
Explanation: Enable the snmp server function in the commander switch and the member switch. Notice: the snmp server function must be enabled in the member switch when the commander switch visits the member switch by snmp. The commander switch visits the member switch via the configured character string...
6.4 Cluster Administration Troubleshooting
When encountering problems in applying the cluster admin, please check the following possible causes:
Whether the command switch is correctly configured and the auto adding function (cluster auto-add) is enabled.
Whether the ports connecting the command switch and the member switch belong to the cluster VLAN.
...
Chapter 7 Port Configuration
7.1 Introduction to Port
XGS3-42000R Chassis Switches contain cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface ethernet <interface-list> command to enter the appropriate Ethernet port configuration mode, where <interface-list>...
Command: mdi {auto | across | normal}; no mdi
Explanation: Sets the cable type for the specified port; this command is not supported by the combo ports and fiber ports of the Chassis Switch.
Command: speed-duplex {auto | force10-half | force10-full | force100-half | force100-full | force100-fx
Explanation: Sets the port speed and duplex mode of 100/1000Base-TX or 100Base-FX ports.
Switch1: Ingress bandwidth limit: 150 M
Switch2: Mirror source port 100Mbps full, mirror source port 1/10 1000Mbps full, mirror destination port
Switch3: 1/12 100Mbps full
The configurations are listed below:
Switch1:
Switch1(config)#interface ethernet 1/7
Switch1(Config-If-Ethernet1/7)#bandwidth control 50 both
Switch2:
Switch2(config)#interface ethernet 1/9
Switch2(Config-If-Ethernet1/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/9)#exit...
Chapter 8 Port Isolation Function Configuration
8.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function working in an inter-port way, which isolates the flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
4. Display the configuration of port isolation
Command (Admin Mode and Global Mode): show isolate-port group [<WORD>]
Explanation: Display the configuration of port isolation, including all configured port isolation groups and the Ethernet ports in each group.
8.3 Port Isolation Function Typical Examples
e1/15 Vlan...
Chapter 9 Port Loopback Detection Function Configuration
9.1 Introduction to Port Loopback Detection Function
With the development of Chassis Switches, more and more users begin to access the network through Ethernet switches. In enterprise networks, users access the network through layer-2 switches, which means urgent demands for both internet access and internal layer 2 interworking.
1. Configure the time interval of loopback detection
Command (Global Mode): loopback-detection interval-time <loopback> <no-loopback>; no loopback-detection interval-time
Explanation: Configure the time interval of loopback detection.
2. Enable the function of port loopback detection
Command (Port Mode): loopback-detection specified-vlan <vlan-list>; no loopback-detection specified-vlan
Explanation: Enable and disable the function of port loopback detection.
9.3 Port Loopback Detection Function Example
Figure 9-3-1 A typical example of port loopback detection (network topology around SWITCH)
As shown in the above configuration, the Chassis Switch will detect the existence of loopbacks in the network topology. After enabling the function of loopback detection on the port connecting the Chassis Switch with the outside network, the Chassis Switch will notify the connected network about the existence of a loopback, and control the port on the switch to guarantee the normal operation of the whole network.
10.1 Introduction to ULDP Function
A unidirectional link is a common error state of a link in networks, especially in fiber links. A unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former.
ULDP (Unidirectional Link Detection Protocol) can help avoid the disasters that could happen in the situations mentioned above. In a Chassis Switch connected via fibers or copper Ethernet lines (such as Category 5e twisted pair), ULDP can monitor the link state of physical links. Whenever a unidirectional link is discovered, it will send warnings to users and can disable the port automatically or manually according to the users’...
Command: uldp aggressive-mode; no uldp aggressive-mode
Explanation: Set the global working mode.
4. Configure aggressive mode on a port
Command (Port configuration mode): uldp aggressive-mode; no uldp aggressive-mode
Explanation: Set the working mode of the port.
5. Configure the method to shut down a unidirectional link
Command (Global configuration mode)...
Command: show uldp [interface ethernet IFNAME]
Explanation: Display ULDP information. No parameter means to display global ULDP information. The parameter specifying a port will display the global information and the neighbor information of the port.
Command: debug uldp fsm interface ethernet <IFname>...
Explanation: Enable or disable the debug Chassis...
Switch A configuration sequence:
SwitchA(config)#uldp enable
SwitchA(config)#interface ethernet 1/1
SwitchA(Config-If-Ethernet1/1)#uldp enable
SwitchA(Config-If-Ethernet1/1)#exit
SwitchA(config)#interface ethernet1/2
SwitchA(Config-If-Ethernet1/2)#uldp enable
Switch B configuration sequence:
SwitchB(config)#uldp enable
SwitchB(config)#interface ethernet1/3
SwitchB(Config-If-Ethernet1/3)#uldp enable
SwitchB(Config-If-Ethernet1/3)#exit
SwitchB(config)#interface ethernet1/4
SwitchB(Config-If-Ethernet1/4)#uldp enable
As a result, ports g1/1 and g1/2 of Switch A are both shut down by ULDP, and there is notification information on the CRT terminal of PC1.
increased, which means a reduced bandwidth. ULDP does not handle any LACP event. It treats every link of a TRUNK group (like Port-channel, TRUNK ports) as independent, and handles each of them separately. ULDP is not compatible with similar protocols of other vendors, which means users cannot use ULDP on one end and another similar protocol on the other end.
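The two detection mechanisms of chapters 9 and 10 share one idea: a port learns about a fault by looking at what comes back on the wire. The following Python model is an added example, not code from the XGS3-42000R or this manual. It models ULDP as a hello exchange in which every port advertises its own identity and the identities it has heard, so a port whose hellos are never echoed back knows its transmit direction is not arriving, and it models loopback detection as a probe frame stamped with the sender's identity that should never return to the sender. The hello contents, the “silent” state and the shutdown policy of the aggressive mode are assumptions of this model, not the switch's wire format.

```python
"""Simplified model of unidirectional-link (ULDP) and loopback detection.

Added example. The hello layout and the shutdown policy are assumptions;
the switch/port names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    device: str
    name: str
    heard: set = field(default_factory=set)   # peer identities whose hellos arrived
    enabled: bool = True

    @property
    def ident(self):
        return (self.device, self.name)

    def hello(self):
        # A hello advertises who we are and whom we have heard from.
        return {"from": self.ident, "heard": frozenset(self.heard)}

    def receive_hello(self, msg):
        """Record the peer; return True when the peer's hello lists us (echo ok)."""
        self.heard.add(msg["from"])
        return self.ident in msg["heard"]


@dataclass
class Link:
    a: Port
    b: Port
    a_to_b_ok: bool = True   # False models a fibre that only carries b -> a
    b_to_a_ok: bool = True


def run_detection(link, rounds=3):
    """Exchange hellos for several rounds and classify each port as
    'bidirectional' (echo seen), 'unidirectional' (the peer is heard but never
    echoes us back) or 'silent' (nothing received at all)."""
    result = {link.a.ident: None, link.b.ident: None}
    for _ in range(rounds):
        ha, hb = link.a.hello(), link.b.hello()
        if link.b_to_a_ok:
            result[link.a.ident] = link.a.receive_hello(hb)
        if link.a_to_b_ok:
            result[link.b.ident] = link.b.receive_hello(ha)
    labels = {True: "bidirectional", False: "unidirectional", None: "silent"}
    return {ident: labels[v] for ident, v in result.items()}


def apply_shutdown(link, verdicts, aggressive=False):
    """Disable faulty ports. Normal mode acts only on a proven unidirectional
    port; aggressive mode (an assumption of this model) also disables a port
    that hears nothing. Returns the identities that were disabled."""
    disabled = []
    for port in (link.a, link.b):
        v = verdicts[port.ident]
        if v == "unidirectional" or (aggressive and v == "silent"):
            port.enabled = False
            disabled.append(port.ident)
    return disabled


def detect_loopback(device, received):
    """received: list of (ingress_port, frame); a probe frame is a dict
    {'probe': True, 'origin': device_id, 'vlan': n}. Returns the set of
    (port, vlan) on which this switch saw its own probe, i.e. a loop."""
    return {(port, f["vlan"]) for port, f in received
            if f.get("probe") and f["origin"] == device}


if __name__ == "__main__":
    bad = Link(Port("SwitchA", "1/1"), Port("SwitchB", "1/3"), a_to_b_ok=False)
    verdicts = run_detection(bad)
    print(verdicts, apply_shutdown(bad, verdicts))
    frames = [("1/15", {"probe": True, "origin": "SwitchA", "vlan": 10}),
              ("1/16", {"probe": True, "origin": "SwitchC", "vlan": 10})]
    print(detect_loopback("SwitchA", frames))
```

Note the asymmetry the model makes visible: when only the A-to-B direction is broken, port A is the one that can prove the fault (it hears B but is never echoed), while port B merely hears nothing, which on its own is indistinguishable from an unplugged cable. That is why acting on silence is a separate, more aggressive policy.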
Chapter 11 LLDP Function Operation Configuration
11.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them.
11.2 LLDP Function Configuration Task Sequence
1. Globally enable the LLDP function
2. Configure the port-based LLDP function switch
3. Configure the operating state of port LLDP
4. Configure the intervals of LLDP updating messages
5. Configure the aging time multiplier of LLDP messages
6. Configure the sending delay of updating messages
7. Configure the intervals of sending Trap messages
8. Configure to enable the Trap function of the port
9. Configure the optional information-sending attribute of the port...
6. Configure the sending delay of updating messages
Command (Global Mode): lldp transmit delay <seconds>; no lldp transmit delay
Explanation: Configure the sending delay of updating messages as the specified value or the default value.
7. Configure the intervals of sending Trap messages
Command (Global Mode)...
Command: show lldp
Explanation: Display the current LLDP configuration information.
Command: show lldp interface ethernet <IFNAME>
Explanation: Display the LLDP configuration information of the current port.
Command: show lldp traffic
Explanation: Display the information of all kinds of counters.
Command: show lldp neighbors interface ethernet <...
Explanation: Display the information of LLDP neighbors...
Switch B(Config-If-Ethernet1/1)#lldp mode receive
Switch B(Config-If-Ethernet1/1)#exit
11.4 LLDP Function Troubleshooting
The LLDP function is disabled by default. After enabling the global switch of LLDP, users can enable the debug switch “debug lldp” simultaneously to check debug information. Using the “show” commands of the LLDP function can display the configuration information in global or port configuration mode.
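Everything a port in “receive” mode stores about a neighbor arrives in an LLDPDU that the neighbor, not the switch, controls, so the receive side has to bound-check each TLV before using it. The following parser is an added example in Python, not code from the XGS3-42000R or this manual. The TLV layout (a 2-byte header holding a 7-bit type and a 9-bit length, the mandatory Chassis ID, Port ID and TTL TLVs first and an End TLV last) is taken from IEEE 802.1AB; the sample neighbor values, the build_tlv and build_sample_lldpdu helpers and the dict keys returned are constructed for this example.

```python
"""Parse an LLDPDU (IEEE 802.1AB TLV format) defensively.

Added example. TLV layout follows the standard; sample values are constructed.
"""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC = 4, 5, 6
CHASSIS_SUBTYPE_MAC = 4                 # chassis ID carried as a MAC address
PORT_SUBTYPE_IFNAME = 5                 # port ID carried as an interface name


def build_tlv(tlv_type, payload):
    """Encode one TLV: 2-byte header = type << 9 | length, then the payload."""
    if not 0 <= tlv_type < 128 or len(payload) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


def build_sample_lldpdu():
    """Constructed LLDPDU such as a neighbour port might advertise."""
    return b"".join([
        build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("00013333aa01")),
        build_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"Ethernet1/1"),
        build_tlv(TLV_TTL, struct.pack("!H", 120)),
        build_tlv(TLV_SYS_NAME, b"SwitchA"),
        build_tlv(TLV_PORT_DESC, b"uplink to SwitchB"),
        build_tlv(TLV_END, b""),
    ])


def iter_tlvs(data):
    """Yield (type, payload) up to the End TLV. Every length is checked against
    the frame before the payload is touched, so a bad length cannot over-read."""
    off = 0
    while True:
        if off + 2 > len(data):
            raise ValueError("frame ended without an End-of-LLDPDU TLV")
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length runs past the end of the frame")
        payload = data[off:off + length]
        off += length
        if tlv_type == TLV_END:
            if length != 0:
                raise ValueError("End TLV must be empty")
            return
        yield tlv_type, payload


def parse_lldpdu(data):
    """Return a dict of neighbour facts; raises ValueError on malformed input."""
    tlvs = list(iter_tlvs(data))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    info = {"unknown_tlvs": 0}
    for tlv_type, p in tlvs:
        if tlv_type == TLV_CHASSIS_ID:
            if len(p) < 2:
                raise ValueError("empty chassis id")
            info["chassis_id"] = (p[1:].hex(":") if p[0] == CHASSIS_SUBTYPE_MAC
                                  else p[1:].decode("ascii", "replace"))
        elif tlv_type == TLV_PORT_ID:
            if len(p) < 2:
                raise ValueError("empty port id")
            info["port_id"] = p[1:].decode("ascii", "replace")
        elif tlv_type == TLV_TTL:
            if len(p) != 2:
                raise ValueError("bad TTL length")
            info["ttl"] = struct.unpack("!H", p)[0]
        elif tlv_type == TLV_SYS_NAME:
            info["system_name"] = p.decode("utf-8", "replace")
        elif tlv_type == TLV_PORT_DESC:
            info["port_description"] = p.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_DESC:
            info["system_description"] = p.decode("utf-8", "replace")
        else:
            info["unknown_tlvs"] += 1   # organisation-specific etc.: counted, not trusted
    return info


if __name__ == "__main__":
    print(parse_lldpdu(build_sample_lldpdu()))
```

Text fields are decoded with replacement rather than trusted as clean strings, and anything beyond the standard TLV types is only counted; that keeps a hostile or buggy neighbor from feeding arbitrary bytes into whatever “show lldp neighbors” later displays.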
Chapter 12 Port Channel Configuration
12.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in the Port Group can take part in link aggregation and become member ports of a Port Channel.
If a Port Channel is configured manually or dynamically on the switch, the system will automatically set the port with the smallest number to be the Master Port of the Port Channel. If the spanning tree function is enabled in the Chassis Switch, the spanning tree protocol will regard the Port Channel as a logical port and send BPDU frames via the master port.
12.2.2 Dynamic LACP Aggregation
1. The summary of the dynamic LACP aggregation
Dynamic LACP aggregation is an aggregation created/deleted by the system automatically; it does not allow the user to add or delete the member ports of the dynamic LACP aggregation. Ports which have the same speed and duplex attributes, are connected to the same device and have the same basic configuration can be dynamically aggregated together.
1. Create a port group
Command (Global Mode): port-group <port-group-number>; no port-group <port-group-number>
Explanation: Creates or deletes a port group.
2. Add physical ports to the port group
Command (Port Mode): port-group <port-group-number> mode {active | passive | on}
Explanation: Adds ports to the port group and sets their mode.
12.4 Port Channel Examples
Scenario 1: Configuring Port Channel in LACP.
Figure 12-4-1 Configuring Port Channel in LACP (SwitchA, SwitchB)
The switches in the description below are all Chassis Switches; as shown in the figure, ports 1, 2, 3, 4 of SwitchA are access ports that belong to VLAN1.
Figure 12-4-2 Configuring Port Channel in ON mode (SwitchA, SwitchB)
Example: As shown in the figure, ports 1, 2, 3, 4 of SwitchA are access ports that belong to VLAN1. Add those four ports to group1 in “on” mode. Ports 6, 8, 9, 10 of SwitchB are access ports that also belong to VLAN1; add these four ports to group2 in “on”...
Configuration result: Add ports 1, 2, 3, 4 of Switch 1 to port-group 1 in order, and we can see that a group in “on” mode is joined forcibly; the Chassis Switch at the other end won’t exchange LACP BPDUs to complete the aggregation. Aggregation finishes immediately when the command to add port 2 to port-group 1 is entered: port 1 and port 2 aggregate to form port-channel 1; when port 3 joins port-group 1, port-channel 1 of ports 1 and 2 is ungrouped and re-aggregates with port 3 to form port-channel 1; when port 4 joins port-group 1, port-channel 1...
Chapter 13 Jumbo Configuration
13.1 Introduction to Jumbo
So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames sized within 1519-9000 bytes should be considered jumbo frames. Networks with jumbo frames will increase the speed of the whole network by 2% to 5%.
Chapter 14 VLAN Configuration
14.1 VLAN Configuration
14.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices.
XGS3 Chassis Switch Ethernet ports can work in three kinds of modes: Access, Hybrid and Trunk; each mode has a different processing method for forwarding tagged or untagged packets. Ports of the Access type belong to only one VLAN; usually they are used to connect to the ports of computers.
Command: switchport interface <interface-list>; no switchport interface <interface-list>
Explanation: Assign Chassis Switch ports to the VLAN.
4. Set the Switch Port Type
Command (Port Mode): switchport mode {trunk | access | hybrid}
Explanation: Set the current port as a Trunk, Access or Hybrid port.
Command: private-vlan {primary | isolated | community}; no private-vlan
Explanation: Configure the current VLAN as a Private VLAN. The no command deletes the private VLAN.
10. Set Private VLAN association
Command (VLAN mode): private-vlan association <secondary-vlan-list>; no private-vlan association
Explanation: Set/delete the Private VLAN association.
14.1.3 Typical VLAN Application
Scenario:...
Connect the Trunk ports of both switches for a Trunk link to convey the cross-switch VLAN traffic; connect all network devices to the other ports of the corresponding VLANs. In this example, port 1 and port 12 are spared and can be used as management ports or for other purposes. The configuration steps are listed below:
Switch A:
XGS3-42000R(config)#vlan 2...
14.1.4 Typical Application of Hybrid Port
Scenario:
Figure 14-1-3 Typical Application of Hybrid Port (internet, Switch A, Switch B)
PC1 connects to interface Ethernet 1/7 of SwitchB, PC2 connects to interface Ethernet 1/9 of SwitchB, and Ethernet 1/10 of SwitchA connects to Ethernet 1/10 of SwitchB. It is required that PC1 and PC2 cannot access each other for security reasons, but PC1 and PC2 can access other network resources through the gateway SwitchA.
14.2.2 GVRP Configuration Task List
1. Configuring GARP Timer parameters
Command (Port Mode): garp timer join <timer-value>; no garp timer join; garp timer leave <timer-value>; no garp timer leave; garp timer hold <timer-value>...
Explanation: Configure the hold, join and leave timers for GARP.
14.2.3 Typical GVRP Application
Scenario:
Figure 14-2-1 Typical GVRP Application Topology (Switch A, Switch B, Switch C)
To enable dynamic VLAN information registration and updating among switches, the GVRP protocol is to be configured in the Chassis Switch. Configure GVRP in Switch A, B and C, and enable Switch B to learn VLAN100 dynamically so that the two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
Figure (QinQ topology; labels recovered from the figure): Customer networks1 and Customer networks2 connect over Trunk ports carrying VLAN 200-300 to ports on PE1 that have QinQ enabled and belong to VLAN3 (unsymmetrical connections); the SP network side uses a Trunk connection.
Command: dot1q-tunnel enable; no dot1q-tunnel enable
Explanation: Enter/exit the dot1q-tunnel mode on the ports.
2. Configure the type of protocol (TPID) on the ports
Command (Port mode): dot1q-tunnel tpid {0x8100|0x9100|0x9200|<1-65535>}
Explanation: Configure the type of protocol on the TRUNK port.
14.3.3 Typical Applications of the Dot1q-tunnel
Scenario: Edge switches PE1 and PE2 of the ISP internet forward the VLAN200~300 data between CE1 and CE2 of the...
XGS3-42000R(config-Ethernet1/10)#exit
XGS3-42000R(config)#
14.4 VLAN-translation Configuration
14.4.1 Introduction to VLAN-translation
VLAN translation, as one can tell from the name, translates the original VLAN ID to a new VLAN ID according to the user's requirements so as to exchange data across different VLANs. VLAN translation is classified into ingress translation and egress translation, which translate the VLAN ID at the entrance or at the exit respectively.
14.4.3 Typical application of VLAN-translation
Scenario: Edge switches PE1 and PE2 of the ISP internet support the VLAN20 data task between CE1 and CE2 of the client network with VLAN3. Port1 of PE1 is connected to CE1 and port10 is connected to the public network; port1 of PE2 is connected to CE2 and port10 is connected to the public network.
14.4.4 VLAN-translation Troubleshooting
Normally VLAN-translation is applied on trunk ports. Normally, before using VLAN-translation, the dot1q-tunnel function needs to be enabled, so that the switch can handle double-tagged data packets and translate the VLAN normally.
14.5 Dynamic VLAN Configuration
14.5.1 Introduction to Dynamic VLAN
The dynamic VLAN is named in contrast to the static VLAN (namely the port-based VLAN).
Command (Port Mode): switchport mac-vlan enable; no switchport mac-vlan enable
Explanation: Enable/disable the MAC-based VLAN function on the port.
2. Set the VLAN to MAC VLAN
Command (Global Mode): mac-vlan vlan <vlan-id>
Explanation: Configure the specified VLAN to MAC VLAN;...
7. Adjust the priority of the dynamic VLAN
Command (Global Mode): dynamic-vlan mac-vlan prefer; dynamic-vlan subnet-vlan prefer
Explanation: Configure the priority of the dynamic VLAN.
14.5.3 Typical Application of the Dynamic VLAN
Scenario: In the office network, Department A belongs to VLAN100. Several members of this department often need to move within the whole office network.
SwitchC(Config)#exit
SwitchC#
14.5.4 Dynamic VLAN Troubleshooting
On a switch configured with dynamic VLAN, if two connected devices (e.g. PCs) both belong to the same dynamic VLAN, the first communication between the two devices may not go through.
Voice VLAN Configuration Task Sequence:
1. Set the VLAN to Voice VLAN
2. Add a voice device to the Voice VLAN
3. Enable the Voice VLAN on the port
1. Configure the VLAN to Voice VLAN
Command (Global Mode): voice-vlan vlan <vlan-id>; no voice-vlan
Explanation: Set/cancel the VLAN as a Voice VLAN
2.
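The port modes of 14.1.1, the dot1q-tunnel ports of 14.3 and the ingress VLAN-translation of 14.4 are all decisions about what happens to the 802.1Q tag on the way in and on the way out of a port. The Python model below is an added example, not code from the XGS3-42000R or this manual: it parses and rebuilds stacked 802.1Q tags (TPID plus TCI, as in the standard) and implements one hop through a switch, from an ingress port's classification to an egress port's rebuild. The Port class, its parameter names, the rule that an access port drops tagged frames and the PE1/PE2 values used in the demonstration are assumptions of this model; the tunnel (QinQ) and translation behaviour follow the descriptions in 14.3 and 14.4.

```python
"""802.1Q tag handling on access, hybrid and trunk ports, dot1q-tunnel (QinQ)
ports and ingress VLAN-translation. Added example; rules are a simplified model."""
import struct

TPIDS = (0x8100, 0x88A8, 0x9100, 0x9200)


def parse_frame(frame):
    """Split a frame into (dst, src, tags, rest); tags is a list of
    (tpid, pcp, vid) for every stacked VLAN header, outermost first."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return dst, src, tags, frame[off:]


def build_frame(dst, src, tags, rest):
    hdr = b"".join(struct.pack("!HH", tpid, (pcp << 13) | vid) for tpid, pcp, vid in tags)
    return dst + src + hdr + rest


class Port:
    """mode: 'access' | 'hybrid' | 'trunk'. pvid: VLAN given to untagged frames.
    allowed: VLANs accepted/sent tagged. untagged: VLANs a hybrid port sends
    untagged. tunnel: dot1q-tunnel port that wraps everything in VLAN pvid.
    translate: ingress VLAN-translation map {old_vid: new_vid}.
    tpid: tag protocol id this port writes when it adds a tag (dot1q-tunnel tpid)."""

    def __init__(self, name, mode, pvid, allowed=(), untagged=(), tunnel=False,
                 translate=None, tpid=0x8100):
        self.name, self.mode, self.pvid, self.tpid = name, mode, pvid, tpid
        self.allowed, self.untagged = set(allowed) | {pvid}, set(untagged)
        self.tunnel, self.translate = tunnel, translate or {}

    def ingress(self, frame):
        """Classify an arriving frame into the switch-internal form
        (vid, pcp, dst, src, inner_tags, rest), or None when it is dropped."""
        dst, src, tags, rest = parse_frame(frame)
        if self.tunnel:
            # dot1q-tunnel: the customer's tags stay inside untouched; the
            # port's own VLAN becomes the outer (service) tag on the way out.
            return self.pvid, 0, dst, src, tags, rest
        if not tags:
            return self.pvid, 0, dst, src, [], rest
        if self.mode == "access":
            return None                      # assumption: access drops tagged frames
        _, pcp, vid = tags[0]
        if vid not in self.allowed:
            return None                      # VLAN not permitted on this port
        vid = self.translate.get(vid, vid)  # ingress VLAN-translation
        return vid, pcp, dst, src, tags[1:], rest

    def egress(self, vid, pcp, dst, src, inner_tags, rest):
        """Rebuild the frame for transmission, or None if vid is not carried here."""
        if self.tunnel or self.mode == "access":
            if vid != self.pvid:
                return None
            return build_frame(dst, src, inner_tags, rest)   # outer tag popped
        if vid not in self.allowed:
            return None
        if self.mode == "hybrid" and vid in self.untagged:
            return build_frame(dst, src, inner_tags, rest)
        return build_frame(dst, src, [(self.tpid, pcp, vid)] + inner_tags, rest)


def forward(in_port, out_port, frame):
    """One hop through a switch: classify on in_port, rebuild on out_port."""
    internal = in_port.ingress(frame)
    return None if internal is None else out_port.egress(*internal)


if __name__ == "__main__":
    # Constructed QinQ hop in the spirit of 14.3.3: customer VLAN 200 enters
    # PE1 on a dot1q-tunnel port in VLAN 3 and leaves on a trunk using TPID 0x9100.
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("000111111111")
    customer = build_frame(dst, src, [(0x8100, 0, 200)], b"\x08\x00" + b"x" * 46)
    ce_port = Port("1/1", "access", pvid=3, tunnel=True)
    sp_port = Port("1/10", "trunk", pvid=1, allowed={3}, tpid=0x9100)
    print(parse_frame(forward(ce_port, sp_port, customer))[2])
```

Running the QinQ frame back through a second switch with the same port pair in reverse order restores the customer's original frame byte for byte, which is the property the provider is promising; the translation case shows why 14.4.4 wants dot1q-tunnel handling in place first, since the translated VLAN has to be the one the provider trunk is willing to carry.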
Chapter 15 MAC Table Configuration
15.1 Introduction to MAC Table
The MAC table is a table that identifies the mapping relationship between destination MAC addresses and Chassis Switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses. Static MAC addresses are manually configured by the user, have the highest priority and are permanently effective (they will not be overwritten by dynamic MAC addresses);...
The topology of the figure above: 4 PCs are connected to the switch, where PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/12 of the switch. The initial MAC table contains no address mapping entries.
Three types of frames can be forwarded by the Chassis Switch:
Broadcast frame
Multicast frame
Unicast frame
The following describes how the Chassis Switch deals with all three types of frames:
Broadcast frame: The switch can segregate collision domains but not broadcast domains. If no VLAN is set, all devices connected to the Chassis Switch are in the same broadcast domain.
15.3 Typical Configuration Examples
Figure 15-3-1 MAC Table typical configuration example (port 1/11; MAC 00-01-33-33-33-33, MAC 00-01-11-11-11-11, MAC 00-01-22-22-22-22, MAC 00-01-44-44-44-44)
Scenario: Four PCs as shown in the above figure connect to ports 1/5, 1/7, 1/9 and 1/11 of the Chassis Switch; all four PCs belong to the default VLAN1.
15.5 MAC Address Function Extension
15.5.1 MAC Address Binding
15.5.1.1 Introduction to MAC Address Binding
Most switches support MAC address learning; each port can dynamically learn several MAC addresses, so that forwarding of data streams between known MAC addresses within the ports can be achieved. If a MAC address entry has aged out, a packet destined for that address will be broadcast.
Lock the MAC addresses for a port
Command (Port Mode): switchport port-security lock; no switchport port-security lock
Explanation: Lock the port; afterwards, learning of MAC addresses is disabled. The “no switchport port-security lock” command restores the function.
Command (Port Mode): switchport port-security convert
Explanation: Convert the dynamic secure MAC addresses learned by the port to static secure MAC addresses.
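Chapter 15's forwarding rules (learn the source, look up the destination, flood when unknown or broadcast, age dynamic entries, never overwrite static ones) and the port-security lock and convert commands above, together with chapter 8's port isolation, can be expressed as one small table model. The following Python class is an added example, not code from the XGS3-42000R or this manual; the aging time, the method names and the rule that a locked port simply stops learning are assumptions of the model, while the MAC addresses and port numbers are those of figure 15-3-1.

```python
"""MAC address table model: learning, aging, static entries, flooding,
port-security lock/convert and port isolation groups. Added example."""


def norm(mac):
    return mac.lower().replace("-", ":")


def is_group_address(mac):
    # Broadcast and multicast: least-significant bit of the first octet is set.
    return int(norm(mac).split(":")[0], 16) & 1 == 1


class MacTable:
    def __init__(self, aging_seconds=300):
        self.aging = aging_seconds
        self.entries = {}        # (vlan, mac) -> {"port", "static", "seen"}
        self.vlan_ports = {}     # vlan -> list of member ports
        self.locked = set()      # ports under switchport port-security lock
        self.isolation = {}      # port -> isolation group name

    def add_vlan(self, vlan, ports):
        self.vlan_ports[vlan] = list(ports)

    def add_static(self, mac, port, vlan):
        # Static entries win over dynamic ones and never age out.
        self.entries[(vlan, norm(mac))] = {"port": port, "static": True, "seen": None}

    def learn(self, mac, port, vlan, now):
        key = (vlan, norm(mac))
        if port in self.locked or self.entries.get(key, {}).get("static"):
            return False             # locked port, or a static entry already exists
        self.entries[key] = {"port": port, "static": False, "seen": now}
        return True

    def lookup(self, mac, vlan, now):
        key = (vlan, norm(mac))
        e = self.entries.get(key)
        if e is None:
            return None
        if not e["static"] and now - e["seen"] > self.aging:
            del self.entries[key]    # dynamic entry aged out
            return None
        return e["port"]

    def lock(self, port):
        self.locked.add(port)

    def convert(self, port):
        """port-security convert: the port's dynamic entries become static."""
        for e in self.entries.values():
            if e["port"] == port:
                e["static"], e["seen"] = True, None

    def isolate(self, group, ports):
        for p in ports:
            self.isolation[p] = group

    def _allowed(self, in_port, out_port):
        # Never back out the ingress port; never between two ports of one group.
        g = self.isolation.get(in_port)
        return out_port != in_port and (g is None or self.isolation.get(out_port) != g)

    def forward(self, src, dst, in_port, vlan, now):
        """Learn src on in_port, then return the egress port list for dst."""
        self.learn(src, in_port, vlan, now)
        members = self.vlan_ports.get(vlan, [])
        if is_group_address(dst):
            return [p for p in members if self._allowed(in_port, p)]
        port = self.lookup(dst, vlan, now)
        if port is None:                     # unknown unicast: flood the VLAN
            return [p for p in members if self._allowed(in_port, p)]
        return [port] if self._allowed(in_port, port) else []


if __name__ == "__main__":
    t = MacTable()
    t.add_vlan(1, ["1/5", "1/7", "1/9", "1/11"])
    print(t.forward("00-01-11-11-11-11", "00-01-22-22-22-22", "1/5", 1, now=0))
    print(t.forward("00-01-22-22-22-22", "00-01-11-11-11-11", "1/7", 1, now=1))
```

The first frame is flooded because nothing is known yet, the reply is delivered to exactly one port because the first frame taught the table where 00-01-11-11-11-11 lives, and an entry that has not been refreshed within the aging time falls back to flooding. Locking a port freezes what it has learned, and converting those entries to static keeps them from aging, which is the combination the manual's port-security commands are for.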
Chapter 16 MSTP Configuration
16.1 Introduction to MSTP
The MSTP (Multiple STP) is a new spanning-tree protocol which is based on the STP and the RSTP. It runs on all the bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP.
In the above network, if the bridges are running STP or RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run MSTP and are configured in the same MST region, MSTP will treat this region as a single bridge.
16.1.2 Port Roles
The MSTP bridge assigns a port role to each port which runs MSTP.
CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port.
On top of those roles, each MSTI port has one new role: Master Port.
The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the same way as those in RSTP.
Command: no spanning-tree mst <instance-id> priority
Command: spanning-tree priority <bridge-priority>; no spanning-tree priority
Explanation: Configure the spanning-tree priority of the switch.
Port Mode
Command: spanning-tree mst <instance-id> cost <cost>; no spanning-tree mst <instance-id> cost
Explanation: Set the port path cost for the specified instance.
Command: spanning-tree mst <instance-id> port-priority <port-priority>...
Command: no spanning-tree hello-time
Explanation (continued): ... messages.
Command: spanning-tree maxage <time>; no spanning-tree maxage
Explanation: Set the aging time for BPDU messages.
Command: spanning-tree max-hop <hop-count>; no spanning-tree max-hop
Explanation: Set the maximum number of hops of BPDU messages in the MSTP region.
5. Configure the fast migrate feature for MSTP
Command (Port Mode)...
... seconds. The no command restores the default setting, which enables a flush once the topology changes.
Command (Port Mode): spanning-tree tcflush {enable | disable | protect}; no spanning-tree tcflush
Explanation: Configure the port flush mode. The no command restores the use of the globally configured flush mode.
16.3 MSTP Example
The following is a typical MSTP application example:
Figure (Switch1, Switch2...
Port 1   200000  200000  200000
Port 2   200000  200000  200000
Port 3   200000  200000
Port 4   200000  200000
Port 5   200000  200000
Port 6   200000  200000
Port 7   200000  200000
By default, MSTP establishes a tree topology (in blue lines) rooted at SwitchA. The ports marked with “x”...
Port 1 in Switch2 is the master port of instance 3 and instance 4. The MSTP calculation generates 3 topologies: instance 0, instance 3 and instance 4 (marked with blue lines). The ports with the mark “x” are in the discarding state. The other ports are in the forwarding state.
Figure 16-3-4 The Topology of Instance 4 after the MSTP Calculation (Switch2, Switch3, Switch4)
16.4 MSTP Troubleshooting
In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not enabled globally, it can’t be enabled on the port.
Chapter 17 QoS Configuration
17.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee of service quality: a consistent and predictable data transfer service that fulfills program requirements.
In-Profile: Traffic within the QoS policing policy range (bandwidth or burst value) is called “In-Profile”.
Out-of-Profile: Traffic outside the QoS policing policy range (bandwidth or burst value) is called “Out-of-Profile”.
17.1.2 QoS Implementation
To implement the Chassis Switch software QoS, a general, mature reference model should be given. QoS cannot create new bandwidth, but it can maximize the adjustment and configuration of the current bandwidth resource.
Classification: Classify traffic according to packet classification information and generate an internal DSCP value based on the classification information. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this in detail.
Figure 17-1-4 Classification process
Policing and remark: Each packet in classified ingress traffic is assigned an internal DSCP value and can be policed and remarked.
Figure 17-1-5 Policing and Remarking process (decision in the flowchart: check the policing policy, is the traffic in-profile?)
Queuing and scheduling: Packets at the egress re-map the internal DSCP value to a CoS value; the queuing operation assigns packets to the appropriate priority queues according to the CoS value, while the scheduling operation performs packet forwarding according to the prioritized queue weight.
Figure 17-1-6 Queuing and Scheduling process
17.2 QoS Configuration Task List
1. Enable QoS
QoS can be enabled or disabled in Global Mode. QoS must be enabled first in Global Mode before the other QoS commands can be configured.
2. Configure class map.
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 FL to classify the data stream.
Configure the egress queue mode as PQ or WRR, set the bandwidth proportion of the 8 egress queues and the mapping from internal priority to egress queue.
6. Configure QoS mapping
Configure the mapping from CoS to DSCP, DSCP to CoS, DSCP to DSCP mutation, IP precedence to DSCP, and policed DSCP.
Command: no set {ip dscp <new-dscp> | ip precedence <new-precedence> | ipv6 dscp <new-dscp> | ipv6 flowlabel <new-flowlabel> | ip nexthop <ip-address> | cos}
Command: policy <bits_per_second> <normal_burst_bytes> ({conform-action (drop | set-dscp-transmit <dscp_value> | set-prec-transmit <ip_precedence_value>...
Explanation: The non-aggregation policer command supporting three colors. Determine whether the working mode of the token ...
... | set-prec-transmit <ip_precedence_value> | transmit) exceed-action (drop | policed-dscp-transmit | transmit) | violate-action (drop | policed-dscp-transmit | transmit)} | )
Command: no mls qos aggregate-policy <aggregate-policy-name>
Command: policy aggregate <aggregate-policy-name>; no policy aggregate <aggregate-policy-name>
Explanation: Apply a policy set to classified traffic; the “no policy aggregate <aggregate-policy-name>” command deletes the specified policy set.
4.
Command (Global Mode): wrr-queue cos-map <queue-id> <cos1 ... cos8>; no wrr-queue cos-map
Explanation: Set the CoS value mapping to the specified egress queue; the no command restores the default setting.
6. Configure QoS mapping
Command (Global Mode): mls qos map (cos-dscp <dscp1...dscp8> | dscp-cos <dscp-list>...
Explanation: Support the configuration of all actions ...
Configuration result: When QoS is enabled in Global Mode, the egress queue bandwidth proportion of port ethernet 1/1 is 1:1:2:2:4:4:8:8. When packets with a CoS value come in through port ethernet1/1, they are mapped to the egress queue according to the CoS value; CoS values 0 to 7 correspond to egress queues 1, 2, 3, 4, 5, 6, 7, 8 respectively. If an incoming packet has no CoS value, it defaults to 5 and is put in queue 6.
Configuration result: An ACL named 1 is set to match the segment 192.168.1.0. Enable QoS globally, create a class map named c1 that matches ACL 1; create a policy map named p1 and refer to c1 in p1, setting appropriate policies to limit the bandwidth and burst value.
QoS configuration in Switch2:
XGS3-42000R#config
XGS3-42000R(config)#mls qos
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#mls qos trust ip-precedence pass-through-qos
17.4 QoS Troubleshooting
QoS is disabled on Chassis Switch ports by default; 8 sending queues are set by default, queue1 forwards normal packets, and the other queues are used for some important control packets (such as BPDU).
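The QoS pipeline of 17.1.2 (classify, police and remark, queue and schedule) and the figures quoted in the configuration results above (CoS 0 to 7 mapped to queues 1 to 8, untagged packets treated as CoS 5 and sent to queue 6, an egress bandwidth proportion of 1:1:2:2:4:4:8:8) can be run end to end on a handful of constructed packets. The following Python model is an added example, not code from the XGS3-42000R or this manual. The three-colour policer is RFC 2697's single-rate three-colour marker in colour-blind mode, standing in for the switch's “policy <bits_per_second> <normal_burst_bytes>” command whose token-bucket details the excerpt does not give; the policer parameters, the packet samples and the action names chosen for each colour are assumptions.

```python
"""QoS pipeline model: police with an srTCM (RFC 2697), map CoS to an egress
queue and schedule the queues weighted round-robin. Added example."""
from collections import deque


class SrTCM:
    """Single-rate three-colour marker: CIR in bits/s, CBS and EBS in bytes."""

    def __init__(self, cir_bps, cbs, ebs):
        self.rate = cir_bps / 8.0           # token refill in bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)   # both buckets start full
        self.last = 0.0

    def mark(self, size, now):
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        # Refill the committed bucket; overflow spills into the excess bucket.
        self.tc += elapsed * self.rate
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + (self.tc - self.cbs))
            self.tc = float(self.cbs)
        if size <= self.tc:
            self.tc -= size
            return "green"                  # conform-action
        if size <= self.te:
            self.te -= size
            return "yellow"                 # exceed-action
        return "red"                        # violate-action


# Constructed choice of actions per colour, named after the manual's keywords.
ACTIONS = {"green": "transmit", "yellow": "policed-dscp-transmit", "red": "drop"}
WRR_WEIGHTS = {q: w for q, w in zip(range(1, 9), (1, 1, 2, 2, 4, 4, 8, 8))}
DEFAULT_COS = 5


def cos_to_queue(cos):
    """CoS 0..7 -> queue 1..8; a packet without a CoS value counts as CoS 5."""
    cos = DEFAULT_COS if cos is None else cos
    if not 0 <= cos <= 7:
        raise ValueError("CoS out of range")
    return cos + 1


def new_queues():
    return {q: deque() for q in range(1, 9)}


def police_and_enqueue(packets, policer, queues):
    """packets: iterable of (arrival_time, size_bytes, cos_or_None). Returns the
    per-packet (colour, action, queue) decisions and appends every packet that
    is not dropped to its egress queue."""
    decisions = []
    for now, size, cos in packets:
        colour = policer.mark(size, now)
        action, queue = ACTIONS[colour], cos_to_queue(cos)
        if action != "drop":
            queues[queue].append((size, cos, colour))
        decisions.append((colour, action, queue))
    return decisions


def wrr_round(queues, weights=WRR_WEIGHTS):
    """One weighted round-robin pass: queue q may send up to weights[q]
    packets; an unused share is not carried over. Returns (queue, packet) pairs."""
    sent = []
    for q in sorted(queues):
        for _ in range(weights[q]):
            if not queues[q]:
                break
            sent.append((q, queues[q].popleft()))
    return sent


if __name__ == "__main__":
    queues = new_queues()
    policer = SrTCM(cir_bps=8000, cbs=1500, ebs=1500)        # constructed values
    sample = [(0.0, 1000, 3), (0.0, 1000, 3), (0.0, 1000, None), (1.0, 1000, 7)]
    print(police_and_enqueue(sample, policer, queues))
    print(wrr_round(queues))
```

With the constructed burst sizes, three back-to-back 1000-byte packets at t=0 come out green, yellow and red: the first fits the committed burst, the second only the excess burst, the third neither, and one second later the committed bucket has refilled. When every queue is backlogged, one WRR pass emits 30 packets split exactly in the 1:1:2:2:4:4:8:8 proportion, which is what the bandwidth ratio in the configuration result means in practice.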
Chapter 18 PBR Configuration
18.1 Introduction to PBR
PBR (Policy-Based Routing) is a method which determines the next hop of data packets by policy criteria such as source address, destination address, IP priority, TOS value, IP protocol, source port number, destination port number, etc.
XGS3-42000R(config-PolicyMap-p1-Class-c1)#exit
XGS3-42000R(config-PolicyMap-p1)#exit
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#service-policy input p1
Configuration results: First set an ACL a1 with two items. The first item matches the source IP segment 192.168.1.0/24 (allowed). The second item matches the source IP segment 192.168.1.0/24 and the destination IP segment 192.168.0.0/16 (rejected).
Chapter 19 IPv6 PBR Configuration
19.1 Introduction to PBR (Policy-based Router)
Policy-based routing provides network managers with more powerful control over the forwarding and storing of messages than traditional routing protocols. Traditionally, routers use the routing table derived from the routing protocol and forward according to destination addresses. The policy-based router is more powerful and more flexible than the traditional one, because it enables network managers to choose the forwarding route not only according to destination addresses but also according to the size of messages or the source IP addresses.
4. Configure a policy-map
Command (Global Configuration Mode): policy-map <policy-map-name>; no policy-map <policy-map-name>
Explanation: Create or delete a policy-map.
5. Configure to correlate a policy and a class-map
Command (Policy-map Mode): class <class-map-name>; no class <class-map-name>...
Explanation: Correlate with a class, and enter the ...
Chapter 20 Flow-based Redirection
20.1 Introduction to Flow-based Redirection
Flow-based redirection enables the Chassis Switch to transmit data frames meeting some special condition (specified by an ACL) to another specified port. The frames meeting the same special condition are called a class of flow; the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
20.3 Flow-based Redirection Examples
Example: The user's configuration request is as follows: redirect the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is, send the frames whose source IP is 192.168.1.111 received from port 1 out through port 6.
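PBR (chapter 18) and flow-based redirection (chapter 20) are the same mechanism with different actions: an ordered ACL classifies the packet, a class in a policy-map binds that classification to an action (set a next hop, or send out a given port), and the policy is attached to an ingress port. The following Python model is an added example, not code from the XGS3-42000R or this manual. It reproduces ACL a1 from the 18.3 configuration result and the 20.3 redirection request; first-match evaluation of ACL entries, an implicit deny for unmatched packets and the next-hop address 10.0.0.254 are assumptions of the model (the excerpt does not state the switch's ACL match order or the example's next hop).

```python
"""ACL-driven classification for policy-based routing and flow-based
redirection. Added example; match semantics are a modelling assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_port: int
    proto: str = "ip"
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "ip"           # "ip" matches any protocol
    dport: Optional[int] = None

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("ip", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def acl_lookup(entries, pkt):
    """First matching entry decides; an unmatched packet is denied (assumption)."""
    for e in entries:
        if e.matches(pkt):
            return e.action, e
    return "deny", None


@dataclass
class PolicyClass:
    acl: list                   # the class-map matches this ACL
    action: dict                # e.g. {"nexthop": "10.0.0.254"} or {"redirect": 6}


def apply_policy(bindings, pkt):
    """bindings: {ingress_port: [PolicyClass, ...]} (service-policy input).
    Returns the action of the first class that permits the packet, or
    {'route': 'normal'} when no class applies on that port."""
    for cls in bindings.get(pkt.in_port, []):
        verdict, _ = acl_lookup(cls.acl, pkt)
        if verdict == "permit":
            return cls.action
    return {"route": "normal"}


def shadowed_entries(entries, samples):
    """Entries no sample packet ever reaches because an earlier entry already
    matched it: a quick check for ordering mistakes in an ACL."""
    hit = set()
    for pkt in samples:
        _, e = acl_lookup(entries, pkt)
        if e is not None:
            hit.add(id(e))
    return [e for e in entries if id(e) not in hit]


# ACL a1 as described in the 18.3 configuration result.
ACL_A1 = [
    AclEntry("permit", src="192.168.1.0/24"),
    AclEntry("deny", src="192.168.1.0/24", dst="192.168.0.0/16"),
]
PBR_POLICY = [PolicyClass(ACL_A1, {"nexthop": "10.0.0.254"})]       # constructed next hop

# The 20.3 request: frames from 192.168.1.111 received on port 1 go out port 6.
ACL_REDIRECT = [AclEntry("permit", src="192.168.1.111/32")]
REDIRECT_POLICY = [PolicyClass(ACL_REDIRECT, {"redirect": 6})]


if __name__ == "__main__":
    print(apply_policy({1: PBR_POLICY}, Packet("192.168.1.5", "192.168.0.7", in_port=1)))
    print(apply_policy({1: REDIRECT_POLICY}, Packet("192.168.1.111", "10.9.9.9", in_port=1)))
```

Under first-match evaluation a packet from 192.168.1.5 to 192.168.0.7 is permitted by the first entry of a1 and never reaches the deny entry; shadowed_entries reports that entry for a representative sample, which is the kind of check worth running before binding a policy to a production port, whatever the platform's actual match order turns out to be.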
Chapter 21 Layer 3 Forward Configuration
The Chassis Switch supports Layer 3 forwarding, which forwards Layer 3 protocol packets (IP packets) across VLANs. Such forwarding uses IP addresses: when an interface receives an IP packet, it performs a lookup in its own routing table and decides the operation according to the lookup result.
Command: interface vlan <vlan-id>; no interface vlan <vlan-id>
Explanation: Creates a VLAN interface (a VLAN interface is a Layer 3 interface); the no command deletes the VLAN interface (Layer 3 interface) created in the Chassis Switch.
Explanation: Creates a Loopback interface, then enters the Loopback Port Mode;...
Although the combination of CIDR, NAT and private addressing has temporarily mitigated the problem of IPv4 address space shortage, NAT technology has disrupted the end-to-end model that is the original intention of IP design, by making it necessary for router devices that serve as network intermediate nodes to maintain every connection state, which greatly increases network delay and decreases network performance.
Multicast addresses have been increased and the support for multicast has been enhanced. By taking over IPv4 broadcast functions such as Router Discovery and Router Query, IPv6 multicast has completely replaced IPv4 broadcast in terms of function. Multicast not only saves network bandwidth, but enhances network efficiency as well.
DHCPv6 (15) Set the flag representing whether address information is to be obtained via DHCPv6 3. IPv6 Tunnel configuration (1) Create/delete tunnel (2) Configure tunnel description (3) Configure tunnel source (4) Configure tunnel destination (5) Configure tunnel next hop (6) Configure tunnel mode (7) Configure tunnel routing 1.
(5) Configure router advertisement minimum interval
Interface Configuration Mode
ipv6 nd min-ra-interval <seconds>
no ipv6 nd min-ra-interval <seconds>
  Configure the minimum interval for router advertisements. The no command restores the default value (200 seconds).
(6) Configure router advertisement maximum interval
Interface Configuration Mode...
(9) Delete all entries in the IPv6 neighbor table
Admin Mode
clear ipv6 neighbors
  Clear all static neighbor table entries.
(10) Set the hop limit of router advertisements
Interface Configuration Mode
ipv6 nd ra-hoplimit <value>
  Set the hop limit carried in the router advertisements sent by this interface.
3. IPv6 Tunnel Configuration
(1) Add/delete tunnel
Global Mode
interface tunnel <tnl-id>
no interface tunnel <tnl-id>
  Create a tunnel. The no command deletes the tunnel.
(2) Configure tunnel description
Tunnel Configuration Mode
description <desc>
no description <desc>
  Configure the tunnel description. The no command...
4. Configure IPv4 address 192.168.2.2 255.255.255.0 on VLAN2 of Switch2, and IPv4 address 192.168.3.1 255.255.255.0 on VLAN3. 5. The IPv4 address of PC1 is 192.168.1.100 255.255.255.0, and the IPv4 address of PC2 is 192.168.3.100 255.255.255.0.
21.2.3.2 Configuration Examples of IPv6 Example 1: Figure 21-2-2 IPv6 configuration example (Switch1 and Switch2) The user's configuration requirements are: configure IPv6 addresses on different network segments of Switch1 and Switch2, configure static routes and validate reachability with ping6. Configuration Description: 1....
Switch2(Config)#interface vlan 3
Switch2(Config-if-Vlan3)#ipv6 address 2003::1/64
Switch2(Config-if-Vlan3)#exit
Switch2(Config)#ipv6 route 2001::33/64 2002::1
Switch1#ping6 2003::33
Configuration result:
Switch1#show run
interface Vlan1
 ipv6 address 2001::1/64
interface Vlan2
 ipv6 address 2002::1/64
interface Loopback
 mtu 3924
ipv6 route 2003::/64 2002::2
no login
Switch2#show run
interface Vlan2
 ipv6 address 2002::2/64
interface Vlan3...
Example 2: Figure 21-2-3 IPv6 tunnel (SwitchA, SwitchB, SwitchC, PC-A, PC-B) This case is an IPv6 tunnel with the following user configuration requirements: SwitchA and SwitchB are the tunnel endpoints and support dual stack; SwitchC runs only IPv4; PC-A and PC-B must be able to communicate. Configuration Description: Configure two VLANs on SwitchA, namely VLAN1 and VLAN2.
IP route aggregation configuration task:
1. Set whether the IP route aggregation algorithm with or without optimization should be used
Global Mode
ip fib optimize
  Enables the switch to use the optimized IP route aggregation algorithm;...
21.4.1.1 IP URPF Operating Mechanism At present URPF relies on the ACL function provided by the Chassis Switch chips. First, URPF is enabled globally so that changes in the routing table are monitored: a corresponding URPF permit ACL rule is created for each route in the routing table (FIB). In URPF strict mode the format of an ACL rule is: the source address segment of the inbound packet + the ingress interface VID of the inbound packet.
debug l4driver urpf {notice | warning | error}
no debug l4driver urpf {notice | warning | error}
  Enable the URPF debug function to display error information if failures occur during the installation of URPF rules.
Admin and Config Mode
show urpf
  Display which interfaces have been...
21.4.4 URPF Troubleshooting Proper operation of URPF depends largely on whether the corresponding URPF rules can be applied correctly. If URPF has been configured but does not behave as expected: check whether the Chassis Switch has been configured with ACL rules that conflict with URPF (URPF has lower priority than ACL); where a conflict exists, the ACL rules take effect.
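As an added illustration of the mechanism described above (example Python, not the switch's firmware or CLI), the following derives strict-mode URPF rules from a small constructed FIB in exactly the form the text describes, source prefix plus ingress VID, and evaluates packets against them in strict and loose mode. The FIB contents, the VLAN IDs and the choice not to validate sources against the default route are assumptions of this example.

```python
"""Strict/loose unicast RPF check built from a FIB (added example).

Not the XGS3 implementation: the FIB, VIDs and packets below are constructed.
"""
import ipaddress

# Constructed FIB: destination prefix -> VID of the VLAN interface that reaches it.
FIB = {
    "192.168.1.0/24": 10,
    "192.168.2.0/24": 20,
    "10.0.0.0/8": 30,
    "0.0.0.0/0": 30,      # default route via VLAN 30
}


def build_urpf_rules(fib):
    """One permit rule per route: (source prefix, ingress VID), longest prefix first.

    Assumption: the default route is not used to validate sources, because it would
    let any source address pass on the default interface.
    """
    rules = []
    for prefix, vid in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue
        rules.append((net, vid))
    rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)
    return rules


def urpf_permit(rules, src_ip, ingress_vid, mode="strict"):
    """Return True if the packet passes the reverse-path check.

    strict: the longest-matching source prefix must point back out the ingress VID.
    loose : any matching route suffices, whatever interface it points to.
    """
    addr = ipaddress.ip_address(src_ip)
    for net, vid in rules:
        if addr in net:
            return mode == "loose" or vid == ingress_vid
    return False


def filter_packets(packets, mode="strict"):
    """packets: iterable of (src_ip, ingress_vid); returns the list of dropped packets."""
    rules = build_urpf_rules(FIB)
    return [pkt for pkt in packets if not urpf_permit(rules, pkt[0], pkt[1], mode)]


if __name__ == "__main__":
    # Constructed traffic: a legitimate host, the same source spoofed on the wrong VLAN,
    # a host behind the /8, and a source only the default route would cover.
    sample = [("192.168.1.5", 10), ("192.168.1.5", 20), ("10.4.4.4", 30), ("203.0.113.9", 30)]
    print("strict drops:", filter_packets(sample, "strict"))
    print("loose drops :", filter_packets(sample, "loose"))
```

The rule list is what an ACL-backed URPF has to install per route, which is why the troubleshooting step above asks you to look for conflicting ACL entries first: a higher-priority user ACL that permits the spoofed source wins over the URPF rule.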
2. Configure proxy ARP
VLAN Port Mode
ip proxy-arp
no ip proxy-arp
  Enables the proxy ARP function for Ethernet ports; the no command disables proxy ARP.
3. Clear dynamic ARP
Admin Mode
clear arp-cache
  The clear arp-cache command clears the contents of the current ARP table, but does not clear the static ARP entries.
21.5.3 ARP Troubleshooting If a ping from the switch to a directly connected network device fails, the following can be used to check the possible cause and find a solution. Check whether the corresponding ARP entry has been learned by the Chassis Switch. ...
Chapter 22 ARP Scanning Prevention Function Configuration 22.1 Introduction to ARP Scanning Prevention Function ARP scanning is a common network attack method. In order to detect all active hosts in a network segment, the attack source broadcasts a large number of ARP messages in the segment, which consumes a large part of the network bandwidth.
2. Configure the threshold of port-based and IP-based ARP Scanning Prevention
Global configuration mode
anti-arpscan port-based threshold <threshold-value>
no anti-arpscan port-based threshold
  Set the threshold of port-based ARP Scanning Prevention.
anti-arpscan ip-based threshold <threshold-value>
  Set the threshold of IP-based ARP...
Admin Mode
debug anti-arpscan <port | ip>
no debug anti-arpscan <port | ip>
  Enable or disable the debug switch of ARP scanning prevention.
22.3 ARP Scanning Prevention Typical Examples Figure 22-3-1 ARP scanning prevention typical configuration example (SWITCH B E1/1 to SWITCH A E1/19; SWITCH A E1/2 to Server 192.168.1.100/24) In the network topology above, port E1/1 of SWITCH B is connected to port E1/19 of SWITCH A, and port E1/2 of SWITCH A is connected to the file server (IP address is 192.168.
SWITCH B configuration task sequence:
SwitchB(config)#anti-arpscan enable
SwitchB(config)#interface ethernet1/1
SwitchB(Config-If-Ethernet1/1)#anti-arpscan trust port
SwitchB(Config-If-Ethernet1/1)#exit
22.4 ARP Scanning Prevention Troubleshooting Help ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, "debug anti-arpscan", to view debug information.
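To make the two thresholds concrete, here is an added example in Python (not the switch's anti-arpscan code) that counts ARP frames per second per ingress port and per sender IP, exempts trusted ports such as the uplink E1/1 above, and reports the offenders. The frame records, port names and the per-second unit of the thresholds are assumptions of this example. It also shows why both thresholds exist: a scanner that rotates spoofed sender addresses trips the port-based threshold but never the IP-based one.

```python
"""ARP scanning detection with port-based and IP-based thresholds (added example).

Not the switch's anti-arpscan implementation. Frames are constructed tuples of
(ingress_port, sender_ip, timestamp_seconds); thresholds are frames per second
(assumption: the manual does not state the unit).
"""
from collections import Counter


def arp_scan_offenders(frames, port_threshold, ip_threshold, trusted_ports=frozenset()):
    """Return (ports, ips) that exceed their threshold in any one-second window.

    Trusted ports (uplinks, like E1/1 in the example above) are never counted.
    """
    per_port = Counter()   # (port, second) -> ARP frames seen
    per_ip = Counter()     # (sender_ip, second) -> ARP frames seen
    for port, sender_ip, ts in frames:
        if port in trusted_ports:
            continue
        second = int(ts)
        per_port[(port, second)] += 1
        per_ip[(sender_ip, second)] += 1
    ports = sorted({port for (port, _), n in per_port.items() if n > port_threshold})
    ips = sorted({ip for (ip, _), n in per_ip.items() if n > ip_threshold})
    return ports, ips


def sample_frames():
    """Constructed one-second capture: a normal host, a scanner, a spoofing scanner, an uplink."""
    frames = []
    frames += [("E1/2", "192.168.1.20", 10.0 + i * 0.3) for i in range(3)]             # normal host
    frames += [("E1/5", "192.168.1.50", 10.0 + i * 0.02) for i in range(30)]           # sweeps the segment
    frames += [("E1/7", "192.168.1.%d" % (100 + i), 10.0 + i * 0.05) for i in range(15)]  # rotating spoofed senders
    frames += [("E1/1", "192.168.1.254", 10.0 + i * 0.01) for i in range(60)]          # busy trusted uplink
    return frames


if __name__ == "__main__":
    ports, ips = arp_scan_offenders(sample_frames(), port_threshold=10, ip_threshold=10,
                                    trusted_ports={"E1/1"})
    print("ports to shut down:", ports)
    print("sender IPs to block:", ips)
```

Without the trust-port exemption the uplink itself would be reported, which is the reason the example configuration above marks E1/1 on SWITCH B as a trust port before enabling the function.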
Chapter 23 Prevent ARP, ND Spoofing Configuration 23.1 Overview 23.1.1 ARP (Address Resolution Protocol) Generally speaking, the ARP protocol (RFC 826) is responsible for mapping an IP address to the corresponding 48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-30-4f-FD-1D-2B.
we prevent ND spoofing and attacks in the same way as ARP spoofing. 23.2 Prevent ARP, ND Spoofing Configuration The steps for configuring ARP and ND spoofing prevention are: disable the ARP/ND automatic update function; disable the ARP/ND automatic learning function; change dynamic ARP/ND entries into static ARP/ND entries. 1.
Hosts in the diagram: A: IP 192.168.2.1, MAC 01-01-01-01-01-01; B: IP 192.168.1.2, MAC 02-02-02-02-02-02; C: IP 192.168.2.3, MAC 03-03-03-03-03-03. In the diagram there is normal communication between B and C. A wants the switch to forward to A the packets that B sends to C. A first sends an ARP reply to the switch of the form (192.168.2.3, 01-01-01-01-01-01), mapping its own MAC address to C's IP address. The switch overwrites the entry for 192.168.2.3 when it updates its ARP table, and from then on packets destined for 192.168.2.3 are forwarded to 01-01-01-01-01-01 (A's MAC address).
Chapter 24 ARP GUARD Configuration 24.1 Introduction to ARP GUARD There is a serious security weakness in the design of the ARP protocol: any network device can send ARP messages advertising a mapping between an IP address and a MAC address. This gives an attacker the opportunity for ARP spoofing.
24.2 ARP GUARD Configuration Task List
1. Configure the protected IP address
Port configuration mode
arp-guard ip <addr>
no arp-guard ip <addr>
  Configure/delete an ARP GUARD address.
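The forged-reply scenario of section 23 and the protected-address idea of ARP GUARD, as an added Python example (not the switch's ARP code): an ARP table that applies the three hardening steps of 23.2 (no automatic update, no automatic learning, static entries) and a per-port guard list, replayed against the hosts A, B and C of the diagram above. The semantics assumed for ARP GUARD here, that an ARP frame arriving on a port whose sender IP is an address protected on that port is dropped, are an assumption of the example, as are the port names and the gateway address 192.168.2.254.

```python
"""ARP spoofing versus static bindings and a per-port ARP GUARD list (added example).

Not the switch's ARP code. Hosts and frames are constructed from the 23.3 diagram:
A 192.168.2.1 / 01-01-..., B 192.168.1.2 / 02-02-..., C 192.168.2.3 / 03-03-...
"""


class ArpTable:
    def __init__(self, auto_update=True, auto_learn=True):
        self.entries = {}          # ip -> (mac, "static" | "dynamic")
        self.auto_update = auto_update
        self.auto_learn = auto_learn
        self.guard = {}            # port -> set of protected IPs (arp-guard ip <addr>)

    def add_static(self, ip, mac):
        self.entries[ip] = (mac.lower(), "static")

    def guard_ip(self, port, ip):
        self.guard.setdefault(port, set()).add(ip)

    def receive(self, frame):
        """frame: dict(port, sender_ip, sender_mac). Returns (verdict, reason)."""
        ip, mac, port = frame["sender_ip"], frame["sender_mac"].lower(), frame["port"]
        if ip in self.guard.get(port, set()):
            return "drop", "arp-guard: protected address claimed on %s" % port
        current = self.entries.get(ip)
        if current is None:
            if not self.auto_learn:
                return "drop", "learning disabled"
            self.entries[ip] = (mac, "dynamic")
            return "learn", "new dynamic entry"
        cur_mac, kind = current
        if cur_mac == mac:
            return "accept", "matches existing entry"
        if kind == "static" or not self.auto_update:
            return "drop", "conflicts with %s entry %s" % (kind, cur_mac)
        self.entries[ip] = (mac, "dynamic")
        return "update", "dynamic entry overwritten"   # the poisoning path of 23.3

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return entry[0] if entry else None


A_FORGED_REPLY = {"port": "E1/1", "sender_ip": "192.168.2.3", "sender_mac": "01-01-01-01-01-01"}
C_REPLY = {"port": "E1/3", "sender_ip": "192.168.2.3", "sender_mac": "03-03-03-03-03-03"}


def poisoning_demo():
    """Default behaviour: dynamic learning and update on; A's reply hijacks C's traffic."""
    table = ArpTable()
    table.receive(C_REPLY)
    verdict, _ = table.receive(A_FORGED_REPLY)
    return verdict, table.lookup("192.168.2.3")


def hardened_demo():
    """23.2 steps (static entry for C, update/learn off) plus ARP GUARD on A's port."""
    table = ArpTable(auto_update=False, auto_learn=False)
    table.add_static("192.168.2.3", "03-03-03-03-03-03")
    table.guard_ip("E1/1", "192.168.2.254")     # assumed gateway address, protected on the user port
    verdict, _ = table.receive(A_FORGED_REPLY)
    gateway_claim = {"port": "E1/1", "sender_ip": "192.168.2.254", "sender_mac": "01-01-01-01-01-01"}
    guard_verdict, _ = table.receive(gateway_claim)
    return verdict, guard_verdict, table.lookup("192.168.2.3")


if __name__ == "__main__":
    print("default :", poisoning_demo())
    print("hardened:", hardened_demo())
```

The static entry alone already defeats A's claim on C's address; the guard entry is what stops the more common variant in which an access port claims the gateway's address, which no static binding on the switch would otherwise cover.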
Chapter 25 ARP Local Proxy Configuration 25.1 Introduction to ARP Local Proxy function In real application environments, switches in the aggregation layer are required to implement the local ARP proxy function to avoid ARP spoofing. This function restricts the forwarding of ARP messages within the same VLAN and thus directs the Layer 3 forwarding of the data flow through the switch.
25.2 ARP Local Proxy Function Configuration Task List
1. Enable/disable ARP local proxy function
Interface VLAN mode
ip local proxy-arp
no ip local proxy-arp
  Enable or disable the ARP local proxy function.
25.3 Typical Examples of ARP Local Proxy Function As shown in the following figure, S1 is a medium/high-end Layer 3 switch supporting ARP local proxy, and S2 is a Layer 2 access switch supporting port isolation.
25.4 ARP Local Proxy Function Troubleshooting The ARP local proxy function is disabled by default. Users can view the current configuration with the display command. With a correct configuration, by enabling ARP debugging users can check whether the ARP proxy operates normally and sends proxy ARP messages.
Chapter 26 Gratuitous ARP Configuration 26.1 Introduction to Gratuitous ARP A gratuitous ARP is an ARP request sent by a host with its own IP address as the target of the request. The basic working mode for XGS3 Chassis Switches is as follows: the Layer 3 interfaces of the Chassis Switch can be configured to advertise gratuitous ARP packets periodically, or the Chassis Switch can be configured globally to send gratuitous ARP packets on all interfaces.
26.3 Gratuitous ARP Configuration Example Figure 26-3-1 Gratuitous ARP Configuration Example (Switch: interface vlan10 192.168.15.254 255.255.255.0; interface vlan1 192.168.14.254 255.255.255.0) In the network topology shown in the figure above, interface VLAN10 of the switch has IP address 192.168.15.254 with network mask 255.255.255.0. Three PCs, PC3, PC4 and PC5, are connected to this interface.
Chapter 27 ND Snooping Configuration 27.1 Introduction to ND Snooping The purpose of the ND snooping module is to use a Control Packet Snooping (CPS) mechanism to check the validity of access packets by binding the source IPv6 address to anchor information, so that matching packets are permitted and non-matching packets are dropped; this controls the access of directly connected IPv6 nodes.
2. Configure the lifetime of ND Snooping
Global mode
[no] ipv6 nd snooping max-sac-lifetime <max-sac-lifetime>
  Reset the binding lifetime to <max-sac-lifetime>, or to 2 hours for SAC_BOUND.
[no] ipv6 nd snooping max-dad-delay <max-dad-delay>
  Reset the binding lifetime to <max-dad-delay>, or to 1 second for...
27.3 ND Snooping Example Typical example: The application environment of ND Snooping is shown in the following figure: Figure 27-3-1 ND Snooping typical configuration Configuration explanation: SW2 is a Layer 3 switch; it connects to the Layer 2 switch SW1 and has the IPv6 function and the RA function enabled. SW1 is a Layer 2 switch; it has the IPv6 function and ND Snooping enabled, and the ND snooping control function is enabled on the ports that connect the three PC nodes.
IPv6 address / MAC address / Port ID
FE80::2AA:FF:FE9A:4CA2  02-AA-00-9A-4C-A2
2001::2AA:FF:FE9A:4CA2  02-AA-00-9A-4C-A2
2001::23:4A:1122:C411  02-AA-00-9A-4C-A2
FE80::BB:FF:FE9A:4CA2  02-BB-00-9A-4C-A2
2001::2BB:FF:FE9A:4CA2  02-BB-00-9A-4C-A2
2001::32:4B:2211:11C4  02-BB-00-9A-4C-A2
FE80::CC:FF:FE9A:4CA2  02-CC-00-9A-4C-A2
2001::2CC:FF:FE9A:4CA2  02-CC-00-9A-4C-A2
2001::22:4A:1133:C422  02-CC-00-9A-4C-A2
If the three PCs do not receive the corresponding DAD NA packets within the set time, ports 1/1, 1/2 and 1/3 send binding entries to the FFP hardware driver according to the dynamic binding table.
Chapter 28 DHCP Configuration 28.1 Introduction to DHCP DHCP [RFC 2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that dynamically assigns IP addresses from an address pool, together with other network configuration parameters such as default gateway, DNS server, default route and the location of the host image file within the network.
dynamically is the same as the lease period of the address pool, and is limited; the lease of a manually bound IP address is theoretically endless. 3) A dynamically allocated address cannot be bound manually. 4) A dynamic DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the related segment.
domain-name <domain>
no domain-name
  Configure the domain name for DHCP clients; the no domain-name command deletes the domain name.
netbios-name-server [<address1> [<address2> [... <address8>]]]
no netbios-name-server
  Configure the address of the WINS server. The no operation cancels the server address.
netbios-node-type {b-node | h-node | m-node | p-node | <type-number>}
  Configure the node type for DHCP clients. The no operation cancels the node type for...
client-name <name>
no client-name
  Configure/delete a client name when binding an address manually.
3. Enable logging for address conflicts
Global Mode
ip dhcp conflict logging
no ip dhcp conflict logging
  Enable/disable logging of DHCP address conflicts.
Admin Mode
clear ip dhcp conflict <address | all>
  Delete a single address conflict record or all...
1. Enable DHCP relay.
Global Mode
service dhcp
no service dhcp
  DHCP server and DHCP relay are enabled when the DHCP service is enabled.
2. Configure DHCP relay to forward DHCP broadcast packets.
Global Mode
ip forward-protocol udp bootps...
As shown in the above figure, the routing switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10, the TFTP server address is 10.1.1.20, and the configuration steps are as follows:
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#vlan 2
XGS3-42000R(config-Vlan-2)#exit...
Chapter 29 DHCPv6 Configuration 29.1 Introduction to DHCPv6 DHCPv6 [RFC 3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses as well as other network configuration parameters, such as DNS server addresses and the domain name, to DHCPv6 clients; DHCPv6 is the stateful address autoconfiguration protocol of IPv6.
The above four steps complete a dynamic host configuration assignment. However, if the DHCPv6 server and the DHCPv6 client are not on the same link, the server will not receive the link-local multicast DHCPv6 packets sent by the client (DHCPv6 uses the multicast group ff02::1:2 rather than broadcast), and therefore no DHCPv6 packets will be sent to the client by the server. In this case a DHCPv6 relay is required to forward the DHCPv6 packets so that the exchange between DHCPv6 client and server can be completed.
(2) Configure parameters of the DHCPv6 address pool
DHCPv6 address pool Configuration Mode
network-address <ipv6-pool-start-address> {<ipv6-pool-end-address> | <prefix-length>} [eui-64]
no network-address
  Configure the range of IPv6 addresses assignable from the address pool.
dns-server <ipv6-address>
no dns-server <ipv6-address>
  Configure the DNS server address for...
2. Configure DHCPv6 relay delegation on a port
Interface Configuration Mode
ipv6 dhcp relay destination {[<ipv6-address>] [interface {<interface-name> | vlan <1-4096>}]}
no ipv6 dhcp relay destination
  Specify the destination address to which the DHCPv6 relay forwards; the no form of this command deletes the configuration.
(2) Configure the prefix delegation pool used by the DHCPv6 address pool
DHCPv6 address pool Configuration Mode
prefix-delegation pool <poolname> [lifetime {<valid-time> | infinity} {<preferred-time>...
  Specify the prefix delegation pool used by the DHCPv6 address pool, and assign usable...
Global Mode
service dhcpv6
no service dhcpv6
  Enable the DHCPv6 service.
2. Enable the DHCPv6 prefix delegation client function on a port
Interface Configuration Mode
ipv6 dhcp client pd <prefix-name> [rapid-commit]
  Enable the client prefix delegation request function on the specified port; the prefix obtained is associated with the general prefix...
Example 2: When a network operator deploys IPv6 networks, network configuration can be done automatically through prefix delegation of IPv6 addresses instead of configuring each switch manually: configure the switching or routing device connected to the client switch as the DHCPv6 prefix delegation server, that is, set up a local database of the relationship between the allocated prefix and the DUID of the client switch.
29.7 DHCPv6 Troubleshooting If DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, the following procedure can be followed once the DHCPv6 client hardware and cables have been verified: Verify that the DHCPv6 server is running, and start the related DHCPv6 server function if it is not; ...
Chapter 30 DHCP option 82 Configuration 30.1 Introduction to DHCP option 82 DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 aims at strengthening the security of DHCP servers and improving the IP address allocation policy. The relay agent adds option 82 (including the client's physical access port, the access device ID and other information) to the DHCP request message from the client, then forwards the message to the DHCP server.
30.1.2 Option 82 Working Mechanism Figure 30-1-1 DHCP option 82 flow chart (DHCP Client, DHCP Relay Agent, DHCP Server: the DHCP request and the DHCP reply carry option 82 between the relay agent and the server, and are exchanged without it between the client and the relay agent) If the DHCP relay agent supports option 82, the DHCP client goes through the following four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge.
1. Enable DHCP option 82 on the relay agent
Global mode
ip dhcp relay information option
no ip dhcp relay information option
  Enable the option 82 function of the switch relay agent. The no ip dhcp relay information option command disables the option 82 function of the switch relay agent.
3. Enable DHCP option 82 on the server
Global mode
ip dhcp server relay information enable
no ip dhcp server relay information enable
  Enable the switch DHCP server to recognize option 82. The no ip dhcp server relay information enable command makes the server ignore option 82.
The following is the configuration of Switch3 (MAC address 00:03:0f:02:33:01):
Switch3(config)#service dhcp
Switch3(config)#ip dhcp relay information option
Switch3(config)#ip forward-protocol udp bootps
Switch3(Config-if-vlan3)#ip address 192.168.10.222 255.255.255.0
Switch3(Config-if-vlan2)#ip address 192.168.102.2 255.255.255.0
Switch3(Config-if-vlan2)#ip helper 192.168.10.88
The Linux ISC DHCP server supports option 82; its configuration file /etc/dhcpd.conf contains:
ddns-update-style interim;
ignore client-updates;...
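To show what the relay agent actually puts on the wire, here is an added Python example (not the switch's relay code) that encodes and decodes option 82 as defined in RFC 3046, sub-option 1 (Agent Circuit ID) and sub-option 2 (Agent Remote ID), and applies the two relay-side checks the flow chart implies: a client packet that already carries option 82 while giaddr is zero is discarded (RFC 3046 section 2.1.1), and the option is stripped from the server's reply before it reaches the client. The circuit-id text format and the use of Switch3's MAC as remote-id are assumptions of this example; the exact sub-option contents this switch inserts are not stated on this page.

```python
"""DHCP option 82 (Relay Agent Information, RFC 3046): build, parse and relay checks.

Added example, not the switch's relay implementation. Sub-option codes 1 and 2 are
from RFC 3046; the circuit-id string and remote-id choice are assumptions.
"""
OPTION_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2
SUB_NAMES = {SUB_CIRCUIT_ID: "circuit_id", SUB_REMOTE_ID: "remote_id"}


def build_option82(circuit_id, remote_id):
    """Encode option 82 as code, length, then the two sub-option TLVs."""
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("option 82 payload too long")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(data):
    """Decode an option 82 TLV; rejects truncated or malformed encodings instead of guessing."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT or data[1] != len(data) - 2:
        raise ValueError("not a well-formed option 82")
    out, i, body = {}, 0, data[2:]
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        out[SUB_NAMES.get(code, code)] = value
        i += 2 + length
    return out


def relay_inbound(options, giaddr, circuit_id, remote_id):
    """Client-to-server direction. options: list of raw option TLVs (bytes).

    RFC 3046 2.1.1: a packet arriving with giaddr 0 (we are the first hop) that already
    carries option 82 is a client forging relay information; discard it (return None).
    """
    if giaddr == 0 and any(opt[0] == OPTION_RELAY_AGENT for opt in options):
        return None
    return list(options) + [build_option82(circuit_id, remote_id)]


def relay_outbound(options):
    """Server-to-client direction: strip option 82 before forwarding to the client."""
    return [opt for opt in options if opt[0] != OPTION_RELAY_AGENT]


if __name__ == "__main__":
    # Constructed values: Switch3's MAC from the example as remote-id, VLAN/port as circuit-id.
    opt = build_option82(b"vlan2:eth1/3", bytes.fromhex("00030f023301"))
    print(opt.hex(), parse_option82(opt))
```

The discard rule is the part worth remembering when option 82 is used for access policy: without it, a host on an access port can supply its own circuit-id and impersonate a different port or device in the server's eyes.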
Chapter 31 DHCP Snooping Configuration 31.1 Introduction to DHCP Snooping DHCP Snooping means that the switch monitors the process by which DHCP clients obtain IP addresses through the DHCP protocol. It prevents DHCP attacks and rogue DHCP servers by distinguishing trusted ports from untrusted ports: DHCP messages from trusted ports are forwarded without being verified.
31.2 DHCP Snooping Configuration Task Sequence
1. Enable DHCP Snooping
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping binding ARP function
4. Enable DHCP Snooping option82 function
5. Set the private packet version
6. Set DES encrypted key for private packets
7. Set helper server address
8. Set trusted ports
9. Enable DHCP Snooping binding DOT1X function
10.
5. Set the private packet version
Global mode
ip user private packet version two
no ip user private packet version two
  Configure/delete the private packet version.
6. Set DES encrypted key for private packets
Global mode
enable trustview key 0/7 <password>...
ip dhcp snooping binding user <mac> address <ipAddr> <mask> vlan <vid> interface (ethernet|) <ifname>
no ip dhcp snooping binding user <mac> interface (ethernet|) <ifname>
  ... entries.
12. Set defense actions
Port mode
ip dhcp snooping action {shutdown | blackhole} [recovery <second>]...
  Set or delete the DHCP snooping automatic...
As shown in the above chart, the device Mac-AA is a normal user connected to untrusted port 1/1 of the switch; it runs a DHCP client and obtains IP 1.1.1.5. The DHCP server and the gateway are connected to trusted ports 1/11 and 1/12 of the switch. The malicious user Mac-BB is connected to untrusted port 1/10 and tries to impersonate a DHCP server (by sending DHCPACK).
31.4.2 DHCP Snooping Troubleshooting Help If a problem occurs when using the DHCP Snooping function, check whether it is caused by one of the following: check whether DHCP Snooping is enabled globally; if the port does not react to invalid DHCP server packets, check whether the port is set as an untrusted port for DHCP Snooping.
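The trusted/untrusted logic and the binding table of this chapter, replayed on the 31.4.1 scenario as an added Python example (not the switch's DHCP snooping implementation): server messages (OFFER, ACK, NAK) arriving on untrusted ports are dropped, a client whose chaddr does not match its source MAC is dropped, and a binding is learned only from the real server's ACK on a trusted port, keyed to the port on which the client's DISCOVER/REQUEST was seen. The message fields, MAC strings and lease value are constructed.

```python
"""DHCP snooping: trusted/untrusted ports, rogue-server filtering, binding table.

Added example, not the switch's implementation. Scenario from 31.4.1: client Mac-AA on
untrusted 1/1, real server on trusted 1/11, gateway on trusted 1/12, attacker Mac-BB on
untrusted 1/10. Messages are constructed dicts with only the fields the checks need.
"""
MAC_AA = "00-00-00-00-00-aa"
MAC_BB = "00-00-00-00-00-bb"
MAC_SERVER = "00-00-00-00-00-01"
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> (port, vlan) of the last DISCOVER/REQUEST seen
        self.bindings = {}   # chaddr -> {"ip", "vlan", "port", "lease"}

    def handle(self, msg):
        """msg: port, vlan, type, src_mac, chaddr, optional yiaddr/lease. Returns a verdict."""
        port, mtype, chaddr = msg["port"], msg["type"], msg["chaddr"].lower()
        if port in self.trusted:
            if mtype == "ACK" and chaddr in self.pending:
                client_port, vlan = self.pending.pop(chaddr)
                self.bindings[chaddr] = {"ip": msg["yiaddr"], "vlan": vlan,
                                         "port": client_port, "lease": msg["lease"]}
            return "forward"
        # Untrusted port: only DHCP clients may live here.
        if mtype in SERVER_MESSAGES:
            return "drop: server message from untrusted port"
        if msg["src_mac"].lower() != chaddr:
            return "drop: chaddr does not match source MAC"
        if mtype in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(chaddr)
            if bound is None or bound["port"] != port:
                return "drop: release/decline from a port without the binding"
        if mtype in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = (port, msg["vlan"])
        return "forward"

    def binding_permits(self, port, src_mac, src_ip):
        """IP-source-guard style check of a data packet against the binding table."""
        bound = self.bindings.get(src_mac.lower())
        return bound is not None and bound["port"] == port and bound["ip"] == src_ip


def scenario():
    """Replay the 31.4.1 exchange; returns the verdicts and the snooping state."""
    snoop = DhcpSnooping(trusted_ports={"1/11", "1/12"})
    exchange = [
        {"port": "1/1", "vlan": 1, "type": "DISCOVER", "src_mac": MAC_AA, "chaddr": MAC_AA},
        {"port": "1/10", "vlan": 1, "type": "OFFER", "src_mac": MAC_BB, "chaddr": MAC_AA,
         "yiaddr": "1.1.1.200"},                                             # rogue server
        {"port": "1/11", "vlan": 1, "type": "OFFER", "src_mac": MAC_SERVER, "chaddr": MAC_AA,
         "yiaddr": "1.1.1.5"},
        {"port": "1/1", "vlan": 1, "type": "REQUEST", "src_mac": MAC_AA, "chaddr": MAC_AA},
        {"port": "1/10", "vlan": 1, "type": "ACK", "src_mac": MAC_BB, "chaddr": MAC_AA,
         "yiaddr": "1.1.1.200", "lease": 60},                                # rogue DHCPACK
        {"port": "1/11", "vlan": 1, "type": "ACK", "src_mac": MAC_SERVER, "chaddr": MAC_AA,
         "yiaddr": "1.1.1.5", "lease": 3600},
        {"port": "1/10", "vlan": 1, "type": "DISCOVER", "src_mac": MAC_BB, "chaddr": MAC_AA},  # forged chaddr
    ]
    return [snoop.handle(m) for m in exchange], snoop


if __name__ == "__main__":
    verdicts, snoop = scenario()
    for v in verdicts:
        print(v)
    print(snoop.bindings)
```

The binding table is what the later "binding ARP" and "binding DOT1X" tasks of 31.2 build on: once Mac-AA is bound to 1.1.1.5 on port 1/1, the same address claimed from port 1/10 fails the check even though the MAC is copied.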
Chapter 32 DHCPv6 Snooping Configuration 32.1 Introduction to DHCPv6 Snooping DHCPv6 Snooping monitors the packet exchange between DHCPv6 client and server in order to create the user binding table and to implement security policies based on that table. DHCPv6 Snooping has the following functions: 32.1.1 Defense against Fake DHCPv6 Server DHCPv6 Snooping can set the port connected to the DHCPv6 server as the trusted port and all other ports as the...
32.1.5 Handling port-move requests By capturing DHCPv6 packets, DHCPv6 Snooping determines the port to which a DHCPv6 user is connected. After a DHCPv6 Snooping binding has been created, if DHCPv6 Snooping receives CONFIRM/REQUEST packets and the corresponding responses for that DHCPv6 client from another port, it uses DAD NS/NA to detect whether the binding on the original port is still usable: if it is (that is, a DAD NA response is received), no new binding is created on the new port; otherwise (no DAD NA response within the set time), the binding is created on the new port and the binding on the original...
Admin mode
clear ipv6 dhcp snooping binding {<MAC> | <ipv6address> | interface {ethernet <IFNAME> | <IFNAME>} | all}
  Delete the dynamic binding information of DHCPv6 Snooping.
5. Set the binding limit for ports
Port mode
ipv6 dhcp snooping binding-limit...
Port mode
ipv6 dhcp snooping binding user-control
no ipv6 dhcp snooping binding user-control
  Enable or disable the user access control function bound by DHCPv6 Snooping.
11. Enable the debug switch
Admin mode
debug ipv6 dhcp snooping packet
debug ipv6 dhcp snooping event
  Enable debugging of DHCPv6 Snooping.
As shown in the above chart, the devices MAC-AA and MAC-BB are normal users; they are connected to untrusted ports 1/2 and 1/3 of the switch and obtain IP 2010::3 and IP 2010::4 through their DHCPv6 clients. The DHCPv6 server is connected to trusted port 1/1 of the switch. The malicious user Mac-CC is connected to untrusted port 1/4 and tries to impersonate a DHCPv6 server.
Chapter 33 Routing Protocol Overview To communicate with a remote host over the Internet, a host must choose a proper route via a set of routers or Layer 3 switches. Both routers and Layer 3 switches calculate routes with the CPU; the difference is that a Layer 3 switch programs the calculated route into the switch chip, which forwards at wire speed, while a router keeps the calculated route in the routing table or route cache and forwards the data with the CPU.
200.1.1.0. Output interface: specifies the interface of the Layer 3 switch through which IP packets are forwarded. IP address of the next Layer 3 switch (next hop): specifies the next Layer 3 switch the IP packet will pass through. Route entry priority: there may be several different next-hop routes leading to the same destination.
each filter is introduced in the following sections: 1. route-map A route-map matches certain properties of the specified routing information and sets routing properties when the conditions are fulfilled. Route-maps control and modify routing messages and also control redistribution between routing protocols.
5. community-list Community-lists are only for BGP. BGP routing messages carry a community attribute field identifying a community. A community-list specifies the matching conditions for this field. For the relevant community-list configuration, please refer to the ip as-path command in the BGP configuration. 33.2.2 IP Routing Policy Configuration Task List 1....
match interface <interface-name> [<interface-name>]
no match interface [<interface-name>]
  Match by interface; the no match interface command deletes the match condition.
match ip <address | next-hop> <ip-acl-name | ip-acl-num>...
no match ip <address | next-hop>...
  Match the address or the next hop; the no match...
set atomic-aggregate
no set atomic-aggregate
  Configure the BGP atomic-aggregate attribute; the no command deletes the configuration.
set comm-list <community-list-name | community-list-num> delete
no set comm-list <community-list-name | community-list-num>...
  Delete BGP community list values; the no command deletes the...
set weight <weight_val>
no set weight [<weight_val>]
  Set the BGP route weight; the no command deletes the configuration.
4. Define address prefix list
Global mode
ip prefix-list <list_name> description <description>
no ip prefix-list <list_name>...
  Describe the prefix list; the no...
Chapter 34 Static Route 34.1 Introduction to Static Route As mentioned earlier, a static route is a manually specified path to a network or host. Static routes are simple and consistent, prevent unauthorized route modification, and are convenient for load balancing and route backup.
34.4 Static Route Configuration Examples The figure below shows a simple network consisting of three Layer 3 switches; the network mask for all switches and PCs is 255.255.255.0. PC-A and PC-C are connected via the static routes set in SwitchA and SwitchC;...
Chapter 35 RIP 35.1 Introduction to RIP RIP was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: •...
destination, and the routing table is built from this database. When a RIP Layer 3 switch sends route update packets to its neighbors, the complete routing table is included in the packets. Therefore, in a large network the routing data to be transferred and processed by each Layer 3 switch is quite large, which degrades network performance.
3. Configure RIP-I/RIP-II switch (1) Configure the RIP version to be used on all interfaces (2) Configure the RIP version to send/receive on all interfaces (3) Configure whether to enable RIP packet sending/receiving on interfaces 4. Delete the specified route from the RIP routing table 5.
(2) Configure RIP route parameters
1) Configure route introduction (default route metric; configure routes of other protocols to be introduced into RIP)
Router Configuration Mode
default-metric <value>
  Sets the default route metric for routes to be introduced;...
Keychain mode
key <keyid>
no key <keyid>
  Enter keychain-key mode and configure a key of the keychain; the no key <keyid> command deletes the key.
Keychain-key mode
key-string <text>
no key-string <text>
  Configure the password used by the key; the no...
5) Configure split horizon
Interface configuration mode
ip rip split-horizon [poisoned]
no ip rip split-horizon
  Apply split horizon to the route updates the port sends; poisoned selects poison reverse. The no ip rip split-horizon command cancels split horizon.
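As an added Python example (not the switch's RIP code) of the table update described in 35.1 and of the two split-horizon variants configured above: a Layer 3 switch processes a neighbor's update with the Bellman-Ford metric+1 rule and 16 as infinity, then computes what it advertises out of an interface with plain split horizon, with poison reverse, and with split horizon off. The topology reuses the 10.1.1.0/24 and 20.1.1.0/24 segments of the configuration example in 35.3; the neighbor address and the 30.1.1.0/24 prefix are constructed.

```python
"""Distance-vector update and split horizon / poison reverse (added example).

Not the switch's RIP implementation. Routes are dicts prefix -> {"metric", "next_hop",
"iface"}; next_hop None means directly connected (metric 1, the RIP convention).
Metric 16 is unreachable.
"""
INFINITY = 16


def connected(iface):
    return {"metric": 1, "next_hop": None, "iface": iface}


def process_update(table, in_iface, neighbor, advertised):
    """Apply a neighbor's update (prefix -> metric) received on in_iface; returns table."""
    for prefix, metric in advertised.items():
        new_metric = min(metric + 1, INFINITY)
        current = table.get(prefix)
        if current is None:
            if new_metric < INFINITY:
                table[prefix] = {"metric": new_metric, "next_hop": neighbor, "iface": in_iface}
        elif current["next_hop"] == neighbor:
            # Updates from the current next hop are always taken, including withdrawals.
            if new_metric >= INFINITY:
                del table[prefix]
            else:
                current["metric"] = new_metric
        elif new_metric < current["metric"]:
            table[prefix] = {"metric": new_metric, "next_hop": neighbor, "iface": in_iface}
    return table


def advertise(table, out_iface, split_horizon=True, poisoned=False):
    """The update sent out of out_iface under the configured split-horizon mode."""
    update = {}
    for prefix, route in sorted(table.items()):
        learned_here = route["next_hop"] is not None and route["iface"] == out_iface
        if learned_here and split_horizon:
            if poisoned:
                update[prefix] = INFINITY   # poison reverse: announce it as unreachable
            continue                        # plain split horizon: leave it out
        update[prefix] = route["metric"]
    return update


def scenario():
    """SwitchA: vlan1 = 10.1.1.0/24 towards neighbor 10.1.1.2, vlan2 = 20.1.1.0/24."""
    table = {"10.1.1.0/24": connected("vlan1"), "20.1.1.0/24": connected("vlan2")}
    process_update(table, "vlan1", "10.1.1.2", {"10.1.1.0/24": 1, "30.1.1.0/24": 1})
    out_vlan1 = {"plain": advertise(table, "vlan1"),
                 "poisoned": advertise(table, "vlan1", poisoned=True),
                 "none": advertise(table, "vlan1", split_horizon=False)}
    out_vlan2 = advertise(table, "vlan2", poisoned=True)
    # The neighbor withdraws 30.1.1.0/24: the entry is removed rather than re-learned.
    process_update(table, "vlan1", "10.1.1.2", {"30.1.1.0/24": INFINITY})
    return out_vlan1, out_vlan2, sorted(table)


if __name__ == "__main__":
    for item in scenario():
        print(item)
```

With split horizon off, 30.1.1.0/24 is echoed back to the neighbor it was learned from at metric 2; if that neighbor later lost its own path, it could pick up the echoed route and the two would count up to 16 together, which is the loop the split-horizon setting exists to prevent.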
(2) Configure the RIP version to send/receive on all ports.
(3) Configure whether to enable RIP packet sending/receiving on ports
Interface configuration mode
ip rip send version {1 | 1-compatible |...
  Sets the version of RIP packets to send on all ports;...
6. Configure redistribution of OSPF routes into RIP
(1) Enable redistribution of OSPF routes into RIP
Router RIP Configuration Mode
redistribute ospf [<process-id>] [metric <value>] [route-map <word>]
  Enable or disable the redistribution of OSPF routes into RIP.
Configure the IP address of interface vlan 1
SwitchA#config
SwitchA(config)#interface vlan 1
SwitchA(Config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
SwitchA(config-if-Vlan1)#
Configure the IP address of interface vlan 2
SwitchA(config)#vlan 2
SwitchA(Config-Vlan2)#switchport interface ethernet 1/2
Set the port Ethernet 1/2 access vlan 2 successfully
SwitchA(Config-Vlan2)#exit
SwitchA(config)#interface vlan 2
SwitchA(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0...
SwitchC(config-router)#network vlan 1
SwitchC(config-router)#exit
35.3.2 Typical Examples of RIP Aggregation Function The application topology is as follows: Figure 35-3-2 Typical application of RIP aggregation (vlan1: 192.168.10.1; vlan1: 192.168.10.2; summary 192.168.20.0/22; subnets 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24, 192.168.24.0/24) In the network topology above, S2 is connected to S1 through interface vlan1, and S2 has four other subnets: 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24.
35.4 RIP Troubleshooting RIP may fail to work properly because of errors such as faulty physical connections or configuration mistakes made when configuring and using RIP. Users should therefore pay attention to the following: enabling dot1q-tunnel on a Trunk port makes the tag of the data packets unpredictable, which is not wanted in this application.
interfaces. Then enter RIP address family mode to configure the corresponding parameters. If the RIP routing problem remains unresolved, use the debug rip command to record debug messages for three minutes and send them to our technical service center.
Chapter 36 RIPng 36.1 Introduction to RIPng RIPng (RFC 2080) is the IPv6 version of RIP, a protocol dedicated to small, simple networks. RIPng is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: •...
Besides the above, RIPng allows IPv6 route information discovered by other routing protocols to be introduced into the routing table. The operation of RIPng is as follows: 1. Enable RIPng The switch sends request packets to the neighboring Layer 3 switches by multicast (RIPng uses the link-local multicast group FF02::9; IPv6 has no broadcast); on receiving a request, the neighbor devices reply with packets containing their local routing information.
Configure redistribution of OSPFv3 routes into RIPng (1) Enable redistribution of OSPFv3 routes into RIPng (2) Display and debug the configuration of redistribution of OSPFv3 routes into RIPng 1. Enable RIPng protocol Applying the RIPng routing protocol with a basic configuration on the switch is simple. Normally you only have to turn RIPng on and configure the segments that run RIPng, that is, send and receive RIPng packets with the default RIPng configuration.
redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>]
no redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>]
  Redistributes routes learned by other routing protocols into RIPng packets; the no form stops redistributing the routes of the corresponding protocol.
3. Configure other RIPng protocol parameters
(1) Configure the RIPng update, timeout and garbage-collection timers
Command                                     Explanation
Router configuration mode
timers basic <update> <invalid> <garbage>
no timers basic
  Adjusts the RIPng update, timeout and garbage-collection timers; the no timers basic command restores the default configuration.
Command                                     Explanation
Router IPv6 RIP configuration mode
redistribute ospf [<process-tag>] [metric <value>] [route-map <word>]
no redistribute ospf [<process-tag>]
  Enables or disables redistribution of OSPFv3 routes into RIPng.
(2) Display and debug the configuration of OSPFv3-to-RIPng redistribution
Command                                     Explanation...
Layer 3 SwitchA
Enable RIPng protocol
SwitchA(config)#router ipv6 rip
SwitchA(config-router)#exit
Configure the IPv6 address on vlan1 and configure vlan1 to run RIPng
SwitchA#config
SwitchA(config)#interface Vlan1
SwitchA(config-if-Vlan1)#ipv6 address 2000:1:1::1/64
SwitchA(config-if-Vlan1)#ipv6 router rip
SwitchA(config-if-Vlan1)#exit
Configure the IPv6 address on vlan2 and configure vlan2 to run RIPng
SwitchA(config)#interface Vlan2
SwitchA(config-if-Vlan2)#ipv6 address 2001:1:1::1/64...
36.3.2 RIPng Aggregation Route Function Typical Examples
The application topology is as follows:
Figure 36-3-2 Typical application of RIPng aggregation (figure labels: VLAN1 2001:1::1:1, 2001:1::20:0/110, VLAN1 2001:1::1:2, 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112, 2001:1::23:0/112)
In the network topology above, S2 is connected to S1 through interface vlan1, and four further subnets lie behind S2: 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112.
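The two aggregation figures above (35-3-2 for RIP, 36-3-2 for RIPng) show a router advertising one summary prefix for the subnets behind it. The following Python script is an added example, not code from the manual or from the switch: it computes the smallest single summary that covers a list of subnets and lists the address space the summary claims that is not actually behind the router. The subnet lists are taken from the two figures; the function names are the example's own.

```python
"""Route summarization helper for the RIP / RIPng aggregation examples.

Added example (not from the XGS3-42000R manual): given the subnets behind
a router, compute the single summary prefix it would advertise upstream,
and list the address space that summary claims but which is not present
behind the router.  Traffic to those "holes" is attracted to the
summarizing router, so they are worth knowing before enabling aggregation.
"""
import ip_address_placeholder_never_used if False else None  # noqa (kept simple below)
```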
36.4 RIPng Troubleshooting
RIPng may fail to work properly because of faults such as a bad physical connection or a configuration error made while configuring and using the protocol. Users should therefore pay attention to the following:
First ensure that the physical connection is correct and that IPv6 forwarding is enabled ...
Chapter 37 OSPF
37.1 Introduction to OSPF
OSPF is the abbreviation of Open Shortest Path First. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol builds a link-state database by exchanging link states among layer3 switches, and then uses the Shortest Path First algorithm to generate a routing table from that database.
The features of the OSPF protocol include the following:
OSPF supports networks of various scales; several hundred layer3 switches can be supported in one OSPF network.
Routing topology changes are detected quickly and updated LSAs are sent immediately, so routes converge quickly.
Link-state information is used in the shortest path algorithm for route calculation, which eliminates routing loops.
OSPF area, and is flooded among the area border layer3 switches; AS-external LSAs are generated by layer3 switches on the external border of the AS and are flooded throughout the AS. For autonomous systems that mainly carry external link-state information, OSPF allows some areas to be configured as stub areas to reduce the size of the topology database.
Set the OSPF interface to receive only
Configure the cost for sending packets from the interface
Configure the OSPF packet-sending timer parameters (the interval at which a broadcast interface sends HELLO packets to poll, the dead interval after which a neighboring layer3 switch is declared invalid, the LSA transmission delay and the LSA retransmission interval).
(1) Configure OSPF packet sending mechanism parameters
1) Configure OSPF packet authentication
2) Set the OSPF interface to receive only
3) Configure the cost for sending packets from the interface
Command                                     Explanation
Interface Configuration Mode
ip ospf authentication
  Configures the authentication method the interface requires in order to accept OSPF packets;...
(2) Configure OSPF route introduction parameters
Configure the routes of other protocols to be introduced into OSPF.
Command                                     Explanation
OSPF Protocol Configuration Mode
redistribute {bgp | connected | static | rip | kernel} [metric-type {1 | 2}] [tag <tag>...
  Redistributes routes learned by other protocols, and static routes, into OSPF as external routing information...
translator-role] | range <range> | stub [no-summary] | virtual-link <neighbor>}
  The no form of this command restores the default settings.
4) Configure the priority of the interface when electing the designated layer3 switch (DR).
Command                                     Explanation
Interface Configuration Mode
ip ospf priority <priority>
  Sets the priority of the interface in the "designated...
37.3 OSPF Examples
37.3.1 Configuration Example of OSPF
Scenario 1: OSPF autonomous system.
This scenario takes an OSPF autonomous system consisting of five switches as an example.
Topology figure: SwitchA to SwitchE in Area 0 (figure labels: E1/1:100.1.1.1, E1/2:30.1.1.1, E1/2:10.1.1.1, E1/1:100.1.1.2, E1/1:30.1.1.2, E1/1:10.1.1.2, E1/1:20.1.1.2, vlan1, vlan2, vlan3)...
Configure the IP addresses for interfaces vlan1 and vlan3.
Switch2#config
Switch2(config)#interface vlan 1
Switch2(config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch2(config-if-vlan1)#no shutdown
Switch2(config-if-vlan1)#exit
Switch2(config)#interface vlan 3
Switch2(config-if-vlan3)#ip address 20.1.1.1 255.255.255.0
Switch2(config-if-vlan3)#no shutdown
Switch2(config-if-vlan3)#exit
Enable OSPF and configure the OSPF areas of interfaces vlan1 and vlan3.
Switch2(config)#router ospf
Switch2(config-router)#network 10.1.1.0/24 area 0
Switch2(config-router)#network 20.1.1.0/24 area 1...
Switch4(config-router)#network 30.1.1.0/24 area 0
Switch4(config-router)#exit
Switch4(config)#exit
Switch4#
Layer 3 Switch5:
Configure the IP address of interface vlan2
Switch5#config
Switch5(config)#interface vlan 2
Switch5(config-if-vlan2)#ip address 100.1.1.2 255.255.255.0
Switch5(config-if-vlan2)#no shutdown
Switch5(config-if-vlan2)#exit
Configure the IP address of interface vlan3
Switch5(config)#interface vlan 3
Switch5(config-if-vlan3)#ip address 30.1.1.1 255.255.255.0
Switch5(config-if-vlan3)#no shutdown...
Scenario 2: Typical complex OSPF topology.
Figure 37-3-2 Typical complex OSPF autonomous system (figure labels: SwitchA to SwitchL, Area0, Area1, Area2, Area3)
This scenario is a typical complex OSPF autonomous system network topology. Area1 includes networks N1-N4 and layer3 SwitchA-SwitchD; area2 includes networks N8-N10, host H1 and layer3 SwitchH; area3 includes N5-N7 and layer3 SwitchF, SwitchG, SwitchA0 and Switch11; networks N8-N10 share a summary route with host H1 (i.e....
layer3 SwitchD interface VLAN2 is 10.1.1.4. SwitchA connects to network N1 through Ethernet interface VLAN1 (IP address 20.1.1.1); SwitchB connects to network N2 through Ethernet interface VLAN1 (IP address 20.1.2.1); SwitchC connects to network N4 through Ethernet interface VLAN3 (IP address 20.1.3.1).
Enable OSPF and configure the area number for interface vlan2.
SwitchB(config)#router ospf
SwitchB(config-router)#network 10.1.1.0/24 area 1
SwitchB(config-router)#exit
Configure simple key authentication.
SwitchB(config)#interface vlan 2
SwitchB(config-If-Vlan2)#ip ospf authentication
SwitchB(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchB(config-If-Vlan2)#exit
Note that simple authentication carries the 8-byte key in clear text in the header of every OSPF packet, so anyone who can sniff the segment can read it and send packets that pass the check; where both ends support it, the message-digest (MD5) method used on SwitchC and SwitchD below is the better choice.
Configure the IP address and area number for interface vlan1.
SwitchB(config)#interface vlan 1
SwitchB(config-If-Vlan1)#ip address 20.1.2.1 255.255.255.0
SwitchB(config-If-Vlan1)#exit...
SwitchC(config-If-Vlan3)#ip address 20.1.3.1 255.255.255.0
SwitchC(config-If-Vlan3)#exit
SwitchC(config)#router ospf
SwitchC(config-router)#network 20.1.3.0/24 area 1
SwitchC(config-router)#exit
Configure the IP address and area number for interface vlan 1
SwitchC(config)#interface vlan 1
SwitchC(config-If-Vlan1)#ip address 10.1.5.1 255.255.255.0
SwitchC(config-If-Vlan1)#exit
SwitchC(config)#router ospf
SwitchC(config-router)#network 10.1.5.0/24 area 0
SwitchC(config-router)#exit
Configure MD5 key authentication.
SwitchD(config-If-Vlan1)#ip address 10.1.6.1 255.255.255.0
SwitchD(config-If-Vlan1)#exit
SwitchD(config)#router ospf
SwitchD(config-router)#network 10.1.6.0/24 area 0
SwitchD(config-router)#exit
Configure MD5 key authentication
SwitchD(config)#interface vlan 1
SwitchD(config-If-Vlan1)#ip ospf authentication message-digest
SwitchD(config-If-Vlan1)#ip ospf authentication-key DCS
SwitchD(config-If-Vlan1)#exit
SwitchD(config)#exit
SwitchD#
Scenario 3: OSPF importing the routes of other OSPF processes
As shown in the following figure, a switch running the OSPF routing protocol connects two networks: network A and network B.
SwitchA(config-if-Vlan2)#exit
Configure the OSPF instances associated with vpnb and vpnc respectively
SwitchA(config)#router ospf 100 vpnb
SwitchA(config-router)#network 10.1.1.0/24 area 0
SwitchA(config-router)#redistribute bgp
SwitchA(config-router)#exit
SwitchA(config)#router ospf 200 vpnc
SwitchA(config-router)#network 20.1.1.0/24 area 0
SwitchA(config-router)#redistribute bgp
The Layer 3 SwitchB of CE1:
Configure the IP address of Ethernet E1/2
SwitchB#config
SwitchB(config)#interface Vlan1...
37.4 OSPF Troubleshooting
OSPF may fail to work properly because of faults such as a bad physical connection or a configuration error made while configuring and using the protocol. Users should therefore pay attention to the following:
First ensure that the physical connection is correct ...
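Scenario 2 above configures both simple (ip ospf authentication-key) and MD5 (ip ospf authentication message-digest) OSPF authentication. The following Python code is an added example, not the switch's firmware or code from the manual: it builds OSPFv2 Hello packets with both authentication types as RFC 2328 Appendix D defines them, verifies the MD5 trailer including the cryptographic sequence number, and shows what a sniffer recovers from a simple-password packet. The Hello body, router ID and area are constructed for the example; the key DCS is the one used in the scenario.

```python
"""OSPFv2 authentication (RFC 2328, Appendix D), as an added example.
Not from the XGS3-42000R manual.  Type 1 (simple password) carries the key
itself in the packet header; type 2 (message-digest) appends an MD5 digest
over the packet and the secret key plus a sequence number against replay."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_SIMPLE = 1
AUTYPE_CRYPTO = 2
HEADER_LEN = 24
DIGEST_LEN = 16
HEADER_FMT = "!BBH4s4sHH8s"  # ver, type, len, rid, area, cksum, autype, auth


def sample_hello_body() -> bytes:
    """Constructed Hello body: mask /24, hello 10s, options, prio 1,
    dead 40s, DR and BDR 0.0.0.0 (20 bytes)."""
    return struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02,
                       1, 40, bytes(4), bytes(4))


def _pad_key(key: bytes) -> bytes:
    """MD5 keys are 16 octets; a shorter configured key is zero padded."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 octets")
    return key.ljust(DIGEST_LEN, b"\x00")


def ip_checksum(data: bytes) -> int:
    """One's-complement Internet checksum, used for AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_simple_packet(body: bytes, router_id: bytes, area_id: bytes,
                        password: bytes) -> bytes:
    """AuType 1: checksum over header+body with the auth field excluded,
    then the 8-octet password is written into the header in clear text."""
    if len(password) > 8:
        raise ValueError("simple password is at most 8 octets")
    length = HEADER_LEN + len(body)
    no_auth = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO,
                          length, router_id, area_id, 0, AUTYPE_SIMPLE)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         router_id, area_id, ip_checksum(no_auth + body),
                         AUTYPE_SIMPLE, password.ljust(8, b"\x00"))
    return header + body


def password_from_capture(frame: bytes) -> bytes:
    """What a passive sniffer recovers from an AuType 1 packet."""
    if struct.unpack("!H", frame[14:16])[0] != AUTYPE_SIMPLE:
        return b""
    return frame[16:24].rstrip(b"\x00")


def build_crypto_packet(body: bytes, router_id: bytes, area_id: bytes,
                        key_id: int, key: bytes, seq: int) -> bytes:
    """AuType 2: checksum 0, auth field = 0 | key id | 16 | seq, and an
    MD5 digest of (packet || padded key) appended AFTER the packet; the
    trailer is not counted in the OSPF length field (D.4.3)."""
    length = HEADER_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         router_id, area_id, 0, AUTYPE_CRYPTO, auth)
    packet = header + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


class OspfNeighborAuth:
    """Receiver side of AuType 2: keys by key ID plus the last accepted
    cryptographic sequence number per sending router (anti-replay)."""

    def __init__(self, keys: dict):
        self.keys = {kid: _pad_key(k) for kid, k in keys.items()}
        self.last_seq: dict = {}

    def verify(self, frame: bytes) -> bool:
        if len(frame) < HEADER_LEN + DIGEST_LEN:
            return False
        ver, _, length, rid, _, _, autype, auth = struct.unpack(
            HEADER_FMT, frame[:HEADER_LEN])
        if ver != OSPF_VERSION or autype != AUTYPE_CRYPTO:
            return False
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(frame):
            return False
        key = self.keys.get(key_id)
        if key is None:
            return False
        expected = hashlib.md5(frame[:length] + key).digest()
        if not hmac.compare_digest(expected, frame[length:]):
            return False
        # RFC 2328 D.4.3 discards only sequence numbers LOWER than the
        # last accepted one, so a replay of the newest packet still passes.
        if seq < self.last_seq.get(rid, 0):
            return False
        self.last_seq[rid] = seq
        return True
```

Two points worth checking against a real capture: the MD5 trailer follows the OSPF packet and is not included in the header length field, and the specification only rejects sequence numbers lower than the last one accepted, so a replayed copy of the most recent packet passes until the sender's counter advances. Simple authentication protects against accidental adjacency with a misconfigured neighbor, not against an attacker on the segment: the key is readable in every packet.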
Chapter 38 OSPFv3
38.1 Introduction to OSPFv3
OSPFv3 (Open Shortest Path First version 3) is the third version of Open Shortest Path First and the IPv6 version of the OSPF protocol. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol builds a link-state database by exchanging link states among layer3 switches, and then uses the Shortest Path First algorithm to generate a routing table from that database.
The features of the OSPFv3 protocol include the following:
OSPFv3 supports networks of various scales; several hundred layer3 switches can be supported in one OSPFv3 network.
Routing topology changes are detected quickly and updated LSAs are sent immediately, so routes converge quickly.
Link-state information is used in the shortest path algorithm for route calculation, which eliminates routing loops.
switch in an OSPF area, and is sent to all other neighboring layer3 switches in this area; a network LSA is generated by the designated layer3 switch of a multi-access network in the OSPF area and is sent to all other neighboring layer3 switches in this area. (To reduce data traffic among the layer3 switches of a multi-access network, a "designated layer3 switch"...
38.2 OSPFv3 Configuration Task List
OSPFv3 Configuration Task List:
Enable OSPFv3 (required)
(1) Enable/disable OSPFv3 (required)
(2) Configure the router ID of the layer3 switch running OSPFv3 (optional)
(3) Configure the network scope for running OSPFv3 (optional)
(4) Enable OSPFv3 on the interface (required)
Configure OSPFv3 auxiliary parameters (optional)
(1)...
router-id <router_id>
no router-id
  Configures the router ID of the OSPFv3 process. The no router-id command returns the ID to 0.0.0.0. (required)
[no] passive-interface <ifname>
  Configures an interface that receives OSPFv3 packets without sending them; the no form cancels the configuration.
Interface Configuration Mode
[no] ipv6 router ospf {area <area-id>...
  Runs OSPFv3 routing on the interface.
ipv6 ospf retransmit <time> [instance-id <id>]
no ipv6 ospf retransmit [instance-id <id>]
  Sets the interval for retransmission of link-state advertisements between neighboring layer3 switches; the no ipv6 ospf retransmit [instance-id <id>] command restores the default setting.
(2) Configure OSPFv3 route introduction parameters
Configure the OSPFv3 route introduction parameters
Commands                                    Explanation...
<id> virtual-link A.B.C.D [instance-id <instance-id> INTERVAL]
no area <id> virtual-link A.B.C.D [INTERVAL]
4) Configure the priority of the interface when electing the designated layer3 switch (DR).
Commands                                    Explanation
Interface Configuration Mode
ipv6 ospf priority <priority>...
and SwitchD make up OSPF area 0, layer3 Switch2 and Switch3 form OSPF area 1 (assume the vlan1 interface of layer3 SwitchA belongs to area 0), and layer3 SwitchD forms OSPF area 2 (assume the vlan2 interface of layer3 SwitchD belongs to area 0). Switch1 and SwitchD are backbone layer3 switches, Switch2 and SwitchD are area border layer3 switches, and Switch3 is the intra-area layer3 switch.
Layer 3 SwitchB:
Enable OSPFv3 protocol and configure the router ID
SwitchB(config)#router ipv6 ospf
SwitchB(config-router)#router-id 192.168.2.2
Configure the IPv6 addresses of interfaces vlan1 and vlan3 and their OSPFv3 area
SwitchB#config
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ipv6 address 2010:1:1::2/64
SwitchB(config-if-vlan1)#ipv6 router ospf area 0
SwitchB(config-if-vlan1)#exit
SwitchB(config)#interface vlan 3
SwitchB(config-if-vlan3)#ipv6 address 2020:1:1::1/64...
Chapter 39 BGP
39.1 Introduction to BGP
BGP stands for Border Gateway Protocol. It is an inter-autonomous-system dynamic routing protocol whose basic function is to exchange routing information automatically and without loops. By exchanging reachability information that carries the sequence of AS numbers traversed (the AS-path attribute), BGP builds a map of the AS topology, eliminates routing loops and implements the policies configured by users.
Unlike RIP and OSPF, BGP is connection-oriented: BGP switches must establish a TCP connection before exchanging routing information. BGP operation is driven by messages, which are of four kinds:
Open message: the first message sent after the TCP connection is established; it is used to set up the BGP peering relationship between BGP peers.
information within a large organization. Note that the switches in an AS need not be physically connected; as long as the switches are in the same AS, they can be IBGP neighbors of each other. Because BGP does not discover routes to its peers by itself, the routing table built by the other routing sources (static routes, direct routes, OSPF and RIP) must contain routes to the neighbors' IP addresses; those routes carry the BGP session traffic.
the one with the lowest router ID.
39.2 BGP Configuration Task List
BGP configuration tasks include basic and advanced tasks. Basic BGP configuration tasks include the following:
1. Enable BGP routing (required)
2. Configure BGP neighbors (required)
3. Administer routing policy changes
4....
router bgp <as-id>
no router bgp <as-id>
  Enables BGP; the no router bgp <as-id> command disables the BGP process.
Router configuration mode
network <ip-address/M>
no network <ip-address/M>
  Sets a network that BGP will announce; the no network <ip-address/M> command removes the network from those announced.
2.
{<ip-address> | <TAG>} ebgp-multihop [<1-255>] command cancels the setting.
8. Configure the BGP session identifier
Command                                     Explanation
BGP configuration mode
bgp router-id <ip-address>
no bgp router-id
  Configures the router ID value; the no bgp router-id command restores the default value.
9. Configure the BGP version
Command                                     Explanation
BGP configuration mode...
BGP configuration mode
neighbor {<ip-address> | <TAG>} send-community
no neighbor {<ip-address> | <TAG>} send-community
  Allows routing updates sent to the BGP neighbor to carry community attributes; the no neighbor {<ip-address> | <TAG>} send-community command sends routes without community attributes.
4. Configure BGP Confederation
Command                                     Explanation
BGP configuration mode...
(3) If route reflection from clients to other clients is needed, the following commands can be used.
Command                                     Explanation
BGP configuration mode
bgp client-to-client reflection
no bgp client-to-client reflection
  Allows the route reflector to reflect routes from one client to the other clients; the no bgp client-to-client reflection command forbids it.
send-community
no neighbor {<ip-address> | <TAG>} send-community
  ... sent to the neighbor.
neighbor {<ip-address> | <TAG>} timers <keepalive> <holdtime>
no neighbor {<ip-address> | <TAG>} timers
  Configures a particular neighbor's keepalive and hold-time timers; the no neighbor {<ip-address> | <TAG>} timers command restores the default values.
{<ip-address> | <TAG>} version command restores the default setting.
neighbor {<ip-address> | <TAG>} route-map <map-name> {in | out}
no neighbor {<ip-address> | <TAG>} route-map <map-name>...
  Applies a route map to incoming or outgoing routes; the no neighbor {<ip-address> | <TAG>} route-map <map-name>... command removes it.
neighbor {<ip-address> | <TAG>} advertisement-interval <seconds>
no neighbor {<ip-address> | <TAG>} advertisement-interval
  Configures the minimum interval between BGP route update messages to the neighbor; the no neighbor {<ip-address> | <TAG>} advertisement-interval command restores the default setting.
10. Configure the Local Preference Value
Command                                     Explanation
BGP configuration mode...
no redistribute {connected | static | rip | ospf}
  ... the no redistribute {connected | static | rip | ospf} command cancels the redistribution.
14. Configure Route Dampening
Command                                     Explanation
BGP configuration mode
bgp dampening [<1-45>] [<1-20000>...
  Enables BGP route dampening and applies the specified parameters;...
configures this router as a route server and specifies the clients it serves; the no neighbor {<ip-address> | <TAG>} route-server-client command removes a client.
17. Configure path-selection rules
Command                                     Explanation
BGP configuration mode
bgp always-compare-med
no bgp always-compare-med
bgp bestpath as-path ignore
no bgp bestpath as-path ignore
  These commands change some of BGP's path-selection rules and thereby the best-path choice: always-compare-med compares the MED of paths even when they were learned from different neighboring ASes, and bestpath as-path ignore leaves the AS-path length out of the comparison...
39.3 Configuration Examples of BGP
39.3.1 Example 1: configure BGP neighbors
SwitchB, SwitchC and SwitchD are in AS200; SwitchA is in AS100. SwitchA and SwitchB share the same network segment. SwitchB and SwitchD are not connected physically.
Topology figure (labels: SwitchC Vlan1: 12.1.1.3, Vlan2: 13.1.1.3, Vlan1:11.1.1.1, Vlan1:11.1.1.2...)
SwitchD(config)#router bgp 200
SwitchD(config-router-bgp)#network 13.0.0.0
SwitchD(config-router-bgp)#neighbor 12.1.1.2 remote-as 200
SwitchD(config-router-bgp)#neighbor 13.1.1.3 remote-as 200
SwitchD(config-router-bgp)#exit
Now the session between SwitchB and SwitchA is EBGP, and the other sessions, with SwitchC and SwitchD, are IBGP. SwitchB and SwitchD can hold a BGP session without a physical connection, but only on the precondition that the two switches have reachable routes to each other.
XGS3-42000R(config-route-map)#exit
XGS3-42000R(config)#route-map set-community permit 20
XGS3-42000R(config-route-map)#match address 2
XGS3-42000R(config-route-map)#exit
XGS3-42000R(config)#access-list 1 permit 11.1.0.0 0.0.255.255
XGS3-42000R(config)#access-list 2 permit 0.0.0.0 255.255.255.255
XGS3-42000R(config)#exit
XGS3-42000R#clear ip bgp 16.1.1.6 soft out
In the following example, the MED and local preference of the routes from neighbor 16.1.1.6 are set selectively according to the routes' community values.
SwitchD:
SwitchD(config)#router bgp 20
SwitchD(config-router-bgp)#bgp confederation identifier 200
SwitchD(config-router-bgp)#bgp confederation peers 10
SwitchD(config-router-bgp)#neighbor 13.1.1.2 remote-as 10
39.3.5 Example 5: configure a BGP route reflector
The following is the configuration of a route reflector. As the figure illustrates, SwitchA, SwitchB, SwitchC, SwitchD, SWE, SWF and SWG establish IBGP sessions within AS100.
SwitchD(config-router-bgp)#neighbor 1.1.1.1 remote-as 300
SwitchD(config-router-bgp)#exit
SwitchD(config)#route-map set-metric permit 10
SwitchD(Config-Router-RouteMap)#set metric 200
The configuration of SwitchB
SwitchB(config)#router bgp 400
SwitchB(config-router-bgp)#neighbor 4.4.4.4 remote-as 100
SwitchB(config-router-bgp)#neighbor 4.4.4.4 route-map set-metric out
SwitchB(config-router-bgp)#exit
SwitchB(config)#route-map set-metric permit 10
SwitchB(Config-Router-RouteMap)#set metric 50
After the configuration above, SwitchB, SwitchC and SwitchD are assumed to send a route 12.0.0.0 to SwitchA.
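The route-maps above let SwitchB and SwitchD tag the same route 12.0.0.0 with different MED values, and section 39.2 lists the knobs bgp always-compare-med and bgp bestpath as-path ignore. The following Python model is an added example, not the manual's or the switch's code: it applies the standard best-path decision steps to three copies of 12.0.0.0/8 as SwitchA would see them and shows how those two knobs change the result. SwitchB's AS number 400 and the MEDs 50 (SwitchB) and 200 (SwitchD) come from the example above; the other AS numbers, the AS paths, the router IDs and SwitchC's MED are constructed.

```python
"""BGP best-path selection, as an added example (not the manual's code).

Models how SwitchA would choose among three copies of 12.0.0.0/8 and how
two path-selection knobs documented in chapter 39 change that choice:
  bgp always-compare-med       compare MED even across neighbor ASes
  bgp bestpath as-path ignore  skip the AS-path length comparison
Only SwitchB's AS (400) and the MEDs 50 / 200 come from the manual; the
remaining AS numbers, AS paths, router IDs and SwitchC's MED are made up.
"""
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    name: str                  # which neighbor advertised it
    prefix: str
    neighbor_as: int           # AS the path was learned from
    as_path: List[int]
    local_pref: int = 100
    med: Optional[int] = None  # absent MED is treated as 0 (most preferred)
    origin: str = "igp"
    ebgp: bool = True
    router_id: str = "0.0.0.0"


@dataclass
class BgpPolicy:
    always_compare_med: bool = False
    bestpath_as_path_ignore: bool = False


def _rid_key(rid: str):
    return tuple(int(octet) for octet in rid.split("."))


def _med(path: Path) -> int:
    return 0 if path.med is None else path.med


def prefer(a: Path, b: Path, policy: BgpPolicy) -> Path:
    """Return the better of two paths to the same prefix; each step
    decides only when the previous ones tie."""
    if a.local_pref != b.local_pref:                        # 1. LOCAL_PREF
        return a if a.local_pref > b.local_pref else b
    if not policy.bestpath_as_path_ignore and len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b  # 2. AS_PATH length
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:      # 3. ORIGIN
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # 4. MED: by default comparable only between paths from the same
    #    neighbor AS; always-compare-med lifts that restriction.
    comparable = policy.always_compare_med or a.neighbor_as == b.neighbor_as
    if comparable and _med(a) != _med(b):
        return a if _med(a) < _med(b) else b
    if a.ebgp != b.ebgp:                                    # 5. eBGP over iBGP
        return a if a.ebgp else b
    return a if _rid_key(a.router_id) <= _rid_key(b.router_id) else b  # 6. RID


def best_path(paths: List[Path], policy: BgpPolicy) -> Path:
    best = paths[0]
    for candidate in paths[1:]:
        best = prefer(best, candidate, policy)
    return best


def switch_a_paths() -> List[Path]:
    """Constructed view of SwitchA's received routes for 12.0.0.0/8."""
    return [
        Path("SwitchB", "12.0.0.0/8", 400, [400, 500], med=50, router_id="2.2.2.2"),
        Path("SwitchC", "12.0.0.0/8", 200, [200, 500], med=100, router_id="3.3.3.3"),
        Path("SwitchD", "12.0.0.0/8", 300, [300], med=200, router_id="1.1.1.1"),
    ]


if __name__ == "__main__":
    for policy in (BgpPolicy(), BgpPolicy(bestpath_as_path_ignore=True),
                   BgpPolicy(bestpath_as_path_ignore=True, always_compare_med=True)):
        print(policy, "->", best_path(switch_a_paths(), policy).name)
```

With default settings the MED values are never compared, because the three paths come from different neighbor ASes, so the shorter AS path wins; only when AS-path length is ignored and always-compare-med is on does SwitchB's MED of 50 decide. The pairwise fold is a simplification: since MED is only meaningful within one neighbor AS, real implementations group paths by neighbor AS first (deterministic MED) so that the result does not depend on the order in which the paths arrived.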
Figure 39-3-5 Example of MPLS VPN
As the figure shows, in a typical MPLS VPN application the public network region consists of PE1, P and PE2, where MPLS is used for packet transmission. VPN-A consists of CE-A1 and CE-A2, and VPN-B consists of CE-B1 and CE-B2.
enables these routes to be announced to IBGP and EBGP neighbors by importing them. Directly connected routes, static routes and IGP routes (RIP and OSPF) are among the routes that can be imported. The network and redistribute (BGP) commands are the two ways of importing routes.
Chapter 40 MBGP4+
40.1 Introduction to MBGP4+
MBGP4+ is the multi-protocol BGP (Multi-protocol Border Gateway Protocol) extension for IPv6; refer to the BGP chapter of this manual for an introduction to BGP itself. Unlike RIPng and OSPFv3, BGP has no separate protocol for IPv6; instead it extends the original BGP with additional address families.
Router IPv6 BGP Configuration Mode
redistribute ospf [<process-tag>] [route-map <word>]
no redistribute ospf [<process-tag>]
  Enables or disables redistribution of OSPFv3 routes into MBGP4+.
(2) Display and debug the configuration of OSPFv3-to-MBGP4+ redistribution
Command                                     Explanation
Admin Mode and Configuration Mode...
SwitchD is IBGP. A BGP session can be established between SwitchB and SwitchD without a physical link, but on the premise that each switch has a route to the other. The route can be obtained by static routing or from an IGP.
40.4 MBGP4+ Troubleshooting
The same as the corresponding section of the BGP chapter.
Chapter 41 Black Hole Routing Manual
41.1 Introduction to Black Hole Routing
Black hole routing is a special kind of static routing that drops all datagrams matching the route.
41.2 IPv4 Black Hole Routing Configuration Task
1. Configure IPv4 Black Hole Routing
Command                                     Explanation
Global Configuration Mode...
Figure 41-4-1 IPv4 Black Hole Routing Configuration Example (figure labels: SWITCH1 192.168.0.1/21, SWITCH2 192.168.0.2/21, 192.168.1.0/24 ... 192.168.7.0/24)
As shown in the figure, eight interfaces in all on Switch 2 are configured as Layer 3 VLAN interfaces serving as access interfaces.
Example 2: IPv6 Black Hole Routing function.
Figure 41-4-2 IPv6 Black Hole Routing Configuration Example (figure labels: SWITCH1 2004:1:2:3::1/64, SWITCH2 2004:1:2:3::2/64, 2004:1:2:3:1::/80 ... 2004:1:2:3:7::/80)
As shown in the figure, eight interfaces in all on Switch 2 are configured as Layer 3 VLAN interfaces serving as access interfaces.
and show ip route fib, and show l3. Copy and paste the output of these commands and send it to the technical service center of our company.
Chapter 42 ECMP Configuration
42.1 Introduction to ECMP
ECMP (Equal-Cost Multi-Path routing) works in network environments where several different links lead to the same destination address. With the traditional routing technique only one link is used to send data packets to the destination address, the other links stay in a backup or invalid state, and switching over between them takes some time in a static routing environment.
42.3 ECMP Typical Example
Figure 42-3-1 The application environment of ECMP
As shown in the figure, R1 connects to R2 and R3 with the interface addresses 100.1.1.1/24 and 100.1.2.1/24. R2 and R3 connect to R1 with the interface addresses 100.1.1.2/24 and 100.1.2.2/24. R4 connects to R2 and R3 with the interface addresses 100.
R4(config)#interface Vlan200
R4(Config-if-Vlan200)#ip address 100.2.2.1 255.255.255.0
R4(config)#interface loopback 1
R4(Config-if-loopback1)#ip address 5.5.5.5 255.255.255.255
R4(config)#router ospf 1
R4(config-router)#ospf router-id 4.4.4.4
R4(config-router)#network 100.2.1.0/24 area 0
R4(config-router)#network 100.2.2.0/24 area 0
On R1, show ip route displays the following:
R1(config)#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area...
Chapter 43 IPv4 Multicast Protocol
43.1 IPv4 Multicast Protocol Overview
This chapter introduces the configuration of the IPv4 multicast protocols. All IP addresses in this chapter are IPv4.
43.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of a packet (carrying data, sound or video) is a small number of users in the network.
Multicast groups are dynamic: hosts can join and leave a multicast group at any time. A multicast group can be permanent or temporary. Some multicast group addresses are assigned officially; these are called permanent multicast groups. A permanent multicast group keeps a fixed IP address, but its membership can vary.
43.1.3 IP Multicast Packet Transmission
In multicast mode, the source host sends packets to the host group indicated by the multicast group address in the destination address field of the IP packet. Unlike unicast, a multicast packet must be forwarded out of a number of interfaces to reach all receiver sites, so the multicast forwarding procedure is more complicated than unicast forwarding.
running PIM-DM use Hello messages to contact each other. PIM-DM Hello messages are sent periodically.
2. Flooding and prune process
PIM-DM assumes that all hosts on the network are ready to receive multicast data. When a multicast source begins to send data to a multicast group G, a router receiving the multicast packet first performs an RPF (reverse path forwarding) check against the unicast routing table: the packet is accepted only if it arrived on the interface that the unicast table uses to reach the source; otherwise it is dropped.
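The RPF check described above is what stops a multicast packet that arrives on the wrong interface from being flooded further. The following Python code is an added example, not the switch's code or the manual's: it implements the longest-prefix lookup, the RPF check and the resulting PIM-DM flood decision against a unicast table constructed for the example (interface names, prefixes and source addresses are the example's own).

```python
"""Multicast RPF check and PIM-DM flood decision, as an added example
(not from the manual).  Table, interfaces and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # interface the unicast table uses to reach `prefix`


class UnicastTable:
    def __init__(self, routes: Sequence[Tuple[str, str]]):
        self.routes = [Route(ipaddress.ip_network(p), ifname)
                       for p, ifname in routes]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, as the forwarding table would do it."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_interface(table: UnicastTable, source: str) -> Optional[str]:
    """The only interface on which packets from `source` may arrive."""
    route = table.lookup(source)
    return route.interface if route else None


def rpf_check(table: UnicastTable, source: str, in_iface: str) -> bool:
    src = ipaddress.ip_address(source)
    # A multicast source must be a real unicast host address.
    if src.is_multicast or src.is_unspecified or src.is_loopback:
        return False
    return rpf_interface(table, source) == in_iface


def pim_dm_forward(table: UnicastTable, source: str, group: str,
                   in_iface: str, interfaces: Sequence[str]) -> List[str]:
    """PIM-DM flooding: drop on RPF failure, otherwise send out of every
    PIM interface except the one the packet came in on."""
    if not ipaddress.ip_address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group")
    if not rpf_check(table, source, in_iface):
        return []
    return [i for i in interfaces if i != in_iface]


def sample_table() -> UnicastTable:
    """Constructed unicast table of a switch with three routed VLANs."""
    return UnicastTable([
        ("10.1.1.0/24", "Vlan1"),      # directly connected source LAN
        ("192.168.0.0/16", "Vlan1"),
        ("192.168.10.0/24", "Vlan2"),  # more specific: overrides the /16
        ("172.16.0.0/12", "Vlan2"),
        ("0.0.0.0/0", "Vlan3"),        # default route
    ])


if __name__ == "__main__":
    table = sample_table()
    vlans = ["Vlan1", "Vlan2", "Vlan3"]
    for src, iface in (("10.1.1.50", "Vlan1"), ("10.1.1.50", "Vlan2")):
        print(src, "in on", iface, "->",
              pim_dm_forward(table, src, "239.1.1.1", iface, vlans) or "dropped")
```

The 192.168.10.7 case in the test shows why RPF has to use the longest match: the /16 points at Vlan1, but the /24 carved out of it points at Vlan2, so a packet from that source passes only on Vlan2. A source that matches nothing but the default route passes RPF on the default route's interface, which is one reason multicast boundaries and PIM neighbor filters are configured at the edge of a multicast domain.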
43.2.2 PIM-DM Configuration Task List
1. Enable PIM-DM (Required)
2. Configure static multicast routing entries (Optional)
3. Configure additional PIM-DM parameters (Optional)
a) Configure the interval for PIM-DM hello messages
b) Configure the interval for state-refresh messages
c) Configure the boundary interfaces
d) Configure the management boundary
4.
Configure the interval for state-refresh messages
Command                                     Explanation
Interface Configuration Mode
ip pim state-refresh origination-interval
no ip pim state-refresh origination-interval
  Configures the interval for sending PIM-DM state-refresh packets. The no form of this command restores the default value.
Configure the boundary interfaces
Command                                     Explanation...
43.2.3 PIM-DM Configuration Examples
As shown in the following figure, add the Ethernet interfaces of SwitchA and SwitchB to the corresponding VLANs, and enable PIM-DM on each VLAN interface.
Figure 43-2-1 PIM-DM Typical Environment (figure labels: SwitchA Vlan 1, Vlan 2; SwitchB Vlan 1, Vlan 2)
The configuration procedure for SwitchA and SwitchB is as follows:...
43.2.4 PIM-DM Troubleshooting
When configuring and using PIM-DM, the protocol may fail to operate normally because of faults in the physical connection or an incorrect configuration. The user should therefore pay attention to the following issues:
Ensure that the physical connection is correct ...
router directly connected to it takes charge of encapsulating the multicast packet in a Register message and unicasting it to the corresponding RP. If there is more than one PIM-SM multicast router on a network segment, the DR (Designated Router) is the one that sends the Register messages.
SPT switch: when the multicast router finds that the rate of multicast packets from the RP with destination address G exceeds the threshold, it sends a Join message to the next upstream node in...
configuration mode and then enabling PIM-SM on specific interfaces in interface configuration mode.
Command                                     Explanation
Global Mode
ip pim multicast-routing
  Enables the PIM-SM protocol for all interfaces (however, in order to make PIM-SM work on specific interfaces, the following command must also be issued). (Required)
Then turn on the PIM-SM switch on the interface...
ip pim neighbor-filter {<access-list-number>}
no ip pim neighbor-filter {<access-list-number>}
  Configures an ACL to filter PIM-SM neighbors. If the session to a neighbor is denied by the ACL, sessions that have already been set up with it are torn down immediately and new sessions will not be set up.
Configure the switch as a candidate RP
Command                                     Explanation
Global Configuration Mode
ip pim rp-candidate {vlan <vlan-id> | loopback <index> | <ifname>} [<A.B.C.D>...
  This is the global candidate RP configuration command; it configures the PIM-SM candidate RP information so that the switch can compete for the RP role with...
43.3.3 PIM-SM Configuration Examples
As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the corresponding VLANs, and enable PIM-SM on each VLAN interface.
Topology figure (labels: SwitchA Vlan 1, Vlan 2; SwitchB Vlan 1, Vlan 2; rp; SwitchD...)
PIM-SM requires the support of an RP and a BSR, so you should first use show ip pim bsr-router to see whether there is BSR information. If there is none, check whether there is a unicast route to the BSR. Use the show ip pim rp-hash command to check whether the RP information is correct; if there is no RP information, again check the unicast routing.
43.4.2 Brief Introduction to MSDP Configuration Tasks
Configuration of MSDP basic functions
  Enabling MSDP (Required)
  Configuring MSDP entities (Required)
  Configuring the Connect-Source interface
  Configuring static RPF entities
  Configuring the Originator RP
  Configuring the TTL value
Configuration of MSDP entities
  Configuring the Connect-Source interface
  Configuring the descriptive information for MSDP entities
  Configuring the AS number...
43.4.3.2 Enabling MSDP
MSDP must be enabled before the various MSDP functions can be configured.
Enable the MSDP function
Configure MSDP
1. Enabling MSDP
Commands                                    Explanation
Global Configuration Mode
router msdp
no router msdp
  Enables MSDP. The no form of this command disables MSDP globally.
43.4.4.2 Configuration of MSDP parameters
Commands                                    Explanation
MSDP Peer Configuration Mode
connect-source <interface-type> <interface-number>
no connect-source
  Configures the Connect-Source interface for the MSDP peer. The no form of this command removes the configured Connect-Source interface.
description <text>...
  Configures the descriptive information about...
no sa-request-filter [list <access-list-number | access-list-name>]
  ... command removes the configured filter rules for SA request packets.
43.4.6 Configuration of Parameters of SA-cache
Commands                                    Explanation
MSDP Configuration Mode
cache-sa-state
no cache-sa-state
  Enables the SA packet cache; the no form disables the SA packet cache.
Figure 43-4-1 Network Topology for MSDP Entry (figure labels: DomainA Source, RouterA; DomainB RouterB; DomainC Receiver)
Configuration tasks are listed as below:
Prerequisites: enable a unicast routing protocol and PIM on every router, and make sure that inter-domain routing works and that multicast works inside each domain.
Figure 43-4-2 Flooding of SA messages (figure labels: PIM SM 1, six Peers)
Figure 43-4-3 Flooding of SA messages with mesh group configuration (figure labels: Mesh Group, PIM SM 1, six Peers)
Configuration steps are listed as below:
Router A:
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1...
If the MSDP problems cannot be solved through all the methods above, issue the debug msdp command, collect the debugging messages for three minutes and send them to the technical service center of our company.
43.5 ANYCAST RP Configuration
43.5.1 Introduction to ANYCAST RP
Anycast RP is a technology based on the PIM protocol that provides RP redundancy so that the network recovers as soon as possible once an RP becomes unusable.
Command (Global Configuration Mode): ip pim rp-candidate {vlan <vlan-id> | loopback <index>...
Explanation: Now PIM-SM allows the Loopback interface to be an RP candidate (necessary). Please note that the ANYCAST RP protocol can configure the Loopback interface or a regular three-layer VLAN interface to be...
...by this router (as an RP).
(3) Configure other-rp-address (other RP communication addresses)
Explanation (Global Configuration Mode): Configure anycast-rp-addr on this router (as an RP). This unicast address is actually the RP address configured on multiple RPs in the network, in accordance with the address of the candidate interface...
Figure 43-5-1 The ANYCAST RP v4 function of the router (addresses shown in the figure: Multicast Server on VLAN1:10.1.1.1; VLAN2:192.168.2.5; VLAN2:192.168.2.1; VLAN1:192.168.1.4; VLAN2:192.168.3.2; VLAN2:2.2.2.2; receivers)
As shown in the figure, the overall network environment is PIM-SM, with two routers supporting ANYCAST RP, RP1 and RP2.
RP2 Configuration:
XGS3-42000R#config
XGS3-42000R(config)#interface loopback 1
XGS3-42000R(config-if-Loopback1)#ip address 1.1.1.1 255.255.255.255
XGS3-42000R(config-if-Loopback1)#exit
XGS3-42000R(config)#ip pim rp-candidate loopback1
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#ip pim anycast-rp
XGS3-42000R(config)#ip pim anycast-rp self-rp-address 192.168.3.2
XGS3-42000R(config)#ip pim anycast-rp 1.1.1.1 192.168.2.1
43.5.4 ANYCAST RP Troubleshooting
When configuring and using the ANYCAST RP function, ANYCAST RP might work abnormally because of faults in physical connections, configuration or other causes.
43.6 PIM-SSM
43.6.1 Introduction to PIM-SSM
Source Specific Multicast (PIM-SSM) is a new kind of multicast service protocol. With PIM-SSM, a multicast session is identified by both the multicast group address and the multicast source address. In SSM, hosts can be added into a multicast group manually and efficiently as in traditional PIM-SM, but the shared tree and the RP management of PIM-SM are left out.
Figure 46-3-1 PIM-SSM typical environment
Configurations of SwitchA, SwitchB, SwitchC and SwitchD are shown as below.
(1) Configuration of Switch A
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-If-Vlan1)#ip pim sparse-mode
XGS3-42000R(config-If-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-If-Vlan2)#ip pim sparse-mode
XGS3-42000R(config-If-Vlan2)#exit
XGS3-42000R(config)#access-list 1 permit 224.1.1.1 0.0.
...use commands such as debug pim event / debug pim packet, then copy the DEBUG information within 3 minutes and send it to the Technology Service Center.
43.7 DVMRP
43.7.1 Introduction to DVMRP
DVMRP stands for “Distance Vector Multicast Routing Protocol”. It is a dense-mode multicast routing protocol which sets up a Forward Broadcast Tree for each source in a manner similar to RIP, and sets up a Truncation Broadcast Tree, i.e.
In DVMRP, source network routing selection messages are exchanged in basically the same manner as in RIP. That is, routing report messages are transmitted among DVMRP neighbors periodically (the default is 60 seconds). The routing information in the DVMRP routing selection table is used to set up the source distribution tree, i.e. to determine through which neighbor the source transmitting the multicast packets is reached;...
2. Enable DVMRP Protocol on the interface
The basic configuration needed to run the DVMRP routing protocol on XGS3 series Layer 3 switches is very simple. After globally enabling the DVMRP protocol, DVMRP must also be turned on under the corresponding interface.
Command (Interface Configuration Mode): ip dvmrp output-report-delay <delay_val> [<burst_size>] / no ip dvmrp output-report-delay
Explanation: Configure the delay of transmitting DVMRP report messages on the interface and the number of messages sent each time; the “no ip dvmrp output-report-delay” command restores the default value.
43.7.3 DVMRP Configuration Examples
As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding VLAN, and enable DVMRP on each VLAN interface.
Figure 43-7-1 DVMRP Network Topology Diagram (SwitchA, SwitchB; Vlan 2, Vlan 1, Vlan 1)
The configuration procedure for SwitchA and SwitchB is as follows:
(1) Configure SwitchA:
XGS3-42000R(config)#ip dvmrp multicast-routing...
Next, make sure the protocol of the interface and the link are UP (use the show interface command); check that the correct IP address is configured on the interface (use the ip address command); then enable the DVMRP protocol on the interface (use the ip dvmrp command and the ip dvmrp multicast-routing command);...
43.8.2 DCSCM Configuration Task List
Source Control Configuration
Destination Control Configuration
Multicast Strategy Configuration
1. Source Control Configuration
Source control configuration has three parts, the first of which is to enable source control. The command of source control is as follows:
Command Explanation Global Configuration Mode...
Command (Port Configuration Mode): [no] ip multicast source-control access-group <5000-5099>
Explanation: Used to apply the rules that source control uses to the port; the no form cancels the configuration.
2. Destination Control Configuration
Like source control configuration, destination control configuration also has three steps. First, enable destination control globally.
Command: [no] ip multicast destination-control <1-4094> <macaddr> access-group <6000-7999>
Explanation: Used to apply the rules that destination control uses to the specified VLAN-MAC; the no form cancels the configuration.
Command: [no] ip multicast destination-control <IPADDRESS/M>...
Explanation: Used to apply the rules that destination control uses to the specified IP address/net...
XGS3-42000R(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.255
XGS3-42000R(config)#access-list 6000 permit ip any any
XGS3-42000R(config)#multicast destination-control
XGS3-42000R(config)#ip multicast destination-control 10.0.0.0/8 access-group 6000
In this way, users of this network segment can only join groups other than 238.0.0.0/8.
3....
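As an added illustration (not part of the manual), the following Python evaluates a DCSCM destination-control binding like the one above: wildcard-mask matching, rules tried in configured order with the first match deciding, and the ACL applied only to receivers inside the bound prefix. It assumes, since the manual does not say, that a bound ACL with no matching rule denies and that receivers outside every bound prefix are unrestricted.

```python
"""Evaluate DCSCM destination-control ACLs: wildcard masks, first match wins."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACLS = Dict[int, List["AclRule"]]
BINDINGS = List[Tuple[ipaddress.IPv4Network, int]]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _masked(addr: int, wildcard: int) -> int:
    """Keep only the bits the wildcard marks as significant (its 0 bits)."""
    return addr & (~wildcard & 0xFFFFFFFF)


@dataclass
class AclRule:
    action: str    # "permit" or "deny"
    src: int
    src_wild: int  # wildcard mask: 1 bits are "don't care", as in 0.255.255.255
    dst: int
    dst_wild: int

    def matches(self, src: int, dst: int) -> bool:
        return (_masked(src, self.src_wild) == _masked(self.src, self.src_wild)
                and _masked(dst, self.dst_wild) == _masked(self.dst, self.dst_wild))


def _parse_target(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Return (address, wildcard, next index) for 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_config(text: str) -> Tuple[ACLS, BINDINGS]:
    """Read 'access-list N {permit|deny} ip SRC DST' lines in configured order and
    'ip multicast destination-control PREFIX access-group N' bindings."""
    acls: ACLS = {}
    bindings: BINDINGS = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "access-list" and tok[3] == "ip":
            if tok[2] not in ("permit", "deny"):
                raise ValueError(f"bad action in: {line}")
            src, src_wild, i = _parse_target(tok, 4)
            dst, dst_wild, _ = _parse_target(tok, i)
            acls.setdefault(int(tok[1]), []).append(AclRule(tok[2], src, src_wild, dst, dst_wild))
        elif tok[:3] == ["ip", "multicast", "destination-control"] and "access-group" in tok:
            net = ipaddress.ip_network(tok[3], strict=False)
            bindings.append((net, int(tok[tok.index("access-group") + 1])))
    return acls, bindings


def evaluate_acl(rules: List[AclRule], src: int, dst: int) -> Optional[str]:
    """The first matching rule decides; later rules are never consulted."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return None


def join_allowed(acls: ACLS, bindings: BINDINGS, receiver: str, source: str, group: str) -> bool:
    """Would a join from `receiver` to (source, group) pass destination control?
    Assumptions not stated in the manual: a receiver outside every bound prefix is
    unrestricted, and a bound ACL with no matching rule denies."""
    addr = ipaddress.IPv4Address(receiver)
    for net, acl_num in bindings:
        if addr in net:
            return evaluate_acl(acls.get(acl_num, []), _ip(source), _ip(group)) == "permit"
    return True


# The manual's example above, typed as plain lines (prompts stripped)
CONFIG = """
access-list 6000 deny ip any 238.0.0.0 0.255.255.255
access-list 6000 permit ip any any
multicast destination-control
ip multicast destination-control 10.0.0.0/8 access-group 6000
"""

if __name__ == "__main__":
    acls, bindings = parse_config(CONFIG)
    for recv, grp in (("10.1.2.3", "238.5.5.5"), ("10.1.2.3", "224.1.1.1"), ("172.16.0.9", "238.5.5.5")):
        verdict = "allowed" if join_allowed(acls, bindings, recv, "192.0.2.10", grp) else "denied"
        print(f"{recv} -> {grp}: {verdict}")
```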
group. Up to now there are three versions of IGMP: IGMP version 1 (defined by RFC 1112), IGMP version 2 (defined by RFC 2236) and IGMP version 3 (defined by RFC 3376). The main improvements of IGMP version 2 over version 1 are:
1. The election mechanism for multicast switches on a shared network segment. A shared network segment is one on which there is more than one multicast switch.
In order to increase robustness, the host retransmits State-Change messages. Additional data is defined to accommodate future extensions. Reports are sent to 224.0.0.22 to help with IGMP Snooping on Layer 2 switches. A report can include more than one group record, which allows a small number of reports to convey the complete current status.
(1) Configure IGMP group parameters
1) Configure IGMP group filtering conditions
2) Configure IGMP to join a group
3) Configure IGMP to join a static group
Command (Interface Configuration Mode): ip igmp access-group {<acl_num | acl_name>}
Explanation: Configure the filtering conditions of the interface for IGMP groups;...
Command: no ip dvmrp | no ip pim dense-mode | no ip pim sparse-mode | no ip dvmrp multicast-routing | no ip pim multicast-routing
Explanation: Disable the IGMP protocol.
43.9.3 IGMP Configuration Examples
As shown in the following figure, add the Ethernet ports of Switch A and Switch B to the corresponding VLAN, and start PIM-DM on each VLAN interface.
43.9.4 IGMP Troubleshooting
When configuring and using the IGMP protocol, IGMP might not operate normally because of a physical connection problem or incorrect configuration. Therefore the user should pay attention to the following issues: Firstly, make sure that the physical connection is correct; ...
Command: ip igmp snooping vlan <vlan-id> / no ip igmp snooping vlan <vlan-id>
Explanation: Enables IGMP Snooping for the specified VLAN. The no operation disables IGMP Snooping for the specified VLAN.
Command: ip igmp snooping vlan <vlan-id> limit {group <g_limit>...
Explanation: Configure the maximum group count of the VLAN and...
Command: ip igmp snooping vlan <vlan-id> suppression-query-time <value> / no ip igmp snooping vlan <vlan-id> suppression-query-time
Explanation: Configure the suppression query time. The “no ip igmp snooping vlan <vlan-id> suppression-query-time” command restores suppression-query-time to the default value.
Command: ip igmp snooping vlan <vlan-id> static-group <A.B.C.D>...
43.10.3 IGMP Snooping Examples
Scenario 1: IGMP Snooping function
Figure 43-10-1 Enabling IGMP Snooping function (Multicast router; Multicast Server 1; Multicast Server 2; multicast port; switch running IGMP Snooping; receivers of Group 1 and Group 2)
Example: As shown in the above figure, VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12.
and port 12 will not receive the traffic of program 1.
Scenario 2: L2-general-querier
Figure 43-10-1 The switches as IGMP Queriers (Multicast Server with Group 1 and Group 2; Switch A running IGMP Snooping as the L2 general querier; multicast port; Switch B running IGMP Snooping; receivers of Group 1 and Group 2)
The configuration of Switch2 is the same as the switch in Scenario 1; SwitchA takes the place of the Multicast...
Scenario 3: To run in cooperation with Layer 3 multicast protocols. The SWITCH used in Scenario 1 is replaced with a ROUTER; the specific configurations remain the same, and the multicast and IGMP snooping configurations are the same as in Scenario 1. Configure PIM-SM on the ROUTER and enable PIM-SM on vlan 100 (use the same PIM mode as the connected multicast router). Configurations are listed as below:...
The IGMP/MLD proxy works between the multicast router and the client; it acts as both a multicast host and a router. Upstream and downstream ports should be specified in the IGMP/MLD proxy configuration. The host protocol runs on upstream ports, while the router protocol runs on downstream ports. The switch collects the join and leave messages received from downstream ports and forwards them to the multicast router through the upstream ports.
Command: ip igmp proxy unsolicited-report robustness <2-10> / no ip igmp proxy unsolicited-report robustness
Explanation: ...sending unsolicited reports. The no form of this command will restore the default value.
Command: ip igmp proxy aggregate / no ip igmp proxy aggregate
Explanation: To configure non-query downstream ports to be able to aggregate the IGMP operations. The no form of this command will restore the default configuration.
The configuration steps are listed below:
XGS3-42000R#config
XGS3-42000R(config)#ip igmp proxy
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip igmp proxy upstream
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ip igmp proxy downstream
Multicast Configuration: Suppose the multicast server offers a program through 224.1.1.1. Some hosts at the edge of the network subscribe to that program.
Chapter 44 IPv6 Multicast Protocol
44.1 PIM-DM6
44.1.1 Introduction to PIM-DM6
PIM-DM6 (Protocol Independent Multicast, Dense Mode) is the IPv6 version of Protocol Independent Multicast Dense Mode. It is a dense-mode multicast routing protocol adapted to small networks, in which the members of a multicast group are relatively dense.
the multicast packet will be discarded as a redundant message. The unicast routing information used for path judgment can come from any unicast routing protocol, such as routes found by RIP, OSPF, etc.; PIM-DM6 doesn’t rely on any specific unicast routing protocol.
4.
Configure static multicast routing entries
Command (Global configuration mode): ipv6 mroute <X:X::X:X> <X:X::X:X> <ifname> <.ifname> / no ipv6 mroute <X:X::X:X> <X:X::X:X>...
Explanation: To configure IPv6 static multicast routing entries. The no form of this command will remove the specified routing entry.
Command: ipv6 pim scope-border <500-599>|<acl_name> / no ipv6 pim scope-border
Explanation: To configure the PIM-DM6 management boundary for the interface and apply an ACL to the management boundary. With default settings, ffx0::/13 is considered the scope of the management group. If an ACL is configured, the scope specified by the ACL permit command is the scope of the management group.
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan2
XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:12:1:1::1/64
XGS3-42000R(config-if-Vlan2)#ipv6 pim dense-mode
(2) Configure SwitchB:
XGS3-42000R(config)#ip pim multicast-routing
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64
XGS3-42000R(config-if-Vlan1)#ipv6 pim dense-mode
XGS3-42000R(config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan 2
XGS3-42000R(config-if-Vlan2)#ipv6 address 2000:20:1:1::1/64
XGS3-42000R(config-if-Vlan2)#ipv6 pim dense-mode
44.1.4 PIM-DM6 Troubleshooting
When configuring and using the PIM-DM protocol, PIM-DM may fail to work normally due to physical...
RP. Consequently the network bandwidth occupied by data packets and control messages is reduced, and the processing cost on routers is reduced. Multicast data reaches the network segments where the multicast group members are located along the shared tree. When the data traffic reaches a certain amount, the multicast data stream can be switched to a source-based SPT (Shortest Path Tree) to shorten network delay.
BSR through automatic selection.
44.2.2 PIM-SM6 Configuration Task List
1. Enable PIM-SM (Required)
2. Configure static multicast routing entries (Optional)
3. Configure additional parameters for PIM-SM (Optional)
Configure parameters for PIM-SM interfaces
1) Configure the interval for PIM-SM hello messages
2) Configure the holdtime for PIM-SM hello messages
3) Configure ACL for PIM-SM6 neighbors
4) Configure the interface as the boundary interface of the PIM-SM6 protocol...
Command: ipv6 mroute <X:X::X:X> <X:X::X:X> <ifname> <.ifname> / no ipv6 mroute <X:X::X:X> <X:X::X:X> [<ifname> <.ifname>]
Explanation: To configure a static multicast routing entry. The no form of this command will remove the specified static multicast routing entry.
3. Configure the additional parameters for PIM-SM
(1) Configure parameters for PIM-SM interfaces
1) Configure the interval for PIM-SM hello messages
Command...
Command (Interface Configuration Mode): ipv6 pim scope-border <500-599>|<acl_name> / no ipv6 pim scope-border
Explanation: To configure the PIM-SM6 management boundary for the interface and apply an ACL to the management boundary. With default settings, ffx0::/13 is considered the scope of the management group. If an ACL is configured, the scope specified by the ACL permit command is the scope of the management group.
4. Disable PIM-SM protocol
Command (Interface Configuration Mode): no ipv6 pim sparse-mode
Explanation: To disable the PIM-SM6 protocol.
Command (Global Configuration Mode): no ipv6 pim sparse-mode
Explanation: To disable PIM-DM globally.
44.2.3 PIM-SM6 Typical Application
As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the corresponding VLAN, and start the PIM-SM protocol on each VLAN interface.
44.2.4 PIM-SM6 Troubleshooting
When configuring and using the PIM-SM protocol, PIM-SM may fail to work normally due to physical connections, incorrect configuration and so on. So users shall note the following points: Make sure the physical connection is correct. ...
1. Enable ANYCAST RP v6 function
2. Configure ANYCAST RP v6
1. Enable ANYCAST RP v6 function
Command (Global Configuration Mode): ipv6 pim anycast-rp / no ipv6 pim anycast-rp
Explanation: Enable the ANYCAST RP function (necessary). The no operation will globally disable the ANYCAST RP function.
message from another RP by unicast, such as a register message whose destination is the self-rp-address of this router, it will create (S,G) state and send back a register-terminating message whose destination address is the source address of the register message. Pay attention: self-rp-address has to be the address of a three-layer interface on this router, but the configuration is allowed to be done with...
address register message into other-rp-address.
2. Multiple other-rp-addresses can be configured in accordance with one anycast-rp-addr. Once a register message from a DR is received, it should be forwarded to all of these RPs one by one.
The no operation will cancel the other-rp-address communicating with this router.
group address and S for the source address of the multicast which sends datagrams to G. An (S,G) pair is named a channel of SSM6. SSM6 serves best for one-to-many multicast applications, for example the network sports video channel and the news channel.
IPv6 DCSCM Controllable Multicast technology proceeds in the following way:
1. If source-controlled multicast is configured on the edge switches, only the multicast data of the specified group from the specified source can pass.
2. The RP switches which are the core of PIM-SM will directly send REGISTER_STOP as the response to REGISTER messages not from the specified source and specified group, and no entry is allowed to be created.
ACL numbers from 8000 to 8099, while each rule number can configure 10 rules. Note that these rules are ordered: the earliest configured rule is at the front. Once a rule is matched, the following ones will not take effect, so the globally enabled rules should be the last to configure. The following is the command:
Command Explanation...
Command (Global Configuration Mode): [no] ipv6 access-list <9000-10099> {deny|permit} {{<source/M>}|{host-source <source-host-ip>}|any-source} {{<destination/M>}|{host-destination <destination-host-ip>}|any-destination}
Explanation: Used to configure destination control rules; these rules can only take effect when applied to a specified source IP, VLAN-MAC or port. The no operation of this rule will delete the specified rule.
44.5.3 IPv6 DCSCM Typical Examples
1. Source control
In order to prevent an edge switch from sending multicast data at will, we configure on the edge switch that only the switch attached to port Ethernet1/5 can send multicast data, and the group of the data should be ff1e::1. The uplink port Ethernet 1/25 can forward multicast data without restriction, so we configure as follows.
44.5.4 IPv6 DCSCM Troubleshooting
The IPv6 DCSCM module acts like an ACL, so most problems are caused by improper configuration. Please read the instructions above carefully.
44.6 MLD
44.6.1 Introduction to MLD
MLD (Multicast Listener Discovery) is the multicast group member (receiver) discovery protocol serving IPv6 multicast.
1) Configure the interval for sending MLD query messages
2) Configure the maximum response time of MLD queries
3) Configure the timeout of MLD queries
3. Shut down MLD Protocol
Start MLD Protocol
There is no special command for starting the MLD protocol on EDGECORE series Layer 3 switches. The MLD protocol starts automatically as long as any IPv6 multicast protocol is started on the corresponding interface.
Command: ipv6 mld query-max-response-time <time_val> / no ipv6 mld query-max-response-time
Explanation: Configure the maximum response time of the interface for MLD queries; the no operation of this command restores the default value.
Command: ipv6 mld query-timeout <time_val>
Explanation: Configure the timeout of the interface for MLD queries;...
XGS3-42000R(config)#ipv6 pim multicast-routing
XGS3-42000R(config)#ipv6 pim rp-address 3FFE::1
XGS3-42000R(config)#interface vlan1
XGS3-42000R(Config-if-Vlan1)#ipv6 address 3FFE::2/64
XGS3-42000R(Config-if-Vlan1)#ipv6 pim sparse-mode
XGS3-42000R(Config-if-Vlan1)#exit
XGS3-42000R(config)#interface vlan2
XGS3-42000R(Config-if-Vlan2)#ipv6 address 3FFA::1/64
XGS3-42000R(Config-if-Vlan2)#ipv6 pim sparse-mode
XGS3-42000R(Config-if-Vlan2)#ipv6 mld query-timeout 150
44.6.4 MLD Troubleshooting Help
When configuring and using the MLD protocol, MLD may fail to work normally due to physical...
The switch realizes the MLD Snooping function while supporting MLD v2. In this way, the user can acquire IPv6 multicast through the switch.
44.7.2 MLD Snooping Configuration Task
1. Enable the MLD Snooping function
2. Configure the MLD Snooping
1. Enable the MLD Snooping function
Command (Global Mode): ipv6 mld snooping / no ipv6 mld snooping
Explanation: Enable global MLD Snooping; the “no ipv6 mld snooping” command disables global MLD snooping.
Command: ipv6 mld snooping vlan <vlan-id> query-mrsp <value> / no ipv6 mld snooping vlan <vlan-id> query-mrsp
Explanation: Configure the query maximum response period. The “no” form of this command restores the default.
Command: ipv6 mld snooping vlan <vlan-id> query-robustness <value>
Explanation: Configure the query robustness; the “no”...
XGS3-42000R#config
XGS3-42000R(config)#ipv6 mld snooping
XGS3-42000R(config)#ipv6 mld snooping vlan 100
XGS3-42000R(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast configuration: Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2; programs 1 and 2 are supplied on Multicast Server 1 while program 3 is on Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively.
Ensure there is a VLAN configured as the L2 general querier, or that there is a static mrouter configured in the segment. Use the command to check whether the MLD snooping information is correct.
Chapter 45 Multicast VLAN
45.1 Introduction to Multicast VLAN
Based on the current multicast ordering method, when users in different VLANs order the same multicast, each VLAN copies the multicast traffic into that VLAN, which is a great waste of bandwidth.
3. Configure the MLD Snooping
Command (Global Mode): ipv6 mld snooping vlan <vlan-id> / no ipv6 mld snooping vlan <vlan-id>
Explanation: Enable MLD Snooping on the multicast VLAN; the “no” form of this command disables MLD Snooping on the multicast VLAN.
Command: ipv6 mld snooping / no ipv6 mld snooping
Explanation: Enable the MLD Snooping function. The “no” form of this command disables the MLD...
Chapter 46 ACL Configuration
46.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access through the switches, effectively safeguarding network security. The user can lay down a set of rules according to information specific to packets; each rule describes the action for a packet whose information matches: “permit”...
46.2 ACL Configuration Task List
ACL Configuration Task Sequence:
1. Configuring access-list
(1) Configuring a numbered standard IP access-list
(2) Configuring a numbered extended IP access-list
(3) Configuring a standard IP access-list based on nomenclature
a) Create a standard IP access-list based on nomenclature
b) Specify multiple “permit”...
5. Clear the filtering information of the specified port
1. Configuring access-list
(1) Configuring a numbered standard IP access-list
Command (Global Mode): access-list <num>...
Explanation: Creates a numbered standard IP access-list; if the access-list already exists, then a rule will...
Command (continued): range <dPortMin> <dPortMax> }] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
Explanation: ...using this number.
Command: access-list <num> {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | <protocol-num>} {{<sIpAddr>...
Explanation: Creates a numbered extended IP access rule for another specific IP protocol or for all IP protocols;...
Command: ip access-list extended <name> / no ip access-list extended <name>
Explanation: Creates an extended access-list based on nomenclature; the “no ip access-list extended <name>” command deletes the name-based extended IP access-list.
b. Specify multiple “permit” or “deny” rules
Command (Extended IP ACL Mode): [no] {deny | permit} icmp {{<sIpAddr>...
c. Exit extended IP ACL configuration mode
Command (Extended IP ACL Mode): exit
Explanation: Exits extended name-based IP ACL configuration mode.
(5) Configuring a numbered standard MAC access-list
Command (Global Mode): access-list <num> {deny|permit} {any-source-mac|{ho...
Explanation: Creates a numbered standard access-list; if the access-list already exists, then a rule will be added to the...
b. Specify multiple “permit” or “deny” rule entries
Command (Extended name-based MAC access rule Mode): [no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]
Explanation: Creates an extended name-based MAC access rule matching MAC frames;...
Command: [no] {deny|permit} {any-source-mac|{host-source-ma...
Command (continued): {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} [tagged-802-3 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]]]
Explanation: ...the “no” form of the command deletes this MAC access rule.
c. Exit ACL Configuration Mode
Command (Extended name-based MAC access configure Mode): exit
Explanation: Quits extended name-based MAC access configure mode.
Command (continued): range <sPortMin> <sPortMax> }] {{<destination> <destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [d-port {<port3> | range <sPortMin> <sPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Explanation: ...be created using this number.
Command: access-list <num> {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} udp...
Explanation: Creates a numbered mac-udp extended mac-ip access rule;...
b. Specify multiple “permit” or “deny” rule entries
Command (Extended name-based MAC-IP access Mode): [no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>}|any-source|{host-source <...
Explanation: Creates an extended name-based MAC-ICMP access rule; the “no” form...
(11) Configuring a numbered extended IPv6 access-list
Command (Global Mode): ipv6 access-list <num-ext> {deny | permit} icmp {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]
Command: ipv6 access-list <num-ext>...
Command: ipv6 access-list standard <name> / no ipv6 access-list standard <name>
Explanation: Creates a standard access-list based on nomenclature; the no command deletes the name-based standard IPv6 access-list.
b. Specify multiple permit or deny rules
Command (Standard IPv6 ACL Mode): [no] {deny | permit} {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <...
Explanation: Creates a standard...
Command (continued): [time-range <time-range-name>]
Explanation: ...access rule.
Command: [no] {deny | permit} tcp {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [dPort {<dPort>...
Explanation: Creates an extended name-based IPv6 access rule; the no form of the command deletes this...
Command: firewall enable
Explanation: Enables the global packet filtering function.
Command: firewall disable
Explanation: Disables the global packet filtering function.
(2) Configure default action
Command (Global Mode): firewall default {permit | deny} [ipv4 | ipv6 | all]
Explanation: Sets the default action of the firewall.
3. Configuring time range function
(1) Create the name of the time range
Command Explanation Global Mode...
(3) Configure absolute time range
Command (Global Mode): absolute start <start_time> <start_data> [end <end_time> <end_data>]
Explanation: Configure the absolute time range.
Command: [no] absolute start <start_time> <start_data> [end <end_time> <end_data>]
Explanation: Stop the function of the time range.
4. Bind access-list to a specific direction of the specified port
Command Explanation Physical Port Mode, VLAN Port Mode...
interface name: Ethernet1/10
IPv6 Ingress access-list used is 600, traffic-statistics Disable.
Scenario 5: The configuration requirement is stated as below: Interfaces 1, 2, 5 and 7 belong to vlan100. The host with IP address 192.168.0.1 should be prevented from accessing the listed interfaces.
Configuration description:
1....
The number of ACLs that can be successfully bound depends on the content of the ACLs bound and the hardware resource limit. Users will be prompted if an ACL cannot be bound due to the hardware resource limitation.
Chapter 47 802.1x Configuration
47.1 Introduction to 802.1x
The 802.1x protocol originates from the 802.11 protocol, the wireless LAN protocol of IEEE, which is designed to provide a solution for authentication when users access a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can reach a LAN access device (such as a LAN switch), they are able to reach all the devices and resources in the LAN.
The authenticator system is the entity at the other end of the LAN segment which authenticates the connected supplicant systems. An authenticator system is usually a network device supporting the 802.1x protocol, providing ports through which supplicant systems access the LAN. The ports provided can be either physical or logical.
47.1.2 The Work Mechanism of 802.1x
The IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to exchange authentication information between the supplicant system, the authenticator system and the authentication server system.
Figure 47-1-2 The Work Mechanism of 802.1x ...
PAE Ethernet Type: Represents the type of the protocol, whose value is 0x888E.
Protocol Version: Represents the version of the protocol supported by the sender of the EAPOL data packet.
Type: Represents the type of the EAPOL data packet, including: ...
Figure 47-1-5 The Format of the Data Domain in Request and Response Packets
Identifier: Assists in matching Request and Response messages.
Length: The length of the EAP packet in bytes, covering the Code, Identifier, Length and Data domains.
Data: The content of the EAP packet, depending on the Code type.
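To make the field layout concrete, here is an added Python parser (not from the manual) for an EAPOL frame and the EAP packet it carries. The PAE Ethernet type 0x888E and the Code, Identifier, Length and Data fields are those described above; the EAPOL packet types, the EAPOL Length field, the EAP codes, the method numbers and the PAE group MAC are taken from IEEE 802.1X and RFC 3748, and the MAC addresses and identity in the sample frames are constructed.

```python
"""Decode 802.1X EAPOL frames and the EAP packets they carry."""
import struct
from dataclasses import dataclass
from typing import Optional

PAE_ETHERTYPE = 0x888E                          # PAE Ethernet Type from the manual
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC (IEEE 802.1X)

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


class EapolError(ValueError):
    """A malformed frame; an authenticator port should drop it rather than guess."""


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    method: Optional[int]  # EAP Type byte, present only in Request/Response
    data: bytes


@dataclass
class EapolFrame:
    dst: bytes
    src: bytes
    version: int
    pkt_type: int
    eap: Optional[EapPacket]


def parse_eap(body: bytes) -> EapPacket:
    """Code, Identifier, Length, Data; Length counts all four fields (manual, RFC 3748)."""
    if len(body) < 4:
        raise EapolError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise EapolError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise EapolError("EAP Length does not fit inside the EAPOL body")
    data = body[4:length]
    method = None
    if code in (1, 2):  # Request and Response start their Data with a Type byte
        if not data:
            raise EapolError("Request/Response without a Type byte")
        method, data = data[0], data[1:]
    return EapPacket(code, ident, length, method, data)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Ethernet header, then EAPOL Version / Type / Length / Body."""
    if len(frame) < 18:
        raise EapolError("frame too short for an EAPOL header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != PAE_ETHERTYPE:
        raise EapolError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    if pkt_type not in EAPOL_TYPES:
        raise EapolError(f"unknown EAPOL type {pkt_type}")
    body = frame[18:18 + length]
    if len(body) < length:
        raise EapolError("EAPOL Length exceeds the bytes actually present")
    eap = parse_eap(body) if pkt_type == 0 else None  # only EAP-Packet carries EAP
    return EapolFrame(dst, src, version, pkt_type, eap)


def build_eapol(dst, src, pkt_type, code=None, ident=0, method=None, data=b""):
    """Assemble a frame; used here only to construct the sample exchange below."""
    body = b""
    if pkt_type == 0:
        payload = (bytes([method]) if method is not None else b"") + data
        body = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return dst + src + struct.pack("!HBBH", PAE_ETHERTYPE, 1, pkt_type, len(body)) + body


def describe(frame: bytes) -> str:
    """One-line summary such as 'EAP-Packet Response/Identity id=1'."""
    f = parse_eapol(frame)
    if f.eap is None:
        return EAPOL_TYPES[f.pkt_type]
    name = EAP_CODES[f.eap.code]
    if f.eap.method is not None:
        name += "/" + EAP_METHODS.get(f.eap.method, f"type-{f.eap.method}")
    return f"EAP-Packet {name} id={f.eap.identifier}"


# Constructed sample exchange; both MAC addresses and the identity are made up.
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("00aabbccddee")
START = build_eapol(PAE_GROUP_ADDR, SUPPLICANT, 1)
REQ_ID = build_eapol(SUPPLICANT, AUTHENTICATOR, 0, code=1, ident=1, method=1)
RESP_ID = build_eapol(AUTHENTICATOR, SUPPLICANT, 0, code=2, ident=1, method=1,
                      data=b"user@example.com")

if __name__ == "__main__":
    for f in (START, REQ_ID, RESP_ID):
        print(describe(f))
```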
authentication system privately. The devices are Layer 2 switches and the authentication server is a RADIUS server. The EAP protocol is used for the authentication message format. EAPOL encapsulation is used between the client and the authentication proxy switch, that is to say, EAP messages are encapsulated in Ethernet frames for authentication and communication; however, EAPOR encapsulation is used between the authentication proxy switch and the authentication server, that is to say, EAP messages are carried over the RADIUS protocol for authentication and communication.
EAP is a widely-used authentication framework that transports the actual authentication protocol rather than being a specific authentication mechanism. EAP provides some common functions and allows negotiation of the desired authentication mechanism, which is called an EAP Method. The advantage of EAP is that the EAP mechanism working as the base needs no adjustment when a new authentication protocol appears.
Figure 47-1-9 The Authentication Flow of 802.1x EAP-MD5
2. EAP-TLS Authentication Method
EAP-TLS was brought up by Microsoft based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server as well as the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess digital certificates to implement bidirectional authentication.
The following figure illustrates the basic operation flow of the EAP-TLS authentication method.
Figure 47-1-10 The Authentication Flow of 802.1x EAP-TLS
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificates.
PEAP Authentication Method
EAP-PEAP was proposed by Cisco, Microsoft and RSA Security as a recommended open standard. It has long been used in products and provides very good security. Its protocol and security design is similar to that of EAP-TTLS, using the server's PKI certificate to establish a secure TLS tunnel in order to protect user authentication.
Figure 47-1-12 The Authentication Flow of 802.1x EAP Termination Mode
47.1.7 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x. ...
resources, which means all users of this port can access limited resources before being authenticated. The user-based advanced control restricts the access to limited resources: only some particular users of the port can access limited resources before being authenticated. Once those users pass the authentication, they can access all resources.
because of lacking an exclusive authentication supplicant system, or because the version of the supplicant system is too low. Once the 802.1x feature is enabled and the Guest VLAN is configured properly, a port will be added into the Guest VLAN, just like Auto VLAN, if there is no response message from the supplicant system after the device has sent more authentication-triggering messages (EAP-Request/Identity) from the port than the upper limit.
2. Configure Web authentication agent function
Global Mode
Command: dot1x web authentication enable
         no dot1x web authentication enable
Explanation: Enable the Web authentication agent; the no command disables the Web authentication agent.
Command: dot1x web redirect <URL>
         no dot1x web redirect
Explanation: Set the HTTP server address for Web redirection; the no command clears the address.
Command: dot1x macfilter enable
         no dot1x macfilter enable
Explanation: Enables the 802.1x address filter function in the switch; the no command disables the 802.1x address filter function.
Command: dot1x accept-mac <mac-address> [interface <interface-name>]
         no dot1x accept-mac
Explanation: Adds an 802.1x address filter table entry; the no command deletes 802.1x filter address table entries.
47.3 802.1x Application Example
47.3.1 Examples of Guest VLAN Applications
[Figure 47-3-1 The Network Topology of Guest VLAN: Update server, Authentication server, Switch, Internet, User; VLAN2, VLAN5, VLAN10, VLAN100]
Notes: in the figures in this section, E2 means Ethernet 1/2, E3 means Ethernet 1/3 and E6 means Ethernet 1/6.
As illustrated in the figure above, the 802.1x feature is enabled on switch port Ethernet1/2, and VLAN10 is set as the port's Guest VLAN. Before the user gets authenticated, or when the user fails to do so, port Ethernet1/2 is added into VLAN10, allowing the user to access the Update Server.
# Set the link type of the port as access mode.
XGS3-42000R(config-If-Ethernet1/2)#switchport mode access
# Set the access control mode on the port as portbased.
XGS3-42000R(config-If-Ethernet1/2)#dot1x port-method portbased
# Set the access control mode on the port as auto.
XGS3-42000R(config-If-Ethernet1/2)#dot1x port-control auto
# Set the port's Guest VLAN as 100.
In the network topology shown above, Ethernet 1/1 on SWITCH1 is connected to the Web server whose IP address is 192.168.20.20/24, and Ethernet 1/2 on SWITCH1 is connected to the RADIUS server whose IP address is 192.168.20.88/24 and whose authentication port is 1812. The PC is connected to Ethernet 1/16 on SWITCH1 through an unknown network.
Chapter 48 The Number Limitation Function of Port, MAC in VLAN and IP Configuration
48.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP
The MAC address table is used to identify the mapping relationship between destination MAC addresses and the ports of the switch.
1. Limiting the number of dynamic MAC addresses. If the number of MAC addresses dynamically learned by the switch is already larger than or equal to the maximum number of dynamic MAC addresses, then MAC learning is shut down on this port; otherwise, the port can continue learning. 2.
Command: vlan mac-address dynamic maximum <value>
         no vlan mac-address dynamic maximum
Explanation: Enable and disable the number limitation function of MAC addresses in the VLAN.
Interface configuration mode
Command: ip arp dynamic maximum <value>
         no ip arp dynamic maximum
Explanation: Enable and disable the number limitation function of ARP in the VLAN.
48.3 The Number Limitation Function of Port, MAC in VLAN and IP Typical Examples
[Figure 48-3-1 The Number Limitation of Port, MAC in VLAN and IP Typical Configuration Example: SWITCH A, SWITCH B, PC users]
In the network topology above, SWITCH B connects to many PC users. Before enabling the number limitation function of port, MAC in VLAN and IP, if the system hardware has no other limitation, SWITCH A and SWITCH B can get the MAC, ARP and ND list entries of all the PCs, so limiting the MAC and ARP list entries can avoid DoS...
48.4 The Number Limitation Function of Port, MAC in VLAN and IP Troubleshooting Help
The number limitation function of port, MAC in VLAN and IP is disabled by default; if users need to limit the number of users accessing the network, they can enable it. If the number limitation function of MAC addresses cannot be configured, please check whether Spanning-tree, dot1x or TRUNK is running on the switch and whether the port is configured as a MAC-binding port.
Chapter 49 Operational Configuration of AM Function
49.1 Introduction to AM Function
AM (Access Management) means that when a switch receives an IP or ARP packet, it compares the information extracted from the packet (such as the source IP address or the source MAC-IP pair) with the configured hardware address pool.
3. Configure the forwarding IP
Port Mode
Command: am ip-pool <ip-address> <num>
         no am ip-pool <ip-address> <num>
Explanation: Configure the forwarding IP of the port.
4. Configure the forwarding MAC-IP
Port Mode
Command: am mac-ip-pool <mac-address> <ip-address>
         no am mac-ip-pool <mac-address>...
Explanation: Configure the forwarding MAC-IP of the ...
In the topology above, 30 PCs, aggregated by HUB1, connect to interface 1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. For security, the system manager treats only users with an IP address within that range as legal ones, and the switch forwards only data packets from legal users while dropping packets from other users.
Chapter 50 Security Feature Configuration
50.1 Introduction to Security Feature
Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack drops normal user data packets because it is kept busy processing the attacker's packets, leading to denial of the service and, in worse cases, to leakage of sensitive data from the server.
50.2.3 Anti Port Cheat Function Configuration Task Sequence
1. Enable the anti port cheat function
Global Mode
Command: [no] dosattack-check srcport-equal-dstport enable
Explanation: Enable/disable the prevent-port-cheat function.
Command: dosattack-check ipv4-first-fragment
Explanation: Enable/disable checking IPv4 fragments. This command has no effect when used separately, but if this function is not enabled, the switch will enable...
Command: dosattack-check icmpv4-size <size>
Explanation: Configure the maximum permitted ICMPv4 payload length. This command has no effect when used separately; the user has to enable dosattack-check icmp-attacking enable.
Command: dosattack-check icmpv6-size <size>...
Explanation: Configure the maximum permitted ICMPv6 payload length. This command has no effect when ...
Chapter 51 TACACS+ Configuration
51.1 Introduction to TACACS+
TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
3. Configure the TACACS+ authentication timeout time
Global Mode
Command: tacacs-server timeout <seconds>
         no tacacs-server timeout
Explanation: Configure the authentication timeout for the TACACS+ server; the "no tacacs-server timeout" command restores the default configuration.
4. Configure the IP address of the TACACS+ NAS
Global Mode...
51.4 TACACS+ Troubleshooting
In configuring and using TACACS+, TACACS+ may fail to authenticate due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: First, that the TACACS+ server's physical connection is in good condition. ...
Chapter 52 RADIUS Configuration
52.1 Introduction to RADIUS
52.1.1 AAA and RADIUS Introduction
AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management. Through the three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who may access the network device, which access level the user has, and the accounting for network resources.
Length field (2 octets): The length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes. Authenticator field (16 octets): used for validation of the packets received from the RADIUS server, or to carry encrypted passwords. This field is of two kinds: the Request Authenticator and the Response Authenticator.
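To make the packet layouts from 47.1 and 52.1 concrete, here is an added example (not code from this manual or from PLANET) that parses the RADIUS header and attribute list, validates a Response Authenticator against the Request Authenticator and shared secret as RFC 2865 specifies, and decodes the EAP packet (Code, Identifier, Length, Data) carried in the EAP-Message attribute (type 79, RFC 2869). The shared secret, Request Authenticator and attribute contents are constructed sample values.

```python
import hashlib
import hmac
import struct

RADIUS_HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
EAP_HEADER_LEN = 4       # Code(1) + Identifier(1) + Length(2), followed by Data
ATTR_EAP_MESSAGE = 79    # EAP-Message attribute type (RFC 2869)
ATTR_REPLY_MESSAGE = 18  # Reply-Message attribute type (RFC 2865)
CODE_ACCESS_ACCEPT = 2
EAP_CODE_SUCCESS = 3


def parse_radius(packet: bytes) -> dict:
    """Split a raw RADIUS packet into Code, Identifier, Length, Authenticator, Attributes."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    # RFC 2865: Length covers the whole packet; bytes beyond it are padding and ignored.
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    return {
        "code": code,
        "identifier": identifier,
        "length": length,
        "authenticator": packet[4:RADIUS_HEADER_LEN],
        "attributes": packet[RADIUS_HEADER_LEN:length],
    }


def parse_attributes(raw: bytes) -> list:
    """Walk the Type/Length/Value attribute list, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("attribute length out of range")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs


def response_authenticator(code, identifier, length, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, identifier, attributes, request_auth, secret) -> bytes:
    """Assemble a server reply the way a RADIUS server would (used for the sample below)."""
    length = RADIUS_HEADER_LEN + len(attributes)
    auth = response_authenticator(code, identifier, length, request_auth, attributes, secret)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the NAS (the switch) must pass before trusting an Access-Accept."""
    f = parse_radius(response)
    expected = response_authenticator(f["code"], f["identifier"], f["length"],
                                      request_auth, f["attributes"], secret)
    return hmac.compare_digest(expected, f["authenticator"])


def parse_eap(data: bytes) -> dict:
    """Decode the EAP header (Code, Identifier, Length) and return the Data field."""
    if len(data) < EAP_HEADER_LEN:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", data[:EAP_HEADER_LEN])
    if length < EAP_HEADER_LEN or length > len(data):
        raise ValueError("EAP Length field inconsistent with packet size")
    return {"code": code, "identifier": identifier, "length": length,
            "data": data[EAP_HEADER_LEN:length]}


def eap_from_radius(packet: bytes) -> dict:
    """Reassemble the EAP-Message fragments carried in a RADIUS packet and decode them."""
    chunks = [v for t, v in parse_attributes(parse_radius(packet)["attributes"])
              if t == ATTR_EAP_MESSAGE]
    if not chunks:
        raise ValueError("no EAP-Message attribute present")
    return parse_eap(b"".join(chunks))


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type/Length/Value attribute."""
    return bytes([atype, 2 + len(value)]) + value


# Constructed sample: an EAP-Success for EAP identifier 7 inside Access-Accept 42.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_EAP = struct.pack("!BBH", EAP_CODE_SUCCESS, 7, EAP_HEADER_LEN)  # no Data field
SAMPLE_RESPONSE = build_response(
    CODE_ACCESS_ACCEPT, 42,
    attr(ATTR_EAP_MESSAGE, SAMPLE_EAP) + attr(ATTR_REPLY_MESSAGE, b"welcome"),
    SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)

if __name__ == "__main__":
    print(verify_response(SAMPLE_RESPONSE, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    print(eap_from_radius(SAMPLE_RESPONSE))
```

A reply that fails verify_response (wrong secret, altered attributes, or a replayed Authenticator) must be discarded by the switch rather than treated as an Access-Accept.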
5. Configure the IP address of the RADIUS NAS.
1. Enable the authentication and accounting function.
Global Mode
Command: aaa enable
         no aaa enable
Explanation: To enable the AAA authentication function. The no form of this command will disable the AAA authentication function.
Command: aaa-accounting enable
Explanation: To enable AAA accounting.
4. Configure the parameters of the RADIUS service
Global Mode
Command: radius-server dead-time <minutes>
         no radius-server dead-time
Explanation: To configure the interval after which a RADIUS server becomes available again once it is down. The no form of this command will restore the default configuration.
52.3 RADIUS Typical Examples
52.3.1 IPv4 RADIUS Example
[Figure 52-3-1 The Topology of IEEE802.1x configuration: computer, switch 10.1.1.2 / 10.1.1.1, RADIUS server 10.1.1.3]
A computer connects to a switch whose IP address is 10.1.1.2, and the switch is connected to a RADIUS authentication server through Ethernet 1/2; the IP address of the server is 10.1.1.3, the authentication port defaults to 1812 and the accounting port defaults to 1813.
52.3.2 IPv6 RADIUS Example
[Figure 52-3-2 The Topology of IPv6 RADIUS configuration: computer, switch 2004:1:2:3::2 / 2004:1:2:3::1, RADIUS server 2004:1:2:3::3]
A computer connects to a switch whose IP address is 2004:1:2:3::2, and the switch is connected to a RADIUS authentication server through Ethernet1/2; the IP address of the server is 2004:1:2:3::3, the authentication port defaults to 1812 and the accounting port defaults to 1813.
Chapter 53 SSL Configuration
53.1 Introduction to SSL
As computer networking technology spreads, network security has an increasingly important impact on the availability and usability of networking applications. Network security has become one of the greatest barriers to modern networking applications.
data transmission in the application layer will be encrypted. The SSL handshake is done when the SSL session is being set up. The switch should be able to provide certificates and keys. Currently the certificate provided by the switch is not a formal certificate issued by an official certificate authority, but a private certificate generated by SSL software under Linux, which may not be recognized by the web browser.
2. Configure/delete the port number used by SSL
Global Mode
Command: ip http secure-port <port-number>
         no ip http secure-port
Explanation: Configure the port number used by SSL; the "no ip http secure-port" command deletes the port number.
3. Configure/delete the secure cipher suite used by SSL
Global Mode...
Configuration on the switch:
XGS3-42000R(config)# ip http secure-server
XGS3-42000R(config)# ip http secure-port 1025
XGS3-42000R(config)# ip http secure-ciphersuite rc4-128-sha
53.4 SSL Troubleshooting
In configuring and using SSL, the SSL function may fail due to reasons such as physical connection failure or wrong configurations.
Chapter 54 IPv6 Security RA Configuration
54.1 Introduction to IPv6 Security RA
In IPv6 networks, the network topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RAs, including the link prefix, link MTU and other information; when the IPv6 hosts receive an RA, they create a link address and set the default router to the one sending the RA in order to implement IPv6 network communication.
54.3 IPv6 Security RA Typical Examples
[Figure: Other IPv6 network, Ethernet1/1, Ethernet1/2, Ethernet1/3, PC user, Illegal user]
Instructions: if the illegal user in the graph advertises RAs, the normal user will receive the RA, set the default router to the malicious IPv6 host and change its own address. This will cause the normal user to be unable to connect to the network.
Chapter 55 VLAN-ACL Configuration
55.1 Introduction to VLAN-ACL
The user can apply an ACL policy to a VLAN to implement access control on all ports in the VLAN, and VLAN-ACL enables the user to manage the network conveniently. The user only needs to configure the ACL policy in the VLAN; the corresponding ACL action takes effect on all member ports of the VLAN, without configuring each member port separately.
2. Configure VLAN-ACL of MAC type
Global mode
Command: vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD
         no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
Explanation: Configure or delete a MAC VLAN-ACL.
3.
55.3 VLAN-ACL Configuration Example
A company's network configuration is as follows: all departments are divided into different VLANs, the technical department is Vlan1 and the finance department is Vlan2. It is required that the technical department can access the outside network at timeout, but the finance department is not allowed to access the outside network at any time, for security.
Configure the extended IP ACL vacl_b; at any time it only allows access to resources within the internal network (such as 192.168.1.255).
XGS3-42000R(config)#ip access-list extended vacl_b
XGS3-42000R(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.0.0.255
XGS3-42000R(config-ip-ext-nacl-vacl_b)# deny ip any-source any-destination
Apply the configuration to the VLANs
XGS3-42000R(config)#vacl ip access-group vacl_a in vlan 1
XGS3-42000R(config)#vacl ip access-group vacl_b in vlan 2...
55.7 Mirror Examples
Example: The requirement of the configuration is as follows: monitor at interface 1 the data frames sent out by interface 9 and received from interface 7, the frames sent and received by the CPU, and the data frames received by interface 15 and matched by rule 120 (the source IP address is 1.2.3.4 and the destination IP address is 5.6.7.8).
Chapter 56 RSPAN Configuration
56.1 Introduction to RSPAN
Port mirroring refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. Once the mirroring function is in place, it is more convenient for the network administrator to monitor, manage and diagnose the network.
For chassis switches, at most 4 mirror destination ports are supported, and the source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured. The number of source mirror ports is not limited and can be one or more. Multiple source ports are not required to be in the same VLAN.
1. Configure RSPAN VLAN
VLAN Configuration Mode
Command: remote-span
         no remote-span
Explanation: To configure the specified VLAN as the RSPAN VLAN. The no command will remove the RSPAN VLAN configuration.
2. Configure mirror source port (CPU)
Global Mode
Command: monitor session <...
56.3 Typical Examples of RSPAN
Before RSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check the statistics of the network. With the help of RSPAN, network administrators can configure and supervise the switches remotely, which brings more efficiency.
Intermediate switch: Interface ethernet1/6 is the source port, which is connected to the source switch. Interface ethernet1/7 is the destination port, which is connected to the destination switch. The native VLAN of this port cannot be configured as the RSPAN VLAN, or the mirrored data may not be carried to the destination switch.
XGS3-42000R(config-If-Ethernet1/3)#switchport mode trunk
XGS3-42000R(config-If-Ethernet1/3)#exit
XGS3-42000R(config)#monitor session 1 source interface ethernet1/1 rx
XGS3-42000R(config)#monitor session 1 reflector-port ethernet 1/3
XGS3-42000R(config)#monitor session 1 remote vlan 5
Intermediate switch: Interface ethernet1/6 is the source port, which is connected to the source switch. Interface ethernet1/7 is the destination port, which is connected to the destination switch.
Whether the destination mirror port is a member of a Port-channel group. If so, please change the Port-channel group configuration. Whether the throughput of the destination port is less than the total throughput of the source mirror ports. If so, the destination port cannot capture all the datagrams from every source port.
Chapter 57 sFlow Configuration
57.1 Introduction to sFlow
sFlow (RFC 3176) is a standards-based network export protocol developed by InMon Corporation and used for monitoring network traffic information. The monitored switch or router sends data to the client analyzer through its main operations, sampling and statistics; the analyzer then analyzes the data according to the user's requirements in order to monitor the network.
2. Configure the sFlow proxy address
Global Mode
Command: sflow agent-address <collector-address>
         no sflow agent-address
Explanation: Configure the source IP address used by the sFlow proxy; the "no" form of the command deletes this address.
3. Configure the sFlow proxy priority
Global Mode...
57.3 sFlow Examples
[Figure 57-3-1 sFlow configuration topology: SWITCH, PC]
As shown in the figure, sFlow sampling is enabled on ports 1/1 and 1/2 of the switch. Assume the sFlow analysis software is installed on the PC with the address 192.168.1.200. The address of the layer 3 interface on SwitchA connected to the PC is 192.168.1.100.
Chapter 58 VRRP Configuration
58.1 Introduction to VRRP
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It was developed by the IETF for local area networks (LANs) with multicast/broadcast capability (Ethernet, for example) and has wide applications.
Configuration of SwitchB:
SwitchB(config)#interface vlan 1
SwitchB(Config-if-Vlan1)# ip address 10.1.1.7 255.255.255.0
SwitchB(config)#router vrrp 1
SwitchB(Config-Router-Vrrp)# virtual-ip 10.1.1.5
SwitchB(Config-Router-Vrrp)# interface vlan 1
SwitchB(Config-Router-Vrrp)# enable
58.4 VRRP Troubleshooting
In configuring and using the VRRP protocol, VRRP may fail to run properly due to reasons such as physical connection failure or wrong configurations.
Chapter 59 IPv6 VRRPv3 Configuration
59.1 Introduction to VRRPv3
VRRPv3 is a virtual router redundancy protocol for IPv6. It is designed based on VRRP (VRRPv2) for the IPv4 environment. The following is a brief introduction to it. In a network based on the TCP/IP protocol, in order to guarantee communication between devices which are not physically connected, routers must be specified.
take over from the unavailable master router in about 3 seconds (default parameter), and this process needs no interaction with hosts, which means it is transparent to hosts.
59.1.1 The Format of VRRPv3 Messages
VRRPv3 has its own message format. VRRP messages are used to communicate the priority of routers and the state of the Master in the backup group; they are encapsulated in IPv6 packets and sent to the specified IPv6 multicast address.
59.1.2 VRRPv3 Working Mechanism
The working mechanism of VRRPv3 is the same as that of VRRPv2, which is mainly implemented via the exchange of VRRP advertisement messages. It is briefly described as follows: Each VRRP router has a unique ID, the VRID, ranging from 1 to 255. This router presents a unique virtual MAC address to the outside, whose format is 00-00-5E-00-02-{VRID} (the format of the virtual MAC address in VRRPv2 is 00-00-5E-00-01-{VRID}).
Chapter 60 MRPP Configuration
60.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet loop protection. It can avoid the broadcast storm caused by a data loop on an Ethernet ring, and restore communication among all nodes on the ring network when the Ethernet ring has a broken link.
3. Nodes
Each switch on the Ethernet ring is called a node. There are several node types: Primary node: each ring has one primary node, which is the main node for detection and protection. Transfer node: all nodes other than the primary node are transfer nodes on each ring. The node role is determined by user configuration.
60.1.3 MRPP Protocol Operation System
1. Link Down Alarm System
When a transfer node finds that one of its MRPP ring ports is Down, it immediately sends a link Down packet to the primary node. The primary node receives the link down packet, immediately releases the blocked state of its secondary port, and sends a LINK-DOWN-FLUSH-FDB packet to inform all transfer nodes to refresh their own MAC address forwarding tables.
Configure MRPP ring
Global Mode
Command: mrpp ring <ring-id>
         no mrpp ring <ring-id>
Explanation: Create an MRPP ring. The "no" command deletes the MRPP ring and its configuration.
MRPP ring mode
Command: control-vlan <vid>
         no control-vlan
Explanation: Configure the control VLAN ID; the "no" form deletes the configured control VLAN ID.
60.3 MRPP Typical Scenario
[Figure 60-3-1 MRPP typical configuration scenario: SWITCH A (Master Node), SWITCH B, SWITCH C, SWITCH D, MRPP Ring 4000]
The above topology is common when using the MRPP protocol. Multiple switches constitute a single MRPP ring; all of the switches are configured with only MRPP ring 4000, thereby constituting a single MRPP ring.
SWITCH B configuration Task Sequence:
XGS3-42000R(config)#mrpp enable
XGS3-42000R(config)#mrpp ring 4000
XGS3-42000R(mrpp-ring-4000)#control-vlan 4000
XGS3-42000R(mrpp-ring-4000)#enable
XGS3-42000R(mrpp-ring-4000)#exit
XGS3-42000R(config)#interface ethernet 1/1
XGS3-42000R(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
XGS3-42000R(config-If-Ethernet1/1)#interface ethernet 1/2
XGS3-42000R(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
XGS3-42000R(config-If-Ethernet1/2)#exit
XGS3-42000R(config)#
SWITCH C configuration Task Sequence:
XGS3-42000R(config)#mrpp enable
XGS3-42000R(config)#mrpp ring 4000...
60.4 MRPP Troubleshooting
The normal operation of the MRPP protocol depends on the correct configuration of each switch on the MRPP ring; otherwise it is very likely that a loop and a broadcast storm will form. When configuring an MRPP ring, you had better disconnect the ring, wait until each switch is configured, and then close the ring.
Chapter 61 ULPP Configuration
61.1 Introduction to ULPP
Each ULPP group has two uplink ports: the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the Forwarding state, while the other port is blocked in the Standby state.
When configuring ULPP, the VLANs protected by the ULPP group must be specified by means of MSTP instances; ULPP does not provide protection to other VLANs. When the uplink switchover is happening, the previous forwarding entries of the device will not apply to the new topology in the network.
1. Create ULPP group globally
Global mode
Command: ulpp group <integer>
         no ulpp group <integer>
Explanation: Configure and delete a ULPP group globally.
2. Configure ULPP group
ULPP group configuration mode
Command: preemption mode
         no preemption mode
Explanation: Configure the preemption mode of the ULPP group. The no operation deletes the preemption mode.
3. Show and debug the related information of ULPP
Admin mode
Command: show ulpp group [group-id]
Explanation: Show the configuration information of the configured ULPP group.
Command: show ulpp flush counter interface <name>...
Explanation: Show the statistics of the flush ...
SwitchA has two uplinks, to SwitchB and SwitchC. When no protocol is enabled, this topology forms a ring. To avoid the loop, SwitchA can be configured with the ULPP protocol, with the master port and the slave port of the ULPP group. When both the master port and the slave port are up, the slave port is set to the Standby state and does not forward data packets.
Chapter 62 ULSM Configuration
62.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used to process port state synchronization. Each ULSM group is made up of uplink ports and downlink ports; there may be multiple uplink and multiple downlink ports. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group.
62.2 ULSM Configuration Task List
1. Create ULSM group globally
2. Configure ULSM group
3. Show and debug the related information of ULSM
1. Create ULSM group globally
Global mode
Command: ulsm group <group-id>
         no ulsm group <group-id>
Explanation: Configure and delete a ULSM group globally.
The above topology is the typical application environment in which the ULSM and ULPP protocols are used together. ULSM is used to process port state synchronization; running it on its own is of no use, so it is usually associated with the ULPP protocol. In the topology, SwitchA enables the ULPP protocol, which is used to switch over the uplink.
Chapter 63 SNTP Configuration
63.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization among computers connected to the Internet worldwide. NTP can assess packet sending/receiving delay in the network and estimate the computer's clock deviation independently, so as to achieve high accuracy in network computer clocking.
63.2 Typical Examples of SNTP Configuration
[Figure 63-2-1 Typical SNTP Configuration: two SNTP/NTP SERVERs, several SWITCHes]
All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there should be a reachable route between any switch and the two SNTP/NTP servers.
Chapter 64 NTP Function Configuration
64.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients, and can achieve millisecond precision. Its events, states, transmit functions and actions are defined in RFC-1305.
3. To configure the max number of broadcast or multicast servers supported by the NTP client
Global Mode
Command: ntp broadcast server count <number>
         no ntp broadcast server count
Explanation: Set the max number of broadcast or multicast servers supported by the NTP client.
8. To configure an interface so that it cannot receive NTP packets
Interface Configuration Mode
Command: ntp disable
         no ntp disable
Explanation: To disable the NTP function on the interface.
9. Display information
Admin Mode
Command: show ntp status
Explanation: To display the state of time synchronization.
Command: show ntp session [<ip-address>...
The configuration of Switch C is as follows. (Switch A and Switch B may use different commands because they come from different vendors; we do not explain them here. Our switches do not support acting as an NTP server at present.)
Switch C:
XGS3-42000R(config)#ntp enable
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-if-Vlan1)#ip address 192.168.1.12 255.
Chapter 65 DNSv4/v6 Configuration
65.1 Introduction to DNS
DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember and meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses.
65.2 DNSv4/v6 Configuration Task List
To enable/disable DNS function
To configure/delete DNS server
To configure/delete domain name suffix
To delete the domain entry of a specified address in the dynamic cache
To enable DNS dynamic domain name resolution
Enable/disable DNS SERVER function
Configure the max number of client information in the switch queue
Configure the timeout value of caching the client information on the switch
Monitor and diagnosis of DNS function...
6. Enable/disable DNS SERVER function
Global Mode
Command: ip dns server
         no ip dns server
Explanation: Enable/disable DNS SERVER function.
7. Configure the max number of client information in the switch queue
Global Mode
Command: ip dns server queue maximum
Explanation: Configure the number of client...
65.3 Typical Examples of DNS
[Figure 65-3-1 DNS CLIENT typical environment: DNS SERVER (IP: 219.240.250.101, IPv6: 2001::1), INTERNET, SWITCH configured with "ip domain-lookup", "dns-server 219.240.250.101", "dns-server 2001::1"]
As shown in the figure, the switch is connected to the DNS server through the network. If the switch wants to visit the Sina website, it does not need to know the IPv4/IPv6 address of the Sina website; it only needs to record that the domain name of the Sina website is www.sina.com.cn.
Chapter 66 Monitor and Debug
When users configure the switch, they need to verify whether the configuration is correct and the switch is operating as expected, and in case of network failure they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug.
every time it discovers another router; Traceroute6 repeats this action until a datagram reaches the destination. For the options and explanations of the parameters of the Traceroute6 command, please refer to the traceroute6 command chapter in the command manual.
66.5 Show
The show command is used to display information about the system, ports and protocol operation.
66.7 System log
66.7.1 System Log Introduction
The system log takes all information output under its control and catalogues it in detail, so that information can be selected effectively. Combined with the debug programs, it provides powerful support to network administrators and developers in monitoring the network operation state and locating network failures.
66.7.1.2 Format and Severity of the Log Information
The log information format is compatible with the BSD syslog protocol, so the log can be recorded and analyzed by syslog on UNIX/Linux as well as by syslog-like applications on a PC. The log information is classified into eight severity levels by severity or urgency.
66.7.2 System Log Configuration
System Log Configuration Task Sequence:
1. Display and clear log buffer zone
2. Configure the log host output channel
1. Display and clear log buffer zone
Admin Mode
Command: show logging buffered [ level {critical | warnings} | range <begin-index>...
Description: Show detailed log information in ...
66.7.3 System Log Configuration Example
Example 1: The IPv4 address of the management VLAN of the switch is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5. It is required to send log information with a severity equal to or higher than warnings to this log server and to record it under the logging facility local1.
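Since the log format is BSD syslog compatible (66.7.1.2), the severity threshold and facility in Example 1 are what end up encoded in each message's <PRI> prefix. The following added example (not code from this manual or from PLANET) decodes the PRI, applies the "warnings or more severe, filed under local1" policy, and shows what the log server would receive; the log lines are constructed samples.

```python
import re

# BSD syslog (RFC 3164) severities, numerically 0 (most severe) to 7; the
# manual's "warnings" level is severity 4. Names are the manual's spelling.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Facilities local0..local7 use codes 16..23, so local1 is 17.
LOCAL_FACILITIES = {f"local{i}": 16 + i for i in range(8)}

# PRI = facility * 8 + severity, written as <PRI> at the start of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line: str) -> dict:
    """Split a syslog line into facility code, severity and the remaining body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return {"facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITIES[pri % 8], "body": m.group(2)}


def at_or_above(line: str, threshold: str = "warnings") -> bool:
    """True when the message is at least as severe as the threshold (lower number)."""
    return parse_pri(line)["severity"] <= SEVERITIES.index(threshold)


def relabel_facility(line: str, facility: str = "local1") -> str:
    """Rewrite PRI so the message is filed under the given local facility, keeping severity."""
    p = parse_pri(line)
    return f"<{LOCAL_FACILITIES[facility] * 8 + p['severity']}>{p['body']}"


def select_for_host(lines, threshold: str = "warnings", facility: str = "local1") -> list:
    """Apply Example 1's policy: forward severity >= threshold, filed under local1."""
    return [relabel_facility(line, facility) for line in lines if at_or_above(line, threshold)]


# Constructed sample lines as the switch at 100.100.100.1 might emit them.
SAMPLE_LINES = [
    "<134>Jan  1 00:00:01 100.100.100.1 %LINK: port Ethernet1/2 is up",        # local0.informational
    "<12>Jan  1 00:00:02 100.100.100.1 %DOT1X: authentication failed on E2",   # user.warnings
    "<2>Jan  1 00:00:03 100.100.100.1 %SYS: power supply failure",             # kern.critical
    "<135>Jan  1 00:00:04 100.100.100.1 %DEBUG: eap state machine tick",       # local0.debugging
]

if __name__ == "__main__":
    for forwarded in select_for_host(SAMPLE_LINES):
        print(forwarded)
```

The server-side filter on the log host should match the same facility (local1) and threshold, otherwise the switch's severity selection is silently undone or duplicated.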
Chapter 67 Reload Switch after Specified Time 67.1 Introduction to Reload Switch after Specified Time Reload switch after specified time reboots the switch after a specified period of time without shutting down its power, usually when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.
Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU 68.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU The following commands are used to debug and diagnose the packets received and sent by the CPU, and are intended to be used with the help of technical support.
Chapter 69 SWITCH OPERATION 69.1 Address Table The Switch is implemented with an address table. This address table is composed of many entries. Each entry is used to store the address information of some node in the network, including MAC address, port number, etc. This information comes from the learning process of the Ethernet Switch.
69.5 Auto-Negotiation The STP ports on the Switch have built-in "Auto-negotiation". This technology automatically sets the best possible bandwidth when a connection is established with another network device (usually at Power On or Reset). This is done by detecting the modes and speeds that both devices are capable of at the moment they are connected; both 10Base-T and 100Base-TX devices can connect with the port in either Half- or Full-Duplex mode.
Chapter 70 TROUBLESHOOTING This chapter contains information to help you solve problems. If the Ethernet Switch is not functioning properly, make sure the Ethernet Switch was set up according to the instructions in this manual. The Link LED is not lit Solution: Check the cable connection and remove duplex mode of the Ethernet Switch Some stations cannot talk to other stations located on the other port...
Chapter 71 APPENDIX A 71.1 A.1 Switch's RJ-45 Pin Assignments 1000Mbps, 1000Base-T
Contact  MDI     MDI-X
1        BI_DA+  BI_DB+
2        BI_DA-  BI_DB-
3        BI_DB+  BI_DA+
4        BI_DC+  BI_DD+
5        BI_DC-  BI_DD-
6        BI_DB-  BI_DA-
7        BI_DD+  BI_DC+
8        BI_DD-  BI_DC-
Implicit implementation of the crossover function within a twisted-pair cable, or at a wiring panel, while not expressly forbidden, is beyond the scope of this standard.
The standard RJ-45 receptacle/connector There are 8 wires on a standard UTP/STP cable and each wire is color-coded. The following shows the pin allocation and color of straight cable and crossover cable connections: Straight Cable SIDE 1 SIDE 2 SIDE 1 1 = White / Orange 1 = White / Orange 2 = Orange...
Chapter 72 GLOSSARY Bandwidth Utilization The percentage of packets received over time as compared to overall bandwidth. BOOTP Boot protocol used to load the operating system for devices connected to the network. Distance Vector Multicast Routing Protocol (DVMRP) A distance-vector-style routing protocol used for routing multicast datagrams through the Internet.
IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging: Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end-stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
Multicast Switching A process whereby the switch filters incoming multicast frames for services no attached host has registered for, or forwards them to all ports contained within the designated multicast VLAN group. Open Shortest Path First (OSPF) OSPF is a link state routing protocol that functions better over a larger network such as the Internet, as opposed to distance vector routing protocols such as RIP.
Telnet Defines a remote communication facility for interfacing to a terminal device over TCP/IP. Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads. Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
*Model Number: XGS3-42000R * Produced by: Manufacturer's Name: Planet Technology Corp. Manufacturer's Address: 11F, No 96, Min Chuan Road, Hsin Tien, Taipei, Taiwan, R.O.C. is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive (89/336/EEC).