SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
About This Manual
Organization
H3C S5600 Series Ethernet Switches Operation Manual-Release 1602 is organized as follows:
Chapter | Contents
00-2 Product Overview | Introduces the characteristics and implementations of the Ethernet switch.
01-CLI | Introduces the command hierarchy, command view and CLI features of the Ethernet switch.
Chapter | Contents
24-DHCP | Introduces DHCP server, DHCP relay, DHCP snooping, and the related configurations.
25-ACL | Introduces ACL and the related configuration.
26-QoS-QoS Profile | Introduces QoS, QoS profile and the related configuration.
27-Mirroring | Introduces port mirroring and the related configuration.
28-IRF Fabric | Introduces IRF fabric-related configuration.
Means the reader should be careful. Improper operation may cause data loss or damage to equipment.
Means a complementary description.
Related Documentation
In addition to this manual, each H3C S5600 Series Ethernet Switches documentation set includes the following:
Manual | Description
H3C S5600 Series Ethernet Switches...
Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation: [Products & Solutions]: Provides information about products and technologies, as well as solutions.
Obtaining the Documentation
Hangzhou H3C Technologies Co., Ltd. (hereafter referred to as H3C) provides various ways for you to obtain product documents and new feature releases in a convenient and timely manner. The documentation is available on: CD-ROMs shipped with the devices...
Correspondence Between Documentation and Software
Software Version
H3C S5600 Series Ethernet Switches Operation Manual-Release 1602 and H3C S5600 Series Ethernet Switches Command Manual-Release 1602 are for the software version Release 1602 of the S5600 series products. Compared with Release 1510, many new features are added in Release 1602. For details, refer to Table 2-1.
Added features in Release 1602 (manual: 17-Multicast Protocol):
- Multicast data packet cache mechanism
- Support of multicast source lifetime configuration
- Support of IGMPv3 Snooping
- Support of IGMPv3 Snooping simulated joining
- Support of suppressing flooding of unknown multicast traffic in the VLAN
- Support of static member port configuration
- Support of static router port configuration
- Support of VLAN tag configuration for query messages...
Added feature in Release 1602 | Manual
Redirecting traffic to an aggregation port group and removing the outer VLAN tag after the traffic is redirected to the uplink port or the aggregation port group |
Burst function |
Configuration of IRF automatic fabric | 28-IRF Fabric
Online upgrade of PSE processing software | 30-PoE-PoE Profile...
An S5600 series switch provides one 2-port fabric port and one expansion module slot on its rear panel. The available expansion modules you can select include: 8-port 1000 Mbps SFP module, 1-port 10G XENPAK module, and 2-port 10G XFP module.
Software Features S5600 Series Ethernet Switches have abundant software features and can meet the requirements of different applications. Table 3-2 summarizes the features provided by each module. Table 3-2 Service features of the S5600 series Part Features 1 CLI Hierarchically grouped commands...
Part | Features
15 MSTP | TC-BPDU attack guard, and BPDU drop; Digest snooping; Rapid transition; VLAN-VPN TUNNEL; H3C-proprietary MSTP path cost standard
16 Routing Protocols | Static route; Routing Information Protocol (RIP) v1/v2; Open Shortest Path First (OSPF); Border Gateway Protocol (BGP)
Part | Features
24 DHCP | DHCP client/BOOTP client; DHCP server; DHCP relay; DHCP Snooping; DHCP accounting; Using Option 184 in DHCP server; Using Option 82 in DHCP relay and DHCP Snooping; DHCP packet rate limitation
25 ACL | Basic ACLs; Advanced ACLs; Layer 2 ACLs; User-defined ACLs; Applying ACLs on ports; Applying ACLs to VLANs...
Part | Features
39 VLAN-VPN | VLAN VPN (QinQ); Selective QinQ; BPDU Tunnel; Configuring VLAN interior-layer priority replication
40 HWPing | Operating as a HWPing server/HWPing client; Nine test types, including ICMP test, DHCP test, FTP test, HTTP test, DNS test, SNMP test, jitter test, TCP test, and UDP test
41 IPv6 Management | IPv6 management...
Networking Applications The S5600 series support flexible networking. They can be used as broadband access devices, as well as networking devices in enterprise networks. The following describes several typical networking methods for the S5600 series. Application in Small/Middle-Scaled Enterprise Networks...
GE expansion module slot. In this way, the S5600 series can provide a full solution for building enterprise networks of various sizes (from Gigabit backbone network and 100 Mbps network down to desktop network).
Figure 4-2 Application in large-scaled/campus networks...
Table of Contents
1 CLI Configuration 1-1
  Introduction to the CLI 1-1
  Command Hierarchy 1-2
    Command Level and User Privilege Level 1-2
    Modifying the Command Level 1-2
    Switching User Level 1-3
  CLI Views 1-6
  CLI Features 1-11
    Online Help 1-11
    Terminal Display 1-12
    Command History 1-12
    Error Prompts 1-13
    Command Edit 1-13...
Each S5600 series Ethernet switch provides an easy-to-use CLI and a set of configuration commands so that the user can configure and manage the switch conveniently. The CLI on S5600 series Ethernet switches provides the following features, and so offers good manageability and operability.
Command Level and User Privilege Level
Command level
The S5600 series Ethernet switches use hierarchical command protection for command lines, so as to prevent users at lower levels from using higher-level commands to configure the switches. Based on user privilege, commands are classified into four levels, which default to:
Visit level (level 0): Commands at this level are mainly used to diagnose the network, and they cannot be saved in the configuration file.
Follow these steps to configure the level of a command:
- Enter system view: system-view
- Configure the level of a command in a specific view: command-privilege level level view view command
  Required. It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience to maintenance and operation.
The configuration of the authentication mode for user level switching is performed by level-3 users. Follow these steps to specify the authentication mode for user level switching:
- Enter system view: system-view
- Enter user interface view: user-interface [ type ]...
Adopting HWTACACS authentication for user level switching To implement HWTACACS authentication for user level switching, a level-3 user must perform the commands listed in the following table to configure the HWTACACS authentication scheme used for low-to-high user level switching. With HWTACACS authentication enabled, you can pass the HWTACACS authentication successfully only after you provide the right user name and the corresponding password as prompted.
Configuration examples After a general user telnets to the switch, his/her user level is 0. Now, the network administrator wants to allow general users to switch to level 3, so that they are able to configure the switch. Super password authentication configuration example # A level 3 user sets a switching password for user level 3.
Table 1-1 lists the CLI views provided by S5600 series Ethernet switches, operations that can be performed in different CLI views and the commands used to enter specific CLI views. Table 1-1 CLI views...
Table 1-1 CLI views (continued): view, prompt example, enter method, available operation
- User interface view (prompt example: [Sysname-ui-aux0]). Enter method: execute the user-interface command in system view. Available operation: configure user interface parameters.
- FTP client view (prompt example: [ftp]). Enter method: execute the ftp command in user view. Available operation: configure FTP client parameters.
- SFTP client view (prompt example: sftp-client>). Enter method: execute the sftp... Available operation: configure SFTP...
Table 1-1 CLI views (continued): view, prompt example, enter method, quit method, available operation
- OSPF view (prompt example: [Sysname-ospf-1]). Enter method: execute the ospf command in system view. Available operation: configure OSPF protocol parameters.
- OSPF area view (prompt example: [Sysname-ospf-1...). Enter method: execute the area command in OSPF view. Quit method: execute the quit command to return to OSPF view. Available operation: configure OSPF area parameters...
Table 1-1 CLI views (continued): view, prompt example, enter method, available operation
- QoS profile view (prompt example: [Sysname-qos-profile-a123]). Enter method: execute the qos-profile command in system view. Available operation: define QoS profile.
- RADIUS scheme view (prompt example: [Sysname-radius...). Enter method: execute the radius scheme command in system view. Available operation: configure RADIUS scheme parameters.
- ISP domain view (prompt example: [Sysname-isp-aa...). Enter method: execute the... Available operation: configure ISP...
CLI Features Online Help When configuring the switch, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial. Complete online help Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions.
Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords beginning with the character/string (if any) are displayed on your terminal. For example:
<Sysname> display v?
version vlan voice vrrp
Enter the first several characters of a keyword of a command and then press <Tab>. If there is a unique keyword beginning with the characters just typed, the unique keyword is displayed in its complete form.
The Windows 9x HyperTerminal interprets the up and down arrow keys in a different way, and therefore the two keys do not work when you access history commands in such an environment. However, you can use <Ctrl+P> and <Ctrl+N> instead to achieve the same purpose. When you enter the same command multiple times consecutively, only one history command entry is created by the command line interface.
Press… | To…
<Tab> | Use the partial online help. That is, when you input an incomplete keyword and press <Tab>, if the input parameter uniquely identifies a complete keyword, the system substitutes the complete keyword for the input parameter; if more than one keyword matches the input parameter, you can display them one by one (in complete form) by pressing <Tab>...
Table of Contents
1 Logging In to an Ethernet Switch 1-1
  Logging In to an Ethernet Switch 1-1
  Introduction to the User Interface 1-1
    Supported User Interfaces 1-1
    User Interface Index 1-2
    Common User Interface Configuration 1-2
2 Logging In Through the Console Port 2-1
  Introduction 2-1
  Logging In Through the Console Port 2-1
  Console Port Login Configuration 2-4...
  Modem Connection Establishment 4-2
5 Logging In Through the Web-based Network Management System 5-1
  Introduction 5-1
  Establishing an HTTP Connection 5-1
  Configuring the Login Banner 5-2
    Configuration Procedure 5-2
    Configuration Example 5-3
  Enabling/Disabling the WEB Server 5-3
6 Logging In Through NMS 6-1
  Introduction 6-1
  Connection Establishment Using NMS 6-1
7 Configuring Source IP Address for Telnet Service Packets 7-1...
Supported User Interfaces The auxiliary (AUX) port and the console port of an H3C low-end and mid-range Ethernet switch are the same port (referred to as console port in the following part). You will be in the AUX user interface if you log in through this port.
VTY user interfaces are numbered VTY0, VTY1, and so on. S5600 series Ethernet switches support Fabric. A Fabric can contain up to eight devices. Accordingly, the AUX user interfaces in a Fabric can be numbered from AUX0 to AUX7, through which all the console ports of the units in a Fabric can be identified.
] text configured
- Set a system name for the switch: sysname string
  Optional. By default, the system name is H3C.
- Enable copyright information displaying: copyright-info enable
  Optional. By default, copyright displaying is enabled. That is, the copyright information is displayed on the terminal after a user logs in successfully.
Logging In Through the Console Port
Go to these sections for information you are interested in:
- Introduction
- Logging In Through the Console Port
- Console Port Login Configuration
- Console Port Login Configuration with Authentication Mode Being None
- Console Port Login Configuration with Authentication Mode Being Password
- Console Port Login Configuration with Authentication Mode Being Scheme
Introduction
Logging in through the console port is the most common way to log in to a switch.
If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X, or HyperTerminal in Windows 9X/Windows 2000/Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4...
Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key, as shown in Figure 2-5.
Console Port Login Configuration
Common Configuration
Table 2-2 Common configuration of console port login
Configuration | Remarks
Console port: baud rate | Optional. The default baud rate is 9,600 bps.
Console port: check mode | Optional. By default, the check mode of the console port is set to "none", which means no check bit.
Console Port Login Configurations for Different Authentication Modes
Table 2-3 Console port login configurations for different authentication modes
Authentication mode | Console port login configuration | Remarks
None | Perform common configuration for console port login | Optional. Refer to Table 2-2.
Password | Configure the password for... | Required...
- Enter system view: system-view
- Enter AUX user interface view: user-interface aux 0
- Configure not to authenticate users: authentication-mode none
  Required. By default, users logging in through the console port (AUX user interface) are not authenticated.
Configuration Example Network requirements Assume that the switch is configured to allow users to log in through Telnet, and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface).
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
- Set the maximum number of lines the screen can contain: screen-length screen-length
  Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Network diagram
Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being password)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate users logging in through the console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
Console Port Login Configuration with Authentication Mode Being Scheme
Configuration Procedure
Follow these steps to configure console port login with the authentication mode being scheme:
- Enter system view: system-view
- Enter the default ISP domain view: domain domain-name
  Optional. By default, the local AAA scheme...
- Set the check mode: parity { even | none | odd }
  Optional. By default, the check mode of a console port is set to none, that is, no check bit.
- Set the stop bits: stopbits { 1 | 1.5 | 2 }
  Optional. The default stop bits of a console...
Configuration Example Network requirements Assume the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface). Configure the local user name as guest.
# Configure to authenticate users logging in through the console port in the scheme mode.
[Sysname-ui-aux0] authentication-mode scheme
# Set the baud rate of the console port to 19,200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
Telnet Configuration with Authentication Mode Being Password Introduction S5600 series Ethernet switches support Telnet. You can manage and maintain a switch remotely by Telnetting to the switch. To log in to a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal.
Configuration | Description
Configure the protocols the user interface supports | Optional. By default, the Telnet and SSH protocols are supported.
Set the commands to be executed automatically after a user logs in to the user interface successfully | Optional. By default, no command is executed automatically after a user logs into the VTY user interface.
Authentication mode | Telnet configuration | Description
Manage VTY users: set the service type for VTY users | Required
Perform common Telnet configuration | Optional. Refer to Table 3-2.
To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are enabled or disabled according to the corresponding configuration.
- Make terminal services available: shell
  Optional. By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: screen-length screen-length
  Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to...
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Configure the user interface to support the Telnet protocol.
- Set the commands to be executed automatically after a user logs in to the user interface successfully: auto-execute command text
  Optional. By default, no command is executed automatically after a user logs into the user interface.
- Make terminal services available: shell...
Network diagram
Figure 3-2 Network diagram for Telnet configuration (with the authentication mode being password)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 using the password.
[Sysname-ui-vty0] authentication-mode password
# Set the local password to 123456 (in plain text).
...you need to perform the following configuration as well: perform AAA&RADIUS configuration on the switch (refer to the AAA part for more), and configure the user name and password accordingly on the AAA server.
- Quit to system view: quit
- Set the timeout time for the user interface: idle-timeout minutes [ seconds ]
  Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user...
Scenario (authentication mode, user type, command) | Command level
The user privilege level level command is executed, and the service-type command specifies the available command level. |
The user privilege level level command is not executed, and the service-type command does not specify the available command level. | Level 0
Network diagram
Figure 3-3 Network diagram for Telnet configuration (with the authentication mode being scheme)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password of the local user to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Telnet, and specify that commands of level 2 are available to users logging in to VTY 0.
9,600 bps, data bits set to 8, parity check set to none, and flow control set to none. Turn on the switch and press Enter as prompted. The prompt (such as <H3C>) appears, as shown in the following figure.
<Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says "All user interfaces are used, please try later!". An H3C series Ethernet switch can accommodate up to five Telnet connections at the same time.
Perform Telnet-related configuration on the switch operating as the Telnet server. Refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for more. Telnet to the switch operating as the Telnet client. Execute the following command on the switch operating as the Telnet client: <Sysname>...
Logging In Using a Modem
Go to these sections for information you are interested in:
- Introduction
- Configuration on the Switch Side
- Modem Connection Establishment
Introduction
If a remote switch is connected to the public switched telephone network (PSTN) through a modem, the administrator can dial in to its console port through the PSTN using a modem, and then configure and maintain the switch remotely.
You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
Figure 4-1 Establish the connection by using modems (PC -> modem serial cable -> modem -> telephone line -> PSTN -> modem -> console port; telephone number of the remote end: 82882285)
Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
Figure 4-3 Set the telephone number
Figure 4-4 Call the modem
If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
Logging In Through the Web-based Network Management System Go to these sections for information you are interested in: Introduction Establishing an HTTP Connection Configuring the Login Banner Enabling/Disabling the WEB Server Introduction An S5600 Ethernet switch has a Web server built in. It enables you to log in to an S5600 Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
[Sysname-luser-admin] service-type telnet level 3
[Sysname-luser-admin] password simple admin
Establish an HTTP connection between your PC and the switch, as shown in Figure 5-1.
Figure 5-1 Establish an HTTP connection between your PC and the switch
Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
Configuration Example Network requirements A user logs in to the switch through Web. The banner page is desired when a user logs into the switch. Network diagram Figure 5-3 Network diagram for login banner configuration Configuration Procedure # Enter system view. <Sysname>...
- Enter system view: system-view
- Enable the Web server: undo ip http shutdown
  Required. By default, the Web server is enabled.
- Disable the Web server: ip http shutdown
  Required.
To improve security and prevent attacks on unused sockets, TCP port 80 (which is for the HTTP service) is enabled/disabled after the corresponding configuration.
Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent.
Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: Overview Configuring Source IP Address for Telnet Service Packets Displaying Source IP Address Configuration Overview You can configure the source IP address for Telnet service packets for an S5600 switch operating as a Telnet client.
The IP address specified is that of a Layer 3 interface of the local device. Otherwise, the system prompts configuration failure. The source interface specified must exist. Otherwise, the system prompts configuration failure. Configuring the source interface of Telnet service packets equals configuring the IP address of this interface as the source IP address of the Telnet service packets.
User Control Go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address Refer to the ACL part for information about ACL. Introduction You can control users logging in through Telnet, SNMP and WEB by defining Access Control List (ACL), as listed in...
Controlling Telnet Users by Source IP Addresses Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999. Follow these steps to control Telnet users by source IP addresses: To do… Use the command…...
- Apply the ACL to control Telnet users by specified source and destination IP addresses: acl acl-number { inbound | outbound }
  Required. The inbound keyword specifies to filter the users trying to Telnet to the current switch. The outbound keyword specifies...
- Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { auto | config } ]
  As for the acl number command, the config keyword is specified by default.
- Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ]
  Required.
- Quit to system view...
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit SNMP users sourced from the IP address 10.110.100.52 to access the switch.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Controlling Web Users by Source IP Address...
- Disconnect a Web user by force: free web-users { all | user-id user-id | user-name user-name }
  Required. Available in user view.
Configuration Example
Network requirements
Only the Web users sourced from the IP address 10.110.100.52 are permitted to access the switch.
Network diagram
Figure 8-3 Network diagram for controlling Web users using ACLs (10.110.100.46...)
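The login-control settings described in this user-control section and in the earlier Telnet procedures (authentication-mode none/password/scheme, plain-text passwords, inbound ACLs on VTY interfaces, ACLs on SNMP communities, the web server's enabled default) can be checked mechanically against an exported configuration. The following Python script is an added example, not H3C code and not part of this manual: it parses a Comware-style configuration text and reports each weak setting. Both configurations inside it are constructed for the example, and PLACEHOLDER-CIPHERTEXT stands in for a real cipher-text password.

```python
"""Added example (not H3C code): audit a Comware-style configuration export for
the weak login-control settings the manual describes. Sample configs are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # the top-level command that opened the config section
    message: str


# Constructed sample: a weak configuration of the kind the manual's examples build up.
WEAK_CONFIG = """\
#
 sysname Sysname
#
local-user guest
 password simple 123456
 service-type telnet level 2
#
local-user admin
 password cipher PLACEHOLDER-CIPHERTEXT
 service-type telnet level 3
#
acl number 2000
 rule 1 permit source 10.110.100.52 0
#
snmp-agent community read aaa acl 2000
snmp-agent community write bbb
#
user-interface aux 0
 authentication-mode password
 set authentication password simple 123456
 idle-timeout 6 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 2
 protocol inbound telnet
#
"""

# Constructed sample: the same device after applying the scheme/ACL guidance.
HARDENED_CONFIG = """\
#
local-user admin
 password cipher PLACEHOLDER-CIPHERTEXT
 service-type telnet level 3
#
acl number 2000
 rule 1 permit source 10.110.100.52 0
#
snmp-agent community read aaa acl 2000
#
ip http shutdown
#
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme
 acl 2000 inbound
 idle-timeout 6 0
#
"""

ACL_RE = re.compile(r"\bacl \d+\b")
SIMPLE_PW_RE = re.compile(r"\bpassword simple\b")


def parse_sections(config_text):
    """Split the config into (header, sub-commands) pairs. Top-level commands start
    in column 0 and own the indented lines that follow; '#' lines only separate."""
    sections = []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0] != " " or current is None:
            current = (raw.strip(), [])
            sections.append(current)
        else:
            current[1].append(raw.strip())
    return sections


def audit(config_text):
    """Return the findings for one configuration, in config order."""
    findings = []
    http_shut = False
    for header, body in parse_sections(config_text):
        if header == "ip http shutdown":
            http_shut = True
        if header.startswith("user-interface"):
            modes = [c for c in body if c.startswith("authentication-mode")]
            if any(c.endswith(" none") for c in modes):
                findings.append(Finding("high", header,
                    "users on this interface are not authenticated (authentication-mode none)"))
            elif any(c.endswith(" password") for c in modes):
                findings.append(Finding("low", header,
                    "one shared password is used; authentication-mode scheme gives per-user accounts"))
            # The manual restricts Telnet users with 'acl <number> inbound' on the VTY interface.
            if header.startswith("user-interface vty") and not any(
                    ACL_RE.search(c) and c.endswith(" inbound") for c in body):
                findings.append(Finding("medium", header,
                    "no inbound ACL restricts the source IP addresses of Telnet users"))
        for cmd in body:
            if SIMPLE_PW_RE.search(cmd):
                findings.append(Finding("medium", header, "password stored in plain text: " + cmd))
        if header.startswith("snmp-agent community") and not ACL_RE.search(header):
            findings.append(Finding("medium", header, "SNMP community is not restricted by an ACL"))
    if not http_shut:   # the web server is enabled by default; only 'ip http shutdown' appears in config
        findings.append(Finding("low", "ip http",
            "built-in web server is enabled (the default); use ip http shutdown if it is unused"))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"[{f.severity}] {f.section}: {f.message}")
```

Run against a real export, the script reports the AUX interface's shared plain-text password, the unauthenticated VTY range without an inbound ACL, the unrestricted write community, and the web server left enabled; the hardened sample produces no findings. The section header is kept in each finding so the result maps directly onto the user-interface or local-user block to fix.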
Table of Contents
1 Configuration File Management
  Introduction to Configuration File
  Configuration Task List
    Saving the Current Configuration
    Erasing the Startup Configuration File
    Specifying a Configuration File for Next Startup
    Displaying Switch Configuration...
Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File Configuration Task List Introduction to Configuration File A configuration file records and stores user configurations performed to a switch. It also enables users to check switch configurations easily.
When saving the current configuration, you can specify the file to be a main, backup, or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if the file has both the main and backup attributes, you can specify to erase the main or backup attribute of the file.
Modes in saving the configuration. Fast saving mode: the mode used when you execute the save command without the safely keyword. It saves the file faster, but the original configuration file is likely to be lost if the switch reboots or the power fails during the process.
It is recommended to use the fast saving mode when power is stable, and the safe mode when power is unstable or when maintaining the switch remotely. If you use the save command after a fabric is formed on the switch, the units in the fabric save their own startup configuration files automatically.
You can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file. Assigning main attribute to the startup configuration file If you save the current configuration to the main configuration file, the system will automatically set the file as the main startup configuration file.
Table of Contents
1 VLAN Overview
  VLAN Overview
    Introduction to VLAN
    Advantages of VLANs
    VLAN Fundamentals
    VLAN Interface
    VLAN Classification
  Port-Based VLAN
    Link Types of Ethernet Ports
    Assigning an Ethernet Port to Specified VLANs
    Configuring the Default VLAN ID for a Port
  Protocol-Based VLAN
    Introduction to Protocol-Based VLAN...
VLAN Overview This chapter covers these topics: VLAN Overview Port-Based VLAN Protocol-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
Figure 1-1 A VLAN implementation Advantages of VLANs Compared with traditional Ethernet technology, VLAN technology delivers the following benefits: Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2.
A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100.
Link Types of Ethernet Ports The link type of an Ethernet port on the S5600 series can be one of the following: Access: An access port can belong to only one VLAN, and is generally connected to a user PC.
Hybrid: A hybrid port can belong to more than one VLAN to forward packets for multiple VLANs. It can be connected to either a switch or a user PC. A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged.
Table 1-2 Packet processing of a trunk port
Processing of an incoming untagged packet: If the port has already been added to its default VLAN, tag...
Processing of an incoming tagged packet: If the VLAN ID is one of the VLAN IDs allowed to pass...
Processing of an outgoing packet: If the VLAN ID is just the default VLAN ID, strip off...
The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to the ranges of the two fields. The H3C S5600 series switches recognize packets with the value of the type field being in the range 0x05DD to 0x05FF as 802.2/802.3 encapsulated packets.
Figure 1-7 802.2 LLC encapsulation format The DSAP field and the SSAP field in the 802.2 LLC encapsulation are used to identify the upper layer protocol. For example, if the two fields are both 0xE0, the upper layer protocol is IPX protocol. 802.2 Sub-Network Access Protocol (SNAP) encapsulation: encapsulates packets according to the 802.3 standard packet format, including the length, DSAP, SSAP, control, organizationally unique identifier (OUI), and protocol-ID (PID) fields.
Procedure for the Switch to Judge Packet Protocol
Figure 1-9 Protocol identification procedure (flowchart; the decision steps recovered from it follow). On receiving a packet, the switch reads the Type/Length field: a value of 0x0600 to 0xFFFF means Ethernet II encapsulation, and a value of 0x0000 to 0x05FF means 802.2/802.3 encapsulation, in which case the switch goes on to match the 802.2/802.3 type value. For 802.2/802.3 packets it then checks the DSAP and SSAP fields: both 0xFF means 802.3 raw encapsulation, both 0xAA means 802.2 SNAP encapsulation, and any other value means 802.2 LLC...
Implementation of Protocol-Based VLAN S5600 series Ethernet switches assign the packet to the specific VLAN by matching the packet with the protocol template. The protocol template is the standard to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates: The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria.
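The VLAN tag layout given earlier (TPID 0x8100, then priority, CFI and VLAN ID) and the protocol identification procedure of Figure 1-9 together determine which protocol template a packet matches. The following is an added example, not H3C code, that implements both steps in Python: it strips an optional 802.1Q tag, classifies the encapsulation from the Type/Length field and the DSAP/SSAP bytes using the ranges shown in the figure (0x0600 and above is Ethernet II, 0x0000 to 0x05FF is 802.3), and then matches the packet against user-defined templates of the kinds the protocol-vlan command accepts (ethernetii etype, llc dsap/ssap, snap etype, raw). The sample frames and the template list (IP to VLAN 100, AppleTalk to VLAN 200, following the configuration example later in the chapter) are constructed for the example.

```python
"""Frame classification and protocol-template matching modelled on the
procedure the chapter describes (Type/Length field, then DSAP/SSAP).
Added example, not H3C code; the sample frames below are constructed."""
import struct

TPID_8021Q = 0x8100  # default TPID on the H3C switches


def parse_vlan_tag(frame):
    """Return (vlan_id, priority, cfi) for an 802.1Q-tagged frame, else None."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 0x1   # 12-bit VID, 3-bit PRI, 1-bit CFI


def protocol_value(frame):
    """Classify the encapsulation and return (encapsulation, protocol value).

    ethernetii -> EtherType; snap -> PID after the OUI; llc -> (DSAP, SSAP);
    raw -> None (802.3 raw carries no protocol field).
    """
    off = 16 if parse_vlan_tag(frame) is not None else 12
    type_len = struct.unpack("!H", frame[off:off + 2])[0]
    if type_len >= 0x0600:                          # 0x0600..0xFFFF: Ethernet II
        return "ethernetii", type_len
    dsap, ssap = frame[off + 2], frame[off + 3]     # 0x0000..0x05FF: 802.3 length
    if dsap == 0xFF and ssap == 0xFF:
        return "raw", None
    if dsap == 0xAA and ssap == 0xAA:
        # DSAP, SSAP, Control, 3-byte OUI, then the 2-byte protocol ID
        return "snap", struct.unpack("!H", frame[off + 8:off + 10])[0]
    return "llc", (dsap, ssap)


def template_matches(template, frame):
    """template: ('ethernetii', etype), ('snap', etype), ('llc', dsap, ssap) or ('raw',)."""
    encap, value = protocol_value(frame)
    if template[0] != encap:
        return False
    if encap == "raw":
        return True
    if encap == "llc":
        return (template[1], template[2]) == value
    return template[1] == value


def assign_vlan(frame, port_templates):
    """First matching (vlan_id, template) pair wins; None means no protocol VLAN applies."""
    for vlan_id, template in port_templates:
        if template_matches(template, frame):
            return vlan_id
    return None


# Constructed frames with locally administered MAC addresses.
_DST = bytes.fromhex("020000000001")
_SRC = bytes.fromhex("020000000002")
# Tagged IPv4 Ethernet II: priority 5, CFI 0, VLAN 100 (TCI 0xA064), EtherType 0x0800
IPV4_TAGGED = _DST + _SRC + struct.pack("!HH", TPID_8021Q, (5 << 13) | 100) + b"\x08\x00\x45" + b"\x00" * 19
# Untagged 802.2 LLC IPX: length 0x0030, DSAP/SSAP 0xE0 (the IPX value named in the chapter)
IPX_LLC = _DST + _SRC + b"\x00\x30\xe0\xe0\x03" + b"\x00" * 20
# Untagged 802.2 SNAP AppleTalk: DSAP/SSAP 0xAA, control 0x03, OUI 08-00-07, PID 0x809B
ATALK_SNAP = _DST + _SRC + b"\x00\x40\xaa\xaa\x03\x08\x00\x07\x80\x9b" + b"\x00" * 20
# Untagged 802.3 raw IPX: 0xFFFF where DSAP/SSAP would be
IPX_RAW = _DST + _SRC + b"\x00\x30\xff\xff" + b"\x00" * 20

# Templates in the spirit of the chapter's example: IP traffic to VLAN 100,
# AppleTalk to VLAN 200; IPX matches nothing on this port.
PORT_TEMPLATES = [(100, ("ethernetii", 0x0800)), (200, ("snap", 0x809B))]

if __name__ == "__main__":
    for name, frame in (("IPv4", IPV4_TAGGED), ("IPX LLC", IPX_LLC), ("AppleTalk", ATALK_SNAP), ("IPX raw", IPX_RAW)):
        print(name, protocol_value(frame), "->", assign_vlan(frame, PORT_TEMPLATES))
```

Note that the chapter's own sentence about the S5600 treating type values 0x05DD to 0x05FF as 802.2/802.3 is narrower than the figure; the example follows the figure's 0x0000 to 0x05FF range.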
VLAN Configuration When configuring a VLAN, go to these sections for information you are interested in: VLAN Configuration Configuring a Port-Based VLAN Configuring a Protocol-Based VLAN VLAN Configuration VLAN Configuration Task List Complete the following tasks to configure VLAN: Task Remarks Basic VLAN Configuration Required...
VLAN 1 is the system default VLAN, which need not be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. The switch also supports dynamic VLANs, which are registered through GVRP. For details, refer to the "GVRP" part of this manual.
Enabling or disabling a VLAN's VLAN interface does not affect the physical status of the Ethernet ports belonging to this VLAN.
Displaying VLAN Configuration
To do: Display the VLAN interface information. Use the command: display interface Vlan-interface [ vlan-id ]. Remarks: Available in any view.
Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view. In Ethernet port view Follow these steps to assign an Ethernet port to one or multiple VLANs: To do…...
To do: Configure the default VLAN for the hybrid port. Use the command: port hybrid pvid vlan vlan-id. Remarks: VLAN 1 is the default VLAN by default.
After configuring the default VLAN for a trunk or hybrid port, you need to use the port trunk permit command or the port hybrid vlan command to configure the port to allow traffic of the default VLAN to pass through.
Network diagram: Figure 2-1 Network diagram for VLAN configuration (diagram not recovered; it shows Server1 and Server2, Switch A and Switch B, and ports GE1/0/1, GE1/0/2, GE1/0/10, GE1/0/11, GE1/0/12 and GE1/0/13).
Configuration procedure
Configure Switch A.
# Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100.
<SwitchA>...
# Create VLAN 200, specify its descriptive string as Dept2, and add GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12 to VLAN 200.
[SwitchB] vlan 200
[SwitchB-vlan200] description Dept2
[SwitchB-vlan200] port GigabitEthernet 1/0/11 GigabitEthernet 1/0/12
[SwitchB-vlan200] quit
Configure the link between Switch A and Switch B. Because the link between Switch A and Switch B needs to transmit data of both VLAN 100 and VLAN 200, you can configure the ports at both ends of the link as trunk ports and permit packets of the two VLANs to pass through the two ports.
To do: Configure the protocol template for the VLAN. Use the command: protocol-vlan [ protocol-index ] { at | ip | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc dsap dsap-id ssap ssap-id | snap etype... Remarks: Required. By default, no protocol template is configured.
To do: Enter system view. Use the command: system-view. Remarks: —
To do: Enter port view. Use the command: interface interface-type interface-number. Remarks: —
To do: Associate the port with the specified protocol-based VLAN. Use the command: port hybrid protocol-vlan vlan vlan-id { protocol-index [ to protocol-index-end ] | all }. Remarks: Required. By default, a port is not associated with any VLAN...
Network diagram: Figure 2-2 Network diagram for protocol-based VLAN configuration (diagram not recovered; it shows an IP server and an AppleTalk server on GE1/0/11 and GE1/0/12, and an IP host and an AppleTalk host in the workroom on GE1/0/10).
Configuration procedure
# Create VLAN 100 and VLAN 200, and add GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12 to VLAN 100 and VLAN 200 respectively.
<Switch>...
# Configure GigabitEthernet 1/0/10 as a hybrid port that removes the VLAN tag from packets of VLAN 100 and VLAN 200 before forwarding them.
[Switch-vlan100] quit
[Switch] interface GigabitEthernet 1/0/10
[Switch-GigabitEthernet1/0/10] port link-type hybrid
[Switch-GigabitEthernet1/0/10] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/10 with protocol templates 0 and 1 of VLAN 100, and protocol template 0 of VLAN 200.
Table of Contents
1 IP Addressing Configuration
  IP Addressing Overview
    IP Address Classes
    Special Case IP Addresses
    Subnetting and Masking
  Configuring IP Addresses
  Displaying IP Addressing Configuration
  IP Address Configuration Examples
    IP Address Configuration Example I
    IP Address Configuration Example II
2 IP Performance Configuration
  IP Performance Overview...
IP Addressing Configuration When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying IP Addressing Configuration IP Address Configuration Examples IP Addressing Overview IP Address Classes IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary.
Table 1-1 IP address classes and ranges (Class, Address range, Description). Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address.
255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively. Configuring IP Addresses S5600 Series Ethernet Switches support assigning IP addresses to VLAN interfaces and loopback interfaces. Besides directly assigning an IP address to a VLAN interface, you may configure a VLAN interface to obtain an IP address through BOOTP or DHCP as alternatives. If you change the way an interface obtains an IP address, from manual assignment to BOOTP for example, the IP address obtained from BOOTP will overwrite the old one manually assigned.
You can assign at most seven IP addresses to an interface, among which one is the primary IP address and the others are secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any. The primary and secondary IP addresses of an interface cannot reside on the same network segment;...
IP Address Configuration Example II. Network requirements: As shown in Figure 1-4, VLAN-interface 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through the switch, and to enable the hosts on the LAN to communicate with each other, do the following: Assign two IP addresses to VLAN-interface 1 on the switch.
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
The output shows that the switch can communicate with the hosts on the subnet 172.16.1.0/24.
# Ping a host on the subnet 172.16.2.0/24 from the switch to check the connectivity.
<Switch>...
IP Performance Overview Introduction to IP Performance Configuration In some network environments, you need to adjust the IP parameters to achieve best network performance. The IP performance configuration supported by S5600 Series Ethernet Switches includes: Configuring TCP attributes Enabling reception of directed broadcasts to a directly connected network...
Forwarding of directed broadcasts to a directly connected network is disabled on S5600 series Ethernet switches by default. However, you should enable the feature when: Using the UDP Helper function to convert broadcasts to unicasts and forward them to a specified server.
Disabling ICMP to Send Error Packets. Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify the corresponding devices, so as to facilitate control and management. Although sending ICMP error packets facilitates control and management, it has the following disadvantages: Sending a lot of ICMP packets increases network traffic.
To do: Display the FIB entries in the buffer which begin with, include or exclude the specified character string. Use the command: display fib | { begin | include | exclude } regular-expression.
To do: Display the FIB entries filtered through a specific prefix list. Use the command: display fib ip-prefix ip-prefix-name...
Configure Switch B
# Enable Switch B to receive directed broadcasts.
<SwitchB> system-view
[SwitchB] ip forward-broadcast
# Configure a static route to Host.
[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2
# Configure an IP address for VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 2.2.2.1 24
After the above configuration, if you ping the subnet broadcast address 2.2.2.255 from Host, the ping packets can be received by VLAN-interface 2 of Switch B.
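The interface address rules from the IP addressing chapter (one primary address plus secondaries, at most seven in total, and no two on the same network segment) and the directed-broadcast behaviour from the example just above can be checked with a small model. The following is an added example, not H3C code, written in Python with the standard ipaddress module: VlanInterface.ip_address applies the address rules as the chapter states them (same segment is taken to mean the same network), is_directed_broadcast tells whether a destination is the subnet broadcast of a directly connected network, and accepts shows that such a packet is only delivered once ip forward-broadcast is enabled, which the chapter says is off by default. The interface names and addresses are those of the chapter's two examples; the seven-address check uses constructed 10.0.x.0/24 networks.

```python
"""Interface address rules from the IP addressing chapter (one primary plus
secondary addresses, at most seven in total, each on its own network segment)
and the directed-broadcast check from the IP performance example.
Added example, not switch code."""
import ipaddress

MAX_ADDRESSES = 7   # page: at most seven IP addresses per interface


class VlanInterface:
    def __init__(self, name, forward_broadcast=False):
        self.name = name
        self.forward_broadcast = forward_broadcast   # 'ip forward-broadcast', off by default
        self.primary = None
        self.secondaries = []

    def addresses(self):
        return ([self.primary] if self.primary else []) + self.secondaries

    def ip_address(self, address, prefix_len, sub=False):
        """'ip address A.B.C.D <len> [ sub ]'.  Returns the resulting address."""
        new = ipaddress.IPv4Interface(f"{address}/{prefix_len}")
        # A new primary may not share a segment with any secondary; a new
        # secondary may not share one with any existing address.
        others = self.secondaries if not sub else self.addresses()
        for existing in others:
            if existing.network == new.network:
                raise ValueError(f"{new} is on the same segment as {existing}")
        if not sub:
            self.primary = new              # a new primary overwrites the old one
        else:
            if len(self.addresses()) >= MAX_ADDRESSES:
                raise ValueError(f"{self.name}: at most {MAX_ADDRESSES} addresses")
            self.secondaries.append(new)
        return new

    def is_directed_broadcast(self, dst):
        """True when dst is the subnet broadcast of a directly connected network."""
        d = ipaddress.IPv4Address(dst)
        return any(d == a.network.broadcast_address for a in self.addresses())

    def accepts(self, dst):
        """Delivered locally: one of our own addresses, or a directed broadcast
        when reception of directed broadcasts is enabled."""
        d = ipaddress.IPv4Address(dst)
        if any(d == a.ip for a in self.addresses()):
            return True
        return self.forward_broadcast and self.is_directed_broadcast(dst)


if __name__ == "__main__":
    vi1 = VlanInterface("Vlan-interface1")
    vi1.ip_address("172.16.1.1", 24)
    vi1.ip_address("172.16.2.1", 24, sub=True)
    print(vi1.name, [str(a) for a in vi1.addresses()])
    vi2 = VlanInterface("Vlan-interface2")
    vi2.ip_address("2.2.2.1", 24)
    print("2.2.2.255 accepted without forward-broadcast:", vi2.accepts("2.2.2.255"))
    vi2.forward_broadcast = True
    print("2.2.2.255 accepted with forward-broadcast:", vi2.accepts("2.2.2.255"))
```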
1 Voice VLAN Configuration
  Voice VLAN Overview
    How an IP Phone Works
    How S5600 Series Switches Identify Voice Traffic
    Setting the Voice Traffic Transmission Priority
    Configuring Voice VLAN Assignment Mode of a Port
    Support for Voice VLAN on Various Ports
    Security Mode of Voice VLAN...
Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview Voice VLAN Configuration Displaying and Maintaining Voice VLAN Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, you can have voice traffic transmitted within voice VLANs and perform QoS-related configuration for voice traffic as required, thus ensuring the transmission priority of voice traffic and voice quality.
The following describes the way an IP phone acquires an IP address. Figure 1-1 Network diagram for IP phones. As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
NCP is reachable to the IP address to be set. How S5600 Series Switches Identify Voice Traffic: S5600 series Ethernet switches determine whether a received packet is a voice packet by checking its source MAC address against an organizationally unique identifier (OUI) list. If a match is found, the packet is considered a voice packet.
Set the DSCP value to 46. Configuring Voice VLAN Assignment Mode of a Port A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode. You can configure the voice VLAN assignment mode for a port according to data traffic passing through the port.
Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically Voice VLAN Voice assignment traffic Port type Supported or not mode type Access Not supported Supported Make sure the default VLAN of the port exists and is not Trunk Tagged a voice VLAN, and the access port permits the traffic of...
Security Mode of Voice VLAN On S5600 series Ethernet switches, a voice VLAN can operate in the security mode. Voice VLANs operating in this mode only permit voice data, enabling you to perform voice traffic-specific priority configuration. With the security mode disabled, both voice data and service data can be transmitted in a voice VLAN.
To do: Set an OUI address that can be identified by the voice VLAN. Use the command: voice vlan mac-address oui mask oui-mask [ description text ]. Remarks: Optional. By default, the switch determines the voice traffic according to the default OUI address.
Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode
Follow these steps to configure a voice VLAN to operate in manual voice VLAN assignment mode:
To do: Enter system view. Use the command: system-view. Remarks: —
To do: Set an OUI address that can be identified... Use the command: voice vlan mac-address... Remarks: Optional. Without this address,...
VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature enables communication between H3C devices and other vendors' voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors'...
Voice VLAN Configuration Example Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in automatic voice VLAN assignment mode to enable the port to which an IP phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN.
# Configure GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
# Configure VLAN 6 as the default VLAN of GigabitEthernet 1/0/1, and configure GigabitEthernet 1/0/1 to permit packets with the tag of VLAN 6.
[DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 6
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 6 tagged
# Enable the voice VLAN function on GigabitEthernet 1/0/1.
# Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
<DeviceA> display voice vlan oui
Oui Address      Mask             Description
0003-6b00-0000   ffff-ff00-0000   Cisco phone
000f-e200-0000   ffff-ff00-0000   H3C Aolynk phone
0011-2200-0000   ffff-ff00-0000   test
00d0-1e00-0000   ffff-ff00-0000   Pingtel phone
00e0-7500-0000   ffff-ff00-0000   Polycom phone
00e0-bb00-0000   ...
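The voice-traffic check described in the overview (source MAC matched against the OUI list under each entry's mask) and the voice vlan mac-address oui command can be modelled directly. The following is an added example, not H3C code: VoiceOuiTable.add mirrors the command's oui, mask and description arguments, match returns the description of the first entry whose masked OUI equals the masked source MAC, and default_table loads the rows shown by display voice vlan oui above (the truncated last row is left out). The rejection of an OUI with bits set outside its mask is this example's own sanity check, and the MAC addresses in the test are constructed.

```python
"""Voice-traffic identification by source-MAC OUI, as the chapter describes:
a packet is voice traffic when its source MAC matches an OUI entry under that
entry's mask.  Added example, not switch code; the table below is the one
shown by 'display voice vlan oui', minus the truncated last row."""


def mac_to_int(mac):
    """Accept H3C 'xxxx-xxxx-xxxx' as well as 'xx:xx:xx:xx:xx:xx' notation."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


class VoiceOuiTable:
    def __init__(self):
        self.entries = []   # (oui, mask, description); oui and mask as integers

    def add(self, oui, mask, description=""):
        """Mirrors 'voice vlan mac-address <oui> mask <mask> [ description <text> ]'."""
        o, m = mac_to_int(oui), mac_to_int(mask)
        if o & ~m & 0xFFFFFFFFFFFF:
            # example's own check: bits outside the mask could never match
            raise ValueError("OUI has bits set outside its mask")
        self.entries.append((o, m, description))

    def match(self, src_mac):
        """Description of the first entry the source MAC matches, or None."""
        s = mac_to_int(src_mac)
        for o, m, desc in self.entries:
            if s & m == o:
                return desc
        return None

    def is_voice(self, src_mac):
        """The switch's decision: a match means the packet is voice traffic."""
        return self.match(src_mac) is not None


def default_table():
    """The entries listed by 'display voice vlan oui' on the page."""
    t = VoiceOuiTable()
    for oui, mask, desc in [
        ("0003-6b00-0000", "ffff-ff00-0000", "Cisco phone"),
        ("000f-e200-0000", "ffff-ff00-0000", "H3C Aolynk phone"),
        ("0011-2200-0000", "ffff-ff00-0000", "test"),
        ("00d0-1e00-0000", "ffff-ff00-0000", "Pingtel phone"),
        ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ]:
        t.add(oui, mask, desc)
    return t


if __name__ == "__main__":
    table = default_table()
    for mac in ("0003-6b12-3456", "00:e0:75:aa:bb:cc", "0250-5612-3456"):   # constructed
        print(mac, table.match(mac))
```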
Table of Contents
1 GVRP Configuration
  Introduction to GVRP
    GARP
    GVRP
    Protocol Specifications
  GVRP Configuration
    GVRP Configuration Tasks
    Enabling GVRP
    Configuring GVRP Timers
    Configuring GVRP Port Registration Mode
  Displaying and Maintaining GVRP
  GVRP Configuration Example
    GVRP Configuration Example...
GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Displaying and Maintaining GVRP GVRP Configuration Example Introduction to GVRP GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
GARP timers Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
Figure 1-1 Format of GARP packets
The following table describes the fields of a GARP packet.
Table 1-1 Description of GARP packet fields (Field, Description, Value)
Protocol ID: Protocol ID
Message: Each message consists of two parts: Attribute Type and —...
GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
To do: Enter system view. Use the command: system-view. Remarks: —
To do: Enable GVRP globally. Use the command: gvrp. Remarks: Required. By default, GVRP is disabled globally.
To do: Enter Ethernet port view. Use the command: interface interface-type interface-number. Remarks: —
To do: Enable GVRP on the port. Use the command: gvrp. Remarks: Required. By default, GVRP is disabled on the port.
Table 1-2 Relations between the timers (Timer, Lower threshold, Upper threshold)
Hold: Lower threshold 10 centiseconds. Upper threshold: less than or equal to one-half of the timeout time of the Join timer; you can change the threshold by changing the timeout time of the Join timer.
Displaying and Maintaining GVRP
To do: Display GARP statistics. Use the command: display garp statistics [ interface interface-list ]. Remarks: Available in any view.
To do: Display the settings of the GARP timers. Use the command: display garp timer [ interface interface-list ]. Remarks: Available in any view.
To do: Display GVRP statistics. Use the command: display gvrp statistics [ interface interface-list ]...
[SwitchA-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet1/0/1.
[SwitchA-GigabitEthernet1/0/1] gvrp
[SwitchA-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2 to be a trunk port and to permit the packets of all the VLANs.
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable GVRP on GigabitEthernet1/0/2.
5, 7, 8,
# Display the VLAN information dynamically registered on Switch B.
[SwitchB] display vlan dynamic
Total 3 dynamic VLAN exist(s).
The following dynamic VLANs exist:
5, 7, 8,
# Display the VLAN information dynamically registered on Switch E.
[SwitchE] display vlan dynamic
Total 1 dynamic VLAN exist(s).
5, 8,
# Display the VLAN information dynamically registered on Switch E.
[SwitchE] display vlan dynamic
No dynamic vlans exist!
Table of Contents
1 Port Basic Configuration
  Ethernet Port Configuration
    Initially Configuring a Port
    Configuring Port Auto-Negotiation Speed
    Limiting Traffic on Individual Ports
    Enabling Flow Control on a Port
    Copying the Configuration of a Port to Other Ports
    Configuring Loopback Detection for an Ethernet Port
    Enabling Loopback Test
    Enabling the System to Test Connected Cable...
Port Basic Configuration The auto-negotiation speed configuration on a port is added to this manual. For details, refer to section Configuring Port Auto-Negotiation Speed. The configuration for port Up/Down log output is added to this manual. For details, refer to section Disabling Up/Down Log Output on a Port.
To do: Set the medium dependent interface (MDI) mode of the Ethernet port. Use the command: mdi { across | auto | normal }. Remarks: Optional. By default, the MDI mode of the port is auto. Currently, the devices do not support across or normal mode.
Only combo optical ports on the front panel of the device support the auto-negotiation speed configuration feature; ports on the extended interface card do not support this feature currently. After you configure auto-negotiation speed(s) for a port, executing the undo speed command or the speed auto command restores the auto-negotiation speed setting of the port to the default.
Follow these steps to enable flow control on a port:
To do: Enter system view. Use the command: system-view. Remarks: —
To do: Enter Ethernet port view. Use the command: interface interface-type interface-number. Remarks: —
To do: Enable flow control on the Ethernet port. Use the command: flow-control. Remarks: By default, flow control is not enabled on the port.
If you specify a source aggregation group ID, the system will use the port with the smallest port number in the aggregation group as the source. If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the specific port view. After you use the undo loopback-detection enable command in system view, loopback detection will be disabled on all ports. Enabling Loopback Test You can configure the Ethernet port to run loopback test to check if it operates normally.
To do... Use the command... Remarks interface interface-type Enter Ethernet port view — interface-number Enable the system to test virtual-cable-test Required connected cables Optical port (including Combo optical port) does not support VCT (virtual-cable-test) function. Combo electrical port supports VCT function only when it is in UP condition (using undo shutdown command), normal Ethernet electrical port always supports this function.
Enable the giant-frame statistics function: giant-frame statistics enable (Required. By default, the giant-frame statistics function is not enabled.)
Disabling Up/Down Log Output on a Port
An Ethernet port has two physical link statuses: up and down. When the physical link status of an Ethernet port changes, the switch sends a log to the log server, which in turn acts accordingly.
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Set the upper and lower thresholds of broadcast/multicast/unicast traffic received on the port: storm-constrain { broadcast | multicast | unicast } max-packets min-packets pps (Required)
Set the action to be taken when a type of traffic received on the... (Optional)
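The two thresholds above implement a hysteresis: the action fires when the measured rate rises above max-packets and is released only when the rate falls back below min-packets, so a rate hovering around a single value cannot flap the port. The following model is an added example, not H3C code. It treats "block" as self-releasing and "shutdown" as needing an administrator to bring the port back, and the per-second rate samples are constructed; both the action semantics and the samples are assumptions.

```python
"""Added example (not H3C code): two-threshold storm control on one port
for one traffic type (broadcast, multicast or unicast), as the
storm-constrain command describes. Rates are packets per second."""


class StormConstrain:
    def __init__(self, max_pps, min_pps, action="block"):
        # The lower threshold must not be above the upper one, otherwise a
        # single sample could both release and re-suppress the port.
        if min_pps > max_pps:
            raise ValueError("min-packets must not exceed max-packets")
        if action not in ("block", "shutdown"):
            raise ValueError("action must be 'block' or 'shutdown'")
        self.max_pps = max_pps
        self.min_pps = min_pps
        self.action = action
        self.suppressed = False   # True while the action is in force
        self.events = []          # (second, event, measured pps)

    def observe(self, second, pps):
        """Feed one per-second rate sample; return whether the action is in force."""
        if not self.suppressed and pps > self.max_pps:
            self.suppressed = True
            self.events.append((second, self.action, pps))
        elif self.suppressed and pps < self.min_pps:
            # Assumption: a shut-down port no longer measures traffic and
            # needs undo shutdown from an administrator; only "block"
            # releases itself when the rate drops below min-packets.
            if self.action == "block":
                self.suppressed = False
                self.events.append((second, "release", pps))
        return self.suppressed


def replay(samples, max_pps, min_pps, action="block"):
    """Run a list of (second, pps) samples through one port; return its events."""
    sc = StormConstrain(max_pps, min_pps, action)
    for second, pps in samples:
        sc.observe(second, pps)
    return sc.events


if __name__ == "__main__":
    # Constructed broadcast burst: rises past 2000 pps, lingers between the
    # thresholds (no release yet), then falls below 1000 pps.
    burst = [(1, 300), (2, 2500), (3, 1500), (4, 1200), (5, 800), (6, 200)]
    for event in replay(burst, max_pps=2000, min_pps=1000):
        print(event)
```

Samples at seconds 3 and 4 sit between the thresholds and change nothing; that gap is the point of having two values instead of one.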
The port state change delay takes effect when the port goes down but not when the port goes up. Follow these steps to set the port state change delay:
Enter system view: system-view
Enter Ethernet port view: interface interface-type...
Display the statistics on dropped packets: display packet-drop { interface [ interface-type interface-number ] | summary } (Available in any view)
Clear port statistics: reset counters interface [ interface-type | interface-type interface-number ] (Available in user view)
Clear the statistics on dropped packets: reset packet-drop interface...
[Sysname-GigabitEthernet1/0/1] port trunk pvid vlan 100
Troubleshooting Ethernet Port Configuration
Symptom: Fail to configure the default VLAN ID of an Ethernet port.
Solution: Take the following steps. Use the display interface or display port command to check whether the port is a trunk port or a hybrid port.
Table of Contents
1 Link Aggregation Configuration (1-1)
  Overview (1-1)
    Introduction to Link Aggregation (1-1)
    Introduction to LACP (1-1)
    Requirements on Ports for Link Aggregation (1-1)
  Link Aggregation Classification (1-2)
    Manual Aggregation Group (1-2)
    Static LACP Aggregation Group (1-3)
    Dynamic LACP Aggregation Group (1-3)
  Aggregation Group Categories (1-4)
  Link Aggregation Configuration (1-5)
    Configuring a Manual Aggregation Group (1-6)...
Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Classification Aggregation Group Categories Link Aggregation Configuration Displaying and Maintaining Link Aggregation Configuration Link Aggregation Configuration Example Overview Introduction to Link Aggregation Link aggregation can aggregate multiple Ethernet ports together to form a logical aggregation group.
VLAN-VPN configuration, including VLAN-VPN state (enabled/disabled), Set the TPID value for the port, Enable the inner-to-outer tag priority replicating feature. S5600 series Ethernet switches support cross-device link aggregation if IRF fabric is enabled. Link Aggregation Classification Depending on different aggregation modes, the following three types of link aggregation exist:...
There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of the selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and others as unselected ports. Among the selected ports in an aggregation group, the one with smallest port number operates as the master port.
are connected to the same peer device and have the same speed, duplex mode, and basic configurations, and so are/do their peer ports. Besides multiple-port aggregation groups, the system is also able to create single-port aggregation groups, each of which contains only one port. LACP is enabled on the member ports of dynamic aggregation groups.
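The selection rules above (members must share peer, speed, duplex and basic configuration; only a limited number of ports can be selected, lower port numbers winning; the lowest-numbered selected port is the master) are easy to get subtly wrong when reasoning about which links will actually carry traffic. The following is an added example, not H3C code, that applies those rules to a constructed group of ports; the device limit of 8 selected ports and the port attributes are assumptions.

```python
"""Added example (not H3C code): choosing the selected ports and the
master port of a link aggregation group according to the rules in the
text. The selected-port limit is an assumed value."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int            # 1 for GigabitEthernet1/0/1, and so on
    peer: str              # device seen at the far end of the link
    speed: int             # Mbit/s
    duplex: str            # "full" or "half"
    up: bool = True
    config: tuple = ()     # hashable summary of the port's basic settings


def attributes(p):
    """The attributes every selected port must share with the master."""
    return (p.peer, p.speed, p.duplex, p.config)


def choose_selected(ports, max_selected=8):
    """Return (master, selected, unselected) for one aggregation group.

    The lowest-numbered up port is the reference: only ports matching its
    attributes can be selected alongside it, and once the device limit is
    reached the remaining candidates are left unselected.
    """
    by_number = sorted(ports, key=lambda p: p.number)
    up_ports = [p for p in by_number if p.up]
    if not up_ports:
        return None, [], by_number
    ref = up_ports[0]
    candidates = [p for p in up_ports if attributes(p) == attributes(ref)]
    selected = candidates[:max_selected]
    chosen = {p.number for p in selected}
    unselected = [p for p in by_number if p.number not in chosen]
    return selected[0], selected, unselected


def selected_numbers(ports, max_selected=8):
    """Convenience view: (master port number, list of selected port numbers)."""
    master, selected, _ = choose_selected(ports, max_selected)
    return (master.number if master else None, [p.number for p in selected])


if __name__ == "__main__":
    # Constructed sample: three matching gigabit ports, one 100 Mbit/s port
    # to the same peer, and one port whose link is down.
    group = [
        Port(1, "SwitchB", 1000, "full"),
        Port(2, "SwitchB", 1000, "full"),
        Port(3, "SwitchB", 1000, "full"),
        Port(4, "SwitchB", 100, "full"),
        Port(5, "SwitchB", 1000, "full", up=False),
    ]
    master, sel, unsel = choose_selected(group)
    print("master:", master.number)
    print("selected:", [p.number for p in sel])
    print("unselected:", [p.number for p in unsel])
```

Note that port 4 is excluded because of its speed, not because of the limit; lowering max_selected to 2 drops port 3 as well, which is the "those with lower port numbers operate as the selected ports" rule.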
In general, the system only provides limited load-sharing aggregation resources, so the system needs to reasonably allocate the resources among different aggregation groups. The system always allocates hardware aggregation resources to the aggregation groups with higher priorities. When load-sharing aggregation resources are used up by existing aggregation groups, newly-created aggregation groups will be non-load-sharing ones.
Link aggregation commands cannot be configured together with the port loopback detection feature on the same port. A port on which the mac-address max-mac-count command is configured cannot be added to an aggregation group; conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
If the aggregation group you are creating already exists and contains ports, the possible type changes may be: changing from dynamic or static to manual, and changing from dynamic to static; and no other kinds of type change can occur. When you change a dynamic/static group to a manual group, the system will automatically disable LACP on the member ports.
Configuring a Dynamic LACP Aggregation Group A dynamic LACP aggregation group is created automatically by the system from LACP-enabled ports, and LACP adds ports to and removes ports from the group automatically. You need to enable LACP on the ports that you want to participate in dynamic aggregation, because only when LACP is enabled on those ports at both ends can the two parties agree on adding ports to or removing ports from dynamic aggregation groups.
If you have saved the current configuration with the save command, after system reboot, the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions gets lost. Displaying and Maintaining Link Aggregation Configuration To do…...
Configuration procedure
The following only lists the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation.
Adopting manual aggregation mode
# Create manual aggregation group 1.
<Sysname> system-view
[Sysname] link-aggregation group 1 mode manual
# Add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
[Sysname] interface GigabitEthernet1/0/3
[Sysname-GigabitEthernet1/0/3] lacp enable
The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
Table of Contents
1 Port Isolation Configuration (1-1)
  Port Isolation Overview (1-1)
  Port Isolation Configuration (1-1)
  Displaying and Maintaining Port Isolation Configuration (1-2)
  Port Isolation Configuration Example (1-2)...
Layer 2 and Layer 3 data between each port in the isolation group. Thus, you can construct your network in a more flexible way and improve your network security. Currently, you can create only one isolation group on an S5600 Series Ethernet switch. The number of Ethernet ports in an isolation group is not limited.
S5600 series Ethernet switches support cross-device port isolation if IRF fabric is enabled. For S5600 series Ethernet switches belonging to the same IRF Fabric, the port isolation configuration performed on a port of a cross-device aggregation group cannot be synchronized to the other ports of the aggregation group if the ports reside on other units.
Network diagram
Figure 1-1 Network diagram for port isolation configuration (the switch reaches the Internet through GE1/0/1; figure not reproduced)
Configuration procedure
# Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the isolation group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet1/0/2
[Sysname-GigabitEthernet1/0/2] port isolate
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface GigabitEthernet1/0/3
[Sysname-GigabitEthernet1/0/3] port isolate...
Table of Contents
1 Port Security Configuration (1-1)
  Port Security Overview (1-1)
    Introduction (1-1)
    Port Security Features (1-1)
    Port Security Modes (1-2)
  Port Security Configuration Task List (1-4)
    Enabling Port Security (1-4)
    Setting the Maximum Number of MAC Addresses Allowed on a Port (1-5)
    Setting the Port Security Mode (1-6)
    Configuring Port Security Features (1-7)
    Ignoring the Authorization Information from the RADIUS Server (1-8)
    Configuring Security MAC Addresses (1-8)...
Port Security Configuration When configuring port security, go to these sections for information you are interested in: Port Security Overview Port Security Configuration Task List Displaying and Maintaining Port Security Configuration Port Security Configuration Example The following port security modes were added: macAddressAndUserLoginSecure and macAddressAndUserLoginSecureExt.
Trap feature: When special data packets (generated from illegal intrusion, abnormal login/logout or other special activities) are passing through the switch port, Trap feature enables the switch to send Trap messages to help the network administrator monitor special activities. Port Security Modes Table 1-1 describes the available port security modes: Table 1-1 Description of port security modes...
Security mode / Description / Feature (table continued)
Description: MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the port is enabled, only the packets of the successfully authenticated user can pass through the port.
Feature: In any of these modes, ...
macAddressElseUserLoginSecureExt: This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port. In this mode, a port first performs MAC authentication for a user and then performs 802.1x authentication for the user if the user fails MAC authentication.
Enabling Port Security
Follow these steps to enable port security:
Enter system view: system-view
Enable port security: port-security enable (Required. Disabled by default)
Enabling port security resets the following configurations on the ports to the defaults (shown in parentheses): 802.1x (disabled), port access control method (macbased) and port access control mode (auto); MAC authentication (disabled)
Set the maximum number of MAC addresses allowed on the port: port-security max-mac-count count-value (Required. Not limited by default)
Setting the Port Security Mode
Follow these steps to set the port security mode:
Maximum number of MAC addresses that the port can learn
Reflector port for port mirroring
Fabric port
Link aggregation
Configuring Port Security Features
Configuring the NTK feature
Follow these steps to configure the NTK feature:
Enter system view: system-view...
If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch cannot prevent packets whose destination MAC address is illegal from being sent out that port; that is, the NTK feature does not take effect on packets whose destination MAC address is illegal.
If the number of security MAC addresses has not yet reached the maximum, the port learns new MAC addresses and turns them into security MAC addresses; once the number of security MAC addresses reaches the maximum, the port can no longer learn new MAC addresses and the port mode changes from autolearn to secure.
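The autolearn-to-secure transition above is what turns a learning port into an allow-list: once the table is full, every unknown source MAC becomes an intrusion. The following model is an added example, not H3C code. It assumes two intrusion-mode behaviours (blockmac drops further frames from the offending MAC, disableport shuts the whole port), and the MAC addresses fed through it are constructed.

```python
"""Added example (not H3C code): a port in autolearn mode that learns
security MACs up to max-mac-count, then switches to secure mode and
treats unknown sources as intrusions. The intrusion-mode handling is an
assumption based on the intrusion-mode command named in this chapter."""


class PortSecurity:
    def __init__(self, max_mac_count, intrusion_mode="blockmac"):
        if intrusion_mode not in ("blockmac", "disableport"):
            raise ValueError("unsupported intrusion mode in this model")
        self.max_mac_count = max_mac_count
        self.intrusion_mode = intrusion_mode
        self.mode = "autolearn"
        self.security_macs = set()
        self.blocked_macs = set()
        self.port_up = True
        self.intrusions = []

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        mac = src_mac.lower()
        if not self.port_up or mac in self.blocked_macs:
            return False
        if mac in self.security_macs:
            return True
        if self.mode == "autolearn":
            self.security_macs.add(mac)
            if len(self.security_macs) >= self.max_mac_count:
                self.mode = "secure"        # table full: stop learning
            return True
        # secure mode: an unknown source MAC is an intrusion
        self.intrusions.append(mac)
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(mac)      # assumption: block that MAC only
        else:
            self.port_up = False            # assumption: port shut down
        return False


def simulate(max_mac_count, frames, intrusion_mode="blockmac"):
    """Feed source MACs through one port; return (decisions, final mode, intrusions)."""
    ps = PortSecurity(max_mac_count, intrusion_mode)
    decisions = [ps.ingress(m) for m in frames]
    return decisions, ps.mode, sorted(ps.intrusions)


if __name__ == "__main__":
    # Constructed frames: two hosts fill a 2-entry table, then a third appears.
    hosts = ["00:e0:fc:00:00:01", "00:e0:fc:00:00:02",
             "00:e0:fc:00:00:01", "00:e0:fc:00:00:03"]
    print(simulate(2, hosts))
    print(simulate(1, hosts[:3], intrusion_mode="disableport"))
```

With disableport, the legitimate host's next frame is also dropped because the whole port went down; that is the trade-off between the two intrusion modes.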
Port Security Configuration Example
Network requirements
Implement access user restrictions through the following configuration on GigabitEthernet 1/0/1 of the switch. Allow a maximum of 80 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as security MAC addresses.
Port Binding Configuration When configuring port binding, go to these sections for information you are interested in: Port Binding Overview Displaying and Maintaining Port Binding Configuration Port Binding Configuration Example Port Binding Overview Introduction Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port.
Port Binding Configuration Example
Network requirements
It is required to bind the MAC and IP addresses of Host A to GigabitEthernet 1/0/1 on Switch A, so as to prevent malicious users from using the IP address they steal from Host A to access the network.
Network diagram
Figure 2-1 Network diagram for port binding configuration
Configuration procedure...
Table of Contents
1 DLDP Configuration (1-1)
  Overview (1-1)
    Introduction (1-1)
  DLDP Fundamentals (1-2)
    DLDP Implementation (1-2)
    DLDP Status (1-5)
    DLDP Timers (1-5)
    DLDP Operating Mode (1-6)
    DLDP Neighbor State (1-7)
    Link Auto-recovery Mechanism (1-7)
  DLDP Configuration (1-8)
    Performing Basic DLDP Configuration (1-8)
    Resetting DLDP State (1-9)
  Displaying and Maintaining DLDP (1-10)
  DLDP Configuration Example (1-10)...
DLDP Configuration When configuring DLDP, go to these sections for information you are interested in: Overview DLDP Configuration DLDP Configuration Example Overview Introduction A special kind of link, the unidirectional link, may occur in a network. When a unidirectional link appears, the local device can receive packets from the peer device at the link layer, but the peer device cannot receive packets from the local device.
Figure 1-2 Fiber broken or not connected (GE1/0/50 and GE1/0/51 of Switch A connected to GE1/0/50 and GE1/0/51 of Switch B; figure not reproduced)
Table 1-1 DLDP packet types
Advertisement: Notifies the neighbor devices of the existence of the local device. An advertisement packet carries only the local port information, and it does not require a response from the peer end.
(next row) Advertisement packet with the RSY flag set to 1.
DLDP packet type Function Recover echo packets are response to recover probe packets in the port auto-recovery mechanism. A link is considered to restore to the bidirectional state if a port on one end sends a recover probe packet, Recover Echo receives a recover echo packet, and the neighbor information contained in the recover echo packet is consistent with that of the local port.
If no echo packet is received from the neighbor, DLDP performs the following processing:
Table 1-4 Processing procedure when no echo packet is received from the neighbor
In normal mode, no echo packet is received when the echo waiting timer expires: DLDP switches to the disable state, outputs log and tracking information, and sends flush packets.
Echo waiting timer: It is enabled when DLDP enters the probe state. The echo waiting timer length is 10 seconds. If no echo packet is received from the neighbor when the echo waiting timer expires, the state of the local end is set to unidirectional link and the state machine turns into the disable state.
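The probe/echo exchange and the 10-second echo waiting timer are the core of the detection: a port that can send but never hears an answer must conclude the link is unidirectional. The following is an added example, not H3C code, that models two ports over a fiber pair in which either direction can be cut; the packet format, the link model and all timings other than the echo waiting timer length are assumptions.

```python
"""Added example (not H3C code): a minimal DLDP probe/echo model. A
port in the probe state sends a probe and waits ECHO_WAIT seconds for an
echo; with no echo it enters the disable state. Only the 10-second echo
waiting timer comes from the text; everything else is assumed."""

ECHO_WAIT = 10  # seconds, the echo waiting timer length from the text


class DldpPort:
    def __init__(self, name):
        self.name = name
        self.state = "active"
        self.echo_deadline = None
        self.neighbors = {}       # neighbor port name -> time last confirmed
        self.log = []
        self.link = None

    def start_probe(self, now):
        """Enter the probe state, send a probe and arm the echo waiting timer."""
        self.state = "probe"
        self.echo_deadline = now + ECHO_WAIT
        self.link.send(self, ("probe", self.name), now)

    def receive(self, pkt, now):
        kind, sender = pkt
        if kind == "probe":
            # Answering a probe proves the sender's direction works; the
            # echo proves ours only if it gets back to the sender.
            self.link.send(self, ("echo", self.name), now)
        elif kind == "echo" and self.state == "probe":
            self.neighbors[sender] = now
            self.state = "advertisement"
            self.echo_deadline = None
            self.log.append((now, "bidirectional link with " + sender))

    def tick(self, now):
        """Called once per second; fires the echo waiting timer."""
        if self.state == "probe" and now >= self.echo_deadline:
            self.state = "disable"
            self.echo_deadline = None
            self.log.append((now, "no echo: unidirectional link, port disabled, flush sent"))


class FiberPair:
    """Two fibers between ports a and b; each direction can be cut independently."""
    def __init__(self, a, b, a_to_b=True, b_to_a=True):
        self.a, self.b = a, b
        self.ok = {(a.name, b.name): a_to_b, (b.name, a.name): b_to_a}
        a.link = self
        b.link = self

    def send(self, src, pkt, now):
        dst = self.b if src is self.a else self.a
        if self.ok[(src.name, dst.name)]:      # a cut fiber silently drops
            dst.receive(pkt, now)


def detect(a_to_b=True, b_to_a=True):
    """Probe from port A over a fiber pair with the given health; return A's state."""
    a, b = DldpPort("GE1/0/50"), DldpPort("GE1/0/51")
    FiberPair(a, b, a_to_b, b_to_a)
    a.start_probe(now=0)
    for now in range(1, ECHO_WAIT + 1):
        a.tick(now)
    return a.state


if __name__ == "__main__":
    print("healthy:", detect())
    print("receive fiber cut:", detect(b_to_a=False))
    print("transmit fiber cut:", detect(a_to_b=False))
```

Both single-direction faults end in the disable state on the probing side, which is why the mechanism catches the case that link-up alone misses.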
Table 1-7 DLDP operating mode and neighbor entry aging (columns: DLDP operating mode; whether DLDP detects whether neighbors exist when neighbor tables are aging; whether the entry aging timer is enabled during neighbor entry aging; whether the enhanced timer is enabled when the entry aging timer expires)...
Only ports in the DLDP down state can send and process recover probe packets and recover echo packets; the auto-recovery mechanism does not apply to ports that are shut down manually. DLDP Configuration Performing Basic DLDP Configuration Follow these steps to perform basic DLDP configuration: To do …...
The interval for sending advertisement packets ranges from 1 to 100 seconds and defaults to 5 seconds. Adjust this setting as needed so that DLDP responds to link failures in time. If the interval is too long, STP loops may occur before unidirectional links are terminated; if the interval is too short, network traffic increases needlessly and available bandwidth decreases.
Displaying and Maintaining DLDP
Display the DLDP configuration of a unit or a port: display dldp { unit-id | interface-type interface-number } (Available in any view.)
DLDP Configuration Example
Network requirements
As shown in Figure 1-3, Switch A and Switch B are connected through two pairs of fibers.
[SwitchA] dldp interval 15
# Configure DLDP to work in enhanced mode.
[SwitchA] dldp work-mode enhance
# Set the DLDP handling mode for unidirectional links to auto.
[SwitchA] dldp unidirectional-shutdown auto
# Display the DLDP state.
[SwitchA] display dldp 1
When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
Table of Contents
1 MAC Address Table Management (1-1)
  Overview (1-1)
    Introduction to the MAC Address Table (1-1)
    Introduction to MAC Address Learning (1-2)
    Managing MAC Address Table (1-4)
  MAC Address Table Management (1-5)
    MAC Address Table Management Configuration Task List (1-5)
    Configuring a MAC Address Entry (1-5)
    Setting the MAC Address Aging Timer (1-6)
    Setting the Maximum Number of MAC Addresses a Port Can Learn (1-7)...
MAC Address Table Management When configuring MAC address table management, go to these sections for information you are interested in: Overview MAC Address Table Management Displaying MAC Address Table Information Configuration Example This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the part related to multicast protocol.
Introduction to MAC Address Learning MAC address table entries can be updated and maintained through the following two ways: Manual configuration MAC address learning Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 1-1, User A and User B are both in VLAN 1.
Because the switch broadcasts the packet, both User B and User C can receive the packet. However, User C is not the destination device of the packet, and therefore does not process the packet. Normally, User B will respond to User A, as shown in Figure 1-4.
Managing MAC Address Table Aging of MAC address table To fully utilize a MAC address table, which has a limited capacity, the switch uses an aging mechanism for updating the table. That is, the switch starts an aging timer for an entry when dynamically creating the entry.
MAC Address Table Management
MAC Address Table Management Configuration Task List
Complete the following tasks to configure MAC address table management:
Configuring a MAC Address Entry (Required)
Setting the MAC Address Aging Timer (Optional)
Setting the Maximum Number of MAC Addresses a Port Can Learn (Optional)
Enabling Destination MAC Address Triggered Update (Optional)...
Add a MAC address entry: mac-address { static | dynamic | blackhole } mac-address vlan vlan-id (Required)
When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command.
Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mechanism enables an Ethernet switch to acquire the MAC addresses of the network devices on the segment connected to the ports of the switch. By searching the MAC address table, the switch directly forwards the packets destined for these MAC addresses through the hardware, improving the forwarding efficiency.
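The static, dynamic and blackhole entry types, the aging timer and the per-port learning limit described in this chapter interact in ways that matter for security (a static or blackhole entry must not be overwritten by learning, and a port that hits its limit must stop learning rather than evict). The following is an added example, not H3C code, that models those rules; the aging time, the forwarding decisions and the sample MAC addresses are constructed.

```python
"""Added example (not H3C code): a software model of the MAC address
table from this chapter: entries keyed by (VLAN, MAC) with static,
dynamic and blackhole kinds, aging of idle dynamic entries, and a
per-port cap like mac-address max-mac-count. Values are constructed."""


class MacTable:
    def __init__(self, aging_time=300):
        self.aging_time = aging_time          # seconds; 0 disables aging
        self.entries = {}                     # (vlan, mac) -> entry dict
        self.max_per_port = {}                # port -> learn limit

    @staticmethod
    def _key(vlan, mac):
        return (vlan, mac.lower())

    def add_static(self, mac, vlan, port):
        self.entries[self._key(vlan, mac)] = {"port": port, "kind": "static"}

    def add_blackhole(self, mac, vlan):
        """Frames to a blackhole MAC are dropped instead of flooded."""
        self.entries[self._key(vlan, mac)] = {"port": None, "kind": "blackhole"}

    def set_max_mac_count(self, port, limit):
        self.max_per_port[port] = limit

    def learned_on(self, port):
        return sum(1 for e in self.entries.values()
                   if e["kind"] == "dynamic" and e["port"] == port)

    def learn(self, src_mac, vlan, port, now):
        """Learn or refresh a dynamic entry; return False if nothing was learned."""
        key = self._key(vlan, src_mac)
        entry = self.entries.get(key)
        if entry is not None and entry["kind"] != "dynamic":
            return False                      # static/blackhole entries win
        if entry is None:
            limit = self.max_per_port.get(port)
            if limit is not None and self.learned_on(port) >= limit:
                return False                  # port has reached its limit
            self.entries[key] = {"port": port, "kind": "dynamic"}
        self.entries[key]["port"] = port      # the host may have moved
        self.entries[key]["last_seen"] = now
        return True

    def age(self, now):
        """Remove dynamic entries idle longer than the aging time; return the count."""
        if self.aging_time == 0:
            return 0
        stale = [k for k, e in self.entries.items()
                 if e["kind"] == "dynamic" and now - e["last_seen"] > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def forward(self, dst_mac, vlan):
        """Return the outgoing port, 'flood' for an unknown MAC, or 'drop' for blackhole."""
        entry = self.entries.get(self._key(vlan, dst_mac))
        if entry is None:
            return "flood"
        if entry["kind"] == "blackhole":
            return "drop"
        return entry["port"]


if __name__ == "__main__":
    t = MacTable(aging_time=300)
    t.add_static("00:e0:fc:35:dc:71", 1, "GE1/0/2")      # constructed server MAC
    t.add_blackhole("00:11:22:33:44:55", 1)               # constructed rogue MAC
    t.set_max_mac_count("GE1/0/1", 1)
    print(t.learn("00:00:00:00:00:01", 1, "GE1/0/1", now=0))   # True
    print(t.learn("00:00:00:00:00:02", 1, "GE1/0/1", now=1))   # False, limit hit
    print(t.forward("00:e0:fc:35:dc:71", 1), t.forward("00:11:22:33:44:55", 1))
    print(t.age(now=400), t.forward("00:00:00:00:00:01", 1))   # 1 flood
```

The static server entry in the last configuration example of this chapter is exactly the first add_static call: a known destination that the switch forwards out one port instead of flooding.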
Assigning MAC Addresses for Ethernet Ports By default, no Ethernet port of an S5600 switch is configured with a MAC address. Therefore, when the switch sends Layer 2 protocol packets, for example, BPDUs of STP, it uses the MAC address predefined in the protocol as the source address to send the BPDUs.
Configuration Example Adding a Static MAC Address Entry Manually Network requirements The server connects to the switch through GigabitEthernet 1/0/2. To prevent the switch from broadcasting packets destined for the server, it is required to add the MAC address of the server to the MAC address table of the switch, which then forwards packets destined for the server through GigabitEthernet 1/0/2.
Table of Contents
1 Auto Detect Configuration (1-1)
  Introduction to the Auto Detect Function (1-1)
  Auto Detect Configuration (1-1)
    Auto Detect Basic Configuration (1-2)
    Auto Detect Implementation in Static Routing (1-2)
    Auto Detect Implementation in VRRP (1-3)
    Auto Detect Implementation in VLAN Interface Backup (1-3)
  Auto Detect Configuration Examples (1-4)
    Configuration Example for Auto Detect Implementation in Static Routing (1-4)
    Configuration Example for Auto Detect Implementation in VRRP (1-5)...
Auto Detect Configuration When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function Auto Detect Configuration Auto Detect Configuration Examples Introduction to the Auto Detect Function The Auto Detect function uses ICMP request/reply packets to test network connectivity regularly. The detected object of the Auto Detect function is a detected group, which is a set of IP addresses.
Auto Detect Basic Configuration
Follow these steps to configure the auto detect function:
Enter system view: system-view
Create a detected group and enter detected group view: detect-group group-number (Required)
Add an IP address to be detected to the detected group: detect-list list-number ip address ip-address (Required)...
Follow these steps to configure the auto detect function for a static route:
Enter system view: system-view
Bind a detected group to a static route: ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject |... (Required)
When the link between the active VLAN interface and the destination fails (that is, the detected group becomes unreachable), the system enables the backup VLAN interface. When the link between the active VLAN interface and the destination recovers (that is, the detected group becomes reachable again), the system shuts down the backup VLAN interface again.
# Enter system view.
<SwitchA> system-view
# Create detected group 8.
[SwitchA] detect-group 8
# Detect the reachability of 10.1.1.4/24, with 192.168.1.2/24 as the next hop, and the detecting number set to 1.
[SwitchA-detect-group-8] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2
[SwitchA-detect-group-8] quit
# Enable the static route when the detected group is reachable.
Configuration procedure
Configure the IP addresses of all the interfaces as shown in Figure 1-2. The configuration procedure is omitted.
Configure Switch A.
# Create detected group 9.
<SwitchA> system-view
[SwitchA] detect-group 9
# Specify to detect the reachability of the IP address 10.1.1.4/24, setting the detect number to 1.
[SwitchA-detect-group-9] detect-list 1 ip address 10.1.1.4
[SwitchA-detect-group-9] quit
# Enable VRRP on VLAN-interface 1 and assign a virtual IP address to the VRRP group.
Network diagram
Figure 1-3 Network diagram for VLAN interface backup
Configuration procedure
Configure the IP addresses of all the interfaces as shown in Figure 1-3. The configuration procedure is omitted.
# Enter system view.
<SwitchA> system-view
# Create auto detected group 10.
[SwitchA] detect-group 10
# Add the IP address 10.1.1.4 to detected group 10 to detect its reachability, with 192.168.1.2 as the next hop and the detecting number set to 1.
Table of Contents
1 MSTP Configuration (1-1)
  STP Overview (1-1)
  MSTP Overview (1-9)
    Background of MSTP (1-9)
    Basic MSTP Terminologies (1-10)
    Principle of MSTP (1-14)
    MSTP Implementation on Switches (1-15)
    STP-related Standards (1-15)
  Configuring Root Bridge (1-15)
    Configuration Prerequisites (1-16)
    Configuring an MST Region (1-16)
    Specifying the Current Switch as a Root Bridge/Secondary Root Bridge (1-18)
    Configuring the Bridge Priority of the Current Switch (1-20)
    Configuring How a Port Recognizes and Sends MSTP Packets (1-20)...
MSTP Configuration
Go to these sections for information you are interested in:
MSTP Overview
Configuring Root Bridge
Configuring Leaf Nodes
Performing mCheck Operation
Configuring Guard Functions
Configuring Digest Snooping
Configuring Rapid Transition
Configuring VLAN-VPN Tunnel
STP Maintenance Configuration
Enabling Trap Messages Conforming to 802.1d Standard
Displaying and Maintaining MSTP
MSTP Configuration Example
VLAN-VPN tunnel Configuration Example
...
STP identifies the network topology by transmitting BPDUs between STP-compliant network devices. BPDUs contain sufficient information for the network devices to complete the spanning tree calculation. In STP, BPDUs come in two types:
Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology.
Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
Figure 1-1 A schematic diagram of designated bridges and designated ports
All the ports on the root bridge are designated ports.
Path cost
Path cost is a value used for measuring link capacity. By comparing the path costs of different links, STP selects the most robust links and blocks the other links to prune the network into a tree.
For the convenience of description, the description and examples below involve only four parts of a configuration BPDU:
Root bridge ID (in the form of device priority)
Root path cost
Designated bridge ID (in the form of device priority)
Designated port ID (in the form of port name)
Detailed calculation process of the STP algorithm
Initial state
Upon initialization of a device, each device generates a BPDU with itself as the root bridge, in which the...
Selection of the root bridge
At network initialization, each STP-compliant device on the network assumes itself to be the root bridge, with the root bridge ID being its own bridge ID. By exchanging configuration BPDUs, the devices compare one another's root bridge IDs. The device with the smallest root bridge ID is elected as the root bridge.
Figure 1-2 Network diagram for STP algorithm
Initial state of each device
The following table shows the initial state of each device.
Table 1-4 Initial state of each device
Device    Port name   BPDU of port
Device A  AP1         {0, 0, 0, AP1}
          AP2         {0, 0, 0, AP2}
Device B  BP1         {1, 0, 1, BP1}
...
Device   Comparison process   BPDU of port after comparison
Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
Device   Comparison process   BPDU of port after comparison
By comparison: because the root path cost of CP2 (9) (root path cost of the BPDU (5) + path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected...
Blocked port CP2:
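The election the comparison tables walk through can be reproduced in a few lines. The following is an added example, not code from the H3C manual: it simulates the compare-and-update process on the three-device topology of Figure 1-2, with Device A, B and C having priorities 0, 1 and 2 and the link costs the tables use (A-B 5, A-C 10, B-C 4; these values are taken from the comparison text, the port names AP1/AP2, BP1/BP2 and CP1/CP2 from Table 1-4). A BPDU is the four-field tuple the text uses, and rounds repeat until no port's role or advertised BPDU changes.

```python
"""STP root bridge / root port / designated port election on the topology of
Figure 1-2.  Added example, not part of the H3C manual."""

# A configuration BPDU reduced to the four fields the text uses:
# (root bridge ID, root path cost, designated bridge ID, designated port ID).
# Python compares tuples field by field, so "smaller" means "superior",
# which is exactly the comparison rule STP applies.

# Constructed topology; the bridge priority doubles as the bridge ID.
PRIORITY = {"A": 0, "B": 1, "C": 2}
LINKS = [  # (bridge, port, bridge, port, path cost)
    ("A", "AP1", "B", "BP1", 5),
    ("A", "AP2", "C", "CP1", 10),
    ("B", "BP2", "C", "CP2", 4),
]


def run_stp(priority, links, max_rounds=20):
    """Return (roles, sent): roles maps (bridge, port) to 'root', 'designated'
    or 'blocked'; sent holds the BPDU each designated port advertises."""
    peer = {}  # (bridge, port) -> (peer bridge, peer port, path cost of the port)
    for b1, p1, b2, p2, cost in links:
        peer[(b1, p1)] = (b2, p2, cost)
        peer[(b2, p2)] = (b1, p1, cost)

    # Initial state (Table 1-4): every port advertises its own bridge as root.
    sent = {bp: (priority[bp[0]], 0, priority[bp[0]], bp[1]) for bp in peer}
    roles = {}
    for _ in range(max_rounds):
        new_sent, new_roles = {}, {}
        for b in priority:
            own_ports = [bp for bp in peer if bp[0] == b]
            # BPDU received on each port; root ports and blocked ports send nothing.
            raw = {bp: sent.get(peer[bp][:2]) for bp in own_ports}
            # Root port selection: add the receiving port's own path cost to the
            # advertised root path cost, then pick the superior candidate.
            cand = {bp: (r[0], r[1] + peer[bp][2], r[2], r[3])
                    for bp, r in raw.items() if r is not None}
            best = min(cand, key=cand.get, default=None)
            if best is None or priority[b] <= cand[best][0]:
                root_id, rpc, root_port = priority[b], 0, None  # b is the root bridge
            else:
                root_id, rpc, root_port = cand[best][0], cand[best][1], best
            for bp in own_ports:
                calc = (root_id, rpc, priority[b], bp[1])  # BPDU b would send here
                if bp == root_port:
                    new_roles[bp] = "root"
                elif raw[bp] is None or calc < raw[bp]:
                    new_roles[bp] = "designated"  # calculated BPDU is superior
                    new_sent[bp] = calc
                else:
                    new_roles[bp] = "blocked"     # received BPDU is superior
        if new_roles == roles and new_sent == sent:
            break  # converged: no role or advertised BPDU changed this round
        roles, sent = new_roles, new_sent
    return roles, sent


if __name__ == "__main__":
    roles, sent = run_stp(PRIORITY, LINKS)
    for (bridge, port), role in sorted(roles.items()):
        print(f"Device {bridge} port {port}: {role} {sent.get((bridge, port), '')}")
```

The result matches the tables: Device A (smallest bridge ID) is the root and both its ports are designated; BP1 is Device B's root port; on Device C the root port moves from CP1 to CP2 once B's BPDU {0, 5, 1, BP2} arrives, because 5 + 4 = 9 beats 0 + 10, and CP1 is blocked because the BPDU it receives from AP2 is superior to the one C could designate there.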
If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device generates configuration BPDUs with itself as the root bridge and sends configuration BPDUs and TCN BPDUs.
In RSTP, the state of a root port can transit fast under the following conditions: the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data. In RSTP, the state of a designated port can transit fast under the following conditions: the designated port is an edge port or a port connected with a point-to-point link.
Figure 1-4 Basic MSTP terminologies (figure labels: Region A0: VLAN 1 mapped to MSTI 1, VLAN 2 mapped to MSTI 2, other VLANs mapped to CIST; Region B0: VLAN 1 mapped to MSTI 1; Region D0: VLAN 2 mapped to MSTI 2, VLAN 1 mapped to MSTI 1, B ... other VLANs mapped to CIST as the regional root bridge...)
An internal spanning tree (IST) is a spanning tree in an MST region. ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST) of the entire switched network. An IST is a special MSTI; it is a branch of the CIST in the MST region. As shown in Figure 1-4, each MST region has an IST, which is a branch of the CIST.
As shown in Figure 1-5, switch A, switch B, switch C, and switch D form an MST region. Port 1 and port 2 on switch A connect upstream to the common root. Port 5 and port 6 on switch C form a loop. Port 3 and port 4 on switch D connect downstream to other MST regions.
Table 1-6 Combinations of port states and port roles
Port role columns: Root/master port, Designated port, Alternate port, Backup port, Boundary port
Port state rows:
Forwarding   √  √  √  —  —
Learning     √  √  √  —  —
Discarding   √  √  √  √ ...
MSTP is compatible with both STP and RSTP. That is, MSTP-enabled switches can recognize the protocol packets of STP and RSTP and use them for spanning tree calculation. In addition to the basic MSTP functions, H3C series switches also provide the following functions for users to manage their switches.
Task   Remarks
Enabling MSTP   Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP after other related configurations are performed.
Configuring an MST Region   Required
Specifying the Current Switch as a Root Bridge/Secondary Root Bridge   Required
Configuring the Bridge Priority of the Current...   Optional
To do...   Use the command...   Remarks
Enter system view   system-view   —
Enter MST region view   stp region-configuration   —
Configure the name of the MST region   region-name name   Required. The default MST region name of a switch is its MAC address.
...   instance instance-id vlan vlan-list...   Required
802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-MSTI mapping table, and revision level. The H3C series support only the MST region name, VLAN-to-MSTI mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
Specify the current switch as the secondary root bridge of a spanning tree
Follow these steps to specify the current switch as the secondary root bridge of a spanning tree:
To do...   Use the command...   Remarks
Enter system view   system-view   —
Specify the current switch as...   stp [ instance instance-id ] root
...
Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different MSTIs.
The port recognizes and sends MSTP packets in legacy format. In this case, the port can only communicate with the peer through packets in legacy format. If packets in dot1s format are received, the port turns to the discarding state to prevent a network storm.
When a port operates in the 802.1s mode:
The port recognizes and sends MSTP packets in dot1s format.
STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices. If STP-enabled switches exist in a switched network, you can use the stp mode stp command to configure an MSTP-enabled switch to operate in STP-compatible mode.
RSTP-compatible mode, where the ports of a switch send RSTP BPDUs to neighboring devices.
To do...   Use the command...   Remarks
Configure the maximum hop count of the MST region   stp max-hops hops   Required. By default, the maximum hop count of an MST region is 20.
The bigger the maximum hop count, the larger the MST region is. Note that only the maximum hop settings on the switch operating as a region root can limit the size of the MST region.
Configuration procedure
Follow these steps to configure MSTP time-related parameters:
To do...   Use the command...   Remarks
Enter system view   system-view   —
Configure the forward delay parameter   stp timer forward-delay centiseconds   Required. The forward delay parameter defaults to 1,500 centiseconds (namely, 15 seconds).
Configure the hello time parameter   Required. The hello time parameter defaults to...
Configuration example
# Configure the forward delay parameter to be 1,600 centiseconds, the hello time parameter to be 300 centiseconds, and the max age parameter to be 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge).
<Sysname>...
To do...   Use the command...   Remarks
Enter system view   system-view   —
Configure the maximum transmitting rate for specified ports   stp interface interface-list transmit-limit packetnum   Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10.
Configure the maximum transmitting rate in Ethernet port view
Follow these steps to configure the maximum transmitting rate in Ethernet port view:
To do...
To do...   Use the command...   Remarks
Configure the specified ports as edge ports   stp interface interface-list edged-port enable   Required. By default, all the Ethernet ports of a switch are non-edge ports.
Configure a port as an edge port in Ethernet port view
Follow these steps to configure a port as an edge port in Ethernet port view:
To do...
You can determine whether or not the link connected to a port is a point-to-point link in one of the following two ways.
Specify whether the link connected to a port is a point-to-point link in system view
Follow these steps to specify whether the link connected to a port is a point-to-point link in system view:
To do...
Enabling MSTP
Configuration procedure
Follow these steps to enable MSTP in system view:
To do...   Use the command...   Remarks
Enter system view   system-view   —
Enable MSTP   stp enable   Required. MSTP is disabled by default.
...   Optional. By default, MSTP is enabled on all ports after you enable MSTP in system view.
[Sysname-GigabitEthernet1/0/1] stp disable
Configuring Leaf Nodes
Complete the following tasks to configure leaf nodes:
Task   Remarks
Enabling MSTP   Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP after performing other configurations.
Configuring an MST Region   Required
Configuring How a Port Recognizes and Sends...   Optional
Configuring the Maximum Transmitting Rate on the Current Port
Refer to Configuring the Maximum Transmitting Rate on the Current Port.
Configuring a Port as an Edge Port
Refer to Configuring the Current Port as an Edge Port.
Configuring the Path Cost for a Port
The path cost parameter reflects the rate of the link connected to the port.
(Path cost table; columns Latency/Rate, Operation mode (half-/full-duplex), 802.1D-1998 standard, IEEE 802.1t standard; recoverable cells: Full-duplex 2,000; Aggregated link 2 ports 1,000; 10 Gbps; Aggregated link 3 ports; Aggregated link 4 ports)
Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] stp instance 1 cost 2000
Configuration example (B)
# Configure the path cost of GigabitEthernet 1/0/1 in MSTI 1 to be calculated by the MSTP-enabled switch according to the IEEE 802.1D-1998 standard.
Perform this configuration in system view
<Sysname>...
Changing port priority of a port may change the role of the port and put the port into state transition. A smaller port priority value indicates a higher possibility for the port to become the root port. If all the ports of a switch have the same port priority value, the port priorities are determined by the port indexes.
To do...   Use the command...   Remarks
Enter system view   system-view   —
Perform the mCheck operation   stp [ interface interface-list ] mcheck   Required
Perform the mCheck operation in Ethernet port view
Follow these steps to perform the mCheck operation in Ethernet port view:
To do...
Root guard
A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology jitter to occur.
maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within the period.
BPDU dropping
In an STP-enabled network, some users may send BPDU packets to the switch continuously in order to destroy the network.
To do...   Use the command...   Remarks
Enter system view   system-view   —
Enter Ethernet port view   interface interface-type interface-number   —
Enable the root guard function on the current port   stp root-protection   Required. The root guard function is disabled by default.
Configuration example
# Enable the root guard function on GigabitEthernet 1/0/1.
Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
To do...   Use the command...   Remarks
Enter system view   system-view   —
Enable the TC-BPDU attack guard function   stp tc-protection enable   Required. The TC-BPDU attack guard function is disabled by default.
Set the maximum times that a switch can remove the MAC...   stp tc-protection threshold...
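The two guard functions described above (root guard on a port, and the TC-BPDU attack guard with its flush threshold) can be modelled to make their effect concrete. The following is an added example, not code from the H3C manual: the BPDU tuple layout, the "discarding" transition on a root-guarded port, and the 10-second window length used for the TC-BPDU counter are constructed for the simulation (the switch's real period is not stated on this page); the threshold of 100 and the storm of 200 TC-BPDUs are the figures the text uses.

```python
"""Root guard and TC-BPDU attack guard behaviour.  Added example, not part of
the H3C manual; timing values and BPDU layout are constructed."""

# Constructed BPDU shape: (root bridge priority, root path cost,
# designated bridge priority, designated port).  Smaller tuple == superior.


class RootGuardPort:
    """A designated port with 'stp root-protection' enabled."""

    def __init__(self, name, current_root_bpdu):
        self.name = name
        self.current_root_bpdu = current_root_bpdu
        self.state = "forwarding"
        self.events = []

    def receive(self, bpdu):
        """Return the port state after processing a received configuration BPDU."""
        # A BPDU superior to the current root's would trigger a new root election;
        # root guard instead takes the port out of the active topology.
        if bpdu < self.current_root_bpdu:
            self.state = "discarding"
            self.events.append(f"{self.name}: superior BPDU {bpdu} received, port set to discarding")
        return self.state


class TcProtection:
    """'stp tc-protection' with a threshold: at most `threshold` MAC/ARP flushes
    per period, however many TC-BPDUs arrive in that period."""

    def __init__(self, threshold, period_seconds=10.0):  # period is an assumption
        self.threshold = threshold
        self.period = period_seconds
        self.window_start = None
        self.flushes_in_window = 0
        self.suppressed = 0

    def on_tc_bpdu(self, now):
        """Return True if the MAC address table and ARP entries are removed,
        False if the flush is suppressed by the guard."""
        if self.window_start is None or now - self.window_start >= self.period:
            self.window_start, self.flushes_in_window = now, 0  # new period
        if self.flushes_in_window < self.threshold:
            self.flushes_in_window += 1
            return True
        self.suppressed += 1
        return False


def simulate_tc_storm(count=200, threshold=100):
    """Constructed storm: `count` TC-BPDUs 10 ms apart, all inside one period.
    Returns (flushes performed, flushes suppressed)."""
    guard = TcProtection(threshold)
    flushes = sum(guard.on_tc_bpdu(now=i * 0.01) for i in range(count))
    return flushes, guard.suppressed


if __name__ == "__main__":
    port = RootGuardPort("GigabitEthernet1/0/1", current_root_bpdu=(4096, 0, 4096, "core"))
    print(port.receive((0, 0, 0, "rogue")), port.events)
    print("TC storm -> flushes, suppressed:", simulate_tc_storm())
```

With the text's figures the storm of 200 TC-BPDUs produces exactly 100 flushes; the remaining 100 are suppressed until the next period begins, and a root-guarded port that sees a BPDU superior to the current root's goes to discarding instead of letting the root bridge be re-elected.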
checking the configuration IDs of the BPDUs between them (A configuration ID contains information such as region ID and configuration digest). As some other manufacturers' switches adopt proprietary spanning tree protocols, they cannot communicate with the other switches in an MST region even if they are configured with the same MST region-related settings as the other switches in the MST region.
To do...   Use the command...   Remarks
Display the current configuration   display current-configuration   Available in any view
When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
Configuration prerequisites
As shown in Figure 1-8, an H3C series switch is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way it implements rapid transition on designated ports.
The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
Configuring VLAN-VPN Tunnel
Introduction
The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks, through which spanning trees can be generated across these customer networks independently of those of the service provider network.
To do...   Use the command...   Remarks
Enable the VLAN-VPN tunnel function globally   vlan-vpn tunnel   Required. The VLAN-VPN tunnel function is disabled by default.
Enter Ethernet port view   interface interface-type interface-number   Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel...
<Sysname> system-view
[Sysname] stp instance 1 portlog
# Enable log/trap output for the ports of all instances.
<Sysname> system-view
[Sysname] stp portlog all
Enabling Trap Messages Conforming to 802.1d Standard
A switch sends trap messages conforming to the 802.1d standard to the network management device in the following two cases:
The switch becomes the root bridge of an instance.
MSTP Configuration Example
Network requirements
Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different MSTIs. The detailed configurations are as follows:
All switches in the network belong to the same MST region.
Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively.
# Specify Switch A as the root bridge of MSTI 1.
[Sysname] stp instance 1 root primary
Configure Switch B
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the region name, VLAN-to-MSTI mapping table, and revision level for the MST region.
[Sysname-mst-region] region-name example
[Sysname-mst-region] instance 1 vlan 10
[Sysname-mst-region] instance 3 vlan 30
...
VLAN-VPN tunnel Configuration Example Network requirements S5600 switches operate as the access devices of the service provider network, that is, Switch C and Switch D in the network diagram. Switch A and Switch B are the access devices for the customer networks. Switch C and Switch D are connected to each other through the configured trunk ports of the switches.
[Sysname] vlan-vpn tunnel
# Add GigabitEthernet 1/0/1 to VLAN 10.
[Sysname] vlan 10
[Sysname-Vlan10] port GigabitEthernet 1/0/1
[Sysname-Vlan10] quit
# Disable STP on GigabitEthernet 1/0/1 and then enable the VLAN VPN function on it.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port access vlan 10
[Sysname-GigabitEthernet1/0/1] vlan-vpn enable
[Sysname-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port.
Table of Contents
1 IP Routing Protocol Overview 1-1
  Introduction to IP Route and Routing Table 1-1
    IP Route 1-1
    Routing Table 1-1
  Routing Protocol Overview 1-3
    Static Routing and Dynamic Routing 1-3
    Classification of Dynamic Routing Protocols 1-3
    Routing Protocols and Routing Priority 1-4
    Load Sharing and Route Backup 1-4
    Routing Information Sharing 1-5
  Displaying and Maintaining a Routing Table 1-5
...
    OSPF Route Calculation 4-1
    Basic OSPF Concepts 4-2
    OSPF Area Partition and Route Summarization 4-4
    OSPF Network Type 4-8
    DR/BDR 4-9
    OSPF Features 4-11
  OSPF Configuration Task List 4-11
  Basic OSPF Configuration 4-12
    Configuration Prerequisites 4-12
    Basic OSPF Configuration 4-12
  OSPF Area Attribute Configuration 4-13
    Configuration Prerequisites 4-14
    Configuring OSPF Area Attributes 4-14
  OSPF Network Type Configuration 4-14
...
    Configuration Prerequisites 6-6
    Configuring an ip-prefix list 6-6
  AS Path List Configuration 6-6
  Community List Configuration 6-7
  Displaying IP Routing Policy 6-7
  IP Routing Policy Configuration Example 6-7
    Configuring to Filter Received Routing Information 6-7
    Controlling RIP Packet Cost to Implement Dynamic Route Backup 6-9
  Troubleshooting IP Routing Policy 6-13
7 Route Capacity Configuration 7-1
  Route Capacity Configuration Overview 7-1
...
IP Routing Protocol Overview
Go to these sections for information you are interested in:
Introduction to IP Route and Routing Table
Routing Protocol Overview
Displaying and Maintaining a Routing Table
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
host or router resides. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network segment where the destination host or router resides is 129.102.0.0. A mask consists of some consecutive 1s, represented either in dotted decimal notation or by the number of the consecutive 1s in the mask.
17.0.0.0   17.0.0.1
Routing Protocol Overview
Static Routing and Dynamic Routing
Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt to network topology changes automatically, so you must perform the routing configuration again whenever the network topology changes.
Routing Protocols and Routing Priority Different routing protocols may find different routes (including static routes) to the same destination. However, not all of those routes are optimal. In fact, at a particular moment, only one protocol can uniquely determine the current optimal routing to the destination. For the purpose of route selection, each routing protocol (including static routes) is assigned a priority.
When the primary route recovers, the route selection process is performed again and the primary route is selected again to forward packets. Routing Information Sharing As different routing protocols use different algorithms to calculate routes, they may discover different routes. In a large network with multiple routing protocols, it is required for routing protocols to share their routing information.
Static Route Configuration
When configuring a static route, go to these sections for information you are interested in:
Introduction to Static Route
Static Route Configuration
Displaying and Maintaining Static Routes
Static Route Configuration Example
Troubleshooting a Static Route
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
Default Route
To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, the default route, if one exists, is selected to forward the packet. If there is no default route, the packet is discarded and an ICMP Destination Unreachable or Network Unreachable message is returned to the source.
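The lookup rules in the routing table sections above (mask as a run of consecutive 1s, network segment derived from address and mask, longest match, protocol preference for competing routes, and default route fallback) fit in one small model. The following is an added example, not code from the H3C manual: the routes, next hops, protocol names and preference values are constructed for the illustration (the switch's real default preference per protocol is not given on this page); the 129.102.8.10 / 255.255.0.0 case is the one the text uses.

```python
"""Routing table model: mask validation, longest-prefix lookup, protocol
preference and default route.  Added example, not part of the H3C manual."""
import ipaddress
from dataclasses import dataclass


def mask_to_prefix_length(mask: str) -> int:
    """Convert a dotted-decimal mask to its prefix length. A mask must be a run
    of consecutive 1s followed by 0s, so 255.0.255.0 is rejected."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def network_segment(address: str, mask: str) -> str:
    """Apply the mask to an address: 129.102.8.10 / 255.255.0.0 -> 129.102.0.0."""
    net = ipaddress.IPv4Network(f"{address}/{mask_to_prefix_length(mask)}", strict=False)
    return str(net.network_address)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: str
    protocol: str
    preference: int  # lower value is preferred, as the text states


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, destination, mask, next_hop, protocol, preference):
        prefix = mask_to_prefix_length(mask)
        net = ipaddress.IPv4Network(f"{destination}/{prefix}", strict=False)
        self.routes.append(Route(net, next_hop, protocol, preference))

    def lookup(self, destination):
        """Return the selected Route, or None when nothing matches (the packet is
        discarded and an ICMP unreachable message goes back to the source)."""
        addr = ipaddress.IPv4Address(destination)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        # Longest prefix first; among equal prefixes the lowest preference wins.
        return min(matches, key=lambda r: (-r.network.prefixlen, r.preference))


def build_example_table(with_default=True):
    """Constructed sample table; values are illustrative, not the switch's."""
    rt = RoutingTable()
    rt.add("129.102.0.0", "255.255.0.0", "10.0.0.1", "static", 60)
    rt.add("129.102.8.0", "255.255.255.0", "10.0.0.2", "rip", 100)
    rt.add("17.0.0.0", "255.0.0.0", "10.0.0.3", "rip", 100)      # same prefix,
    rt.add("17.0.0.0", "255.0.0.0", "10.0.0.4", "static", 60)    # two protocols
    if with_default:
        rt.add("0.0.0.0", "0.0.0.0", "10.0.0.254", "static", 60)  # default route
    return rt


if __name__ == "__main__":
    rt = build_example_table()
    for dst in ("129.102.8.10", "129.102.9.1", "17.1.1.1", "8.8.8.8"):
        r = rt.lookup(dst)
        print(dst, "->", r.next_hop if r else "unreachable", r.protocol if r else "")
```

129.102.8.10 matches both the /16 static route and the /24 RIP route and takes the /24 because the longer mask wins regardless of preference; 17.1.1.1 matches two routes of equal length and takes the static one because its preference value is lower; 8.8.8.8 matches only the default route, and without one the lookup returns nothing and the packet is dropped.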
To do...   Use the command...   Remarks
Display the brief information of a routing table   display ip routing-table
Display the detailed information of a routing table   display ip routing-table verbose
Display the information of static routes   display ip routing-table protocol static [ inactive | verbose ]   Available in
Delete all static routes...
Perform the following configurations on the switch.
# Approach 1: Configure static routes on Switch A.
<SwitchA> system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
# Approach 2: Configure a static route on Switch A.
<SwitchA>...
RIP Configuration
When configuring RIP, go to these sections for information you are interested in:
RIP Overview
RIP Configuration Task List
RIP Configuration Example
Troubleshooting RIP Configuration
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination.
Metric: Cost from the local router to the destination.
Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
Task   Remarks
Configuring Basic RIP Functions:
  Enabling RIP on the interfaces attached to a specified network segment   Required
  Setting the RIP operating status on an interface   Optional
  Specifying the RIP version on an interface   Optional
  Setting the additional routing metrics of an interface   Optional
  Configuring RIP route summarization   Optional
...
Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols.
Redistribute external routes in an environment with multiple routing protocols.
Configuration Prerequisites
Before configuring RIP route control, perform the following tasks:
Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each...
To do...   Use the command...   Remarks
Enter system view   system-view   —
Enter RIP view   —
Enable RIP-2 automatic route summarization   summary   Required. Enabled by default.
Disabling the router from receiving host routes
In some special cases, the router can receive a lot of host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources.
The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and routes learned from neighbors.
RIP Network Adjustment and Optimization
In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented:
Changing the convergence speed of the RIP network by adjusting RIP timers;
...
Split horizon cannot be disabled on a point-to-point link.
Configuring RIP-1 packet zero field check
Follow these steps to configure RIP-1 packet zero field check:
To do...   Use the command...   Remarks
Enter system view   system-view   —
Enter RIP view   —
Enable the check of the must be zero...   checkzero   Required
...
Configuring RIP to unicast RIP packets
Follow these steps to configure RIP to unicast RIP packets:
To do...   Use the command...   Remarks
Enter system view   system-view   —
Enter RIP view   —
Configure RIP to unicast RIP packets   peer ip-address   Required. When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to...
Switch C   Vlan-int1   110.11.2.3/24
           Vlan-int4   117.102.0.1/16
Configuration procedure
Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly.
Configure Switch A:
# Configure RIP.
OSPF Configuration
When configuring OSPF, go to these sections for information you are interested in:
OSPF Overview
OSPF Configuration Task List
Displaying and Maintaining OSPF Configuration
OSPF Configuration Examples
Troubleshooting OSPF Configuration
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
link state advertisement (LSA). Routers on the network exchange LSAs with each other by transmitting protocol packets. Thus, each router receives the LSAs of other routers and all these LSAs form the LSDB of the router. An LSA describes the network topology around a router, whereas an LSDB describes the network topology of the whole network.
because the header of an LSA occupies only a small portion of the LSA. With the header, the peer router can judge whether it already has the LSA or not.
LSR packet: After exchanging DD packets, the two routers know which LSAs of the peer router are missing from the local LSDB, and send link state request (LSR) packets requesting the missing LSAs from the peer.
Adjacency: A relationship formed between selected neighboring routers for the purpose of exchanging routing information. Not every pair of neighboring routers become adjacent, which depends on network types. Only by synchronizing the LSDB via exchanging DD packets and LSAs can two routers become adjacent.
An area border router belongs to more than two areas, one of which must be the backbone area. It connects the backbone area to a non-backbone area. The connection between an area border router and the backbone area can be physical or logical.
Backbone router
At least one interface of a backbone router must be attached to the backbone area.
In practice, physical limitations may prevent these requirements from being met. In this case, configuring OSPF virtual links is a solution. Virtual link: A virtual link is established between two area border routers through a non-backbone area and must be configured on both ABRs to take effect.
Note the following when configuring a (totally) stub area:
The backbone area cannot be a (totally) stub area.
The stub command must be configured on all routers in a (totally) stub area.
A (totally) stub area cannot have an ASBR, because AS external routes cannot be distributed into a stub area.
Figure 4-6 Route summarization (Router A in Area 1 holds 19.1.1.0/24, 19.1.2.0/24, 19.1.3.0/24, ...; Router B in Area 0 receives the summary 19.1.0.0/16)
OSPF has two types of route summarization:
ABR route summarization: To distribute routing information to other areas, an ABR generates Type-3 LSAs on a per network segment basis for an attached non-backbone area.
Broadcast: If Ethernet or FDDI is adopted, OSPF defaults the network type to broadcast. In a broadcast network, protocol packets are sent in multicast (224.0.0.5 and 224.0.0.6) by default. Non-broadcast multi-access (NBMA): If Frame Relay, ATM, or X.25 is adopted, OSPF defaults the network type to NBMA.
exchanged between them. Once the DR fails, the BDR becomes the DR. Since no re-election is needed and the adjacencies already exist, the switchover is very fast. A new BDR must then be elected. Although that election also takes a relatively long time, route calculation is not affected in the meantime.
OSPF Features The switches support the following OSPF features: Stub area: A stub area is defined to reduce the cost for the routers in the area, which do not receive AS external (ASE) routes. NSSA: An NSSA relaxes the stub-area restriction that the area may not contain an ASBR. OSPF multi-process: Multiple OSPF processes can run on one router.
Task / Remarks
Configuring the LSA transmission delay: Optional
Configuring the SPF calculation interval: Optional
Disabling OSPF packet transmission on an interface: Optional
Configuring OSPF authentication: Optional
Configuring the MTU field in DD packets: Optional
Enabling OSPF logging of neighbor state changes: Optional
Configuring OSPF network management...
To do... / Use the command... / Remarks
Enter system view: system-view
Configure the router ID: router id router-id (Optional. If multiple OSPF processes run on a router, you are recommended to use the router-id keyword in the ospf command to specify different router IDs for different processes.)
Configuration Prerequisites Before configuring OSPF area attributes, perform the following tasks: Configuring the network layer addresses of interfaces so that the adjacent nodes are reachable to each other at the network layer Performing basic OSPF configuration Configuring OSPF Area Attributes Follow these steps to configure OSPF area attributes: To do...
reachable to each other through a virtual circuit (fully meshed). However, in many cases this cannot be achieved, and you must use a command to change the network type forcibly. Configure the network type of an interface as P2MP if not all routers are directly reachable on an NBMA network.
P2MP (required only when the interface sends packets in unicast mode): Since neighbor routers cannot be discovered by broadcasting Hello packets, you must manually specify the IP address of the neighbor router. For an NBMA network, you can also specify whether the neighbor has the right to take part in DR election.
Configuration Prerequisites Before configuring OSPF route control, perform the following tasks: Configuring the network layer addresses of interfaces so that the adjacent nodes are reachable to each other at the network layer Completing basic OSPF configuration Configuring matching rules for routing information Configuring OSPF Route Summarization The configuration of OSPF route summarization includes: Configuring ABR route summarization,...
OSPF is a dynamic routing protocol based on link state, with routing information carried in LSAs. Therefore, OSPF cannot filter individual advertised or received LSAs. The filter-policy import command actually filters the routes calculated by the SPF algorithm (that is, routes in the OSPF routing table): only routes passing the filter are added to the IP routing table.
To do... / Use the command... / Remarks
Enter OSPF view: ospf [ process-id [ router-id router-id ] ]
Configure the maximum number of OSPF ECMP routes: multi-path-number value (Optional; 4 by default)
Configuring OSPF to Redistribute External Routes Follow these steps to configure OSPF to redistribute external routes: To do...
OSPF Network Adjustment and Optimization You can adjust and optimize an OSPF network in the following aspects: By changing the OSPF packet timers, you can adjust the convergence speed of the OSPF network and the network load brought by OSPF packets. On some low-speed links, you need to consider the delay experienced when the interfaces transmit LSAs.
To do... / Use the command... / Remarks
Configure the interval for retransmitting an LSA on an interface: ospf timer retransmit interval (Optional; 5 seconds by default)
Default Hello and Dead timer values will be restored once the network type is changed. Do not set an LSA retransmission interval that is too short.
To do... / Use the command... / Remarks
Configure the SPF calculation interval: spf-schedule-interval interval (Optional; 5 seconds by default)
Disabling OSPF Packet Transmission on an Interface: To prevent OSPF routing information from being acquired by the routers on a certain network, use the silent-interface command to disable OSPF packet transmission on the corresponding interface. Because no Hello packets leave such an interface, no neighbor can form on it, which also keeps a rogue OSPF speaker on an untrusted segment from ever becoming adjacent.
To do... / Use the command... / Remarks
Enter interface view: interface interface-type interface-number
Configure the authentication mode of the OSPF interface: ospf authentication-mode { simple password | md5 key-id key } (Optional. By default, OSPF packets are not authenticated on an interface.)
The simple mode carries the password in cleartext in every OSPF packet, so anyone who can capture traffic on the segment can read it; use md5 where possible. All routers on a segment must use the same mode, key ID and key, or no adjacency forms.
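The following is an added example, not code from the H3C manual: it models the cryptographic authentication scheme (RFC 2328, Appendix D) that the md5 keyword turns on, so that the difference from the cleartext simple mode is visible. The sender appends an MD5 digest of the packet plus the zero-padded key; the receiver recomputes it with the key selected by the key ID and rejects replays using the cryptographic sequence number. Router IDs, the key and the Hello body are constructed values.

```python
"""Added example (not H3C code): the OSPF cryptographic authentication
scheme behind 'ospf authentication-mode md5', per RFC 2328 Appendix D."""
import hashlib
import hmac
import struct

OSPF_HDR_LEN = 24
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
MD5_LEN = 16


def _pad_key(key: bytes) -> bytes:
    """The shared key is right-padded with zeros to 16 octets."""
    if len(key) > MD5_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 octets")
    return key.ljust(MD5_LEN, b"\x00")


def build_hello(router_id: int, area_id: int, body: bytes,
                key_id: int, seq: int, key: bytes) -> bytes:
    """Build a Hello (type 1) with AuType 2 and append the MD5 trailer.
    With AuType 2 the 8-octet authentication field carries 16 reserved bits,
    the key ID, the digest length (16) and a 32-bit cryptographic sequence
    number. The header checksum is left at zero; it is not used with MD5."""
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    header = struct.pack("!BBHIIHH8s", 2, 1, OSPF_HDR_LEN + len(body),
                         router_id, area_id, 0, AUTH_CRYPTO, auth)
    packet = header + body
    # The digest covers the whole packet followed by the padded key and is
    # appended after the packet; the length field does not count it.
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify(frame: bytes, keys: dict, last_seq: dict):
    """Receiver-side check. keys maps key ID -> key; last_seq records the
    highest sequence number accepted per router ID (replay protection)."""
    if len(frame) < OSPF_HDR_LEN:
        return False, "truncated header"
    ver, _ptype, length, router_id, _area, _csum, au_type, auth = \
        struct.unpack("!BBHIIHH8s", frame[:OSPF_HDR_LEN])
    if ver != 2:
        return False, "not OSPFv2"
    if au_type != AUTH_CRYPTO:
        # An unauthenticated packet, or one using the cleartext 'simple'
        # password, is rejected on an interface configured for md5.
        return False, "expected cryptographic authentication, got AuType %d" % au_type
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != MD5_LEN or len(frame) != length + MD5_LEN:
        return False, "bad length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "digest mismatch"
    # RFC 2328 D.3: a sequence number lower than the last accepted one from
    # this router is a replay; an equal value is allowed because all packet
    # types share the counter.
    if seq < last_seq.get(router_id, 0):
        return False, "replayed sequence number"
    last_seq[router_id] = seq
    return True, "ok"


# Constructed Hello body: mask /24, hello 10 s, options E, priority 1,
# dead 40 s, no DR/BDR yet.
SAMPLE_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)

if __name__ == "__main__":
    keys = {1: b"s3cret"}
    seen = {}
    hello = build_hello(0x0A0A0A01, 0, SAMPLE_BODY, 1, 100, b"s3cret")
    print(verify(hello, keys, seen))              # (True, 'ok')
    print(verify(hello, {1: b"wrong"}, {}))       # (False, 'digest mismatch')
    older = build_hello(0x0A0A0A01, 0, SAMPLE_BODY, 1, 99, b"s3cret")
    print(verify(older, keys, seen))              # (False, 'replayed sequence number')
```

The sequence number only protects against replay within the lifetime of one key; rotating the key ID and key on all routers of the segment is what limits the damage if a key leaks.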
Configuring OSPF Network Management Follow these steps to configure OSPF network management (NM):
To do... / Use the command... / Remarks
Enter system view: system-view
Configure OSPF MIB binding: ospf mib-binding process-id (Optional. By default, the OSPF MIB is bound to the first enabled OSPF process.)
command on Switch D to display its neighbors. Note that the original BDR (Switch C) has become the DR and Switch B has become the BDR. If all Ethernet switches on the network are removed from and then added to the network again, Switch B will be elected as the DR (with a priority of 200) and Switch A as the BDR (with a priority of 100).
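The behaviour described above, as an added example that is not part of the manual: a single-segment model of the DR/BDR election (RFC 2328 section 9.4) showing why it is not preemptive. Router IDs and the priorities are constructed to match the scenario in the text (Switch B 200, Switch A 100, Switch C and D 1); the real election runs independently on every router using the roles each neighbor claims in its Hellos, which this model collapses into the current_dr and current_bdr arguments.

```python
"""Added example (not H3C code): a single-segment model of the OSPF DR/BDR
election (RFC 2328 section 9.4) showing why it is not preemptive."""


def elect(priorities, current_dr=None, current_bdr=None):
    """priorities: {router_id: priority}. Routers with priority 0 are not
    eligible. current_dr / current_bdr are the roles currently claimed on
    the segment (None at cold start). Returns (dr, bdr); ties are broken
    by the higher router ID, so router IDs are compared as integers."""
    eligible = {rid: p for rid, p in priorities.items() if p > 0}

    def best(candidates):
        return max(candidates, key=lambda rid: (eligible[rid], rid)) if candidates else None

    # Step 1: choose the BDR among routers not claiming to be DR, preferring
    # one that already claims to be BDR.
    not_dr = [r for r in eligible if r != current_dr]
    bdr = best([r for r in not_dr if r == current_bdr]) or best(not_dr)

    # Step 2: a router already claiming to be DR keeps the role even if a
    # higher-priority router has appeared; otherwise the BDR is promoted.
    dr = best([r for r in eligible if r == current_dr]) or bdr

    # Step 3: if the BDR was promoted, elect a new BDR from the rest.
    if dr is not None and dr == bdr:
        bdr = best([r for r in eligible if r != dr])
    return dr, bdr


# Constructed segment: router IDs as 32-bit integers, priorities as in the
# text (Switch B 200, Switch A 100, the others 1).
SWITCH_A, SWITCH_B, SWITCH_C, SWITCH_D = 0x01010101, 0x02020202, 0x03030303, 0x04040404
SEGMENT = {SWITCH_A: 100, SWITCH_B: 200, SWITCH_C: 1, SWITCH_D: 1}


def scenario():
    """Returns the (dr, bdr) pairs for: A came up first and is DR with C as
    BDR; A is then removed; finally every switch is restarted at once."""
    running = elect(SEGMENT, current_dr=SWITCH_A, current_bdr=SWITCH_C)
    without_a = {r: p for r, p in SEGMENT.items() if r != SWITCH_A}
    after_loss = elect(without_a, current_dr=SWITCH_A, current_bdr=SWITCH_C)
    cold_start = elect(SEGMENT)
    return running, after_loss, cold_start


if __name__ == "__main__":
    for label, result in zip(("running", "A removed", "cold start"), scenario()):
        print(label, [hex(r) if r else None for r in result])
```

The first result is the point of the example: Switch B, with the highest priority, stays a plain neighbor while Switch A is DR, and only a cold start or the loss of the current DR lets priority decide. Setting priority 0 on interfaces facing hosts that should never become DR is the operational counterpart.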
OSPF parameters on the interconnected interfaces must be consistent:
Area IDs on the interconnected interfaces must be the same.
Network IDs and subnet masks of the interconnected interfaces must be consistent (P2P networks and virtual links excluded).
The interconnected interfaces must have the same network type.
If the network type of the interface on the local router is NBMA, a neighbor must be specified by using the peer command.
If authentication is configured, the authentication mode and key on both interfaces must match, otherwise the packets are discarded and no neighbor relationship forms.
BGP Configuration When configuring BGP, go to these sections for information you are interested in: BGP Overview BGP Configuration Task List Displaying and Maintaining BGP Configuration BGP Configuration Example Troubleshooting BGP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
In BGP, the routers that send BGP messages are known as BGP speakers. A BGP speaker receives and generates new routing information and advertises the information to other BGP speakers. When a BGP speaker receives a route from other AS, if the route is better than the existing routes or the route is new to the BGP speaker, the BGP speaker advertises the route to all other BGP speakers in the AS it belongs to.
Figure 5-2 BGP Open message format. The fields are described as follows. Version: BGP version; for BGP-4, the value is 4. My Autonomous System: local AS number. By comparing this field on both sides, a router determines whether the connection to the BGP peer is EBGP or IBGP. Hold time: negotiated when two BGP speakers set up the connection; each side proposes a value and the smaller one is used.
Total Path Attribute Length: Length (in bytes) of the Path Attributes field. A value of 0 indicates that there is no Path Attributes field in the message. Path Attributes: Attribute list of all the paths related to the NLRI. Each path attribute is a TLV (Type-Length-Value) triplet.
In fact, all BGP route attributes can be classified into the following four categories. Well-known mandatory attributes, which every BGP router must recognize and which must be carried in every Update message that carries routes; an Update without them is in error. Well-known discretionary attributes, which every BGP router must recognize.
AS numbers are listed in order of distance from the local AS: the number of the AS closest to the local AS comes first, as shown in Figure 5-6.
Figure 5-6 AS_PATH attribute (destination 8.0.0.0, AS 10, D=8.0.0.0...)
When a BGP speaker sends a received route to one of its EBGP peers, it sets the NEXT_HOP attribute of the route to the address of its own interface connecting to that EBGP peer. When a BGP speaker sends a route received from one of its EBGP peers to one of its IBGP neighbors, it does not change the NEXT_HOP attribute of the route.
You can force BGP to compare MED values of routes coming from different ASs. LOCAL_PREF: The LOCAL_PREF attribute is only valid among IBGP peers and is not advertised to other ASs. It indicates how preferred a route is within the AS and is used to determine the optimal route for traffic leaving the AS. Among routes received from different IBGP peers for the same destination but with different next hops, the route with the highest LOCAL_PREF value is chosen as the optimal route, other conditions being equal.
BGP Routing Policy
BGP routing policy: A BGP router selects routes in the following order.
1. Drops routes whose NEXT_HOP is unreachable.
2. If a preferred-value is specified, chooses the route with the highest preferred-value.
3. Prefers the route with the highest LOCAL_PREF value.
4. Prefers routes originated by the local router.
5. Prefers the route with the shortest AS path.
BGP route dampening uses a penalty value to judge the stability of a route; a higher penalty indicates a less stable route. Each time a route flaps, BGP adds a fixed penalty of 1000 to the route. When the penalty exceeds the suppression threshold, the route is suppressed: it is neither added to the routing table nor advertised in Update packets to other BGP peers.
Before sending a route with the COMMUNITY attribute to its peers, a BGP router can change the original COMMUNITY attribute of the route. Besides the well-known COMMUNITY attributes, you can also use a COMMUNITY attribute list to define extended COMMUNITY attributes, so as to control the routing policy with more flexibility. Route reflector: To ensure connectivity among the IBGP peers in an AS, you need to make the IBGP peers fully meshed.
Figure 5-12 A cluster containing two RRs. Route reflection is unnecessary for clients that are already fully meshed. You can disable routing information reflection using the corresponding commands provided by the switches. Disabling reflection only applies between clients: routing information is still reflected between a client and a non-client even when reflection is disabled.
To a BGP speaker that does not belong to any confederation, the sub-ASs of a confederation are a whole, and the information about the sub-ASs is invisible to the BGP speaker. The confederation ID, which is usually the corresponding AS number, uniquely identifies a confederation. In Figure 5-13, AS 200 is a confederation ID.
Configuring BGP Multicast Address Family Follow these steps to configure the BGP multicast address family:
To do... / Use the command... / Remarks
Enter system view: system-view
Enter BGP view: bgp as-number
Enter multicast address family view: ipv4-family multicast (Required)
Configuration in multicast address family view is similar to that in BGP view. So, unless otherwise noted, refer to configuration in BGP view for information about the configuration in multicast address family view.
To do... / Use the command... / Remarks
Allow routers that belong to non-directly connected networks to establish EBGP connections: peer group-name ebgp-max-hop [ hop-count ] (Optional. By default, routers that belong to non-directly connected networks cannot establish EBGP connections. You can configure the maximum number of hops of an EBGP connection by specifying the hop-count argument.) Widening the hop count accepts session attempts from farther away, so set it no larger than the real path requires.
Importing Routes With BGP, an AS can advertise its interior routing information to neighboring ASs. However, that interior routing information is not generated by BGP; it is obtained by importing IGP routes into the BGP routing table. Once IGP routing information is imported into the BGP routing table, it is advertised to BGP peers.
information. For example, if automatic route summarization is configured, the routes 160.10.1.0/24, 160.10.2.0/24, and 160.10.3.0/24 in the routing table are summarized into 160.10.0.0/16, which is advertised instead. Manual summarization mode, in which local BGP routes are summarized: BGP summarizes multiple routes into one route.
To do... / Use the command... / Remarks
Enter system view: system-view
Enter BGP view: bgp as-number
Filter the advertised routes: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ] (Required. By default, advertised routes are not filtered.)
Specify a route advertising policy for... (Required. By default, no route...)
To do... / Use the command... / Remarks
Filter the BGP routing information received from a peer/peer group:
Specify an ACL-based BGP route filtering policy for a peer/peer group: peer { group-name | ip-address } filter-policy acl-number import (Required. By default, no ACL-based BGP route filtering policy is configured.)
Specify an AS path ACL-based BGP route filtering policy for a peer/peer group: peer { group-name | ...
The stability of a route is assessed from its behavior over the preceding period. Each time a route flaps, it receives a penalty value. When the penalty value reaches the suppression threshold, the route is suppressed. The penalty value decreases with time. When the penalty value of a suppressed route decreases to the reuse threshold, the route becomes valid again and is advertised again.
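The penalty arithmetic described in the dampening overview and in the paragraph above, as an added example that is not H3C code. The per-flap penalty of 1000 is the value the text gives; the half-life (15 min), reuse (750), suppress (2000) and maximum suppress time (60 min) are assumed defaults, not values from this manual, and the flap times are constructed.

```python
"""Added example (not H3C code): the penalty arithmetic behind BGP route
dampening (RFC 2439). The per-flap penalty of 1000 is from the text; the
half-life, reuse, suppress and max-suppress values are assumed defaults."""
import math

FLAP_PENALTY = 1000


class DampenedRoute:
    def __init__(self, half_life=15 * 60, reuse=750, suppress=2000,
                 max_suppress=60 * 60):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        # The penalty is capped so that a route that stops flapping is never
        # suppressed for longer than max_suppress.
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay(self, now):
        """Exponential decay: the penalty halves every half_life seconds."""
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now

    def flap(self, now):
        """Record a withdrawal/re-advertisement; returns True if suppressed."""
        self._decay(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def advertisable(self, now):
        """True if the route may be installed and advertised at time now."""
        self._decay(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return not self.suppressed

    def seconds_to_reuse(self, now):
        """Seconds until a suppressed route's penalty falls below reuse."""
        self._decay(now)
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def simulate(flap_times, probe_times):
    """Feed a flap sequence (seconds) to one route; return the penalty after
    the last flap, the time until reuse, and whether the route is
    advertisable at each probe instant."""
    route = DampenedRoute()
    for t in flap_times:
        route.flap(t)
    penalty_after_flaps = route.penalty
    time_to_reuse = route.seconds_to_reuse(flap_times[-1])
    probes = {t: route.advertisable(t) for t in probe_times}
    return penalty_after_flaps, time_to_reuse, probes


if __name__ == "__main__":
    penalty, ttr, probes = simulate([0, 60, 120], [121, 1620, 2120])
    print(round(penalty), round(ttr), probes)
```

Three flaps one minute apart push the penalty to roughly 2867, past the suppress threshold, and with these parameters the route stays out of the table for about 29 minutes; a single flap (penalty 1000) never trips the threshold at all, which is why dampening punishes repeated flapping rather than one outage.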
To do... / Use the command... / Remarks
Configure the default local MED value: default med med-value (Optional. By default, the med-value argument is 0.)
Configure the MED attribute, permitting comparison of the MED values of routes coming from different ASs: compare-different-as-med (Optional. By default, the MED values of routes coming from...
Using a routing policy, you can configure the preference for the routes that match the filtering conditions. For unmatched routes, the default preference is adopted. If other conditions are the same, the route with the lowest MED value is preferred as the exit route of the AS.
authentication password for the TCP connection, and the authentication is performed by TCP (an MD5 signature on every segment). If authentication fails, the TCP connection cannot be established; the same password must be configured on both peers. Configuration Prerequisites Before adjusting the BGP clock, enable basic BGP functions. Before configuring the BGP clock and authentication, make sure the following information is available: Value of the BGP timer; Interval for sending the update packets; MD5 authentication password...
The reasonable maximum interval for sending Keepalive messages is one third of the Holdtime, and the interval cannot be less than 1 second; therefore, if the Holdtime is not 0, it must be at least 3 seconds. BGP soft reset refreshes the BGP routing table and applies a new routing policy without tearing down the BGP connections.
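The MD5 authentication mentioned above is the TCP MD5 signature option of RFC 2385, shown here as an added example that is not H3C code. The digest covers the IP pseudo-header, the fixed TCP header with the checksum zeroed, the payload and the password, so a segment with a spoofed source address or altered payload fails the check, and a receiver with a password configured drops unsigned segments. The TCP checksum is left at zero in both directions for simplicity; the addresses and the BGP OPEN payload are constructed.

```python
"""Added example (not H3C code): the TCP MD5 signature option (RFC 2385)
that BGP peer authentication turns on. The TCP checksum is left at zero."""
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19
TCP_MD5_LEN = 18      # kind, length, 16-octet digest
TCP_HDR_LEN = 20


def _digest(src_ip, dst_ip, fixed_header, payload, password):
    """RFC 2385 section 2: MD5 over the pseudo-header (src, dst, 0, proto 6,
    segment length), the fixed TCP header with checksum zeroed (options are
    excluded), the payload, and the password."""
    data_off = (fixed_header[12] >> 4) * 4
    seg_len = data_off + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))
    zeroed = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(pseudo + zeroed + payload + password).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload,
                  password=None):
    """Build a TCP segment; with a password the MD5 option is appended,
    padded with two NOPs to a 4-octet boundary."""
    opt_len = TCP_MD5_LEN + 2 if password is not None else 0
    data_off = (TCP_HDR_LEN + opt_len) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_off << 4,
                        flags, 65535, 0, 0)
    options = b""
    if password is not None:
        digest = _digest(src_ip, dst_ip, fixed, payload, password)
        options = struct.pack("!BB16s", TCP_MD5_KIND, TCP_MD5_LEN, digest) + b"\x01\x01"
    return fixed + options + payload


def verify_segment(src_ip, dst_ip, segment, password):
    """Receiver side for a connection with a password configured: an
    unsigned segment is dropped, as is one whose digest does not match."""
    fixed = segment[:TCP_HDR_LEN]
    data_off = (fixed[12] >> 4) * 4
    options, payload = segment[TCP_HDR_LEN:data_off], segment[data_off:]
    found = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2:                # malformed option, stop parsing
            break
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            found = options[i + 2:i + TCP_MD5_LEN]
        i += length
    if found is None:
        return False, "no MD5 signature option"
    expected = _digest(src_ip, dst_ip, fixed, payload, password)
    if not hmac.compare_digest(found, expected):
        return False, "signature mismatch"
    return True, "ok"


# Constructed BGP OPEN: marker, length 29, type 1, version 4, AS 65001,
# hold time 180 s, BGP identifier 10.0.0.1, no optional parameters.
SAMPLE_OPEN = b"\xff" * 16 + struct.pack("!HBBHHIB", 29, 1, 4, 65001, 180, 0x0A000001, 0)

if __name__ == "__main__":
    seg = build_segment("10.0.0.1", "10.0.0.2", 40000, 179, 1000, 0, 0x18,
                        SAMPLE_OPEN, b"bgp-pw")
    print(verify_segment("10.0.0.1", "10.0.0.2", seg, b"bgp-pw"))   # (True, 'ok')
    print(verify_segment("10.0.0.9", "10.0.0.2", seg, b"bgp-pw"))   # spoofed source
```

Because the digest binds the addresses, ports and sequence numbers of every segment, an attacker who cannot obtain the password cannot inject a RST or a forged Update into the session even from an on-path position; the password itself must be kept as carefully as any other shared secret, since MD5 here offers no protection against offline guessing of a weak one.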
To do... / Use the command... / Remarks
Create an IBGP peer group: group group-name [ internal ] (Optional. If the command is executed without the internal or external keyword, an IBGP peer group is created.)
Add an IBGP peer to the group: peer ip-address group group-name (You can add multiple IBGP peers to the group, and the...
To do... / Use the command... / Remarks
Specify a routing policy for the routes exported to the peer group: peer group-name route-policy route-policy-name export (Required. By default, no routing policy is specified for the routes exported to the peer group.)
When configuring BGP community, you must use a routing policy to define the specific COMMUNITY attribute, and then apply the routing policy when a peer sends routing information.
To do... / Use the command... / Remarks
Enter system view: system-view
Enter BGP view: bgp as-number
Configure a confederation ID: confederation id as-number (Required. Not configured by default.)
Configure the sub-ASs to be included in the confederation: confederation peer-as as-number&<1-32>...
To do... / Use the command... / Remarks
Display the routes matching the specified BGP community list: display bgp [ multicast ] routing community-list community-list-number [ whole-match ]
Display information about BGP route dampening: display bgp routing dampened
Display routes with different source ASs: display bgp [ multicast ] routing different-origin-as...
BGP Configuration Examples Configuring BGP Confederation Attribute Network requirements BGP runs in a large AS of a company. As the number of IBGP peers increases rapidly in the AS, more network resources for BGP communication are occupied. The customer hopes to reduce IBGP peers to minimize the CPU and network resources consumption by BGP without affecting device performance.
[SwitchA-bgp] group confed1003 external
[SwitchA-bgp] peer 172.68.10.3 group confed1003 as-number 1003
# Configure Switch B.
<SwitchB> system-view
[SwitchB] bgp 1002
[SwitchB-bgp] confederation id 100
[SwitchB-bgp] confederation peer-as 1001 1003
[SwitchB-bgp] group confed1001 external
[SwitchB-bgp] peer 172.68.10.1 group confed1001 as-number 1001
[SwitchB-bgp] group confed1003 external
[SwitchB-bgp] peer 172.68.10.3 group confed1003 as-number 1003
# Configure Switch C.
Figure 5-15 Network diagram for BGP RR configuration
Device    Interface     IP address
Switch A  Vlan-int 100  1.1.1.1/8
          Vlan-int 2    192.1.1.1/24
Switch B  Vlan-int 2    192.1.1.2/24
          Vlan-int 3    193.1.1.2/24
Switch C  Vlan-int 3    193.1.1.1/24
          Vlan-int 4    194.1.1.1/24
Switch D  Vlan-int 4    194.1.1.2/24
Configuration plan: Run EBGP between the peers in AS 100 and AS 200.
[SwitchB] bgp 200
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.1 group ex as-number 100
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 193.1.1.1 group in
Configure Switch C.
# Configure VLAN interface IP addresses.
<SwitchC> system-view
[SwitchC] interface Vlan-interface 3
[SwitchC-Vlan-interface3] ip address 193.1.1.1 255.255.255.0
[SwitchC-Vlan-interface3] quit
[SwitchC] interface Vlan-interface 4
[SwitchC-Vlan-interface4] ip address 194.1.1.1 255.255.255.0...
Network diagram: Figure 5-16 shows the network diagram.
Figure 5-16 Network diagram for BGP path selection
Device    Interface     IP address
Switch A  Vlan-int 101  1.1.1.1/8
          Vlan-int 2    192.1.1.1/24
          Vlan-int 3    193.1.1.1/24
Switch B  Vlan-int 2    192.1.1.2/24
          Vlan-int 4    194.1.1.2/24
Switch C  Vlan-int 3    193.1.1.2/24
          Vlan-int 5    ...
[SwitchA-bgp] network 1.0.0.0
# Configure BGP peers.
[SwitchA-bgp] group ex192 external
[SwitchA-bgp] peer 192.1.1.2 group ex192 as-number 200
[SwitchA-bgp] group ex193 external
[SwitchA-bgp] peer 193.1.1.2 group ex193 as-number 200
[SwitchA-bgp] quit
# Define ACL 2000 to permit the route 1.0.0.0/8.
[SwitchA] acl number 2000
[SwitchA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[SwitchA-acl-basic-2000] rule deny source any...
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchB] bgp 200
[SwitchB-bgp] undo synchronization
[SwitchB-bgp] group ex external
[SwitchB-bgp] peer 192.1.1.1 group ex as-number 100
[SwitchB-bgp] group in internal
[SwitchB-bgp] peer 194.1.1.1 group in
[SwitchB-bgp] peer 195.1.1.2 group in
Configure Switch C.
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 4.0.0.0 0.255.255.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit
# Enable BGP, create a peer group, and add peers to the peer group.
[SwitchD] bgp 200
[SwitchD-bgp] undo synchronization
[SwitchD-bgp] group in internal
[SwitchD-bgp] peer 195.1.1.2 group in
[SwitchD-bgp] peer 194.1.1.2 group in
To make the configuration take effect, all BGP neighbors need to execute the reset bgp all...
Troubleshooting BGP Configuration BGP Peer Connection Establishment Error Symptom: When you use the display bgp peer command to display the BGP peer information, the connection with the remote peer cannot be established. Analysis: To establish a BGP peering relationship, both ends must set up the TCP session on port 179, and both ends must exchange Open messages correctly. If an MD5 password is configured, a mismatch between the two ends keeps the TCP session from being established at all.
IP Routing Policy Configuration When configuring an IP routing policy, go to these sections for information you are interested in: IP Routing Policy Overview IP Routing Policy Configuration Task List Displaying IP Routing Policy IP Routing Policy Configuration Example Troubleshooting IP Routing Policy The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
IP-prefix list IP-prefix list plays a role similar to ACL. But it is more flexible than ACL and easier to understand. When IP-prefix list is applied to filter routing information, its matching object is the destination address field in routing information. Moreover, with IP-prefix list, you can use the gateway option to specify that only routing information advertised by certain routers will be received.
Task / Remarks
Community List Configuration: Required
Routing Policy Configuration: A routing policy is used to match given routing information or some attributes of routing information and change the attributes of the routing information if the conditions are met. The above-mentioned filtering lists can serve as the match conditions. A routing policy can comprise multiple nodes and each node comprises:
if-match clause: Defines matching rules;...
The permit argument specifies that the matching mode for the defined node in the routing policy is permit. If a route matches all the rules of the node, the apply clauses of the node are executed and the next node is not tested. If it does not match, the route is tested against the next node.
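The node semantics described above and the IP-prefix list matching described earlier in this chapter, as an added example that is not H3C code. A basic ACL matches the route's destination network address against source/wildcard rules, an IP-prefix list matches prefix and length (with optional greater-equal/less-equal bounds), and a route-policy tests its nodes in order, running the apply clauses of the first permit node whose if-match clauses all hold. The ACL 2000, prefix list and policy names, and the routes fed through them, are constructed to mirror the configuration examples later in the chapter.

```python
"""Added example (not H3C code): how a route-policy, a basic ACL and an
IP-prefix list combine to filter routes, following the node semantics of
the text. Names and prefixes are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    cost: int = 0
    interface: str = ""


def route(net, cost=0, interface=""):
    return Route(ipaddress.IPv4Network(net), cost, interface)


def acl_basic(rules):
    """Basic ACL: rules are (action, source, wildcard). The route's destination
    network address is matched; first hit wins; no hit returns None."""
    compiled = []
    for action, source, wildcard in rules:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
        compiled.append((action, int(ipaddress.IPv4Address(source)) & care, care))

    def match(r):
        addr = int(r.prefix.network_address)
        for action, value, care in compiled:
            if addr & care == value:
                return action
        return None
    return match


def ip_prefix(entries):
    """IP-prefix list: entries are (action, 'net/len', ge, le). Without ge/le
    the length must match exactly; ge alone means [ge, 32]; le alone [len, le]."""
    compiled = []
    for action, net, ge, le in entries:
        n = ipaddress.IPv4Network(net)
        lo = ge if ge is not None else n.prefixlen
        hi = le if le is not None else (32 if ge is not None else n.prefixlen)
        compiled.append((action, n, max(lo, n.prefixlen), hi))

    def match(r):
        for action, n, lo, hi in compiled:
            if r.prefix.network_address in n and lo <= r.prefix.prefixlen <= hi:
                return action
        return None
    return match


@dataclass
class Node:
    number: int
    mode: str                                           # "permit" or "deny"
    if_match: List[Callable[[Route], bool]] = field(default_factory=list)
    apply: List[Callable[[Route], None]] = field(default_factory=list)


def match_list(list_fn):
    """if-match acl / if-match ip-prefix: holds only when the list permits."""
    return lambda r: list_fn(r) == "permit"


def match_interface(name):
    return lambda r: r.interface == name


def apply_cost(value):
    def _set(r):
        r.cost = value
    return _set


def run_policy(nodes, r):
    """Nodes are tested in ascending order; all if-match clauses of a node must
    hold. permit + match: apply clauses run and the route passes. deny + match:
    the route is filtered. Otherwise the next node is tried, and a route that
    matches no node is filtered, hence the trailing permit-all node idiom."""
    for node in sorted(nodes, key=lambda n: n.number):
        if all(clause(r) for clause in node.if_match):
            if node.mode == "permit":
                for action in node.apply:
                    action(r)
                return True
            return False
    return False


def demo():
    """Two constructed policies: one mirrors 'if-match acl 2000' hiding
    30.0.0.0/8; the other sets cost 5 on 6.0.0.0/8 learned on Vlan-interface6
    and passes everything else unchanged."""
    acl2000 = acl_basic([("permit", "20.0.0.0", "0.255.255.255"),
                         ("permit", "40.0.0.0", "0.255.255.255"),
                         ("deny", "0.0.0.0", "255.255.255.255")])
    policy_ospf = [Node(10, "permit", [match_list(acl2000)])]
    visible = {net: run_policy(policy_ospf, route(net))
               for net in ("20.0.0.0/8", "30.0.0.0/8", "40.0.0.0/8")}
    prefix2 = ip_prefix([("permit", "6.0.0.0/8", None, None)])
    policy_in = [Node(40, "permit", [match_interface("Vlan-interface6"), match_list(prefix2)],
                      [apply_cost(5)]),
                 Node(50, "permit")]
    routes = (route("6.0.0.0/8", 1, "Vlan-interface6"), route("7.0.0.0/8", 1, "Vlan-interface6"))
    costs = {str(r.prefix): (run_policy(policy_in, r), r.cost) for r in routes}
    return visible, costs


if __name__ == "__main__":
    print(demo())
```

The deny-by-default at the end of run_policy is the property to remember when writing filters: a policy with only if-match nodes silently drops every route they do not name, which is usually what you want on an import from an untrusted peer and rarely what you want on a transit redistribution.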
To do... / Use the command... / Remarks
Define a rule to match the tag field of OSPF routing information: if-match tag value (Optional. By default, no matching is performed on the tag field of OSPF routing information.)
Add the specified AS number to the AS path of BGP routing information: apply as-path ... (Optional...
IP-Prefix Configuration An IP-prefix list plays a role similar to an ACL, but is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information. Configuration Prerequisites Before configuring a filter list, prepare the following data: IP-prefix name; Range of addresses to be matched...
To do... / Use the command... / Remarks
Configure an AS path list: ip as-path-acl acl-number { permit | deny } as-regular-expression (Optional. By default, no AS path list is defined.)
Community List Configuration In BGP, COMMUNITY attributes are optional transitive. Some COMMUNITY attributes are globally recognized and are called standard COMMUNITY attributes.
Configure three static routes and enable OSPF on Switch A. By configuring route filtering rules on Switch A, make the three static routes partially visible and partially hidden to the receiving router: the routes of network segments 20.0.0.0 and 40.0.0.0 are visible, and the route of network segment 30.0.0.0 is hidden.
# Configure a routing policy.
[SwitchA] route-policy ospf permit node 10
[SwitchA-route-policy] if-match acl 2000
[SwitchA-route-policy] quit
# Apply the routing policy when the static routes are imported.
[SwitchA] ospf
[SwitchA-ospf-1] import-route static route-policy ospf
Configure Switch B:
# Configure the IP address of the interface.
<SwitchB>...
Network diagram: According to the network requirements, the network topology is designed as shown in Figure 6-2.
Figure 6-2 Network diagram
Device    Interface    IP address
Switch A  Vlan-int 2   2.2.2.1/8
          Vlan-int 3   3.3.3.254/8
          Vlan-int 10  1.1.1.254/8
Switch B  Vlan-int 3   3.3.3.253/8
          Vlan-int 6   6.6.6.5/8...
[SwitchA] rip
[SwitchA-rip] network 1.0.0.0
[SwitchA-rip] network 2.0.0.0
[SwitchA-rip] network 3.0.0.0
Configure Switch B.
# Create VLANs and configure IP addresses for the VLAN interfaces. The configuration procedure is omitted.
# Configure RIP.
<SwitchB> system-view
[SwitchB] rip
[SwitchB-rip] network 1.0.0.0
[SwitchB-rip] network 3.0.0.0
[SwitchB-rip] network 6.0.0.0
Configure Switch C.
[SwitchC] route-policy in permit node 40
[SwitchC-route-policy] if-match interface Vlan-interface6
[SwitchC-route-policy] if-match ip-prefix 2
[SwitchC-route-policy] apply cost 5
[SwitchC-route-policy] quit
# Create node 50 with the matching mode being permit, to allow all other routing information to pass.
[SwitchC] route-policy in permit node 50
[SwitchC-route-policy] quit
# Configure RIP and apply the routing policy in to the incoming routing information.
The new cost should be greater than the original one to prevent RIP from generating routing loop in the case that a loop exists in the topology. The cost will become 16 if you try to set it to a value greater than 16. The cost will become the original one if you try to set it to 0.
Route Capacity Configuration When configuring route capacity, go to these sections for information you are interested in: Route Capacity Configuration Overview Route Capacity Limitation Configuration Displaying and Maintaining Route Capacity Limitation Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
When the free memory of the switch is equal to or lower than the lower limit, OSPF and BGP connections are torn down and OSPF and BGP routes are removed from the routing table. If automatic protocol connection recovery is enabled, the switch automatically re-establishes the OSPF and BGP connections once its free memory rises above the safety value.
If automatic protocol recovery is disabled, the OSPF and BGP connections do not recover even when the free memory exceeds the safety value; a routing outage that started with memory pressure then persists until an operator intervenes. Therefore, use caution when disabling this function. Displaying and Maintaining Route Capacity Limitation Configuration To do... / Use the command... / Remarks Display memory occupancy of a switch: display memory [ unit...
Table of Contents
1 Multicast Overview 1-1
  Multicast Overview 1-1
    Information Transmission in the Unicast Mode 1-1
    Information Transmission in the Broadcast Mode 1-2
    Information Transmission in the Multicast Mode 1-3
    Roles in Multicast 1-4
    Common Notations in Multicast 1-5
    Advantages and Applications of Multicast 1-5
  Multicast Models 1-6
  Multicast Architecture 1-6
    Multicast Address 1-7...
  Displaying and Maintaining IGMP 3-12
4 PIM Configuration 4-1
  PIM Overview 4-1
    Introduction to PIM-DM 4-2
    How PIM-DM Works 4-2
    Introduction to PIM-SM 4-4
    How PIM-SM Works 4-5
  Configuring PIM-DM 4-10
    Enabling PIM-DM 4-10
  Configuring PIM-SM 4-10
    Enabling PIM-SM 4-10
    Configuring an RP 4-11
    Configuring a BSR 4-12
    Filtering the Registration Packets from DR to RP 4-14
    Disabling RPT-to-SPT Switchover 4-14
  Configuring Common PIM Parameters 4-15
    Configuring a Multicast Data Filter 4-15...
  MSDP Configuration Example 5-14
    Anycast RP Configuration 5-14
  Troubleshooting MSDP Configuration 5-17
    MSDP Peer Always in the Down State 5-17
    No SA Entry in the SA Cache of the Router 5-18
6 IGMP Snooping Configuration 6-1
  IGMP Snooping Overview 6-1
    Principle of IGMP Snooping 6-1
    Basic Concepts in IGMP Snooping 6-2
    Work Mechanism of IGMP Snooping 6-3
  Configuring IGMP Snooping 6-5...
Multicast Overview

In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.

The following features are added in this version:
- Enabling Multicast Packet Buffering
- Configuring Multicast Source Lifetime
- IGMPv3 Snooping features
Figure 1-1 Information transmission in the unicast mode

Assume that Hosts B, D and E need this information. The source server establishes a separate transmission channel to each of these users. Because the traffic carried over the network is in direct proportion to the number of users receiving the information, when a large number of users need the same information the server must send many packets with identical content, one copy per user.
Figure 1-2 Information transmission in the broadcast mode

Assume that Hosts B, D, and E need the information. The source server broadcasts the information through the routers; it reaches the intended hosts, but Hosts A and C on the same network receive it as well.
Figure 1-3 Information transmission in the multicast mode (Source server; Hosts A through E, of which Hosts B, D and E are receivers; packets for the multicast group)

Assume that Hosts B, D and E need the information. To transmit the information to exactly these users, it is necessary to group Hosts B, D and E into a receiver set.
Table 1-1 An analogy between TV transmission and multicast transmission

TV transmission | Multicast transmission
A TV station transmits a TV program through a television channel. | A multicast source sends multicast data to a multicast group.
A user tunes the TV set to the channel. | A receiver joins the multicast group.
Application of multicast

Multicast effectively addresses the problem of point-to-multipoint data transmission. By delivering data from one point to many points over an IP network efficiently, multicast greatly saves network bandwidth and reduces network load. Multicast supports the following applications:
- Multimedia and streaming media applications, such as Web TV, Web radio, and real-time video/audio conferencing.
- Host registration: which receivers reside on the network?
- Multicast source discovery: from which multicast source should the receivers receive information?
- Multicast addressing mechanism: where should the multicast source send information to?
- Multicast routing: how is information transported?

IP multicast is a kind of peer-to-peer service. In protocol-layer order from bottom to top, the multicast mechanism consists of the addressing mechanism, host registration, multicast routing, and the multicast application:
- Addressing mechanism: information is sent from a multicast source to a group of receivers through...
Note that:
- The IP address of a permanent multicast group remains unchanged, while the members of the group can change.
- A permanent multicast group can have any number of members, including none.
- IP multicast addresses not assigned to permanent multicast groups can be used by temporary multicast groups.
Class D address range | Description
224.0.0.18 | Virtual Router Redundancy Protocol (VRRP)
224.0.0.19 to 224.0.0.255 | Other protocols

Just as it reserved the private network segment 10.0.0.0/8 for unicast, IANA has reserved the network segment 239.0.0.0/8 for multicast. These are administratively scoped addresses. With administratively scoped addresses you can define the range of multicast domains flexibly and isolate addresses between different multicast domains, so that the same multicast address can be reused in different multicast domains without collisions.
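As an added example (not code from the manual), the following Python script classifies a group address against the ranges above and maps it to its Ethernet multicast MAC address using the standard mapping of the low 23 bits into the 01005e prefix, showing why 32 different groups share one MAC address. The hhhh-hhhh-hhhh output format and the sample groups are assumptions made here.

```python
"""Classify IPv4 multicast group addresses and map them to Ethernet MAC addresses.

Added example; it is not code from the H3C manual. The ranges come from the
manual's Class D table (224.0.0.0/24 for protocol groups such as VRRP on
224.0.0.18, 239.0.0.0/8 administratively scoped). The IP-to-MAC mapping is the
standard RFC 1112 rule: the low 23 bits of the group address are written into
the 01-00-5e-00-00-00 prefix, so 32 group addresses share one MAC address.
"""
import ipaddress

CLASS_D = ipaddress.ip_network("224.0.0.0/4")
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # permanent protocol groups
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # multicast analogue of 10.0.0.0/8

# Constructed subset of the permanent assignments listed in the manual's table.
WELL_KNOWN = {"224.0.0.18": "VRRP"}

MAC_PREFIX = 0x01005E000000   # the 01005e prefix the manual mentions
LOW23_MASK = 0x7FFFFF


def classify(group: str) -> str:
    """Return the scope of a multicast group, or raise if it is not Class D."""
    addr = ipaddress.ip_address(group)
    if addr not in CLASS_D:
        raise ValueError(f"{group} is not a Class D (multicast) address")
    if addr in LINK_LOCAL:
        return "link-local: " + WELL_KNOWN.get(group, "other protocols")
    if addr in ADMIN_SCOPED:
        return "administratively scoped"
    return "globally scoped"


def group_to_mac(group: str) -> str:
    """Map a group address to its multicast MAC, as hhhh-hhhh-hhhh hex groups (assumed format)."""
    addr = ipaddress.ip_address(group)
    if addr not in CLASS_D:
        raise ValueError(f"{group} is not a Class D (multicast) address")
    mac = MAC_PREFIX | (int(addr) & LOW23_MASK)
    digits = f"{mac:012x}"
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def colliding_groups(group: str) -> list[str]:
    """All 32 group addresses that map to the same MAC as `group`.

    Only 23 of the 28 group-id bits reach the MAC address; the 5 dropped bits
    sit in the second octet, so 224.1.1.1, 225.1.1.1, ..., 239.129.1.1 are
    indistinguishable to a Layer 2 filter or forwarding table keyed on MAC.
    """
    base = int(ipaddress.ip_address(group)) & LOW23_MASK
    return [str(ipaddress.ip_address(0xE0000000 | (hi << 23) | base)) for hi in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.18", "225.1.1.1", "239.255.0.1"):   # constructed sample groups
        print(f"{g:<12} {classify(g):<28} {group_to_mac(g)}")
    print("groups sharing the MAC of 225.1.1.1:", ", ".join(colliding_groups("225.1.1.1")[:4]), "...")
```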
Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs. So far, mature solutions include Multicast Source Discovery Protocol (MSDP). For the SSM model, multicast routes are not divided into inter-domain routes and intra-domain routes. Since receivers know the position of the multicast source, channels established through PIM-SM are sufficient for multicast information transport.
So that the same multicast data received from different peers on different interfaces of one device is forwarded only once, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on its incoming interface. The result of the RPF check determines whether the packet is forwarded or discarded.
Figure 1-7 RPF check process (Source 192.168.0.1/24; Router A; Switch B and Switch C, each with Vlan-int1 and Vlan-int2; receivers; multicast packets)

IP routing table on Switch C:
Destination/Mask | Interface
192.168.0.0/24 | Vlan-int2

A multicast packet from Source arrives on VLAN-interface 1 of Switch C, and no corresponding forwarding entry exists in the multicast forwarding table of Switch C.
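The RPF check on Switch C, as an added Python model that is not code from the manual: the unicast route to the source subnet points at Vlan-int2, so a packet from 192.168.0.1 arriving on Vlan-int1 fails the check. The route set, interface names and the (S, G) bookkeeping are constructed here.

```python
"""Reverse Path Forwarding (RPF) check on a multicast router, modelled in Python.

Added example; not code from the H3C manual. It reproduces the scenario of the
manual's Figure 1-7: Switch C's unicast routing table reaches 192.168.0.0/24
through Vlan-int2, but a packet from Source 192.168.0.1 arrives on Vlan-int1.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass
class SGEntry:
    """A multicast forwarding entry: (S, G) -> incoming interface + outgoing list."""
    iif: str
    oifs: list = field(default_factory=list)


class MulticastRouter:
    def __init__(self, routes):
        # Longest prefix first, so the first matching route wins.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.mfib = {}   # (source, group) -> SGEntry

    def rpf_interface(self, source: str):
        """The interface the unicast route back to `source` points at, or None."""
        s = ipaddress.ip_address(source)
        for r in self.routes:
            if s in r.prefix:
                return r.interface
        return None

    def add_outgoing(self, source, group, iface):
        """Record a downstream interface (what PIM/IGMP would do) on an existing entry."""
        self.mfib[(source, group)].oifs.append(iface)

    def handle_packet(self, source, group, in_iface):
        """Return (action, detail) for a data packet; `forward` carries the OIF list."""
        entry = self.mfib.get((source, group))
        if entry is None:
            # No forwarding entry: run the RPF check against the unicast routing table.
            rpf_if = self.rpf_interface(source)
            if rpf_if is None:
                return ("drop", "no unicast route back to source")
            if rpf_if != in_iface:
                return ("drop", f"RPF check failed: expected {rpf_if}, got {in_iface}")
            self.mfib[(source, group)] = SGEntry(iif=in_iface)
            return ("accept", f"RPF check passed, created (S, G) entry on {in_iface}")
        # Existing entry: the packet must arrive on the entry's incoming interface.
        if entry.iif != in_iface:
            return ("drop", f"arrived on {in_iface}, (S, G) incoming interface is {entry.iif}")
        return ("forward", list(entry.oifs))


def switch_c() -> MulticastRouter:
    """Switch C from Figure 1-7: one route to the source subnet via Vlan-int2."""
    return MulticastRouter([Route(ipaddress.ip_network("192.168.0.0/24"), "Vlan-int2")])


if __name__ == "__main__":
    rtr = switch_c()
    print(rtr.handle_packet("192.168.0.1", "225.1.1.1", "Vlan-int1"))   # dropped
    print(rtr.handle_packet("192.168.0.1", "225.1.1.1", "Vlan-int2"))   # accepted
    rtr.add_outgoing("192.168.0.1", "225.1.1.1", "Vlan-int1")
    print(rtr.handle_packet("192.168.0.1", "225.1.1.1", "Vlan-int2"))   # forwarded
```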
Common Multicast Configuration

In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.

Common Multicast Configuration

Table 2-1 Complete the following tasks to perform common multicast configurations:
Task | Remarks
Enabling Multicast Packet Buffering | ...
Disabled by default.

To guard against attacks on any socket not in use, S5600 series switches provide the following functions for enhanced security:
- The system opens the RAW socket used for multicast routing only if multicast routing is enabled.
Configuring Suppression on the Multicast Source Port

Some users may deploy unauthorized multicast servers on the network. Such servers consume network bandwidth and interfere with the multicast transmission of authorized users. You can configure multicast source port suppression on certain ports to prevent unauthorized multicast servers attached to these ports from sending multicast traffic into the network.
You cannot configure a multicast MAC address starting with 01005e on S5600 series switches. You cannot enable link aggregation on a port on which you have configured a multicast MAC address, and you cannot configure a multicast MAC address on an aggregation port.
Follow these steps to configure dropping of unknown multicast packets:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Configure dropping of unknown multicast packets | unknown-multicast drop enable | Required. By default, dropping of unknown multicast packets is disabled.

Tracing a Multicast Path

You can run the mtracert command to trace the path along which multicast traffic flows from a given first-hop router to the last-hop router.
To do... | Use the command... | Remarks
Display information about the IP multicast groups and MAC multicast groups in a VLAN or in all VLANs | display mpm group [ vlan vlan-id ] | Available in any view
Display the created multicast MAC table | display mac-address multicast [ static { { { mac-address vlan vlan-id | vlan vlan-id }... | Available in any view
IGMP Configuration

In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.

When configuring IGMP, go to these sections for information you are interested in:
- IGMP Overview
- Configuring IGMP
- Displaying and Maintaining IGMP
...
Figure 3-1 Joining multicast groups (IP network; Router A and Router B on an Ethernet; Host A in G2, Host B and Host C in G1; Query and Report messages)

Assume that Host B and Host C are expected to receive multicast data addressed to multicast group G1, while Host A is expected to receive multicast data addressed to G2, as shown in Figure 3-1.
Enhancements Provided by IGMPv2 Compared with IGMPv1, IGMPv2 provides the querier election mechanism and Leave Group mechanism. Querier election mechanism In IGMPv1, the DR elected by the Layer 3 multicast routing protocol (such as PIM) serves as the querier among multiple routers on the same subnet. In IGMPv2, an independent querier election mechanism is introduced.
If it does not expect multicast data from specific sources like S1, S2, …, it sends a report with the Filter-Mode denoted as “Exclude Sources (S1, S2, …)”. As shown in Figure 3-2, the network comprises two multicast sources, Source 1 (S1) and Source 2 (S2), both of which can send multicast data to multicast group G.
If the change was to an Include source list, these are the addresses that were deleted from the list; if the change was to an Exclude source list, these are the addresses that were added to the list.

Currently, only IGMPv1 and IGMPv2 are supported on S5600 series Ethernet switches.

IGMP Proxy

Many stub networks (stub domains) are involved when a multicast routing protocol (PIM-DM, for example) is deployed over a large-scale network.
Enable multicast routing, and then enable PIM and IGMP on VLAN-interface 1 and VLAN-interface 2. Run the igmp proxy command on VLAN-interface 1 to configure it as the proxy interface for VLAN-interface 2. Configure Switch A as follows: Enable multicast routing, enable IGMP and PIM on VLAN-interface 1. Configure the pim neighbor-policy command to filter PIM neighbors in the network segment 33.33.33.0/24.
Before performing the configurations described in this chapter, you must enable multicast routing and enable IGMP on the specific interfaces.

Configuring IGMP Version

Follow these steps to configure the IGMP version:
To do... | Use the command... | Remarks
Enter system view | system-view | —
...
If the IGMP querier receives IGMP report messages from other hosts within the period of robust-value x lastmember-queryinterval, it will maintain the membership of the group. If the IGMP querier does not receive IGMP report messages from other hosts after the period of robust-value x lastmember-queryinterval, it considers that the group has no members on the local subnet and removes the forwarding table entry for the group.
To do... | Use the command... | Remarks
Configure the maximum response time of IGMP general queries | igmp max-response-time seconds | Optional. 10 seconds by default.

Configuring the Maximum Allowed Number of Multicast Groups

By configuring the maximum number of IGMP multicast groups that can be joined on an interface of the switch, you can control the number of on-demand programs available to users attached to the interface, and thus the bandwidth usage on the interface.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Configure a multicast group filter (in VLAN interface view) | igmp group-policy acl-number [ 1 | 2 | port interface-list ] | Optional. No multicast group filter is configured by default.
Configure a multicast group filter (in LoopBack...
Configuring simulated joining in interface view

Follow these steps to configure simulated joining in interface view:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Configure one or more ports as simulated group members (in VLAN interface view) | igmp host-join group-address port ... | Required
...
You must enable the PIM protocol on the interface before configuring the igmp proxy command. Otherwise, the IGMP Proxy feature does not take effect. One interface cannot serve as the proxy interface for two or more interfaces. Generally, an interface serving as an IGMP querier cannot act as an IGMP proxy interface. If it is necessary to configure an IGMP querier interface as an IGMP proxy interface, you must configure the port that belongs to the proxy interface and connects to the upstream multicast device as a static router port.
PIM Configuration

When configuring PIM, go to these sections for information you are interested in:
- PIM Overview
- Configuring PIM-DM
- Configuring PIM-SM
- Configuring Common PIM Parameters
- Displaying and Maintaining PIM
- PIM Configuration Examples
- Troubleshooting PIM

In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
Introduction to PIM-DM PIM-DM is a type of dense mode multicast protocol. It uses the “push mode” for multicast forwarding, and is suitable for small-sized networks with densely distributed multicast members. The basic implementation of PIM-DM is as follows: PIM-DM assumes that at least one multicast group member exists on each subnet of a network, and therefore multicast data is flooded to all nodes on the network.
corresponding interface from the outgoing interface list in the (S, G) entry and stop forwarding subsequent packets addressed to that multicast group down to this node. An (S, G) entry contains the multicast source address S, multicast group address G, outgoing interface list, and incoming interface.
The node that needs to receive multicast data sends a graft message hop by hop toward the source, as a request to join the SPT again. Upon receiving this graft message, the upstream node puts the interface on which the graft was received into the forwarding state and responds with a graft-ack message to the graft sender.
and is suitable for large- and medium-sized networks with sparsely and widely distributed multicast group members. The basic implementation of PIM-SM is as follows: PIM-SM assumes that no hosts need to receive multicast data. In the PIM-SM mode, routers must specifically request a particular multicast stream before the data is forwarded to them.
When the DR fails, a timeout in receiving hello messages triggers a new DR election among the other routers. S5600 series Ethernet switches do not support DR priority; DR election is based on IP addresses. In a PIM-DM domain, a DR serves as an IGMPv1 querier.
RP discovery The RP is the core of a PIM-SM domain. For a small-sized, simple network, one RP is enough for forwarding information throughout the network, and the position of the RP can be statically specified on each router in the PIM-SM domain. In most cases, however, a PIM-SM network covers a wide area and a huge amount of multicast traffic needs to be forwarded through the RP.
RPT building Figure 4-5 Building an RPT in PIM-SM As shown in Figure 4-5, the process of building an RPT is as follows: When a receiver joins a multicast group G, it uses an IGMP message to inform the directly connected DR.
Figure 4-6 Multicast registration As shown in Figure 4-6, the multicast source registers with the RP as follows: When the multicast source S sends the first multicast packet to a multicast group G, the DR directly connected with the multicast source, upon receiving the multicast packet, encapsulates the packet in a PIM register message, and sends the message to the corresponding RP by unicast.
Assert

PIM-SM uses exactly the same assert mechanism as PIM-DM does. Refer to Assert.

Configuring PIM-DM

Enabling PIM-DM

With PIM-DM enabled, a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors. When deploying a PIM-DM domain, it is recommended that you enable PIM-DM on all interfaces of non-border routers.
To do... | Use the command... | Remarks
Enter interface view | interface interface-type interface-number | —
Enable PIM-SM | pim sm | Required. Disabled by default.

Configuring an RP

An RP can be manually configured or dynamically elected through the BSR mechanism. For a large PIM network, static RP configuration is a tedious job.
To do... | Use the command... | Remarks
Configure candidate RPs | c-rp interface-type interface-number [ group-policy acl-number | priority priority ]* | Optional. By default, no candidate RPs are set for the switch and the priority value is 0.
Limit the range of valid C-RPs | crp-policy acl-number | Optional. By default, the range of valid C-RPs is...
the right of advertising RP information in the network. After being configured as a C-BSR, a router automatically floods the network with bootstrap messages. As a bootstrap message has a TTL value of 1, the whole network will not be affected as long as the neighbor router discards these bootstrap messages.
After this feature is configured, Bootstrap messages cannot pass the border. However, the other PIM messages can pass the domain border. The network can be effectively divided into domains that use different BSRs. Filtering the Registration Packets from DR to RP Within a PIM-SM domain, the source-side DR sends register messages to the RP, and these register messages have different multicast source or group addresses.
Typically, you need to configure the above-mentioned parameters on the receiver-side DR and the RP only. Since both the DR and RP are elected, however, you should carry out these configurations on the routers that may win DR election and on the C-RPs that may win RP election. Configuring Common PIM Parameters Complete the following tasks to configure common PIM parameters: Task...
Configuring the Hello Interval In a PIM domain, a PIM router discovers PIM neighbors and maintains PIM neighboring relationships with other routers by periodically sending hello messages. Follow these steps to configure the Hello interval: To do... Use the command... Remarks Enter system view system-view...
If the number of existing PIM neighbors exceeds the user-defined limit, the existing PIM neighbors will not be deleted. Configuring Multicast Source Lifetime Initially, some data is lost when multicast receivers receive multicast data from a multicast source. The reason is that (S, G) entries in the PIM routing table and multicast routing table age out if no data stream is received within a configurable period of time, known as multicast source lifetime or (S, G) aging time.
Network diagram

Figure 4-7 Network diagram for PIM-DM configuration

Device | Interface | IP address
Switch A | Vlan-int100 | 10.110.1.1/24
Switch A | Vlan-int103 | 192.168.1.1/24
Switch B | Vlan-int200 | 10.110.2.1/24
Switch B | Vlan-int101 | 192.168.2.1/24
Switch C | Vlan-int200 | 10.110.2.2/24
Switch C | Vlan-int102 | ...
Switch D | Vlan-int300 | 10.110.5.1/24
Switch D | Vlan-int103 | 192.168.1.2/24
Switch D | Vlan-int101 | 192.168.2.2/24
Switch D | Vlan-int102 | 192.168.3.2/24
[SwitchA-Vlan-interface103] quit

The configuration on Switch B and Switch C is similar to the configuration on Switch A.

# Enable IP multicast routing on Switch D, and enable PIM-DM on each interface.
<SwitchD> system-view
[SwitchD] multicast routing-enable
[SwitchD] interface vlan-interface 300
[SwitchD-Vlan-interface300] pim dm
[SwitchD-Vlan-interface300] quit
[SwitchD] interface vlan-interface 103
...
[SwitchA-Vlan-interface100] quit
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] pim sm
[SwitchA-Vlan-interface101] quit
[SwitchA] interface vlan-interface 102
[SwitchA-Vlan-interface102] pim sm
[SwitchA-Vlan-interface102] quit

The configuration on Switch B and Switch C is similar to that on Switch A. The configuration on Switch D and Switch E is also similar to that on Switch A, except that it is not necessary to enable IGMP on the corresponding interfaces of these two switches.
MSDP Configuration

When configuring MSDP, go to these sections for information you are interested in:
- MSDP Overview
- Configuring MSDP Basic Functions
- Configuring Connection Between MSDP Peers
- Configuring SA Message Transmission
- Displaying and Maintaining MSDP
- MSDP Configuration Example
- Troubleshooting MSDP Configuration

In this manual, the term “router”...
MSDP is applicable only if the intra-domain multicast protocol is PIM-SM. MSDP is meaningful only for the any-source multicast (ASM) model. How MSDP Works MSDP peers With one or more pairs of MSDP peers configured in the network, an MSDP interconnection map is formed, where the RPs of different PIM-SM domains are interconnected in series.
An RP is dynamically elected from C-RPs. To enhance network robustness, a PIM-SM network typically has more than one C-RP. As the RP election result is unpredictable, MSDP peering relationships should be built among all C-RPs, so that the winning C-RP is always on the “MSDP interconnection map”, while the losing C-RPs assume the role of common PIM-SM routers on the “MSDP interconnection map”.
addition, you can configure MSDP peers into an MSDP mesh group so as to avoid flooding of SA messages between MSDP peers. SA messages are forwarded from one MSDP peer to another, and finally the information of the multicast source traverses all PIM-SM domains with MSDP peers (PIM-SM 2 and PIM-SM 3 in this example).
Figure 5-3 Diagram for RPF check for SA messages (Source; RP 1 through RP 9 across AS 1 through AS 5; a mesh group; MSDP peers; static RPF peers; SA message flow)
SA messages from other paths than described above will not be accepted nor forwarded by MSDP peers. Implementing intra-domain Anycast RP by leveraging MSDP peers Anycast RP refers to such an application that enables load balancing and redundancy backup between two or more RPs within a PIM-SM domain by configuring the same IP address for, and establishing MSDP peering relationships between, these RPs.
- Optimal RP path: a multicast source registers with the nearest RP so that an SPT with the optimal path is built; a receiver joins the nearest RP so that an RPT with the optimal path is built.
- Load balancing between RPs: each RP needs to maintain only part of the source/group information within the PIM-SM domain and forward only part of the multicast data, thus achieving load balancing between RPs.
Configuration Prerequisites

Before configuring basic MSDP functions, you need to configure:
- A unicast routing protocol
- PIM-SM basic functions

Configuring MSDP Basic Functions

Follow these steps to configure MSDP basic functions:
To do... | Use the command... | Remarks
Enter system view | system-view | —
...
Task | Remarks
Configuring an MSDP Mesh Group | Optional
Configuring MSDP Peer Connection Control | Optional

Configuring Description Information for MSDP Peers

You can configure description information for each MSDP peer to make the peers easier to manage and identify. Follow these steps to configure description information for an MSDP peer:
To do...
between faulty MSDP peers or bringing faulty MSDP peers back to work, you can adjust the retry interval for establishing a peering relationship through the following configuration.

Follow these steps to configure MSDP peer connection control:
To do... | Use the command... | Remarks
Enter system view | system-view | —
...
Task | Remarks
Configuring the Transmission and Filtering of SA Request Messages | Optional
Configuring a Rule for Filtering the Multicast Sources of SA Messages | Optional
Configuring a Rule for Filtering Received and Forwarded SA Messages | Optional

Configuring RP Address in SA Messages

MSDP peers deliver SA messages to one another.
To do... | Use the command... | Remarks
Enter MSDP view | msdp | —
Enable the SA message caching mechanism | cache-sa-enable | Optional. Enabled by default.
Configure the maximum number of SA messages that can be cached | peer peer-address sa-cache-maximum sa-limit | Optional. The default is 2,048.

Configuring the Transmission and Filtering of SA Request Messages

After you enable the sending of SA request messages, when a router receives a Join message it sends an SA request message to the specified remote MSDP peer, which responds with an SA message that...
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter MSDP view | msdp | —
Configure filtering of the multicast sources advertised in SA messages | import-source [ acl acl-number ] | Optional. By default, all the (S, G) entries in the domain are advertised in SA messages.
To do... | Use the command... | Remarks
Display the (S, G) state learned from MSDP peers | display msdp sa-cache [ group-address | source-address | as-number ] * | Available in any view
Display the number of sources and groups in the MSDP cache | display msdp sa-count [ autonomous-system-number ] | Available in any view
Reset the TCP connection with the...
Network diagram

Figure 5-5 Network diagram for anycast RP configuration

Device | Interface | IP address
Source 1 | — | 10.110.5.100/24
Source 2 | — | 10.110.6.100/24
Switch A | Vlan-int300 | 10.110.5.1/24
Switch A | Vlan-int103 | 10.110.2.2/24
Switch C | Vlan-int101 | 192.168.1.2/24
Switch C | Vlan-int102 | 192.168.2.2/24
Switch D | Vlan-int200 | 10.110.3.1/24
Switch D | Vlan-int104 | ...
[SwitchB-Vlan-interface103] pim sm
[SwitchB-Vlan-interface103] quit
[SwitchB] interface Vlan-interface 101
[SwitchB-Vlan-interface101] pim sm
[SwitchB-Vlan-interface101] quit
[SwitchB] interface loopback 0
[SwitchB-LoopBack0] pim sm
[SwitchB-LoopBack0] quit
[SwitchB] interface loopback 10
[SwitchB-LoopBack10] pim sm
[SwitchB-LoopBack10] quit
[SwitchB] interface loopback 20
[SwitchB-LoopBack20] pim sm
[SwitchB-LoopBack20] quit

The configuration on Switch A, Switch C, Switch D, and Switch E is similar to the configuration on Switch B.
MSDP Peer Brief Information
Peer's Address   State   Up/Down time   SA Count   Reset Count
1.1.1.1                  00:50:22

When Source 1 (10.110.5.100/24) sends multicast data to multicast group G (225.1.1.1), Receiver 1 joins multicast group G. By comparing the PIM routing information displayed on Switch B with that displayed on Switch D, you can see that Switch B now acts as the RP for Source 1 and Receiver 1.
Solution Check the connectivity of the route between the routers. Use the display ip routing-table command to check that the unicast route between the routers is correct. Further check that a unicast route exists between two routers that will become MSDP peers and that the route leads to the two peers.
IGMP Snooping Configuration

When configuring IGMP Snooping, go to these sections for information you are interested in:
- IGMP Snooping Overview
- Configuring IGMP Snooping
- Displaying and Maintaining IGMP Snooping
- IGMP Snooping Configuration Examples
- Troubleshooting IGMP Snooping

In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
Figure 6-1 Multicast packet transmission before and after IGMP Snooping is enabled on a Layer 2 device (left: without IGMP Snooping; right: when IGMP Snooping runs; multicast router, source, Layer 2 switch, Host A and Host C)
1/0/2 of Switch B are member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table.

Port aging timers in IGMP Snooping and related messages and actions

Table 6-1 Port aging timers in IGMP Snooping and related messages and actions
Message before | Timer | Description...
A switch will not forward an IGMP report through a non-router port, for the following reason: because of the IGMP report suppression mechanism, if member hosts of that multicast group still exist under the non-router ports, those hosts will stop sending their own reports when they receive the forwarded report, and the switch can then no longer tell whether members of that multicast group are still attached to these ports.
Configuring IGMP Snooping

Complete the following tasks to configure IGMP Snooping:
Task | Remarks
Enabling IGMP Snooping | Required
Configuring the Version of IGMP Snooping | Optional
Configuring Timers | Optional
Configuring Fast Leave Processing | Optional
Configuring a Multicast Group Filter | Optional
Configuring the Maximum Number of Multicast Groups on a Port | Optional
Configuring IGMP Snooping Querier | Optional
...
Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
To do... | Use the command... | Remarks
Configure the aging timer of the router port | igmp-snooping router-aging-time seconds | Optional. By default, the aging time of the router port is 105 seconds.
Configure the query response timer | igmp-snooping max-response-time seconds | Optional. By default, the query response timeout time is 10 seconds.
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all multicast groups are filtered. Since most devices broadcast unknown multicast packets by default, this function is often used together with dropping of unknown multicast packets, to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function.
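An added Python model (not code from the manual) of the IGMP Snooping behaviour described in the overview above together with the interaction just described: router ports learned from queries, member ports from reports, reports forwarded only through router ports, a per-port group filter standing in for the ACL, and unknown multicast flooded unless dropping of unknown multicast packets is enabled. Port numbers and group addresses are constructed; timers are not modelled.

```python
"""A Layer 2 switch's IGMP Snooping forwarding table for one VLAN, modelled in Python.

Added example; not code from the H3C manual. The group filter is modelled as a
set of permitted groups per port (an empty set filters every group, as the
manual says happens when the ACL has no rules). Port aging timers are omitted.
"""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    ports: set[int]
    drop_unknown: bool = False          # dropping of unknown multicast packets enabled?
    fast_leave: bool = False            # fast leave processing enabled?
    router_ports: set[int] = field(default_factory=set)
    members: dict[str, set[int]] = field(default_factory=dict)   # group -> member ports
    filters: dict[int, set[str]] = field(default_factory=dict)   # port -> permitted groups

    def receive_query(self, port: int) -> set[int]:
        """An IGMP general query marks its ingress port as a router port and is
        sent on to every other port in the VLAN so hosts can answer it."""
        self.router_ports.add(port)
        return self.ports - {port}

    def receive_report(self, port: int, group: str) -> set[int]:
        """An IGMP report adds a member port (subject to the group filter) and is
        forwarded to router ports only, never to other member ports (report
        suppression would otherwise silence the hosts behind them)."""
        if port in self.filters and group not in self.filters[port]:
            return set()                       # filtered: not recorded, not forwarded
        self.members.setdefault(group, set()).add(port)
        return self.router_ports - {port}

    def receive_leave(self, port: int, group: str) -> None:
        """With fast leave the port is removed at once; otherwise the switch keeps the
        port until the group-specific query it sends times out (timer not modelled)."""
        if self.fast_leave and group in self.members:
            self.members[group].discard(port)
            if not self.members[group]:
                del self.members[group]

    def forward_data(self, group: str, in_port: int) -> set[int]:
        """Egress ports for a multicast data frame addressed to `group`."""
        if group in self.members:
            return (self.members[group] | self.router_ports) - {in_port}
        if self.drop_unknown:
            return set()                       # unknown group and dropping is enabled
        return self.ports - {in_port}          # unknown group flooded in the VLAN


def demo(drop_unknown: bool) -> dict:
    """Constructed four-port VLAN: router on port 1, hosts on ports 2 to 4;
    port 3 is permitted to join only 224.2.2.2."""
    sw = SnoopingSwitch(ports={1, 2, 3, 4}, drop_unknown=drop_unknown, fast_leave=True)
    sw.filters[3] = {"224.2.2.2"}
    sw.receive_query(1)
    report_egress = sw.receive_report(2, "224.1.1.1")
    sw.receive_report(4, "224.1.1.1")
    sw.receive_leave(4, "224.1.1.1")           # fast leave removes port 4 immediately
    sw.receive_report(3, "224.5.5.5")          # blocked by the filter; nobody else joins
    return {
        "report_egress": report_egress,                                 # router ports only
        "known_group": sw.forward_data("224.1.1.1", in_port=1),         # member ports only
        "filtered_group": sw.forward_data("224.5.5.5", in_port=1),      # flooded unless dropped
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"drop_unknown={flag}:", demo(flag))
```

Without dropping of unknown multicast, the filtered port 3 still receives 224.5.5.5 as flooded unknown multicast; with it enabled, the stream stops at the switch.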
Configuring IGMP Snooping Querier

In an IP multicast network running IGMP, a multicast router is responsible for sending IGMP general queries, so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries and forward multicast traffic correctly at the network layer. This router or Layer 3 switch is called the IGMP querier.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable unknown multicast flooding suppression | igmp-snooping nonflooding-enable | Required. By default, unknown multicast flooding suppression ...

If the function of dropping unknown multicast packets or the IRF fabric function is enabled, you cannot enable unknown multicast flooding suppression.
You can configure up to 200 static member ports on an S5600 series switch. If a port has been configured as an IRF fabric port or a reflect port, it cannot be configured as a static member port. Configuring a Static Router Port...
To do... | Use the command... | Remarks
Enter VLAN interface view | interface Vlan-interface interface-number | —
Enable simulated joining | igmp host-join group-address [ source-ip source-address ] port interface-list | Required. Disabled by default.

Configuring simulated joining in Ethernet port view

Follow these steps to configure a port as a simulated group member:
To do...
It is not recommended to configure this function while the multicast VLAN function is in effect. Configuring Multicast VLAN In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth.
To do... | Use the command... | Remarks
Enter VLAN view | vlan vlan-id | —
Enable IGMP Snooping | igmp-snooping enable | Required
Enable multicast VLAN | service-type multicast | Required
Return to system view | quit | —
Enter Ethernet port view for the Layer 3 switch | interface interface-type interface-number | —
Define the port as a trunk or hybrid port | port link-type { trunk | hybrid }...
To do... | Use the command... | Remarks
Display information about IP and MAC multicast groups in one or all VLANs | display igmp-snooping group [ vlan vlan-id ] | Available in any view
Clear IGMP Snooping statistics | reset igmp-snooping statistics | Available in user view

IGMP Snooping Configuration Examples

Configuring IGMP Snooping...
[RouterA] multicast routing-enable
[RouterA] interface GigabitEthernet 1/0/1
[RouterA-GigabitEthernet1/0/1] igmp enable
[RouterA-GigabitEthernet1/0/1] pim dm
[RouterA-GigabitEthernet1/0/1] quit
[RouterA] interface GigabitEthernet 1/0/2
[RouterA-GigabitEthernet1/0/2] pim dm
[RouterA-GigabitEthernet1/0/2] quit

Configure Switch A

# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping enable
Enable IGMP-Snooping ok.

# Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable IGMP Snooping in the VLAN.
Configuring Multicast VLAN

Network requirements

As shown in Figure 6-4, Workstation is a multicast source. Switch A forwards multicast data from the multicast source. Switch B, a Layer 2 switch, forwards the multicast data to the end users Host A and Host B.
Network diagram

Figure 6-4 Network diagram for multicast VLAN configuration

Configuration procedure

The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured.

Configure Switch A:

# Set the interface IP address of VLAN 20 to 168.10.1.1 and enable PIM DM on the VLAN interface.
<SwitchA>...
# Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
[SwitchB] vlan 2 to 3
Please wait..Done.
[SwitchB] vlan 10
[SwitchB-vlan10] service-type multicast
[SwitchB-vlan10] igmp-snooping enable
[SwitchB-vlan10] quit

# Define GigabitEthernet 1/0/10 as a hybrid port, add the port to VLAN 2, VLAN 3, and VLAN 10, and configure the port to forward tagged packets for VLAN 2, VLAN 3, and VLAN 10.
The Mechanism of an 802.1x Authentication System  1-3
Encapsulation of EAPoL Messages  1-3
802.1x Authentication Procedure  1-5
Timers Used in 802.1x  1-9
802.1x Implementation on an S5600 Series Switch  1-10
Introduction to 802.1x Configuration  1-13
Basic 802.1x Configuration  1-14
Configuration Prerequisites  1-14
Configuring Basic 802.1x Functions  1-14
...
Layer 3 Error Control  4-1
Configuring System Guard  4-1
Configuring System Guard Against IP Attacks  4-1
Configuring System Guard Against TCN Attacks  4-2
Enabling Layer 3 Error Control  4-3
Displaying and Maintaining System Guard Configuration  4-3
...
The Mechanism of an 802.1x Authentication System Encapsulation of EAPoL Messages 802.1x Authentication Procedure Timers Used in 802.1x 802.1x Implementation on an S5600 Series Switch Architecture of 802.1x Authentication As shown in Figure 1-1, 802.1x adopts a client/server architecture with three entities: a supplicant...
The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-capable network device (such as an H3C series switch). It provides the port (physical or logical) through which the supplicant system accesses the LAN.
By default, a controlled port is a unidirectional port. The way a port is controlled: a port of an H3C series switch can be controlled in the following two ways. Port-based authentication: when a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated once one supplicant system among them passes authentication.
Figure 1-3 The format of an EAPoL packet In an EAPoL packet: The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
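The following is an added worked example, not code from this manual or from H3C, that builds and parses EAPoL frames with the layout just described (PAE Ethernet type 0x888E, protocol version, packet type, body length) and the EAP bodies defined in RFC 3748. The MAC addresses and the identity "localuser" used at the bottom are constructed sample data; the PAE group address 01-80-C2-00-00-03 and the type codes are the IEEE 802.1X values.

```python
"""Build and parse EAPoL frames (IEEE 802.1X).

Added example for this section; it is not H3C code. Layout follows Figure 1-3 and
IEEE 802.1X: Ethernet header, PAE Ethernet type 0x888E, then 1-byte protocol
version, 1-byte packet type and 2-byte body length. EAP bodies follow RFC 3748.
The MAC addresses and identity used in __main__ are constructed sample data.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # EAPoL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY = 1


def build_eapol(src_mac: bytes, pkt_type: int, body: bytes = b"",
                version: int = 1, dst_mac: bytes = PAE_GROUP_ADDR) -> bytes:
    """Return an Ethernet frame carrying one EAPoL packet."""
    if len(src_mac) != 6 or len(dst_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return header + struct.pack("!BBH", version, pkt_type, len(body)) + body


def build_eap_request_identity(identifier: int) -> bytes:
    """EAP-Request/Identity, the authentication trigger the switch sends."""
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)


def build_eap_response_identity(identifier: int, identity: str) -> bytes:
    """EAP-Response/Identity carrying the username the supplicant entered."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data),
                       EAP_TYPE_IDENTITY) + data


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPoL frame, raising ValueError on anything malformed.

    Bytes past the EAPoL length are Ethernet padding and are ignored; a body
    shorter than the length field is rejected rather than read past the end.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL: ethertype 0x{ethertype:04x}")
    version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPoL length field exceeds frame payload")
    result = {"dst": frame[0:6], "src": frame[6:12], "version": version,
              "type": pkt_type, "body": body}
    if pkt_type == EAPOL_EAP_PACKET:
        if length < 4:
            raise ValueError("EAP packet shorter than its 4-byte header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > length:
            raise ValueError("EAP length inconsistent with EAPoL length")
        result.update(eap_code=code, eap_id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            result.update(eap_type=body[4], eap_data=body[5:eap_len])
    return result


if __name__ == "__main__":
    supplicant = bytes.fromhex("001122334455")      # constructed sample MAC
    print(parse_eapol(build_eapol(supplicant, EAPOL_START)))
    resp = build_eapol(supplicant, EAPOL_EAP_PACKET,
                       build_eap_response_identity(7, "localuser"))
    print(parse_eapol(resp + bytes(20)))             # padded frame still parses
```

The two length checks are the part worth copying: an authenticator that trusts the EAPoL or EAP length field without comparing it to the bytes actually received reads past the frame, and a frame padded to the Ethernet minimum size must still parse.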
EAP-message field must also carry the Message-authenticator field. Otherwise, the packet is regarded as invalid and is discarded.

Figure 1-7 The format of a Message-authenticator field

802.1x Authentication Procedure

An H3C S5600 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
EAP relay mode: This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in a higher-level protocol (such as EAPoR, EAP over RADIUS) so that they reach the authentication server unchanged. This mode requires that the RADIUS server support two attributes: EAP-Message (attribute 79) and Message-Authenticator (attribute 80).
feedbacks (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated. The switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network. The supplicant system can also terminate the authenticated state by sending EAPoL-Logoff packets to the switch.
802.1x Implementation on an S5600 Series Switch In addition to the earlier mentioned 802.1x features, an S5600 series switch is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, and so on (This function needs the cooperation of a CAMS server.)
With this function enabled, the switch sends version-requesting packets again if the 802.1x client fails to send a version-reply packet before the version-checking timer expires. The 802.1x client version-checking function requires H3C's 802.1x client program.

The guest VLAN function: The guest VLAN function enables supplicant systems that are not authenticated to access network resources in a restrained way.
The switch sends authentication triggering request (EAP-Request/Identity) packets to all 802.1x-enabled ports. After the maximum number of retries has been made and some ports still have not sent any response back, the switch adds these ports to the guest VLAN. Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated.
The RADIUS server has the switch perform 802.1x re-authentication of users: the RADIUS server sends the switch an Access-Accept packet whose Termination-Action attribute is set to 1 (RADIUS-Request). Upon receiving the packet, the switch re-authenticates the user periodically. You enable 802.1x re-authentication on the switch: with 802.1x re-authentication enabled, the switch re-authenticates users periodically.
Basic 802.1x Configuration Configuration Prerequisites Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme. Ensure that the service type is configured as lan-access (by using the service-type command) if local authentication scheme is adopted.
When a device operates as an authentication server, its authentication method for 802.1x users cannot be configured as EAP. With the support of the H3C proprietary client, handshake packets are used to test whether or not a user is online.
To do...                                              Use the command...            Remarks
Set the maximum retry times to send request packets   dot1x retry max-retry-value   Optional. By default, the maximum retry times to send a request packet is 2. That is, the authenticator system sends a request packet to a supplicant system up to two times by default.
{ logoff | trap }
quit

The proxy checking function needs the cooperation of H3C's 802.1x client (iNode) program.
The proxy checking function depends on the online user handshaking function. To enable proxy checking, you need to enable the online user handshaking function first.
To do...                                 Use the command...                        Remarks
Set the client version checking period   dot1x timer ver-period ver-period-value   Optional. By default, the timer is set to 30 seconds.

As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports.
The guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one guest VLAN can be configured for each switch. The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication. This is because the switch does not send authentication packets in that case.
During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
a real-time accounting packet to the RADIUS servers once in every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated. The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively.
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the password for the switch and the authentication RADIUS servers to exchange messages.
[Sysname-radius-radius1] key authentication name
# Set the password for the switch and the accounting RADIUS servers to exchange messages.
[Sysname-radius-radius1] key accounting money
# Set the interval and the number of the retries for the switch to send packets to the RADIUS servers.
In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the H3C S5600 series provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
Configuring Quick EAD Deployment Configuration Prerequisites Enable 802.1x on the switch. Set the access mode to auto for 802.1x-enabled ports. Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online. If the user has not passed authentication when the ACL timer expires, the occupied ACL resources are released for other users to use. When a large number of access requests are present, you can decrease the timeout period of the ACL timer appropriately for higher utilization of ACL resources.
Configuration procedure Before enabling quick EAD deployment, be sure that: The Web server is configured properly. The default gateway of the user’s PC is configured as the IP address of the connected VLAN interface on the switch. # Configure the URL for HTTP redirection. <Sysname>...
HABP Configuration When configuring HABP, go to these sections for information you are interested in: Introduction to HABP HABP Server Configuration HABP Client Configuration Displaying and Maintaining HABP Configuration Introduction to HABP When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
To do...                                            Use the command...         Remarks
Configure the current switch to be an HABP server   habp server vlan vlan-id   Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure it to be an HABP server.
System Guard Configuration

When configuring System Guard, go to these sections for information you are interested in: System Guard Overview; Configuring System Guard; Displaying and Maintaining System Guard Configuration.

System Guard Overview

Guard Against IP Attacks: System Guard inspects, in 10-second intervals, the IP packets delivered to the CPU, looking for suspicious source IP addresses.
To do...                                                                                    Use the command...                       Remarks
Enable System Guard against IP attacks                                                      system-guard ip enable                   Required. Disabled by default.
Set the maximum number of infected hosts that can be concurrently monitored                 system-guard ip detect-maxnum number     Optional. 30 by default.
Set the maximum number of addresses that the system can learn, the maximum number of ...    system-guard ip...
Because the monitoring cycle is 10 seconds, by default the system sends trap and log information if more than 10 TCN/TC packets are received within 10 seconds. If the TCN/TC packet receiving rate stays below the configured threshold within a 10-second monitoring cycle, the system sends no trap or log information in the next 10-second monitoring cycle.
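The following added example, which is not the switch's implementation and not H3C code, models the two System Guard checks described above (packets delivered to the CPU per source IP, and TCN/TC packets per cycle) as detection logic over a stream of timestamped events, so the effect of the 10-second cycle, the TCN threshold of 10 and the detect-maxnum limit of 30 can be seen on sample data. The per-source packet threshold of 50 and all events in sample_events() are assumptions constructed for this example.

```python
"""Model System Guard monitoring over 10-second cycles.

Added example for this section; it is not the switch's implementation. It
follows the text: per 10-second cycle, count packets sent to the CPU by source
IP and report sources above a threshold while tracking at most detect_maxnum
sources (30 by default); count TCN/TC BPDUs per cycle and raise a trap when the
count exceeds the threshold (10 by default). The per-source IP threshold of 50
and all sample events are assumptions constructed for this example.
"""
from collections import Counter, defaultdict

CYCLE_SECONDS = 10


def cycle_of(timestamp: float) -> int:
    """Map a timestamp (seconds) to its fixed 10-second monitoring cycle."""
    return int(timestamp // CYCLE_SECONDS)


def analyze(events, ip_threshold=50, detect_maxnum=30, tcn_threshold=10):
    """events: iterable of (timestamp, kind, source); kind is 'ip' (a packet to the
    CPU from source) or 'tcn' (a TCN/TC BPDU, source ignored).
    Returns (cycle, alert, source, count) tuples in cycle order."""
    ip_by_cycle = defaultdict(Counter)
    tcn_by_cycle = Counter()
    for ts, kind, src in events:
        if kind == "ip":
            ip_by_cycle[cycle_of(ts)][src] += 1
        elif kind == "tcn":
            tcn_by_cycle[cycle_of(ts)] += 1
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    alerts = []
    for c in sorted(set(ip_by_cycle) | set(tcn_by_cycle)):
        # Only the detect_maxnum most active sources are monitored in a cycle;
        # anything beyond that is invisible to the guard, which is why the
        # default of 30 matters when many hosts misbehave at once.
        for src, n in ip_by_cycle[c].most_common(detect_maxnum):
            if n > ip_threshold:
                alerts.append((c, "ip-attack", src, n))
        if tcn_by_cycle[c] > tcn_threshold:
            alerts.append((c, "tcn-attack", None, tcn_by_cycle[c]))
    return alerts


def sample_events():
    """Constructed sample input, not captured traffic."""
    ev = [(0.05 * i, "ip", "10.1.1.5") for i in range(120)]   # flood in cycle 0
    ev += [(0.1 * i, "ip", "10.1.1.7") for i in range(60)]    # second flooder
    ev += [(1.0, "ip", "10.1.1.6")] * 3                      # normal host
    ev += [(10.0 + 0.5 * i, "tcn", None) for i in range(15)]  # TCN burst, cycle 1
    ev += [(20.0 + i, "tcn", None) for i in range(5)]         # under threshold
    return ev


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

Running it with detect_maxnum=1 shows the second flooder disappearing from the report: the monitored-host limit trades completeness for CPU cost, so do not lower it on a switch that sits in front of many untrusted hosts.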
Table of Contents

1 AAA Overview  1-1
Introduction to AAA  1-1
Authentication  1-1
Authorization  1-2
Accounting  1-2
Introduction to ISP Domain  1-2
Introduction to AAA Services  1-2
Introduction to RADIUS  1-2
Introduction to HWTACACS  1-7
2 AAA Configuration  2-1
AAA Configuration Task List  2-1
Creating an ISP Domain and Configuring Its Attributes  2-2
Configuring an AAA Scheme for an ISP Domain  2-3
Configuring Dynamic VLAN Assignment  2-6
...
Remote RADIUS Authentication of Telnet/SSH Users  2-27
Local Authentication of FTP/Telnet Users  2-28
HWTACACS Authentication and Authorization of Telnet Users  2-30
Troubleshooting AAA  2-31
Troubleshooting RADIUS Configuration  2-31
Troubleshooting HWTACACS Configuration  2-31
3 EAD Configuration  3-1
Introduction to EAD  3-1
Typical Network Application of EAD  3-1
EAD Configuration  3-2
EAD Configuration Example  3-2
...
AAA Overview The configuration of ISP domain delimiter is added. See Creating an ISP Domain and Configuring Attributes. The configuration of HWTACACS authentication scheme for user level switching is added. See Configuring an AAA Scheme for an ISP Domain. The configuration of the MAC address format for the Calling-Station-Id field in RADIUS packets is added.
Remote authentication: Users are authenticated remotely through the RADIUS or HWTACACS protocol. This device (for example, an H3C series switch) acts as the client to communicate with the RADIUS or TACACS server. You can use standard or extended RADIUS protocols in conjunction with such systems as iTELLIN/CAMS for user authentication.
The RADIUS service involves three components: Protocol: RADIUS runs over UDP. RFC 2865 and RFC 2866 define the message format and message transfer mechanism, and define UDP port 1812 for authentication and 1813 for accounting. Server: The RADIUS server runs on a computer or workstation at the center. It stores and maintains user authentication information and network service access information.
Figure 1-2 Basic message exchange procedure of RADIUS The basic message exchange procedure of RADIUS is as follows: The user enters the username and password. The RADIUS client receives the username and password, and then sends an authentication request (Access-Request) to the RADIUS server. The RADIUS server compares the received user information with that in the Users database to authenticate the user.
Figure 1-3 RADIUS message format The Code field (one byte) decides the type of RADIUS message, as shown in Table 1-1. Table 1-1 Description on the major values of the Code field Code Message type Message description Direction: client->server. The client transmits this message to the server to determine if the user can access the network.
The Length field (two bytes) specifies the total length of the message (including the Code, Identifier, Length, Authenticator and Attributes fields). The bytes beyond the length are regarded as padding and are ignored upon reception. If a received message is shorter than what the Length field indicates, it is discarded.
The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS. Figure 1-4 depicts the format of attribute 26. The Vendor-ID field used to identify a vendor occupies four bytes, where the first byte is 0 and the other three bytes hold the enterprise number defined in RFC 1700.
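The following added example, not code from this manual or from H3C, ties together the RADIUS message format described in this section and the EAP relay rule from the 802.1x chapter: it parses a datagram the way the Length field requires (shorter than Length is discarded, bytes past Length are padding), decodes Vendor-Specific attribute 26 with its 4-byte Vendor-ID, and checks that any packet carrying EAP-Message (79) also carries a valid Message-Authenticator (80), the HMAC-MD5 defined in RFC 3579. The shared secret "money", the vendor ID 12345 and the packet assembled at the bottom are constructed sample data, not values from any real deployment.

```python
"""Parse RADIUS packets and enforce the Message-Authenticator rule for EAP relay.

Added example for this section; it is not H3C code. Layout follows RFC 2865
(Code, Identifier, Length, 16-byte Authenticator, TLV attributes; attribute 26
carries a 4-byte Vendor-ID whose first byte is 0) and RFC 3579 (a packet with
EAP-Message 79 must carry Message-Authenticator 80, an HMAC-MD5 keyed with the
shared secret over the packet with the MA value zeroed). The shared secret,
vendor ID 12345 and the packet built in __main__ are constructed sample data.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def build_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-ID, then a vendor TLV (RFC 2865 section 5.26)."""
    vendor_tlv = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + vendor_tlv)


def build_access_request(secret: bytes, identifier: int, attrs: list,
                         authenticator: bytes = None) -> bytes:
    """Assemble an Access-Request and append a correct Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(attrs) + build_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet += authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac            # MA is the last attribute: its value is the tail


def parse_radius(datagram: bytes) -> dict:
    """Parse one datagram: discard if shorter than Length, ignore bytes past it."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > 4096:
        raise ValueError(f"invalid Length {length}")
    if len(datagram) < length:
        raise ValueError("datagram shorter than Length field: discard")
    packet = datagram[:length]           # anything beyond Length is padding
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6 or value[0] != 0 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("malformed Vendor-Specific attribute")
            value = {"vendor_id": struct.unpack("!I", value[:4])[0],
                     "vendor_type": value[4], "value": value[6:4 + value[5]]}
        attrs.append((atype, value))
        pos += alen
    return {"code": code, "identifier": identifier,
            "authenticator": packet[4:20], "attrs": attrs, "raw": packet}


def check_message_authenticator(parsed: dict, secret: bytes) -> bool:
    """True if the packet is acceptable: EAP-Message present implies a valid MA."""
    packet, types = parsed["raw"], [t for t, _ in parsed["attrs"]]
    if ATTR_EAP_MESSAGE not in types:
        return True                      # the rule applies only to EAP packets
    if ATTR_MESSAGE_AUTHENTICATOR not in types:
        return False                     # EAP-Message without MA: invalid, discard
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


if __name__ == "__main__":
    secret = b"money"                    # constructed, matches nothing real
    eap = build_attr(ATTR_EAP_MESSAGE, bytes([2, 7, 0, 14, 1]) + b"localuser")
    pkt = build_access_request(secret, 5, [build_attr(ATTR_USER_NAME, b"localuser"),
                                          eap, build_vsa(12345, 1, b"x")])
    parsed = parse_radius(pkt + bytes(2))
    print(parsed["attrs"], check_message_authenticator(parsed, secret))
```

The Message-Authenticator is the only thing that binds an EAP-carrying Access-Request to the shared secret, which is why the switch discards EAP packets without it; the same check is the first thing to look at when a RADIUS server logs "invalid Message-Authenticator" after a shared-key change on one side only.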
password to the TACACS server for authentication. After passing authentication and being authorized, the user successfully logs into the switch to perform operations.

Figure 1-5 Network diagram for a typical HWTACACS application (a host connected to an HWTACACS client that communicates with HWTACACS servers)

Basic message exchange procedure in HWTACACS

The following text takes a Telnet user as an example to describe how HWTACACS implements authentication, authorization, and accounting for a user.
The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username. Upon receiving the response, the TACACS client requests the user for the username.
AAA Configuration

AAA Configuration Task List

You need to configure AAA to provide network access services for legitimate users while protecting network devices and preventing unauthorized access and repudiation. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain):

Task  Remarks...
Task                                                     Remarks
Creating an ISP Domain and Configuring Its Attributes    Required
Configuring separate AAA schemes                         Required. With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively.
Configuring an AAA Scheme for an ISP Domain              Required. You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
Note that: On an S5600 series switch, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the username, the switch assumes that the user belongs to the default ISP domain.
To do...                                                                                Use the command...                                                        Remarks
Enter system view                                                                       system-view                                                               —
Create an ISP domain and enter its view, or enter the view of an existing ISP domain    domain isp-name                                                           Required
Configure an AAA scheme for the ISP domain                                              scheme { local | none | radius-scheme radius-scheme-name [ local ] | ...  Required. By default, an ISP...
RADIUS or local scheme still takes effect even if the authorization none command is executed. The S5600 series switches adopt hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring a HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.
If you configure only a separate authentication scheme (that is, there are no separate authorization and accounting schemes configured), the combined scheme is used for authorization and accounting. In this case, if the combined scheme uses RADIUS or HWTACACS, the system never uses the secondary scheme for authorization and accounting.
In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for example).
To do...                                           Use the command...                                         Remarks
Enter system view                                  system-view                                                —
Set the password display mode of all local users   local-user password-display-mode { cipher-force | auto }   Optional. By default, the password display mode of all access users is auto, indicating that the passwords of access users are displayed in the modes set by the password command.
RADIUS Configuration Task List H3C’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client):...
Task                                                                      Remarks
Creating a RADIUS Scheme                                                  Required
Configuring the RADIUS client:
  Configuring RADIUS Authentication/Authorization Servers                 Required
  Configuring RADIUS Accounting Servers                                   Required
  Configuring Shared Keys for RADIUS Messages                             Optional
  Configuring the Maximum Number of RADIUS Request Transmission Attempts  Optional
  Configuring the Type of RADIUS Servers to be Supported                  Optional
  Configuring the Status of RADIUS Servers...
creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a RADIUS scheme: primary server and secondary server.
Create a RADIUS scheme and enter its view                                                     radius scheme radius-scheme-name   Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set the IP address and port number of the primary RADIUS authentication/authorization server  primary authentication ...         Required. By default, the IP address and UDP port number of the...
Set the IP address and port number of the secondary RADIUS accounting server   secondary accounting ip-address [ port-number ]   Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme.
To do...                                                    Use the command...                 Remarks
Enter system view                                           system-view                        —
Create a RADIUS scheme and enter its view                   radius scheme radius-scheme-name   Required. By default, a RADIUS scheme named "system" has already been created in the system.
Set a shared key for RADIUS authentication/authorization    key authentication string          Required. By default, no shared key is...
Create a RADIUS scheme and enter its view              radius scheme radius-scheme-name      Required. By default, a RADIUS scheme named "system" has already been created in the system.
Configure the type of RADIUS servers to be supported   server-type { extended | standard }   Optional. If you change the RADIUS server type, the units of data flows sent to RADIUS servers will be restored to the defaults.
Set the status of the secondary RADIUS authentication/authorization server   state secondary authentication { block | active }
Set the status of the secondary RADIUS accounting server                     state secondary accounting { block | active }

Configuring the Attributes of Data to be Sent to RADIUS Servers

Follow these steps to configure the attributes of data to be sent to RADIUS servers:

To do...
Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names.
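The following added example, not the switch's code and not from H3C, models the username handling described here and in the ISP domain section: the part after "@" or "." selects the ISP domain, a name with no delimiter lands in the default domain, the domain list is bounded (16 on this switch), and the domain can be stripped before the name goes to a server that cannot accept it. It also includes the string-mode VLAN rule from the dynamic VLAN section (an all-digit string is tried as a VLAN ID in 1 to 4094 first). Assumptions made here and not stated by the manual: "@" is tried before ".", the first occurrence of a delimiter splits the name (so a userid that itself contains "." is split too, which is the reason the delimiter is configurable), and an all-digit string outside the VLAN ID range falls back to a VLAN name lookup. Domain and VLAN names are sample data.

```python
"""Resolve the ISP domain of an access user and a RADIUS-assigned VLAN.

Added example for this section; it is not the switch's code. It follows the
text: usernames take the form userid@isp-name or userid.isp-name, the part
after the delimiter selects the ISP domain, a name without a delimiter falls
into the default domain, at most 16 ISP domains exist, and the domain part can
be stripped before the name is sent to a server that cannot accept it. In
string mode an all-digit VLAN string is first tried as a VLAN ID (1-4094).
Assumptions: '@' is tried before '.', the first delimiter occurrence splits the
name, and an out-of-range digit string is looked up as a VLAN name instead.
"""
MAX_ISP_DOMAINS = 16
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094


def split_username(username: str, delimiters=("@", ".")):
    """Return (userid, isp-name); isp-name is None if no delimiter is present."""
    for delim in delimiters:
        if delim in username:
            userid, _, domain = username.partition(delim)
            if not userid or not domain:
                raise ValueError(f"empty userid or domain in {username!r}")
            return userid, domain
    return username, None


def name_for_server(username: str, without_domain: bool) -> str:
    """Username as sent to the RADIUS/TACACS server (user-name-format handling)."""
    return split_username(username)[0] if without_domain else username


class DomainTable:
    """The switch's ISP domain list: a fixed default domain, bounded size."""

    def __init__(self, default_domain: str = "system"):
        self.default = default_domain
        self.domains = {default_domain}

    def add(self, name: str) -> None:
        if name not in self.domains and len(self.domains) >= MAX_ISP_DOMAINS:
            raise ValueError(f"at most {MAX_ISP_DOMAINS} ISP domains")
        self.domains.add(name)

    def resolve(self, username: str):
        """Return (userid, domain), or None if the named domain does not exist."""
        userid, domain = split_username(username)
        domain = domain or self.default
        return (userid, domain) if domain in self.domains else None


def resolve_vlan(assigned: str, vlans_by_name: dict):
    """String mode: digits are tried as a VLAN ID first, otherwise as a VLAN name."""
    if assigned.isdigit():
        vid = int(assigned)
        if VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
            return vid
    return vlans_by_name.get(assigned)      # None if no VLAN carries that name


if __name__ == "__main__":
    table = DomainTable()
    table.add("isp1")                        # sample domain name
    print(table.resolve("localuser"), table.resolve("bob@isp1"), table.resolve("bob@isp2"))
    print(resolve_vlan("1024", {}), resolve_vlan("guests", {"guests": 30}))
```

The security-relevant point is in resolve(): a username naming a domain that does not exist on the switch must fail, not silently fall into the default domain, otherwise a user can pick whichever domain has the weakest scheme. Whether the domain is stripped before the server sees the name also decides which server-side account the credentials are checked against, so set user-name-format consistently for every scheme that points at the same server.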
adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical to the authentication/authorization message encryption key set by the key authentication command in RADIUS scheme view on the NAS that uses this switch as its authentication server.
Set the response timeout time of RADIUS servers                                              timer response-timeout seconds   Optional. By default, the response timeout time of RADIUS servers is three seconds.
Set the time that the switch waits before it tries to re-communicate with the primary servers   timer quiet minutes              Optional. By default, the switch waits five minutes before it restores the...
user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem. After this function is enabled, every time the switch restarts: The switch generates an Accounting-On message, which mainly contains the following information: NAS-ID, NAS-IP-address (source IP address), and session ID.
HWTACACS Configuration Task List

Complete the following tasks to configure HWTACACS:

Task                                                            Remarks
Creating a HWTACACS Scheme                                      Required
Configuring the TACACS client:
  Configuring TACACS Authentication Servers                     Required
  Configuring TACACS Authorization Servers                      Required
  Configuring TACACS Accounting Servers                         Optional
  Configuring Shared Keys for HWTACACS Messages                 Optional
  Configuring the Attributes of Data to be Sent to TACACS ...   Optional...
Create a HWTACACS scheme and enter its view                                       hwtacacs scheme hwtacacs-scheme-name           Required. By default, no HWTACACS scheme exists.
Set the IP address and port number of the primary TACACS authentication server    primary authentication ip-address [ port ]     Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port...
You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. You can remove a server only when it is not used by any active TCP connection for sending authorization messages.
The TACACS client and server use the MD5 algorithm, keyed with the shared key, to obfuscate the body of HWTACACS messages before they are exchanged between the two parties. Each party checks the validity of the HWTACACS messages it receives using the shared key set on it, and can accept and respond to the messages only when both parties hold the same shared key. Note that this MD5-derived keystream hides the body from casual inspection but provides no integrity protection of its own, so use a long, random shared key and keep HWTACACS traffic on a protected management path.
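The following added example, not H3C code, implements the standard TACACS+ body obfuscation from RFC 8907 section 4.5, which is the MD5-and-shared-key construction referred to above; the assumption made here is that HWTACACS uses the same construction. It builds an authentication START packet, de-obfuscates it with the right and with a wrong key, and shows that the only thing that reveals a key mismatch is the body's own length fields no longer adding up. The shared key "aabbcc", the session ID and the user data are constructed sample values.

```python
"""TACACS+ body obfuscation with the MD5 pseudo-pad (RFC 8907 section 4.5).

Added example for this section; it is not H3C code. The text says the HWTACACS
client and server protect messages with MD5 and the shared key; this block
implements the standard TACACS+ construction, which HWTACACS is assumed here
to share: pad_1 = MD5(session_id || key || version || seq_no), pad_n =
MD5(session_id || key || version || seq_no || pad_n-1), body XOR pad. The
12-byte header is never obfuscated. Key, session ID and user data are constructed.
"""
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_VERSION = 0xC0                  # major version 12, minor 0
TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: chained MD5 digests, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(pkt_type: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, pkt_type, seq_no, flags,
                         session_id, len(body))
    payload = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    return header + payload


def open_packet(packet: bytes, key: bytes) -> dict:
    """Split header and body, de-obfuscating with the key we hold."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the TACACS+ header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("body length does not match the header")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def build_authen_start(user: str, port: str, rem_addr: str, data: bytes = b"",
                       action=1, priv_lvl=1, authen_type=1, service=1) -> bytes:
    """Authentication START body (RFC 8907 5.1); defaults: LOGIN, ASCII, login service."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", action, priv_lvl, authen_type, service,
                       len(u), len(p), len(r), len(data)) + u + p + r + data


def parse_authen_start(body: bytes) -> dict:
    """Parse a START body; a wrong shared key shows up only as inconsistent lengths."""
    if len(body) < 8:
        raise ValueError("START body too short")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("field lengths do not add up: corrupt body or wrong shared key")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


if __name__ == "__main__":
    key = b"aabbcc"                                   # constructed shared key
    start = build_authen_start("localuser", "vty0", "10.110.91.164")
    wire = build_packet(TAC_PLUS_AUTHEN, 1, 0x12345678, start, key)
    print(parse_authen_start(open_packet(wire, key)["body"]))
    try:
        parse_authen_start(open_packet(wire, b"wrong")["body"])
    except ValueError as exc:
        print("wrong key:", exc)
```

Because the keystream is derived from the session ID, version and sequence number alone, two sessions that reuse a session ID share a pad, and an attacker who knows one plaintext recovers the other; a good client picks session IDs from a CSPRNG. Nothing in the format authenticates the body, so a mismatched key is indistinguishable from corruption until the lengths fail to parse.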
Generally, the access users are named in the userid@isp-name or userid.isp-name format. Where, isp-name after the “@” or “.” character represents the ISP domain name. If the TACACS server does not accept the usernames that carry ISP domain names, it is necessary to remove domain names from usernames before they are sent to TACACS server.
Displaying and Maintaining AAA Configuration

To do...                                                                   Use the command...                                                                                                          Remarks
Display configuration information about one specific or all ISP domains   display domain [ isp-name ]                                                                                                 Available in...
Display information about user ...                                         display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ...
Display buffered non-response stop-accounting requests   display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name ...
Clear HWTACACS message statistics                        reset hwtacacs statistics { accounting | authentication | authorization | all }   Available in user view
Delete buffered non-response stop-accounting requests    reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name                Available in user view

AAA Configuration Examples

Remote RADIUS Authentication of Telnet/SSH Users

The configuration procedure for remote authentication of SSH users by a RADIUS server is similar to that for Telnet users.
Network diagram

Figure 2-1 Remote RADIUS authentication of Telnet users (RADIUS server 10.110.91.164/16; the Telnet user reaches the switch across the Internet)

Configuration procedure

# Enter system view.
<Sysname> system-view
# Adopt AAA authentication for Telnet users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] quit
# Configure an ISP domain.
The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 2-2, you are required to configure the switch so that the Telnet users logging into the switch are authenticated locally.
Change the server IP address, and the UDP port number of the authentication server to 127.0.0.1, and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users. Enable the local RADIUS server function, set the IP address and shared key for the network access server to 127.0.0.1 and aabbcc, respectively.
[Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other.
EAD Configuration

Introduction to EAD

Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints.
After the client is patched and compliant with the required security standard, the security policy server reissues an ACL to the switch, which then assigns access rights to the client so that the client can access more network resources.
EAD Configuration
The EAD configuration includes:
Configuring the attributes of access users (such as username, user type, and password).
Network diagram
Figure 3-2 EAD configuration
Configuration procedure
# Configure 802.1x on the switch. Refer to “Configuring 802.1x” in 802.1x and System Guard Configuration.
# Configure a domain.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] quit
# Configure a RADIUS scheme.
[Sysname] radius scheme cams
[Sysname-radius-cams] primary authentication 10.110.91.164 1812
[Sysname-radius-cams] accounting optional...
Table of Contents
1 Web Authentication Configuration 1-1
Introduction to Web Authentication 1-1
Web Authentication Configuration 1-1
Configuration Prerequisites 1-1
Configuring Web Authentication 1-1
Displaying and Maintaining Web Authentication 1-3
Web Authentication Configuration Example 1-3...
Web Authentication Configuration
When configuring Web authentication, go to these sections for information you are interested in:
Introduction to Web Authentication
Web Authentication Configuration
Displaying and Maintaining Web Authentication
Web Authentication Configuration Example
Introduction to Web Authentication
Web authentication is a port-based authentication method that is used to control the network access rights of users.
To do… | Use the command… | Remarks
Set the IP address and port number of the Web authentication server | web-authentication web-server ip ip-address [ port port-number ] | Required. If no port number is specified, port 80 will be used. No Web authentication server is set by default.
Before enabling global Web authentication, you should first set the IP address of a Web authentication server. Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and IRF. You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect.
Network diagram
Figure 1-1 Web authentication for user
Configuration procedure
# Perform DHCP-related configuration on the DHCP server. (It is assumed that the user will automatically obtain an IP address through the DHCP server.)
# Set the IP address and port number of the Web authentication server.
<Sysname>...
# Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
[Sysname] domain aabbcc.net
# Configure domain aabbcc.net as the default user domain.
[Sysname] domain default enable aabbcc.net
# Reference scheme radius1 in domain aabbcc.net.
[Sysname-isp-aabbcc.net] scheme radius-scheme radius1
# Enable Web authentication globally.
Table of Contents
1 MAC Address Authentication Configuration 1-1
MAC Address Authentication Overview 1-1
Performing MAC Address Authentication on a RADIUS Server 1-1
Performing MAC Address Authentication Locally 1-2
Related Concepts 1-2
MAC Address Authentication Timers 1-2
Quiet MAC Address 1-2
Configuring Basic MAC Address Authentication Functions 1-3
MAC Address Authentication Enhanced Function Configuration 1-4
MAC Address Authentication Enhanced Function Configuration Task List 1-4
Configuring a Guest VLAN 1-4...
During authentication, the user does not need to enter username or password manually. For S5600 Series Ethernet switches, MAC address authentication can be implemented locally or on a RADIUS server. After determining the authentication method, users can select one of the following types of user name as required: MAC address mode, where the MAC address of a user serves as the user name for authentication.
In MAC address mode, the switch sends the MAC addresses detected to the RADIUS server as both the user names and passwords, or sends the MAC addresses detected to the RADIUS server as the user names and uses the configured fixed password as the password. In fixed mode, the switch sends the user name and password previously configured for the user to the RADIUS server for authentication.
Configuring Basic MAC Address Authentication Functions
Follow these steps to configure basic MAC address authentication functions:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable MAC address authentication globally | mac-authentication | Required. Disabled by default
Enable MAC address authentication on ports | In system view: mac-authentication interface interface-list. In interface view: interface interface-type...
If MAC address authentication is enabled on a port, you cannot configure the maximum number of dynamic MAC address entries for that port (through the mac-address max-mac-count command), and vice versa. If MAC address authentication is enabled on a port, you cannot configure port security (through the port-security enable command) on that port, and vice versa.
passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally. Guest VLANs are implemented in the mode of adding a port to a VLAN. For example, when multiple users are connected to a port, if the first user fails in the authentication, the other users can access only the contents of the Guest VLAN.
If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
# Set the user name in MAC address mode for MAC address authentication, requiring hyphenated lowercase MAC addresses as the usernames and passwords.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
# Add a local user. Specify the user name and password.
[Sysname] local-user 00-0d-88-f6-44-c1
[Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
# Set the service type to lan-access.
Table of Contents
1 VRRP Configuration 1-1
VRRP Overview 1-1
Introduction to VRRP Group 1-2
Virtual Router Overview 1-4
VRRP Timer 1-5
VRRP Tracking 1-6
Operation Procedure of VRRP 1-6
Periodical sending of ARP packets in a VRRP Group 1-7
VRRP Configuration 1-7
Configuring Basic VRRP Functions 1-7
Configuring Advanced VRRP Functions 1-8
Displaying and Maintaining VRRP 1-10
VRRP Configuration Examples 1-10...
VRRP Configuration
When configuring VRRP, go to these sections for information you are interested in:
VRRP Overview
VRRP Configuration
Displaying and Maintaining VRRP
VRRP Configuration Examples
Troubleshooting VRRP
For modifications of command keywords, refer to Configuring VRRP authentication type and authentication key for a member switch, Configuring VRRP...
Figure 1-1 LAN networking (Network; Switch 10.100.10.1/24; Ethernet; Host 1 10.100.10.7/24, Host 2 10.100.10.8/24, Host 3 10.100.10.9/24)
The networking illustrated in Figure 1-1 requires high stability of the default gateway. Normally, egress gateways are added to improve system reliability. In this case, the problem of how to route between the multiple egresses needs to be solved.
Hosts in the LAN only know the IP address of this virtual router, that is, 10.100.10.1, but not the specific IP addresses 10.100.10.2 of the master and 10.100.10.3 of the backup. If the master in the VRRP group goes down, the backups in the VRRP group will reelect a master by priority.
IP address of a virtual router is successful. For S5600 series Ethernet switches, you can specify whether the switches in a VRRP group respond to the ping operations destined for the virtual router IP addresses.
IP address is configured. Hosts send packets to gateways for layer 3 forwarding according to this virtual MAC address. For S5600 series Ethernet switches, you can map multiple virtual router IP addresses of the VRRP group to one virtual MAC address.
If you configure a preemption delay for a backup, the backup preempts the master if it receives no VRRP advertisement from the master within a period of three times the advertisement interval plus the configured preemption delay.
VRRP Tracking
If an IP address owner exists in a VRRP group, you can configure a priority for the IP address owner.
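To make the election, preemption and tracking rules above concrete, here is an added Python model of a two-router VRRP group; it is not from the manual or the H3C software. The router names, priorities, the priority reduction applied while a tracked interface is down, the RFC 3768 tie-break by real IP address and the failure sequences it replays are all assumptions.

```python
from dataclasses import dataclass

IP_OWNER_PRIORITY = 255   # the router that owns the virtual IP address always has priority 255


@dataclass
class Router:
    name: str
    ip: str                   # real interface address, used only as a tie-break
    priority: int = 100       # configured priority; the manual's default is 100
    alive: bool = True
    tracked_if_up: bool = True
    track_reduce: int = 0     # priority subtracted while the tracked interface is down

    def effective_priority(self) -> int:
        """Priority the router actually advertises in its current state."""
        if not self.alive:
            return 0
        if self.priority == IP_OWNER_PRIORITY:
            return IP_OWNER_PRIORITY          # tracking never lowers the IP address owner
        if not self.tracked_if_up:
            return max(1, self.priority - self.track_reduce)
        return self.priority


def ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def master_down_interval(adver_interval: float, preempt_delay: float = 0.0) -> float:
    """Seconds a backup waits without advertisements before it preempts:
    three advertisement intervals plus the configured preemption delay."""
    return 3 * adver_interval + preempt_delay


class VrrpGroup:
    def __init__(self, vrid: int, virtual_ip: str, routers, preempt_mode: bool = True):
        self.vrid = vrid
        self.virtual_ip = virtual_ip
        self.routers = {r.name: r for r in routers}
        self.preempt_mode = preempt_mode    # the manual's default is preemptive mode
        self.master = None
        self.reelect()

    def best_candidate(self) -> Router:
        # Highest effective priority wins; on a tie the higher real IP address
        # wins (the RFC 3768 tie-break, an assumption beyond the manual's text).
        return max(self.routers.values(),
                   key=lambda r: (r.effective_priority(), ip_key(r.ip)))

    def reelect(self) -> str:
        """Re-run the election after a state change and return the master's name."""
        current = self.routers.get(self.master) if self.master else None
        if current is None or not current.alive:
            self.master = self.best_candidate().name    # master gone: backups reelect by priority
        elif self.preempt_mode:
            best = self.best_candidate()
            if best.effective_priority() > current.effective_priority():
                self.master = best.name                 # a higher-priority backup takes over
        # without preemption a working master keeps its role whatever the priorities
        return self.master


def tracking_scenario(preempt_mode: bool = True) -> list:
    """Replays the manual's interface-tracking case with constructed values:
    LSW-A (priority 110) loses 30 while its uplink VLAN interface is down."""
    a = Router("LSW-A", "202.38.160.2", priority=110, track_reduce=30)
    b = Router("LSW-B", "202.38.160.3", priority=100)
    group = VrrpGroup(1, "202.38.160.111", [a, b], preempt_mode)
    history = [group.master]
    a.tracked_if_up = False            # uplink fails: A now advertises 80 < 100
    history.append(group.reelect())
    a.tracked_if_up = True             # uplink recovers: A advertises 110 again
    history.append(group.reelect())
    return history


def failover_scenario(preempt_mode: bool = True) -> list:
    """LSW-A fails completely (no advertisements at all) and later returns."""
    a = Router("LSW-A", "202.38.160.2", priority=110)
    b = Router("LSW-B", "202.38.160.3", priority=100)
    group = VrrpGroup(1, "202.38.160.111", [a, b], preempt_mode)
    history = [group.master]
    a.alive = False
    history.append(group.reelect())
    a.alive = True
    history.append(group.reelect())
    return history


if __name__ == "__main__":
    print("tracking, preemptive:", tracking_scenario(True))
    print("tracking, non-preemptive:", tracking_scenario(False))
    print("failover, non-preemptive:", failover_scenario(False))
    print("backup waits", master_down_interval(1, 5), "s before preempting")
```

Note that interface tracking only hands the gateway role over when preemption is on: a master whose priority has merely dropped keeps sending advertisements, and a non-preemptive backup never takes over from a live master.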
Periodical sending of ARP packets in a VRRP Group
If a VRRP group exists on a network, the master sends gratuitous ARP packets periodically to hosts on the network, which then update their local ARP tables, ensuring that no device on this network uses the same IP address as the VRRP virtual router.
To do… | Use the command… | Remarks
Configure the priority of the VRRP group | vrrp vrid virtual-router-id priority priority | Optional. 100 by default.
It is not recommended to configure features related to a VRRP group on the Layer 3 interface of a remote-probe VLAN.
To do… | Use the command… | Remarks
Configure the authentication type and authentication key | vrrp vrid virtual-router-id authentication-mode authentication-type authentication-key | Optional. No authentication is performed by default.
Configuring VRRP timer
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter VLAN interface view | interface Vlan-interface... | —...
Displaying and Maintaining VRRP
To do… | Use the command… | Remarks
Display VRRP statistics information | display vrrp statistics [ interface vlan-interface vlan-id [ vrid virtual-router-id ] ] | Available in any view
Display VRRP state information | display vrrp [ verbose ] [ interface vlan-interface vlan-id [ vrid virtual-router-id ] ] | Available in any view
reset vrrp statistics [ interface...
Network diagram
Figure 1-3 Network diagram for single-VRRP group configuration (labels: Host B 10.2.3.1/24; Internet; LSW A and LSW B; Vlan-int3 10.100.10.2/24 and 10.100.10.3/24; Vlan-int2 202.38.160.1/24, 202.38.160.2/24 and 202.38.160.3/24; virtual IP address 202.38.160.111/24; Host A)
Configuration procedure
Configure Switch A.
# Configure VLAN 3.
<LSW-A>...
# Configure the preemptive mode for the VRRP group.
[LSW-A-Vlan-interface2] vrrp vrid 1 preempt-mode
By default, a VRRP group adopts the preemptive mode.
Configure Switch B.
# Configure VLAN 3.
<LSW-B> system-view
[LSW-B] vlan 3
[LSW-B-vlan3] port GigabitEthernet1/0/10
[LSW-B-vlan3] quit
[LSW-B] interface Vlan-interface 3
[LSW-B-Vlan-interface3] ip address 10.100.10.3 255.255.255.0
[LSW-B-Vlan-interface3] quit...
VRRP Tracking Interface Configuration
Network requirements
Even while Switch A is still functioning, Switch B (which has its own link to the outside) should take over as the gateway when the interface on Switch A that connects to the Internet stops working properly.
# Configure that the virtual router can be pinged.
[LSW-A] vrrp ping-enable
# Create a VRRP group.
[LSW-A] interface Vlan-interface 2
[LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Set the priority for the VRRP group.
[LSW-A-Vlan-interface2] vrrp vrid 1 priority 110
# Set the authentication type for the VRRP group to md5, and the password to abc123.
When VLAN-interface 3 recovers, Switch A will resume its gateway function as the master.
Multiple-VRRP Group Configuration
Network requirements
A switch can function as a backup in multiple VRRP groups. Multiple-VRRP group configuration can implement load balancing. For example, Switch A acts as the master of VRRP group 1 and a backup in VRRP group 2.
[LSW-A-vlan2] port GigabitEthernet 1/0/6
[LSW-A-vlan2] quit
[LSW-A] interface Vlan-interface 2
[LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0
# Create VRRP group 1.
[LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
# Set the priority for VRRP group 1.
[LSW-A-Vlan-interface2] vrrp vrid 1 priority 150
# Create VRRP group 2.
The actual IP addresses of the master and the backups are 10.100.10.2 and 10.100.10.3 respectively. The master is connected to the upstream network through its GigabitEthernet 1/0/1 port. The backup is connected to the upstream network through its GigabitEthernet 1/0/2 port. The virtual router IP address of the VRRP group is 10.100.10.1.
ARP Configuration
When configuring ARP, go to these sections for information you are interested in:
Introduction to ARP
Configuring ARP
Configuring Gratuitous ARP
Displaying and Debugging ARP
ARP Configuration Examples
The ARP attack detection feature is added to this manual. For details, refer to section Introduction to ARP Attack Detection.
ARP Message Format
ARP messages are classified as ARP request messages and ARP reply messages. Figure 1-1 illustrates the format of these two types of ARP messages. In an ARP request, all the fields except the hardware address of the receiver are set; the hardware address of the receiver is what the sender requests.
S5600 series Ethernet switches provide the display arp command to display the information about ARP mapping entries. ARP entries in an S5600 series Ethernet switch can either be static entries or dynamic entries, as described in Table 1-3.
Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
To guard against such attacks, S5600 series Ethernet switches support the ARP packet rate limit function, which shuts down the attacked port and thus prevents serious impact on the CPU.
value, the switch considers that the port is attacked by ARP packets. In this case, the switch will shut down the port. As the port does not receive any packet, the switch is protected from the ARP packet attack. At the same time, the switch supports automatic recovery of port state. If a port is shut down by the switch due to high packet rate, the port will revert to the Up state after a configured period of time.
To do… | Use the command… | Remarks
Enable the ARP entry checking function (that is, disable the switch from learning ARP entries with multicast MAC addresses) | arp check enable | Optional. Enabled by default.
Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations, such as removing a VLAN or removing a port from a VLAN, make the corresponding ARP entries invalid, so they are removed automatically.
DHCP Operation in this manual. Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S5600 series Ethernet switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet is different from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack detection based on the IP-to-MAC bindings.
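As an added example that is not the switch's own implementation, the following Python replays the two port protections just described on constructed ARP traffic: the per-port rate limit with protective-down and auto recovery from the rate limit section above, and ARP attack detection against IP-to-MAC bindings, which also rejects a packet whose VLAN tag differs from the receiving port's default VLAN. The port names, MAC addresses, rate limit value and timestamps are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """IP-to-MAC binding on a port (from DHCP snooping or static configuration);
    its VLAN is the port's default VLAN, as the text above notes."""
    port: str
    vlan: int
    ip: str
    mac: str


@dataclass(frozen=True)
class ArpPacket:
    time: float        # seconds (constructed timestamps)
    port: str          # receiving port
    vlan_tag: int
    sender_ip: str
    sender_mac: str


def binding_verdict(pkt, bindings, port_default_vlan) -> str:
    """ARP attack detection for one packet: 'ok', 'vlan mismatch' or 'no binding'."""
    if pkt.vlan_tag != port_default_vlan.get(pkt.port):
        return "vlan mismatch"   # tag differs from the receiving port's default VLAN
    for b in bindings:
        if (b.port, b.vlan, b.ip, b.mac) == (pkt.port, pkt.vlan_tag, pkt.sender_ip, pkt.sender_mac):
            return "ok"
    return "no binding"


class ArpRateLimiter:
    """Per-port ARP packet rate limit: a port whose ARP count within one second
    exceeds the limit is shut down and, with auto recovery enabled, comes back up
    after recover_interval seconds (200 seconds in the manual's example)."""

    def __init__(self, limit_pps, recover_enable=True, recover_interval=200):
        self.limit_pps = limit_pps
        self.recover_enable = recover_enable
        self.recover_interval = recover_interval
        self.window = {}       # port -> (second, packets seen in that second)
        self.down_since = {}   # port -> time the port was shut down
        self.events = []       # (time, port, "shut down" | "recovered")

    def port_is_up(self, port, now) -> bool:
        if port not in self.down_since:
            return True
        if self.recover_enable and now - self.down_since[port] >= self.recover_interval:
            del self.down_since[port]
            self.events.append((now, port, "recovered"))
            return True
        return False

    def accept(self, port, now) -> bool:
        """Count one ARP packet on a port; False means it is not admitted."""
        if not self.port_is_up(port, now):
            return False
        second = int(now)
        last_second, count = self.window.get(port, (second, 0))
        count = count + 1 if last_second == second else 1
        self.window[port] = (second, count)
        if count > self.limit_pps:
            self.down_since[port] = now    # protective down: the port receives nothing more
            self.events.append((now, port, "shut down"))
            return False
        return True


def process(packets, bindings, port_default_vlan, limiter):
    """Rate limit first, then attack detection; returns (accepted count, dropped list)."""
    accepted, dropped = 0, []
    for pkt in sorted(packets, key=lambda p: p.time):
        if not limiter.accept(pkt.port, pkt.time):
            dropped.append((pkt.time, pkt.port, "rate limit"))
            continue
        verdict = binding_verdict(pkt, bindings, port_default_vlan)
        if verdict == "ok":
            accepted += 1
        else:
            dropped.append((pkt.time, pkt.port, verdict))
    return accepted, dropped


def run_sample() -> dict:
    """Constructed traffic: a 25 pps ARP burst on GigabitEthernet1/0/2, normal ARP on
    GigabitEthernet1/0/3, one ARP claiming the gateway IP and one wrongly tagged ARP."""
    ge2, ge3 = "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"
    port_default_vlan = {ge2: 10, ge3: 10}
    bindings = {Binding(ge2, 10, "192.168.1.10", "00-0d-88-aa-bb-01"),
                Binding(ge3, 10, "192.168.1.11", "00-0d-88-aa-bb-02")}
    packets = [ArpPacket(10.0 + i * 0.01, ge2, 10, "192.168.1.10", "00-0d-88-aa-bb-01")
               for i in range(25)]
    packets += [ArpPacket(11.0 + i, ge3, 10, "192.168.1.11", "00-0d-88-aa-bb-02") for i in range(3)]
    packets.append(ArpPacket(14.0, ge3, 10, "192.168.1.1", "00-0d-88-aa-bb-02"))   # gateway IP claimed
    packets.append(ArpPacket(15.0, ge3, 20, "192.168.1.11", "00-0d-88-aa-bb-02"))  # wrong VLAN tag
    packets.append(ArpPacket(215.0, ge2, 10, "192.168.1.10", "00-0d-88-aa-bb-01")) # after recovery
    limiter = ArpRateLimiter(limit_pps=20)                # the limit value is an assumption
    accepted, dropped = process(packets, bindings, port_default_vlan, limiter)
    return {"accepted": accepted, "dropped": dropped, "events": limiter.events}
```

Run `run_sample()`: the burst port is shut down at its 21st packet in one second, every later packet on it is lost until the 200-second recovery elapses, and the spoofed and mis-tagged packets on the other port are dropped by the binding check rather than the rate limit.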
VLAN interface) or whenever the IP address of a VLAN interface is changed. As for S5600 series Ethernet switches, before enabling the master switch of a VRRP backup group to send gratuitous ARP packets periodically, you need to create the VRRP backup group and perform corresponding configurations.
To do… | Use the command… | Remarks
Display the ARP mapping entries related to a specified string in a specified way | display arp [ dynamic | static ] | { begin | include | exclude } regular-expression |
Display the number of the ARP entries of a specified type | display arp count [ [ dynamic | static ] [ | { begin | include | exclude }...
Enable the ARP packet rate limit function on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of Switch A, so as to prevent Client A and Client B from attacking Switch A through ARP traffic. Enable the port state auto recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
[SwitchA-GigabitEthernet1/0/3] quit
# Configure the port state auto recovery function, and set the recovery interval to 200 seconds.
[SwitchA] arp protective-down recover enable
[SwitchA] arp protective-down recover interval 200
Proxy ARP Configuration
When configuring proxy ARP, go to these sections for information you are interested in:
Proxy ARP Overview
Configuring Proxy ARP
Proxy ARP Configuration Examples
Proxy ARP Overview
Introduction to Proxy ARP
With the proxy ARP feature enabled on the switch, hosts on the same network segment but on different physical networks appear to users as if they were on the same physical network.
source IP address being the destination IP address of the ARP request). After receiving the ARP response, Host A creates an ARP entry, in which the destination IP address is the IP address of Host D (192.168.1.30/16), and the MAC address is that of VLAN-interface 3. The following packets sent from Host A to Host D will all be sent to VLAN-interface 3 of the switch, and then the switch forwards the packets in Layer 3 to Host D, so as to realize the Layer 3 connectivity between Host A and Host D.
Proxy ARP Configuration in Port Isolation Application
Network requirements
Switch A (an S5600 series Ethernet switch) is connected to Switch B through GigabitEthernet 1/0/1. GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 on Switch B belong to VLAN 1 and are connected to Host A and Host B respectively.
Network diagram
Figure 2-3 Network diagram for Proxy ARP configuration in port isolation application (Switch A GE1/0/1 to Switch B GE1/0/1; Switch B GE1/0/2 to Host A, GE1/0/3 to Host B)
Configuration procedure
Configure Switch B
# Add GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 into an isolation group, disabling Host A and Host B from communicating with each other at Layer 2.
Resilient ARP Configuration
When configuring resilient ARP, go to these sections for information you are interested in:
Introduction to Resilient ARP
Configuring Resilient ARP
Resilient ARP Configuration Example
Introduction to Resilient ARP
In an intelligent resilient framework (IRF) network application, you normally need to connect redundant links between the fabric and other devices to support the resilient network.
To do… | Use the command… | Remarks
Configure the VLAN interface through which Resilient ARP packets are sent | resilient-arp interface vlan-interface vlan-id | Optional. By default, Resilient ARP packets are sent through the interface of VLAN 1 (VLAN-interface 1).
Display information about the Resilient ARP state | display resilient-arp [ unit... | Available in any view
Table of Contents
1 DHCP Overview 1-1
Introduction to DHCP 1-1
DHCP IP Address Assignment 1-2
IP Address Assignment Policy 1-2
Obtaining IP Addresses Dynamically 1-2
Updating IP Address Lease 1-3
DHCP Packet Format 1-3
Protocol Specification 1-4
2 DHCP Server Configuration 2-1
Introduction to DHCP Server 2-1
Usage of DHCP Server 2-1
DHCP Address Pool 2-1
DHCP IP Address Preferences 2-3...
Configuring IP Address Detecting 2-25
Configuring DHCP Accounting Functions 2-25
Introduction to DHCP Accounting 2-25
DHCP Accounting Fundamentals 2-25
DHCP Accounting Configuration 2-26
Enabling the DHCP Server to Process Option 82 2-26
Displaying and Maintaining the DHCP Server 2-27
DHCP Server Configuration Examples 2-27
DHCP Server Configuration Example 2-28
DHCP Server with Option 184 Support Configuration Example 2-30
DHCP Accounting Configuration Example 2-31...
Introduction to BOOTP Client 6-1
Configuring a DHCP/BOOTP Client 6-1
DHCP Client Configuration Example 6-2
BOOTP Client Configuration Example 6-3
Displaying DHCP/BOOTP Client Configuration 6-3...
DHCP Overview
When configuring DHCP, go to these sections for information you are interested in:
Introduction to DHCP
DHCP IP Address Assignment
DHCP Packet Format
Protocol Specification
Support for assigning a TFTP server address and bootfile name from the DHCP server to a client with the auto-configuration function is added.
Figure 1-1 Typical DHCP application
DHCP IP Address Assignment
IP Address Assignment Policy
Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients:
Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server.
DHCP-ACK packet, it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned IP address, and uses the IP address only if it does not receive any response within a specified period. After the client receives the DHCP-ACK message, it will probe whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet.
Figure 1-2 DHCP packet format
The fields are described as follows:
op: Operation type of the DHCP packet, 1 for request packets and 2 for response packets.
htype, hlen: Hardware address type and length of the DHCP client.
hops: Number of DHCP relay agents that a DHCP packet passes through. For each DHCP relay agent that the DHCP request packet passes, the field value increases by 1.
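An added Python example, not from the manual, that builds and decodes the packet format described above and then replays what a relay agent does to the hops and giaddr fields on the way to the server. The remaining header fields, the 16-hop limit and the rule that only the first relay fills giaddr follow RFC 2131 and are assumptions beyond the text, as are the sample client MAC address and transaction ID.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2               # the op field: 1 request, 2 response
HTYPE_ETHERNET = 1
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op htype hlen hops xid secs flags ciaddr
HEADER_LEN = struct.calcsize(HEADER_FMT)   # yiaddr siaddr giaddr chaddr sname file = 236 bytes
MAX_HOPS = 16                              # relays discard packets beyond this (RFC 2131, assumption)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, chaddr, msg_type, hops=0, ciaddr="0.0.0.0",
               yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Serialise a DHCP packet: fixed header, magic cookie, option 53 (message
    type), any extra (code, value) options, and the end marker."""
    if not 1 <= len(chaddr) <= 16:
        raise ValueError("hlen must fit the 16-byte chaddr field")
    header = struct.pack(HEADER_FMT, op, HTYPE_ETHERNET, len(chaddr), hops, xid, 0, 0,
                         IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                         IPv4Address(siaddr).packed, IPv4Address(giaddr).packed,
                         chaddr.ljust(16, b"\0"), b"", b"")   # 's' fields are zero-padded
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(data: bytes) -> dict:
    """Decode the header fields named above plus the options after the cookie."""
    if len(data) < HEADER_LEN + 4 or data[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: short header or missing magic cookie")
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    op, htype, hlen, hops, xid, secs, flags = fields[:7]
    ciaddr, yiaddr, siaddr, giaddr, chaddr = fields[7:12]
    if hlen > 16:
        raise ValueError("hlen exceeds the chaddr field")
    options, i = {}, HEADER_LEN + 4
    while i < len(data) and data[i] != 255:        # 255 = end option
        if data[i] == 0:                           # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        options[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    mtype = options[53][0] if options.get(53) else None
    return {"op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
            "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
            "siaddr": str(IPv4Address(siaddr)), "giaddr": str(IPv4Address(giaddr)),
            "chaddr": "-".join("%02x" % b for b in chaddr[:hlen]),
            "msg_type": MSG_TYPES.get(mtype, mtype), "options": options}


def relay(data: bytes, relay_ip: str) -> bytes:
    """What each DHCP relay agent does to a request on its way to the server:
    hops increases by 1; giaddr is filled with the relay's own address only by
    the first relay (while it is still 0.0.0.0), so the server replies to it."""
    pkt = parse_dhcp(data)                         # also validates the packet
    if pkt["op"] != BOOTREQUEST:
        raise ValueError("only requests are relayed towards the server")
    if pkt["hops"] >= MAX_HOPS:
        raise ValueError("hop count exceeded, packet discarded")
    giaddr = data[24:28] if pkt["giaddr"] != "0.0.0.0" else IPv4Address(relay_ip).packed
    return data[:3] + bytes([pkt["hops"] + 1]) + data[4:24] + giaddr + data[28:]


if __name__ == "__main__":
    # constructed sample: a DISCOVER from one client crossing two relay agents
    discover = build_dhcp(BOOTREQUEST, 0x3903F326, bytes.fromhex("000d88aabb01"), 1)
    at_server = relay(relay(discover, "10.1.1.1"), "10.2.2.2")
    print(parse_dhcp(at_server))   # hops 2, giaddr 10.1.1.1, msg_type DISCOVER
```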
DHCP Server Configuration
When configuring the DHCP server, go to these sections for information you are interested in:
Introduction to DHCP Server
DHCP Server Configuration Task List
Enabling DHCP
Configuring the Global Address Pool Based DHCP Server
Configuring the Interface Address Pool Based DHCP Server
Configuring DHCP Server Security Functions
Configuring DHCP Accounting Functions
Enabling the DHCP Server to Process Option 82...
Types of address pool
The address pools of a DHCP server fall into two types: global address pool and interface address pool. A global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device. If an interface is configured with a valid unicast IP address, you can create an interface-based address pool for the interface by executing the dhcp select interface command in interface view.
If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client. Otherwise, the DHCP server observes the following principles to select a dynamic address pool.
When you merge two or more IRF systems into one IRF system, a new master unit is elected, and the new IRF system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the DHCP servers) being lost. As the new IRF system cannot inherit the original DHCP server configurations, you need to perform DHCP server configurations for it.
To improve security and avoid malicious attacks on unused sockets, S5600 Ethernet switches provide the following functions:
UDP port 67 and UDP port 68, which DHCP uses, are enabled only when DHCP is enabled.
UDP port 67 and UDP port 68 are disabled when DHCP is disabled.
The corresponding implementation is as follows:
After DHCP is enabled with the dhcp enable command, if the DHCP server and DHCP relay agent functions are not configured, UDP port 67 and UDP port 68 are kept disabled;...
Follow these steps to configure the global address pool mode on interface(s):
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the current interface | interface interface-type interface-number; dhcp select global; quit | Optional. By default, the interface...
Configure the specified interface(s) or all the interfaces to...
address, the DHCP server will find the corresponding IP address based on the client ID and assign it to the DHCP client. Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address or a client ID.
To improve security and avoid malicious attacks on unused sockets, S5600 Ethernet switches provide the following functions:
UDP ports 67 and 68, which DHCP uses, are enabled only when DHCP is enabled.
UDP ports 67 and 68 are disabled when DHCP is disabled.
The corresponding implementation is as follows:
After a DHCP address pool is created by executing the dhcp server ip-pool command, the UDP 67 and UDP 68 ports used by DHCP are enabled.
In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address or ID has been bound.
Follow these steps to configure DNS servers for the DHCP client:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter DHCP address pool view | dhcp server ip-pool pool-name | —
Configure DNS server addresses for DHCP clients | dns-list ip-address&<1-8> | Required. By default, no DNS server address is configured.
To do… | Use the command… | Remarks
Configure DHCP clients to be of a specific NetBIOS node type | netbios-type { b-node | h-node | m-node | p-node } | Optional. By default, no NetBIOS node type of the DHCP client is specified.
If b-node is specified for the client, you don’t need to specify any WINS server address.
Configuring Option 184 Parameters for the Client with Voice Service
Option 184 is a reserved option, and the information it carries can be customized. You can define four sub-options for this option after enabling the DHCP server. Thus, besides obtaining an IP address, a DHCP client with voice services can obtain voice-related parameters from the DHCP address pool.
Sub-option: Fail-Over Call Routing. Feature: the fail-over call routing sub-option carries the IP address for fail-over call routing and the associated dial number. Function: when the NCP server is unreachable, a SIP user can use the configured IP address and dial number of the ... Note: —
Specify the IP address of the primary network calling processor: voice-config ncp-ip ip-address (Required. Not specified by default.)
Specify the IP address of the backup network calling processor: voice-config as-ip ip-address (Optional. Not specified by default.)
Optional: voice-config voice-vlan...
Specify the name of the TFTP server: tftp-server domain-name domain-name (Optional. Not specified by default.)
Specify the bootfile name: bootfile-name bootfile-name (Optional. Not specified by default.)
Configuring a Self-Defined DHCP Option
By configuring self-defined DHCP options, you can: Define new DHCP options.
Configuring the Interface Address Pool Based DHCP Server
In the interface address pool mode, once the addresses in the interface address pool have all been assigned, the DHCP server picks IP addresses from the global address pool that contains the network segment of the interface address pool and assigns them to the DHCP clients. As a result, the IP addresses obtained from global address pools and those obtained from interface address pools are not on the same network segment, so the clients cannot communicate with each other.
Note: When an S5600 Ethernet switch works in the interface address pool mode as a DHCP server, the only gateway address it can assign to a client is the primary IP address of the interface. Enabling the Interface Address Pool Mode on Interface(s) If the DHCP server works in the interface address pool mode, it picks IP addresses from the interface address pools and assigns them to the DHCP clients.
Configuring an Address Allocation Mode for an Interface Address Pool IP addresses of an interface address pool can be statically bound to DHCP clients or dynamically allocated to DHCP clients. Configuring the static IP address allocation mode Some DHCP clients, such as WWW servers, need fixed IP addresses. This is achieved by binding IP addresses to the MAC addresses of these DHCP clients.
To avoid address conflicts, the DHCP server automatically excludes IP addresses (used by the gateway, FTP server and so forth) specified with the dhcp server forbidden-ip command from dynamic allocation. To avoid IP address conflicts, the IP addresses to be dynamically assigned to DHCP clients are those not occupied by specific network devices (such as gateways and FTP servers).
1. Enter system view: system-view
2. Configure a domain name suffix for the clients (Required. Not configured by default):
   - In the current interface address pool: interface interface-type interface-number, then dhcp server domain-name domain-name, then quit
   - In multiple interface address pools: dhcp server domain-name domain-name { all | interface...
B-node. Nodes of this type establish their mappings through broadcasting (The character b stands for the word broadcast). The source node obtains the IP address of the destination node by sending the broadcast packet containing the host name of the destination node. After receiving the broadcast packet, the destination node returns its IP address to the source node.
Follow these steps to configure BIMS server information for the DHCP client:
1. Enter system view: system-view
2. Configure the BIMS server information to be assigned to the clients: dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type interface-number... (Required. By default, no BIMS server...
Specify the fail-over IP address: dhcp server voice-config fail-over ip-address dialer-string { all | interface interface-type interface-number [ to interface-type interface-number ] } (Optional. Not specified by default.)
Specify an IP address for the network calling processor before performing other configuration.
Configuring the TFTP Server and Bootfile Name for the DHCP Client
For related principles, refer to Configuring the TFTP Server and Bootfile Name for the DHCP...
Extend existing DHCP options. When the current DHCP options cannot meet customers' requirements (for example, you cannot use the dns-list command to configure more than eight DNS server addresses), you can configure a self-defined option for extension. Follow these steps to customize the DHCP service: To do…...
With the unauthorized DHCP server detection enabled, the relay agent will log all DHCP servers, including authorized ones, and each server is recorded only once. The administrator needs to find unauthorized DHCP servers from the system log information. Configuring IP Address Detecting To avoid IP address conflicts caused by assigning the same IP address to multiple DHCP clients simultaneously, you can configure a DHCP server to detect an IP address before it assigns the address to a DHCP client.
Once it releases a lease, the DHCP server sends an Accounting STOP packet to the RADIUS server. The RADIUS server processes the packet, stops the recording for the DHCP client, and sends a response to the DHCP server. A lease can be released for reasons such as lease expiration, a release request received from the DHCP client, a manual release operation, or an address pool removal operation.
Follow these steps to configure the DHCP server to process Option 82:
1. Enter system view: system-view
2. Enable the DHCP server to process Option 82 information: dhcp server relay information enable (Optional. By default, the DHCP server supports Option 82.)
case, IP address assignment is carried out through the DHCP relay agent. Note that the DHCP server configuration is the same in both scenarios. DHCP Server Configuration Example Network requirements The DHCP server (Switch A) assigns IP addresses to clients in subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
Network diagram: Figure 2-1 Network diagram for DHCP configuration
Configuration procedure
Configure a VLAN and add a port to this VLAN, and then configure the IP address of the VLAN interface (omitted).
Configure DHCP service.
# Enable DHCP.
<SwitchA> system-view
[SwitchA] dhcp enable
# Configure the IP addresses that are not dynamically assigned.
A 3COM VCX device operating as a DHCP client requests the DHCP server for all sub-options of Option 184. An H3C series switch operates as the DHCP server. The Option 184 support function is configured for a global DHCP address pool. The sub-options of Option 184 are as follows: NCP-IP: 3.3.3.3...
# Configure VLAN-interface 2 to operate in the DHCP server mode.
[Sysname] dhcp select global interface Vlan-interface 2
# Enter DHCP address pool view.
[Sysname] dhcp server ip-pool 123
# Configure sub-options of Option 184 in global DHCP address pool view.
[Sysname-dhcp-pool-123] network 10.1.1.1 mask 255.255.255.0
[Sysname-dhcp-pool-123] voice-config ncp-ip 3.3.3.3
[Sysname-dhcp-pool-123] voice-config as-ip 2.2.2.2...
[Sysname-GigabitEthernet1/0/1] quit
# Enter GigabitEthernet 1/0/2 port view and add the port to VLAN 3.
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port access vlan 3
[Sysname-GigabitEthernet1/0/2] quit
# Enter VLAN 2 interface view and assign the IP address 10.1.1.1/24 to the VLAN interface.
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] ip address 10.1.1.1 24
[Sysname-Vlan-interface2] quit...
then release the IP address by executing the ipconfig /release command, and obtain an IP address again by executing the ipconfig /renew command.
DHCP Relay Agent Configuration
When configuring the DHCP relay agent, go to these sections for information you are interested in:
- Introduction to DHCP Relay Agent
- Configuring the DHCP Relay Agent
- Displaying and Maintaining DHCP Relay Agent Configuration
- DHCP Relay Agent Configuration Example
- Troubleshooting DHCP Relay Agent Configuration
Currently, the interface-related DHCP relay agent configurations can only be made on VLAN...
Option 82 has no unified definition in RFC 3046. Its padding information varies with vendors. Currently, S5600 Series Ethernet Switches that operate as DHCP relay agents support the extended padding format of Option 82 sub-options. By default, the sub-options of Option 82 are padded as follows, as...
Figure 3-2 Padding contents for sub-option 1 of Option 82 Figure 3-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
If a switch belongs to an IRF fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent. DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent: Task Remarks Enabling DHCP...
(continued) ... not mapped to any DHCP server group: dhcp-server groupNo
To improve security and avoid malicious attacks on unused sockets, S5600 Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled and are disabled when DHCP is disabled.
1. Enter system view: system-view
2. Create a static IP-to-MAC binding: dhcp-security static ip-address mac-address (Optional. Not created by default.)
3. Enter interface view: interface interface-type interface-number
4. Enable the address checking function: address-check enable (Required. Disabled by default.)
Currently, the DHCP relay agent handshake function on an S5600 series switch can only interoperate with a Windows 2000 DHCP server. Enabling unauthorized DHCP server detection If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the DHCP client.
Enable Option 82 support on the DHCP relay agent: dhcp relay information enable (Required. Disabled by default.)
Configure the strategy for the DHCP relay agent to process request packets containing Option 82: dhcp relay information strategy { drop | keep | replace } (Optional. By default, the replace strategy...
Network diagram: Figure 3-4 Network diagram for DHCP relay agent. Switch A (DHCP relay): Vlan-int1 10.10.1.1/24 towards the DHCP clients, Vlan-int2 10.1.1.2/24 towards Switch B. Switch B (DHCP server): Vlan-int2 10.1.1.1/24.
Configuration procedure
# Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it.
<SwitchA>...
- Check if an address pool that is on the same network segment as the DHCP clients is configured on the DHCP server.
- Check if a reachable route is configured between the DHCP relay agent and the DHCP server.
Check the DHCP relay agent:
- Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides.
Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses. Figure 4-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is an S5600 series Ethernet switch.
Padding content and frame format of Option 82 There is no specification for what should be padded in Option 82. Manufacturers can pad it as required. By default, the sub-options of Option 82 for S5600 Series Ethernet Switches (enabled with DHCP snooping) are padded as follows: sub-option 1 (circuit ID sub-option): Padded with the port index (smaller than the physical port number by 1) and VLAN ID of the port that received the client’s request.
Figure 4-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S5600 Series Ethernet Switches support Option 82 in the standard format. Refer to...
Handling policy:
- Remote ID sub-option configured: the DHCP snooping device forwards the packet after replacing the remote ID sub-option of the original Option 82 with the configured remote ID sub-option in ASCII format.
When receiving a DHCP client's request without Option 82, the DHCP snooping device will add the option field with the configured sub-option and then forward the packet.
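To make the Option 82 handling concrete, here is an added example (written for this page, not H3C's code) that builds and parses the two sub-options the text describes, and applies the relay agent's drop / keep / replace strategy to a request that already carries Option 82, adding the device's own Option 82 when the request has none. The byte layout of the circuit ID sub-option (2-byte VLAN ID followed by 2-byte port index) is this example's assumption, since the page's figures are not reproduced here; the page only states that it carries the port index and VLAN ID and that the remote ID carries the device MAC address. The function names are also assumptions.

```python
OPTION_AGENT_INFO = 82   # DHCP relay agent information option (RFC 3046)
SUBOPT_CIRCUIT_ID = 1    # sub-option 1: circuit ID
SUBOPT_REMOTE_ID = 2     # sub-option 2: remote ID


def build_circuit_id(port_index, vlan_id):
    # Assumed layout: VLAN ID (2 bytes) then port index (2 bytes), big-endian.
    return vlan_id.to_bytes(2, "big") + port_index.to_bytes(2, "big")


def build_remote_id(mac):
    # H3C "hhhh-hhhh-hhhh" notation (colon form accepted too) -> 6 raw bytes.
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def build_option82(circuit_id, remote_id):
    # Extended format: each sub-option carries its own type and length identifiers.
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_AGENT_INFO, len(body)]) + body


def parse_option82(opt):
    """Return {sub-option code: payload}; raise ValueError on a malformed option."""
    if len(opt) < 2 or opt[0] != OPTION_AGENT_INFO or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed Option 82")
    subs, body, i = {}, opt[2:], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated sub-option payload")
        subs[code] = payload
        i += 2 + length
    return subs


def is_well_formed(opt):
    try:
        parse_option82(opt)
        return True
    except ValueError:
        return False


def relay_handle_request(client_opt82, strategy, own_opt82):
    """Apply the relay agent's Option 82 strategy to a client request.

    client_opt82: the Option 82 carried by the request, or None if absent.
    strategy: 'drop' | 'keep' | 'replace' (the three strategies on the page).
    Returns (forward, option82_to_carry)."""
    if client_opt82 is None:
        return True, own_opt82          # request without Option 82: add ours and forward
    if strategy == "drop":
        return False, None              # discard the request
    if strategy == "keep":
        return True, client_opt82       # forward with the original Option 82 untouched
    if strategy == "replace":
        return True, own_opt82          # replace the original Option 82 with our own padding
    raise ValueError("unknown strategy: %r" % (strategy,))
```

The length checks in parse_option82 matter on the receiving side: a sub-option whose declared length runs past the end of the option is rejected rather than read as garbage, which is the behaviour a server or snooping device should have when a relay it does not control pads Option 82 differently.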
IP static binding table The DHCP-snooping table only records information about clients that obtain IP addresses dynamically through DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of the client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP filtering of the DHCP-snooping table, so it cannot access external networks.
If an S5600 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses.
Configuring the storage format of Option 82 S5600 Series Ethernet Switches support the HEX or ASCII format for the Option 82 field. Follow these steps to configure a storage format for the Option 82 field: To do…...
Enter Ethernet port view: interface interface-type interface-number
Configure the circuit ID sub-option in Option 82: dhcp-snooping information [ vlan vlan-id ] circuit-id string string (Optional. By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives DHCP...
Configure the remote ID sub-option in Ethernet port view: dhcp-snooping information [ vlan vlan-id ] remote-id string string (Optional. By default, the remote ID sub-option is the MAC address of the DHCP snooping device that received the client's request.)
Create a static binding entry: ip source static binding ip-address [ mac-address mac-address ] (Optional. By default, no static binding entry is created.)
Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering. Configuring IP filtering on the ports of a fabric or an aggregation group is not recommended.
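The trusted/untrusted port rule, the DHCP-snooping table and the IP filtering with static bindings described in the sections above fit together as follows. This is an added example written for this page, not H3C's implementation: the class and method names and the port names are illustrative, and the choice to learn a client's IP-to-MAC entry from the DHCP-ACK arriving on a trusted port is this example's assumption (the page states only that the table records clients that obtain addresses dynamically).

```python
class DhcpSnoopingSwitch:
    """Model of DHCP snooping: trusted ports, the DHCP-snooping table and IP filtering."""

    def __init__(self):
        self.trusted_ports = set()      # ports connected to valid DHCP servers
        self.snooping_table = {}        # client IP -> client MAC, learned from DHCP-ACK
        self.static_bindings = {}       # client IP -> MAC, or None when only the IP is bound
        self.filtering_ports = set()    # ports on which IP filtering is enabled

    # Configuration (the counterparts of dhcp-snooping trust, ip source static binding, ...)
    def trust(self, port):
        self.trusted_ports.add(port)

    def static_binding(self, ip, mac=None):
        # Lets a host with a fixed IP address (never in the snooping table) pass IP filtering.
        self.static_bindings[ip] = mac

    def enable_ip_filtering(self, port):
        self.filtering_ports.add(port)

    # DHCP messages
    def on_dhcp_message(self, port, msg_type, chaddr, yiaddr=None):
        """Return 'forward' or 'drop' for a DHCP message seen on a port.

        Server messages (OFFER/ACK) are accepted only from trusted ports, so a rogue
        server on an untrusted port cannot hand out addresses; ACKs from trusted ports
        populate the snooping table (assumption of this example)."""
        if msg_type in ("OFFER", "ACK"):
            if port not in self.trusted_ports:
                return "drop"
            if msg_type == "ACK" and yiaddr is not None:
                self.snooping_table[yiaddr] = chaddr
        return "forward"

    # IP packets from clients
    def on_ip_packet(self, port, src_ip, src_mac):
        """IP filtering: on a filtered port the source IP/MAC must match a snooping entry
        or a static binding; anything else (for example a forged source IP) is dropped."""
        if port not in self.filtering_ports:
            return "forward"
        if self.snooping_table.get(src_ip) == src_mac:
            return "forward"
        if src_ip in self.static_bindings:
            bound_mac = self.static_bindings[src_ip]
            if bound_mac is None or bound_mac == src_mac:
                return "forward"
        return "drop"
```

In the constructed scenario in the test, GigabitEthernet1/0/5 is the trusted (server-facing) port and GigabitEthernet1/0/2 has IP filtering enabled; a host with a fixed address is admitted only through a static binding, exactly the situation the IP static binding table section describes.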
Network diagram: Figure 4-6 Network diagram for DHCP-snooping Option 82 support configuration
Configuration procedure
# Enable DHCP snooping on the switch.
<Switch> system-view
[Switch] dhcp-snooping
# Specify GigabitEthernet 1/0/5 as the trusted port.
[Switch] interface GigabitEthernet1/0/5
[Switch-GigabitEthernet1/0/5] dhcp-snooping trust
[Switch-GigabitEthernet1/0/5] quit
# Enable DHCP-snooping Option 82 support.
Enable IP filtering on GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to prevent attacks to the server from clients using fake source IP addresses. Create static binding entries on the switch, so that Host A using a fixed IP address can access external networks.
Displaying DHCP Snooping Configuration
Display the user IP-MAC address mapping entries recorded by the DHCP snooping function: display dhcp-snooping [ unit unit-id ]
Display the (enabled/disabled) state of the DHCP snooping function and the trusted ports: display dhcp-snooping trust
display ip source static binding [ vlan...
(These display commands are available in any view.)
S5600 series Ethernet switches support ARP and DHCP packet rate limit on a port and shut down the port under attack to prevent hazardous impact on the device CPU. For details about ARP packet rate limit, refer to ARP Operation in this manual.
1. Enter port view: interface interface-type interface-number
2. Enable the DHCP packet rate limit function: dhcp rate-limit enable (Required. By default, DHCP packet rate limit is disabled.)
3. Configure the maximum DHCP packet rate allowed on the port: dhcp rate-limit rate (Optional. By default, the maximum rate is 15 pps.)
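The behaviour the rate limit section describes (count DHCP packets per port, shut the port down when the rate is exceeded, and bring it back after the auto-recovery interval) can be modelled with a one-second sliding window. This is an added example for this page, not H3C code; the sliding-window counting, the "shutdown" verdict and the method names are this example's assumptions, while the 15 pps default comes from the table above.

```python
from collections import deque


class DhcpRateLimiter:
    """Per-port DHCP packet rate limit with port shutdown and optional auto-recovery."""

    def __init__(self, max_pps=15, recovery_interval=None):
        self.max_pps = max_pps                      # page default: 15 pps
        self.recovery_interval = recovery_interval  # seconds; None = manual recovery only
        self.window = deque()                       # arrival times within the last second
        self.shutdown_at = None                     # time the port was shut down, if any

    def port_up(self, now):
        """True if the port is forwarding; also performs auto-recovery when due."""
        if self.shutdown_at is None:
            return True
        if (self.recovery_interval is not None
                and now - self.shutdown_at >= self.recovery_interval):
            self.manual_recover()
            return True
        return False

    def manual_recover(self):
        # Equivalent of an administrator re-enabling the port.
        self.shutdown_at = None
        self.window.clear()

    def on_dhcp_packet(self, now):
        """Return 'forward', 'drop' (port is shut down) or 'shutdown' (this packet
        pushed the port over its limit and caused the shutdown)."""
        if not self.port_up(now):
            return "drop"
        # Keep only arrivals from the last second (assumed measurement window).
        while self.window and now - self.window[0] >= 1.0:
            self.window.popleft()
        self.window.append(now)
        if len(self.window) > self.max_pps:
            self.shutdown_at = now
            return "shutdown"
        return "forward"
```

The test reproduces the configuration example that follows on the page: 100 pps on the port and a 30 second auto-recovery interval, with a constructed burst of 101 DHCP packets inside one second.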
Configure DHCP packet rate limit on GigabitEthernet 1/0/11 and set the maximum DHCP packet rate allowed on the port to 100 pps. Set the port state auto-recovery interval to 30 seconds on the switch. Networking diagram Figure 5-1 Network diagram for DHCP packet rate limit configuration Configuration procedure # Enable DHCP snooping on the switch.
DHCP/BOOTP Client Configuration
When configuring the DHCP/BOOTP client, go to these sections for information you are interested in:
- Introduction to DHCP Client
- Introduction to BOOTP Client
- Configuring a DHCP/BOOTP Client
- Displaying DHCP/BOOTP Client Configuration
Introduction to DHCP Client
After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as an IP address dynamically from the DHCP server, which facilitates user configuration and management.
1. Enter system view: system-view
2. Enter VLAN interface view: interface vlan-interface vlan-id
3. Configure the VLAN interface to obtain an IP address through DHCP or BOOTP: ip address { bootp-alloc | dhcp-alloc } (Required. By default, no IP address is configured for the VLAN...
BOOTP Client Configuration Example Network requirement Switch B’s port belonging to VLAN1 is connected to the LAN. VLAN-interface 1 obtains an IP address from the DHCP server by using BOOTP. Network diagram Figure 2-1. Configuration procedure The following describes only the configuration on Switch B serving as a client. # Configure VLAN-interface 1 to dynamically obtain an IP address from the DHCP server.
ACL Overview 1-1
  ACL Matching Order 1-2
  Ways to Apply an ACL on a Switch 1-3
  Types of ACLs Supported by S5600 Series Ethernet Switches 1-3
ACL Configuration Task List 1-4
  Configuring Time Range 1-4
  Configuring Basic ACL ...
ACL Configuration
When configuring ACL, go to these sections for information you are interested in:
- ACL Overview
- ACL Configuration Task List
- Displaying and Maintaining ACL Configuration
- Examples for Upper-layer Software Referencing ACLs
- Examples for Applying ACLs to Hardware
The feature of applying ACL rules to a VLAN is newly added, which is described in Applying ACLs to a VLAN.
Layer 2 ACL. Rules are created based on the Layer 2 information such as source and destination MAC addresses, VLAN priorities, type of Layer 2 protocol, and so on. User-defined ACL. An ACL of this type matches packets by comparing the strings retrieved from the packets with specified strings.
In this case, the rules in an ACL are matched in the order determined by the hardware instead of that defined in the ACL. For S5600 series Ethernet switches, the later the rule applies, the higher the match priority.
Periodic time range, which recurs periodically on the day or days of the week. Absolute time range, which takes effect only in a period of time and does not recur. An absolute time range on an H3C S5600 Series Ethernet Switch can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.
Create a time range: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date } (Required.)
Note that: If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section.
Configuring Basic ACL A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999. Configuration prerequisites To configure a time range-based basic ACL rule, you need to create the corresponding time range first.
Assign a description string to the ACL rule: rule rule-id comment text (Optional. No description by default.)
Assign a description string to the ACL: description text (Optional. No description by default.)
Note that: With the config match order specified for the advanced ACL, you can modify any existent rule.
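The time range semantics and the basic/advanced ACL rule matching from the preceding sections, as an added example written for this page (not H3C code): a time range with an optional periodic section (start time, end time, day keyword) and an optional absolute section, a wildcard-mask comparison in which 0 bits must match and 1 bits are ignored (so the `0` in `rule 1 deny source 10.1.1.1 0` means "this host only"), and an ACL evaluated in config match order, where the first matching rule decides. Assumptions of this example: when both a periodic and an absolute section are defined, the range is active only when both are satisfied; the `daily`, `working-day` and `off-day` keywords cover Monday to Sunday, Monday to Friday and Saturday and Sunday; and when no rule matches, `evaluate_acl` returns None so the caller applies its own default action.

```python
from datetime import datetime, time
from ipaddress import IPv4Address

# Day keywords of the time-range command (assumed weekday sets; Monday == 0).
WEEKDAY_SETS = {
    "daily": set(range(7)),
    "working-day": {0, 1, 2, 3, 4},
    "off-day": {5, 6},
}


class TimeRange:
    """A named time range with an optional periodic and an optional absolute section."""

    def __init__(self, name, periodic=None, absolute=None):
        self.name = name
        self.periodic = periodic    # (start: time, end: time, day keyword) or None
        self.absolute = absolute    # (from: datetime or None, to: datetime or None) or None

    def active(self, now):
        if self.periodic is not None:
            start, end, days = self.periodic
            if now.weekday() not in WEEKDAY_SETS[days]:
                return False
            if not (start <= now.time() < end):
                return False
        if self.absolute is not None:
            frm, to = self.absolute
            if frm is not None and now < frm:
                return False
            if to is not None and now > to:
                return False
        return True


def _addr_int(value):
    # Accept dotted decimal or the shorthand "0" used for an all-zero wildcard.
    return int(IPv4Address(value if "." in str(value) else int(value)))


def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard mask: 0 bits must match, 1 bits are don't-care ('0' = this host only)."""
    care = ~_addr_int(wildcard) & 0xFFFFFFFF
    return (_addr_int(addr) & care) == (_addr_int(rule_addr) & care)


class Rule:
    def __init__(self, rule_id, action, source=None, destination=None, time_range=None):
        self.rule_id, self.action = rule_id, action            # action: 'permit' | 'deny'
        self.source, self.destination = source, destination    # (address, wildcard) or None
        self.time_range = time_range                           # TimeRange or None

    def matches(self, pkt, now):
        # A rule bound to a time range only takes effect while that range is active.
        if self.time_range is not None and not self.time_range.active(now):
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        return True


def evaluate_acl(rules, pkt, now):
    """Config match order: try rules in the listed order; the first match decides.
    Returns 'permit', 'deny', or None when no rule matches."""
    for rule in rules:
        if rule.matches(pkt, now):
            return rule.action
    return None
```

The test replays two of the page's own configuration examples against constructed packets: ACL 2000 (`rule 1 deny source 10.1.1.1 0 time-range test`, with `test` defined as 8:00 to 18:00 daily) and ACL 3000 (`rule 1 deny ip destination 192.168.1.2 0` with the time range on working days), evaluated inside and outside the active period.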
A Layer 2 ACL can be numbered from 4000 to 4999. Configuration prerequisites To configure a time range-based Layer 2 ACL rule, you need to create the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range. The settings to be specified in the rule, such as source and destination MAC addresses, VLAN priorities, and Layer 2 protocol types, are determined.
Note that: You can modify any existent rule of a user-defined ACL. If you modify only the time range and/or action, the unmodified parts of the rule remain the same. If you modify the rule-string rule-mask offset combinations, however, the new combinations will replace all of the original ones.
Apply ACL rules on the port: packet-filter inbound acl-rule (Required. For information about acl-rule, refer to ACL Commands.)
Configuration example
# Apply ACL 2000 on GigabitEthernet 1/0/1 to filter inbound packets.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter inbound ip-group 2000
Applying ACLs to a VLAN
By applying ACL rules to ports in a VLAN, you can add filtering of packets on all the ports...
Configuration example
# Apply ACL 2000 to all ports of VLAN 1 in the inbound direction to filter packets.
<Sysname> system-view
[Sysname] packet-filter vlan 1 inbound ip-group 2000
Displaying and Maintaining ACL Configuration
Display a configured ACL or all the ACLs: display acl { all | acl-number }
Display a time range or all...
[Sysname-acl-basic-2000] quit
# Reference ACL 2000 on the VTY user interfaces to control Telnet login users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Example for Controlling Web Login Users by Source IP
Network requirements
Apply an ACL to permit Web users with the source IP address of 10.110.100.46 to log in to the switch through HTTP.
Network diagram: Figure 1-3 Network diagram for basic ACL configuration
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 2000 to filter packets with the source IP address of 10.1.1.1.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[Sysname-acl-basic-2000] quit...
Network diagram: Figure 1-4 Network diagram for advanced ACL configuration
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 on working days.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
# Define ACL 3000 to filter packets destined for the wage query server.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
[Sysname-acl-adv-3000] quit...
Network diagram: Figure 1-5 Network diagram for Layer 2 ACL
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 4000 to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012.
Network diagram: Figure 1-6 Network diagram for user-defined ACL
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1 from 8:00 to 18:00 every day.
Network diagram: Figure 1-7 Network diagram for applying an ACL to a VLAN (database server 192.168.1.2; ports GE1/0/1, GE1/0/2 and GE1/0/3 in VLAN 10; PC 1, PC 2 and PC 3)
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 on working days.
<Sysname>...
  Traditional Packet Forwarding Service 1-2
  New Applications and New Requirements 1-2
  Major Traffic Control Techniques 1-3
QoS Supported by the S5600 Series Ethernet Switches 1-3
Introduction to QoS Functions 1-5
  Traffic Classification 1-5
  Priority Trust Mode 1-5
  Protocol Priority ...
  Introduction to QoS Profile 2-1
  QoS Profile Application Mode 2-1
QoS Profile Configuration Task List 2-2
  Configuring a QoS Profile 2-2
  Applying a QoS Profile 2-3
Displaying and Maintaining QoS Profile Configuration 2-4
Configuration Example 2-5
  QoS Profile Configuration Example ...
QoS Configuration
When configuring QoS, go to these sections for information you are interested in:
- Overview
- QoS Supported by the S5600 Series Ethernet Switches
- QoS Configuration
- Displaying and Maintaining QoS
- QoS Configuration Examples
The following features were added: VLAN mapping. For details, see section Configuring VLAN Mapping.
Traditional Packet Forwarding Service In traditional IP networks, packets are treated equally. That is, the FIFO (first in first out) policy is adopted for packet processing. The network resources a packet receives for forwarding are determined by the order in which packets arrive. All the packets share the resources of the network.
Traffic policing, traffic shaping, congestion management, and congestion avoidance are methods for implementing network traffic control and network resource management. They are the means by which differentiated services are realized. QoS Supported by the S5600 Series Ethernet Switches The S5600 series Ethernet switches support the QoS features listed in Table 1-1:...
Table 1-1 QoS features supported by the S5600 series Ethernet switches
QoS feature: ACLs. Description: classify incoming traffic based on ACLs; the S5600 series support the following types of ACLs: ... Refer to: for information about ACLs, refer to the ACL Operation and Command manuals.
Introduction to QoS Functions Traffic Classification Traffic here refers to service traffic; that is, all the packets passing the switch. Traffic classification means identifying packets that conform to certain characteristics according to certain rules. It is the foundation for providing differentiated services. In traffic classification, the priority bit in the type of service (ToS) field in IP packet header can be used to identify packets of different priorities.
Table (IP precedence values; the decimal and binary columns were not recovered from the page): the descriptions listed are immediate, flash, flash-override, critical, internet, network.
In a network providing differentiated services, traffic is grouped into the following four classes, and packets are processed according to their DSCP values. Expedited Forwarding (EF) class: In this class, packets can be forwarded regardless of the link share of other traffic.
Table (DSCP values; the decimal and description columns were not recovered from the page): the binary values listed are 001000, 010000, 011000, 100000, 101000, 110000, 111000, and 000000 (be, the default).
2) 802.1p priority
802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 1-3 An Ethernet frame with an 802.1Q tag header. As shown in the figure above, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control...
Table (802.1p priority values; the decimal and binary columns were not recovered from the page): the descriptions listed are background, spare, excellent-effort, controlled-load, video, voice, network-management.
The precedence is called 802.1p priority because the related applications of this precedence are defined in detail in the 802.1p specifications.
3) Local precedence
Local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to one of the eight hardware output queues.
Table 1-5 shows the default 802.1p priority-to-local precedence mapping table. You can modify the default mapping tables at the CLI. For detailed configuration procedure, refer to Configuring the Mapping between 802.1p Priority and Local Precedence. Table 1-5 802.1p priority-to-local precedence mapping table 802.1p priority Local precedence Protocol Priority...
evaluation result, on the premise of knowing whether the traffic exceeds the specification, when traffic policing is performed. Normally, a token bucket is used for traffic evaluation. Token bucket The token bucket can be considered as a container with a certain capacity to hold tokens. The system puts tokens into the bucket at the set rate.
Queue Scheduling When the network is congested, the problem that many packets compete for resources must be solved, usually through queue scheduling. The S5600 series switches support Strict Priority (SP) queuing and Weighted Round Robin (WRR) queuing. 1) SP queuing...
Figure 1-6 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay. Assume that there are eight output queues on the port and the preferential queue classifies the eight output queues on the port into eight classes, which are queue7, queue6, queue5, queue4, queue3, queue2, queue1, and queue0.
WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical H3C switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0.
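The two scheduling algorithms described above, SP and WRR, side by side as an added example for this page (not H3C code): eight output queues numbered 0 to 7, SP always serving the highest non-empty queue, and WRR visiting the queues in turn and letting queue q send up to w_q packets per round. The function names, the representation of a queue as a deque of packet labels, and the per-round packet budget are this example's assumptions; the page does not specify whether the weights count packets or bytes.

```python
from collections import deque


def make_queues(contents):
    """Build eight output queues (index = local precedence) from {queue: [packets]}."""
    queues = [deque() for _ in range(8)]
    for q, packets in contents.items():
        queues[q].extend(packets)
    return queues


def sp_schedule(queues, budget):
    """Strict priority: each slot goes to the highest-numbered non-empty queue, so
    queue7 drains completely before queue6 is served, and so on down to queue0."""
    sent = []
    for _ in range(budget):
        for q in range(len(queues) - 1, -1, -1):
            if queues[q]:
                sent.append((q, queues[q].popleft()))
                break
        else:
            break   # every queue is empty
    return sent


def wrr_schedule(queues, weights, budget):
    """Weighted round robin: in each round, queue q may send up to weights[q] packets
    (queue7 first), so no queue is starved while higher-weight queues get more slots."""
    sent = []
    while len(sent) < budget and any(queues):
        for q in range(len(queues) - 1, -1, -1):
            served = 0
            while queues[q] and served < weights[q] and len(sent) < budget:
                sent.append((q, queues[q].popleft()))
                served += 1
    return sent
```

With queue7 and queue0 both backlogged, SP never reaches queue0 until queue7 is empty, which is exactly the low-priority starvation the text warns about; WRR with equal weights alternates between them, and a higher weight for queue7 shifts the share without starving queue0.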
Although the burst function helps reduce the packet loss ratio and improve packet processing capability in the networks mentioned above, it may affect QoS performance. So, use this function with caution. Traffic mirroring Traffic mirroring identifies traffic using ACLs and duplicates the matched packets to the destination mirroring port or CPU depending on your configuration.
1. Enter system view: system-view
2. Enter Ethernet port view: interface interface-type interface-number
3. Configure the switch to trust port priority and configure the port priority: priority priority-level (Optional. By default, the switch trusts port priority and the priority of a port is 0.)
Configuration procedure
Follow these steps to configure the mapping between 802.1p priority and local precedence:
To do… Use the command… Remarks
Enter system view: system-view (—)
Configure the mapping between 802.1p priority and local precedence: cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec... (Required)
On an S5600 switch, you can set the priority for protocol packets of Telnet, OSPF, SNMP, ICMP, and BGP.

Configuration example
# Set the IP precedence of ICMP packets to 3. Then, display the configuration.
<Sysname> system-view
[Sysname] protocol-priority protocol-type icmp ip-precedence 3
[Sysname] display protocol-priority
Protocol: icmp
IP-Precedence: flash(3)
To do… Use the command… Remarks
Enter Ethernet port view: interface interface-type interface-number (—)
Mark the priorities for packets matching specific ACL rules: traffic-priority inbound acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } |... (Required. Refer to the command manual for information...)
Configuration prerequisites
The ACL rules used for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules.
The rate limit for traffic policing, and the actions for the packets exceeding the rate limit, have been determined.
Configuring Line Rate
Refer to section Line Rate for information about line rate.
Configuration prerequisites
The port on which line rate configuration is to be performed has been determined.
The target rate has been determined.
Configuration procedure
Follow these steps to configure line rate:
To do…...
To do… Use the command… Remarks
Enter system view: system-view (—)
Enter Ethernet port view: interface interface-type interface-number (—)
Configure traffic redirecting: traffic-redirect inbound acl-rule { cpu | { interface interface-type interface-number | link-aggregation-group (Required. By default, traffic redirecting is not configured.)
Configuration prerequisites
The ACL rules used for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules.
The ports on which the configuration is to be performed have been determined.
The VLAN ID to be set for the packets has been determined.
Configuration procedure
Follow these steps to configure VLAN mapping:
To do…...
To do… Use the command… Remarks
Enter system view: system-view (—)
Configure queue scheduling: queue-scheduler { strict-priority | wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight (Required. By default, the queue scheduling algorithm adopted on all the ports is WRR. The default weights of the eight output queues of a port are 1, 2, 3, 4, 5, 9,...)
The queue scheduling algorithm specified by using the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view. Otherwise, the system prompts configuration errors.
Configuration procedure
Follow these steps to configure traffic accounting:
To do… Use the command… Remarks
Enter system view: system-view (—)
Enter Ethernet port view: interface interface-type interface-number (—)
Configure traffic accounting: traffic-statistic inbound acl-rule (Required. By default, traffic accounting is disabled.)
Clear the traffic statistics: reset traffic-statistic (Required...)
To do… Use the command… Remarks
Enter system view: system-view (—)
Enable the burst function: burst-mode enable (Required. By default, the burst function is disabled.)
With the IRF function enabled, do not enable the burst function. Otherwise, packets may be forwarded improperly.
To do… Use the command… Remarks
Configure the specified port as the destination mirroring port (Required; use either approach):
In system view: mirroring-group group-id monitor-port monitor-port-id
In Ethernet port view: interface interface-type interface-number, then monitor-port
For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part talking about mirroring.
Network diagram
Figure 1-8 Network diagram for traffic policing and rate limiting configuration (figure labels: To the router, GE1/0/3, PC 1, GE1/0/1, GE1/0/2, 192.168.0.1, Switch, R&D department, Marketing department)
Configuration procedure
1) Define an ACL for traffic classification.
# Create ACL 2000 and enter basic ACL view.
<Sysname>...
Configure priority marking and queue scheduling on the switch to mark the traffic flows accessing Server 1, Server 2, and Server 3 with different priorities and assign the three traffic flows to different queues for scheduling.
Network diagram
Figure 1-9 Network diagram for priority marking and queue scheduling configuration
Configuration procedure
1) Define an ACL for traffic classification
# Create ACL 3000 and enter advanced ACL view.
[Sysname-GigabitEthernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2
[Sysname-GigabitEthernet1/0/2] quit
3) Configure queue scheduling
# Apply the SP queue scheduling algorithm.
[Sysname] queue-scheduler strict-priority

VLAN Mapping Configuration Example
Network requirements
Two customer networks are connected to the public network through Switch A and Switch B.
Network diagram
Figure 1-10 Network diagram for VLAN mapping configuration
Configuration procedure
# Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
[SwitchA] vlan 500
[SwitchA-vlan500] quit...
[SwitchA] interface GigabitEthernet 1/0/12
[SwitchA-GigabitEthernet1/0/12] port link-type trunk
[SwitchA-GigabitEthernet1/0/12] port trunk pvid vlan 200
[SwitchA-GigabitEthernet1/0/12] port trunk permit vlan 200 600
[SwitchA-GigabitEthernet1/0/12] quit
# Configure GigabitEthernet 1/0/10 of Switch A as a trunk port, and assign it to VLAN 100, VLAN 200, VLAN 500, and VLAN 600.
[SwitchA-GigabitEthernet1/0/10] traffic-remark-vlanid inbound link-group 4002 remark-vlan 100
[SwitchA-GigabitEthernet1/0/10] traffic-remark-vlanid inbound link-group 4003 remark-vlan 200
[SwitchA-GigabitEthernet1/0/10] quit
Define the same VLAN mapping rules on Switch B. The detailed configuration procedure is similar to that of Switch A and thus is omitted here.

Configuring Traffic Mirroring and Redirecting Traffic to a Port
Network requirements
A company uses a switch to interconnect all the departments.
Configuration procedure
1) Define a time range for working days
# Create a time range trname covering the period from 8:00 to 18:00 on working days.
<Switch> system-view
[Switch] time-range trname 8:00 to 18:00 working-day
2) Configure a policy for the traffic of the marketing department
# Create basic ACL 2000 to permit the traffic of the hosts in the marketing department during the specified time range.
QoS Profile Configuration
When configuring QoS profile, go to these sections for information you are interested in:
Overview
QoS Profile Configuration Task List
Displaying and Maintaining QoS Profile Configuration
Configuration Example

Overview
Introduction to QoS Profile
A QoS profile is a set of QoS configurations. It provides an easy way of performing and managing QoS configuration.
A user-based QoS profile application fails if the traffic classification rule defined in the QoS profile contains source address information (including source MAC address information, source IP address information, and VLAN information).
Manual application mode
You can use the apply command to manually apply a QoS profile to a port.
QoS Profile Configuration Task List
Complete the following tasks to configure QoS profile:
Operation...
To do… Use the command… Remarks
Configure traffic policing: traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] (Optional)
Configure packet filtering: packet-filter inbound acl-rule (Optional. Refer to the ACL module of this manual for information about packet filtering.)
To do… Use the command… Remarks
Configure the mode to apply a QoS profile: qos-profile port-based (Optional. By default, the mode to apply a QoS profile is user-based. If the 802.1x authentication mode is address-based, the mode to apply a QoS profile must be...)
Specify the mode to... Configure the...
Configuration Example
QoS Profile Configuration Example
Network requirements
All departments of a company are interconnected through a switch. The 802.1x protocol is used to authenticate users and control their access to network resources. The user name is someone, and the authentication password is hello. The user is connected to GigabitEthernet 1/0/1 of the switch and belongs to the test.net domain.
# Set the encryption passwords for the switch to exchange packets with the authentication RADIUS servers and accounting RADIUS servers.
[Sysname-radius-radius1] key authentication money
[Sysname-radius-radius1] key accounting money
# Configure the switch to delete the user domain name from the user name and then send the user name to the RADIUS server.
Table of Contents
1 Mirroring Configuration 1-1
Mirroring Overview 1-1
Local Port Mirroring 1-2
Remote Port Mirroring 1-2
Traffic Mirroring 1-3
Mirroring Configuration 1-4
Configuring Local Port Mirroring 1-4
Configuring Remote Port Mirroring 1-5
Displaying and Maintaining Port Mirroring 1-8
Mirroring Configuration Examples...
Figure 1-1 Mirroring
The S5600 series Ethernet switches support three types of port mirroring:
Local Port Mirroring
Remote Port Mirroring
Traffic Mirroring
They are described in the following sections.
Local Port Mirroring
In local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In this case, the source ports and the destination port must be located on the same device.
Remote Port Mirroring
Remote port mirroring does not require the source and destination ports to be on the same device.
Table 1-1 describes how the ports on various switches are involved in the mirroring operation.
Table 1-1 Ports involved in the mirroring operation
Switch | Ports involved | Function
Source port: Port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port.
Configuring Remote Port Mirroring: Optional
On an S5600 series Ethernet switch, only one destination port for local port mirroring or one reflector port for remote port mirroring can be configured, and the two kinds of ports cannot both exist.
LACP or STP.
Configuring Remote Port Mirroring
An S5600 series Ethernet switch can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment.
Configuration on a switch acting as a source switch
1) Configuration prerequisites
The source port, the reflector port, and the remote-probe VLAN are determined.
To do… Use the command… Remarks
Enter system view: system-view (—)
Create a VLAN and enter the VLAN view: vlan vlan-id (vlan-id is the ID of the remote-probe VLAN.)
Configure the current VLAN as the remote-probe VLAN: remote-probe vlan enable (Required)
Return to system view: quit (—)...
... remote-probe-vlan-id (Required; the remote-probe VLAN)
Note that an S5600 series Ethernet switch acting as the intermediate switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword).
Configuration on a switch acting as a destination switch
1) Configuration prerequisites
The destination port and the remote-probe VLAN are determined.
When configuring a destination switch, note that:
An S5600 series Ethernet switch acting as the destination switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword).
The destination port of remote port mirroring cannot be a member port of an existing mirroring group, a fabric port, a member port of an aggregation group, or a port enabled with LACP or STP.
Mirroring Configuration Examples
Local Port Mirroring Configuration Example
Network requirements
The departments of a company connect to each other through S5600 Ethernet switches:
The Research and Development (R&D) department is connected to Switch C through GigabitEthernet 1/0/1.
The marketing department is connected to Switch C through GigabitEthernet 1/0/2.
The data detection device is connected to Switch C through GigabitEthernet 1/0/3.
The administrator wants to monitor the packets received on and sent from the R&D department and the marketing department through the data detection device.
Network requirements
The departments of a company connect to each other through S5600 Ethernet switches:
Switch A, Switch B, and Switch C are S5600 series switches.
Department 1 is connected to GigabitEthernet 1/0/1 of Switch A.
Department 2 is connected to GigabitEthernet 1/0/2 of Switch A.
Network diagram
Figure 1-4 Network diagram for remote port mirroring
Configuration procedure
1) Configure the source switch (Switch A)
# Create remote source mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-source
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit...
GigabitEthernet1/0/2 inbound
reflector port: GigabitEthernet1/0/4
remote-probe vlan: 10
2) Configure the intermediate switch (Switch B)
# Configure VLAN 10 as the remote-probe VLAN.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] port trunk permit vlan 10...
monitor port: GigabitEthernet1/0/2
remote-probe vlan: 10
After the configurations, you can monitor all packets sent from Department 1 and Department 2 on the data detection device.
Table of Contents
1 IRF Fabric Configuration 1-1
Introduction to IRF 1-1
Establishment of an IRF Fabric 1-1
How IRF Works 1-4
IRF Fabric Configuration 1-5
IRF Fabric Configuration Task List 1-5
Specifying the Fabric Port of a Switch 1-5
Setting a Unit ID for a Switch 1-6
Assigning a Unit Name to a Switch 1-8
Assigning an IRF Fabric Name to a Switch 1-8
Configuring IRF Automatic Fabric for a Switch 1-8...
IRF Fabric Configuration Example

Introduction to IRF
Intelligent Resilient Framework (IRF), a feature particular to H3C S5600 series switches, is a new technology for building the core of a network. This feature allows you to build an IRF fabric by interconnecting several S5600 series switches to provide more ports for network devices and improve the reliability of your network.
Figure 1-3 Network diagram for IRF fabric with a bus topology
Fabric ports
On an S5600 series Ethernet switch, only the two cascade ports on its rear panel can be configured as the fabric ports. The two cascade ports are:...
When IRF automatic fabric is enabled, a device can still be added to the fabric even if its software version differs from the version used on the devices in the fabric: the software is downloaded and loaded automatically.
IRF fabric detection
Forming a fabric requires a high consistency of connection modes between the devices and of device information.
H3C S5600 series switches provide the IRF automatic fabric function, which enables the device to automatically download the software and change the fabric name, thus reducing the manual maintenance workload.
The master in a fabric collects the newest configurations of the user and the slaves periodically synchronize the configurations from the master. In this way, the entire fabric can operate with the same configurations. Distributed Redundancy Routing (DRR) is used to implement redundancy routing backup. The devices in a fabric run their independent routing protocols and maintain their own routing tables.
To do… Use the command… Remarks
Specify the fabric port of a switch: fabric-port interface-type interface-number enable (Required. Not specified by default.)
Establishing an IRF system requires a high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration on the port, and do not configure functions that affect IRF (such as TACACS and VLAN-VPN) on other ports or globally.
After an IRF fabric is established, you can use the following command to change the unit IDs of the switches in the IRF fabric.
Follow these steps to set a unit ID to a new value:
To do… Use the command… Remarks
Enter system view: system-view...
Assign a fabric name to the switch: sysname sysname (By default, the IRF fabric name is H3C.)
Configuring IRF Automatic Fabric for a Switch
Configuration prerequisites
Make sure that the Flash of the newly added device has enough space to download the software used on the devices in the fabric.
Configuration procedure
Follow these steps to configure IRF automatic fabric for a switch:
To do… Use the command… Remarks
Enter system view: system-view (—)
Configure IRF automatic fabric for a switch: fabric member-auto-update software enable (Required. Disabled by default.)
You need to enable the IRF automatic fabric function on all the devices in the fabric, including the newly added device, so that the newly added device can download software and discover neighbors and thus be added to the fabric normally.
The configuration details are as follows:
Unit IDs: 1, 2, 3, 4
Unit names: unit 1, unit 2, unit 3, unit 4
Fabric name: hello
Network Diagram
Figure 1-4 Network diagram for forming an IRF fabric
Configuration Procedure
Configure Switch A.
# Configure fabric ports.
Table of Contents
1 Cluster 1-1
Cluster Overview 1-1
Introduction to HGMP 1-1
Roles in a Cluster 1-2
How a Cluster Works 1-4
Cluster Configuration Task List 1-9
Configuring the Management Device 1-9
Configuring Member Devices 1-14
Managing a Cluster through the Management Device 1-16
Configuring the Enhanced Cluster Features 1-16
Displaying and Maintaining Cluster Configuration 1-19
Cluster Configuration Examples 1-19...
Cluster
When configuring cluster, go to these sections for information you are interested in:
Cluster Overview
Cluster Configuration Task List
Displaying and Maintaining Cluster Configuration
Cluster Configuration Examples

Cluster Overview
Introduction to HGMP
A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way.
Figure 1-1 A cluster implementation (figure labels: Network Management Station, Network, 69.110.1.100, 69.110.1.1, Management device, Member device, Member device, Member device, Cluster)
HGMP V2 has the following advantages:
It eases the configuration and management of multiple switches: you just need to configure a public IP address for the management device instead of for all the devices in the cluster;...
Table 1-1 Description on cluster roles
Role | Configuration | Function
Management device | Configured with an external IP address | Provides an interface for managing all the switches in a cluster. Manages member devices through command redirection, which forwards commands intended for specific member devices. Discovers neighbors, ...
A candidate device becomes a member device after being added to a cluster. A member device becomes a candidate device after it is removed from the cluster. A management device becomes a candidate device only after the cluster is removed. After you create a cluster on an S5600 switch, the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster.
packet data. The receiving devices store the information carried in the NDP packet in the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the information carried in the packet differs from the stored one, the corresponding entry in the NDP table is updated; otherwise only the holdtime of the entry is refreshed.
To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters. On member/candidate devices, you only need to enable NTDP globally and on specific ports. Member and candidate devices adopt the NTDP settings of the management device. Introduction to Cluster A cluster must have one and only one management device.
Figure 1-3 State machine of the connection between the management device and a member device
States: Active, Connect, Disconnect.
Active to Connect: the management device fails to receive handshake packets in three consecutive intervals.
Connect to Active: the management device receives handshake or management packets.
Connect to Disconnect: the state holdtime exceeds the specified value.
Disconnect to Active: the Disconnect state is recovered.
After a cluster is created and a candidate device is added to the cluster as a member device, both...
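The state machine in Figure 1-3, replayed in Python as an added example (not code from the H3C manual): the handshake interval of 10 seconds and holdtime of 100 seconds are the values used in this chapter's configuration example, while the packet arrival times are constructed.

```python
"""Management-to-member connection states in an HGMP cluster (added example, not H3C code).

The link starts Active.  When no handshake or management packet arrives for
three consecutive handshake intervals it drops to Connect; a packet received
in Connect returns it to Active; if the silence exceeds the holdtime it drops
to Disconnect, from which the next packet recovers it to Active.  The
interval (10 s) and holdtime (100 s) match the chapter's configuration
example; the packet arrival times are constructed.
"""
from typing import Iterable, List, Tuple

MISSED_LIMIT = 3          # consecutive intervals without a packet before Active -> Connect


class MemberLink:
    def __init__(self, interval: float, holdtime: float) -> None:
        self.interval = interval
        self.holdtime = holdtime
        self.state = "Active"
        self.last_rx = 0.0    # time of the last handshake/management packet
        self.missed = 0       # consecutive handshake intervals with nothing received

    def on_packet(self, now: float) -> None:
        """A handshake or management packet arrived: any state returns to Active."""
        self.last_rx = now
        self.missed = 0
        self.state = "Active"

    def tick(self, now: float) -> None:
        """Called once per handshake interval to age the connection."""
        if now - self.last_rx < self.interval:
            self.missed = 0
        else:
            self.missed += 1
        if self.state == "Active" and self.missed >= MISSED_LIMIT:
            self.state = "Connect"
        elif self.state == "Connect" and now - self.last_rx > self.holdtime:
            self.state = "Disconnect"


def simulate(interval: float, holdtime: float, rx_times: Iterable[float],
             end: float) -> List[Tuple[float, str]]:
    """Replay packet arrivals against interval ticks; return (time, new state) transitions."""
    link = MemberLink(interval, holdtime)
    pending = sorted(rx_times)
    transitions = [(0.0, link.state)]
    t = interval
    while t <= end:
        while pending and pending[0] <= t:      # deliver packets due by this tick
            when = pending.pop(0)
            before = link.state
            link.on_packet(when)
            if link.state != before:
                transitions.append((when, link.state))
        before = link.state
        link.tick(t)
        if link.state != before:
            transitions.append((t, link.state))
        t += interval
    return transitions


if __name__ == "__main__":
    # Constructed: one packet at t=0, then silence, then recovery at t=120.
    for when, state in simulate(10, 100, [0.0, 120.0], end=130):
        print(f"t={when:5.0f}s  {state}")
```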
Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted in the management VLAN only, through which the management packets are isolated from other packets and network security is improved.
Enabling the management device and the member devices to communicate with each other in the management VLAN.
downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet:
If the two MAC addresses are the same, the downstream switch sends a response to the switch that sent the tracemac command, indicating the success of the tracemac command.
If the two MAC addresses are different, the downstream switch queries the port connected to its own downstream switch based on the MAC address and VLAN ID, and then forwards the packet to that downstream switch.
To reduce the risk of attacks by malicious users against an open socket and to enhance switch security, the S5600 series Ethernet switches provide the following functions, so that the cluster socket is open only when it is needed:
Opening UDP port 40000 (used for cluster) only when the cluster function is implemented;
Closing UDP port 40000 at the same time the cluster function is closed.
To do… Use the command… Remarks
Enter system view: system-view (—)
Configure the holdtime of NDP information: ndp timer aging aging-in-seconds (Optional. By default, the holdtime of NDP information is 180 seconds.)
Configure the interval to send NDP packets: ndp timer hello seconds (Optional. By default, the interval to send NDP packets is 60 seconds.)
Enabling the cluster function
Follow these steps to enable the cluster function:
To do… Use the command… Remarks
Enter system view: system-view (—)
Enable the cluster function globally: cluster enable (Required. By default, the cluster function is enabled.)
Configuring cluster parameters
The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode, as described below.
To do… Use the command… Remarks
Enter system view: system-view (—)
Enter cluster view: cluster (—)
Configure the IP address range for the cluster: ip-pool administrator-ip-address { ip-mask | ip-mask-length } (Required)
Start automatic cluster establishment: auto-build [ recover ] (Required. Follow the prompts to establish a cluster.)
Enabling NDP globally and on specific ports
Follow these steps to enable NDP globally and on specific ports:
To do… Use the command… Remarks
Enter system view: system-view (—)
Enable NDP globally: ndp enable (Required)
Enable NDP on specific ports, in system view: ndp enable interface port-list
Enter...
To do… Use the command… Remarks
Download a file from the shared TFTP server of the cluster: tftp cluster get source-file [ destination-file ] (Optional. Available in user view.)
Upload a file to the shared TFTP server of the cluster: tftp cluster put source-file [ destination-file ] (Optional. Available in user view.)...
When errors occur to the cluster topology, you can replace the current topology with the standard cluster topology and restore the administrative device using the backup topology on the Flash memory, so that the devices in the cluster can resume normal operation. With the display cluster current-topology command, the switch can display the topology of the current cluster in a tree structure.
To do… Use the command… Remarks
Save the standard topology to the Flash memory of the administrative device: topology save-to local-flash (Required)
Restore the standard topology from the Flash memory of the administrative device: topology restore-from local-flash (Optional)
Display the detailed information about a single device: display ntdp single-device mac-address mac-address...
Basic Cluster Configuration Example
Network requirements
Three switches compose a cluster, where:
An S5600 series switch serves as the management device.
The rest are member devices.
Serving as the management device, the S5600 switch manages the two member devices. The...
The NMS and logging host use the same IP address: 69.172.55.4.
Network diagram
Figure 1-4 Network diagram for HGMP cluster configuration
Configuration procedure
Configure the member devices (taking one member as an example)
# Enable NDP globally and on Ethernet 1/0/1.
<Sysname>...
[Sysname] ndp enable
[Sysname] undo ndp enable interface GigabitEthernet 1/0/1
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo ntdp enable
[Sysname-GigabitEthernet1/0/1] quit
# Enable NDP on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] ndp enable
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface GigabitEthernet 1/0/3
[Sysname-GigabitEthernet1/0/3] ndp enable
[Sysname-GigabitEthernet1/0/3] quit
# Set the hold time of NDP information to 200 seconds.
[Sysname-cluster] build aaa
[aaa_0.Sysname-cluster]
# Add the attached two switches to the cluster.
[aaa_0.Sysname-cluster] add-member 1 mac-address 000f-e201-0011
[aaa_0.Sysname-cluster] add-member 17 mac-address 000f-e201-0012
# Set the holdtime of member device information to 100 seconds.
[aaa_0.Sysname-cluster] holdtime 100
# Set the interval between sending handshake packets to 10 seconds.
[aaa_0.Sysname-cluster] timer 10
# Configure VLAN-interface 2 as the network management interface.
Network Management Interface Configuration Example
Network requirements
Configure VLAN-interface 2 as the network management interface of the switch;
Configure VLAN 3 as the management VLAN;
The IP address of the FTP server is 192.168.4.3;
Switch A operates as the management switch;
Switch B and Switch C are member switches.
[Sysname-vlan2] quit
# Set the IP address of VLAN-interface 2 to 192.168.4.22.
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] ip address 192.168.4.22 255.255.255.0
[Sysname-Vlan-interface2] quit
# Enable the cluster function.
[Sysname] cluster enable
# Enter cluster view.
[Sysname] cluster
[Sysname-cluster]
# Configure a private IP address pool for the cluster. The IP address pool contains 30 IP addresses, starting from 192.168.5.1.
Network diagram
Figure 1-6 Network diagram for the enhanced cluster feature configuration (figure labels: FTP server, 192.168.0.4, 192.168.0.1, Management device, Member device, Member device, Member device, 0001-2034-a0e5)
Configuration procedure
# Enter cluster view.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
# Add the MAC address 0001-2034-a0e5 to the cluster blacklist.
[aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5
# Back up the current topology.
Table of Contents
1 PoE Configuration 1-1
PoE Overview 1-1
Introduction to PoE 1-1
PoE Features Supported by S5600 1-2
PoE Configuration 1-3
PoE Configuration Task List 1-3
Enabling the PoE Feature on a Port 1-3
Setting the Maximum Output Power on a Port...
PoE Configuration
When configuring PoE, go to these sections for information you are interested in:
PoE Overview
PoE Configuration
PoE Configuration Example
The newly added function is upgrading the PoE module of the fabric switch remotely. See Upgrading the PSE Processing Software of Fabric Switches Online for details.
Standard PDs conform to the 802.3af standard, including IP phones, wireless APs, network cameras and so on.
PI: PIs are RJ45 interfaces which connect PSEs/PDs to network cables.
PoE Features Supported by S5600
PoE-enabled S5600 series Ethernet switches include:
S5600-26C-PWR
S5600-50C-PWR
A PoE-enabled S5600 switch has the following features:
As the PSE, it supports the IEEE 802.3af standard.
When you use the PoE-enabled S5600 switch to supply power, the PDs need no external power supply. If a remote PD has an external power supply, the PoE-enabled S5600 switch and the external power supply back up each other for the PD. Only the Ethernet electrical ports of the PoE-enabled S5600 switch support the PoE feature.
When a switch is close to its full load in supplying power, you can adjust the power supply of the switch through the cooperation of the PoE management mode and the port PoE priority settings. S5600 series switches support two PoE management modes, auto and manual. The auto mode is adopted by default.
Spare mode: DC power is carried over the spare pairs (4, 5, 7, and 8) of category-3/5 twisted pairs. Currently, S5600 series Ethernet switches do not support the spare mode.
After the PoE feature is enabled on the port, perform the following configuration to set the PoE mode on a port.
To do… / Use the command… / Remarks
Enter system view: system-view (—)
Enable the PD compatibility detection function: poe legacy enable (Required. Disabled by default.)
Configuring PoE Over-Temperature Protection on the Switch
If this function is enabled, the switch disables the PoE feature on all ports when its internal temperature exceeds 65°C (149°F) for self-protection, and restores the PoE feature settings on all its ports when the temperature drops below 60°C (140°F).
To do… / Use the command… / Remarks
Enter system view: system-view (—)
Upgrade the PSE processing software online: poe update { refresh | full } filename (Required. The specified PSE processing software is a file with the extension .s19. In the case that the PSE processing software is damaged (that is, no PoE command can be executed successfully), use the full update mode to upgrade and thus restore the software.)
PoE Configuration Example
Network requirements
Switch A is an S5600 series Ethernet switch supporting PoE; Switch B can be PoE powered. The GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 ports of Switch A are connected to Switch B and an AP respectively; the GigabitEthernet 1/0/8 port is intended to be connected with an important AP.
Network diagram
Figure 1-1 Network diagram for PoE (Switch A ports GE1/0/1, GE1/0/2 and GE1/0/8; Switch B; network)
Configuration procedure
# Upgrade the PSE processing software online.
<SwitchA> system-view
[SwitchA] poe update refresh 0290_021.s19
# Enable the PoE feature on GigabitEthernet 1/0/1, and set the PoE maximum output power of GigabitEthernet 1/0/1 to 12,000 mW.
# Enable PD compatibility detection on the switch to allow the switch to supply power to devices noncompliant with the 802.3af standard.
[SwitchA] poe legacy enable
On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the switch, S5600 series Ethernet switches provide the PoE profile features. A PoE profile is a set of PoE configurations, including multiple PoE features.
When the apply poe-profile command is used to apply a PoE profile to a port, some PoE features in the PoE profile can be applied successfully while some cannot. PoE profiles are applied to S5600 series Ethernet switches according to the following rules:...
PoE Profile Configuration Example
PoE Profile Application Example
Network requirements
Switch A is an S5600 series Ethernet switch supporting PoE. GigabitEthernet 1/0/1 through GigabitEthernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: The PoE function can be enabled on all ports in use.
Network diagram
Figure 2-1 PoE profile application (Switch A: GE1/0/1~GE1/0/5 and GE1/0/6~GE1/0/10, each group connected to IP phones)
Configuration procedure
# Create Profile 1, and enter PoE profile view.
<SwitchA> system-view
[SwitchA] poe-profile Profile1
# In Profile 1, add the PoE policy configuration applicable to GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 ports for users of group A.
[SwitchA] poe-profile Profile2
# In Profile 2, add the PoE policy configuration applicable to GigabitEthernet 1/0/6 through GigabitEthernet 1/0/10 ports for users of group A.
[SwitchA-poe-profile-Profile2] poe enable
[SwitchA-poe-profile-Profile2] poe mode signal
[SwitchA-poe-profile-Profile2] poe priority high
[SwitchA-poe-profile-Profile2] poe max-power 15400
[SwitchA-poe-profile-Profile2] quit
# Display detailed configuration information for Profile2.
Table of Contents
1 UDP Helper Configuration (1-1)
  Introduction to UDP Helper (1-1)
  Configuring UDP Helper (1-2)
  Displaying and Maintaining UDP Helper (1-3)
  UDP Helper Configuration Example (1-3)
    Cross-Network Computer Search Through UDP Helper (1-3)...
To solve this problem, S5600 series Ethernet switches provide the UDP Helper function to relay specified UDP packets. In other words, UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server.
On an S5600 Series Ethernet Switch, the reception of directed broadcast packets to a directly connected network is disabled by default. As a result, UDP Helper is available only when the ip forward-broadcast command is configured in system view. For details about the ip forward-broadcast command, refer to the IP Address and Performance part of this manual.
Displaying and Maintaining UDP Helper
To do… / Use the command… / Remarks
Display the UDP broadcast relay forwarding information of a specified VLAN interface on the switch: display udp-helper server [ interface vlan-interface vlan-id ] (Available in any view)
Clear statistics about packets forwarded by UDP Helper: reset udp-helper packet (Available in user view)...
SNMP Configuration
When configuring SNMP, go to these sections for information you are interested in:
SNMP Overview
Configuring Basic SNMP Functions
Configuring Trap-Related Functions
Enabling Logging for Network Management
Displaying SNMP
SNMP Configuration Example
The configuration of creating a MIB view with the mask of a MIB subtree is added. See section Configuring Basic SNMP Functions.
When a network device operates improperly or changes to another state, the agent on it can also send traps on its own initiative to the NMS to report the events.
SNMP Versions
Currently, the SNMP agent on a switch supports SNMPv3, and is compatible with SNMPv1 and SNMPv2c. SNMPv3 adopts user name and password authentication.
Table 1-1 Common MIBs
MIB attribute / MIB content / Related RFC
Public MIB: MIB II based on TCP/IP network device (RFC 1213); BRIDGE MIB (RFC 1493, RFC 2675); RIP MIB (RFC 1724); RMON MIB (RFC 2819); Ethernet MIB (RFC 2665); OSPF MIB (RFC 1253); IF MIB (RFC 1573)...
Set system information, and specify to enable SNMPv1 or SNMPv2c on the switch: … location sys-location | version { { v1 | v2c | v3 }* | all } } (… maintenance is "Hangzhou H3C Technologies Co., Ltd.", the system location is "Hangzhou China", and the...
Set system information, and specify to enable SNMPv3 on the switch: { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (… maintenance is "Hangzhou H3C Technologies Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3.)
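The release note above mentions MIB views created with a subtree mask. The following added example (not the switch software, and not from this manual) shows the rule such a mask implements, as specified for view-based access control in RFC 3415: an OID is in a view family when every sub-identifier whose mask bit is 1 matches the subtree, and the longest matching family decides whether the OID is included or excluded. The view definition and the mask value FFA0 are constructed for the example; the OIDs are standard MIB-2 objects.

```python
# Added example (not from the switch software): how a MIB view with a subtree
# mask decides whether an OID may be accessed, following the view-based access
# control rules of RFC 3415. The view below is constructed for the example.
from typing import List, Tuple


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in text.strip().strip(".").split("."))


def mask_bits(mask_hex: str, length: int) -> List[int]:
    """Expand a hex mask into one bit per subtree sub-identifier.
    Bit 1 = the sub-identifier must match, bit 0 = wildcard.
    Bits beyond the mask's length count as 1 (RFC 3415 vacmViewTreeFamilyMask)."""
    bits: List[int] = []
    for byte in bytes.fromhex(mask_hex):
        bits.extend((byte >> (7 - i)) & 1 for i in range(8))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


def oid_in_family(oid: Tuple[int, ...], subtree: Tuple[int, ...], mask_hex: str) -> bool:
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or o == s for o, s, bit in zip(oid, subtree, bits))


def oid_in_view(oid_text: str, view) -> bool:
    """view: list of (subtree, mask_hex, 'include'|'exclude') entries.
    Of all families containing the OID, the one with the longest subtree wins
    (ties go to the lexicographically greater subtree); its type decides."""
    oid = parse_oid(oid_text)
    best_key, best_type = None, None
    for subtree_text, mask_hex, view_type in view:
        subtree = parse_oid(subtree_text)
        if oid_in_family(oid, subtree, mask_hex):
            key = (len(subtree), subtree)
            if best_key is None or key > best_key:
                best_key, best_type = key, view_type
    return best_type == "include"


# Constructed view: all of mib-2 is readable, the ifTable rows are hidden,
# except the row for ifIndex 1. The mask FFA0 on the 11-sub-identifier subtree
# 1.3.6.1.2.1.2.2.1.1.1 wildcards the 10th sub-identifier (the column), so any
# column of interface 1 matches while the index 1 itself must match.
EXAMPLE_VIEW = [
    ("1.3.6.1.2.1", "", "include"),
    ("1.3.6.1.2.1.2.2.1", "", "exclude"),
    ("1.3.6.1.2.1.2.2.1.1.1", "FFA0", "include"),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.2.1.2.1", "1.3.6.1.2.1.2.2.1.2.2"):
        print(oid, "included" if oid_in_view(oid, EXAMPLE_VIEW) else "excluded")
```

The wildcard is what makes a per-row view possible without enumerating every column: with an empty mask (all bits 1) the same subtree would only ever match ifIndex.1 itself.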
Configuring Trap-Related Functions
Configuring Basic Trap Functions
Traps refer to those sent by managed devices to the NMS without request. They are used to report some urgent and important events (for example, the rebooting of managed devices). Note that basic SNMP configuration is performed before you configure basic trap function.
Follow these steps to configure basic trap function:
To do…...
Follow these steps to configure extended trap function:
To do… / Use the command… / Remarks
Enter system view: system-view (—)
Configure the extended trap function: snmp-agent trap ifmib link extended (Optional. By default, the linkUp/linkDown trap adopts the standard format defined in IF-MIB. For details, refer to RFC 1213.)
To do… / Use the command… / Remarks
Display trap list information: display snmp-agent trap-list
Display the currently configured community name: display snmp-agent community [ read | write ]
Display the currently configured MIB view: display snmp-agent mib-view [ exclude | include | viewname view-name ]
SNMP Configuration Example
Network requirements...
Configuring the NMS The S5600 series Ethernet switches support H3C’s QuidView NMS. SNMPv3 adopts user name and password authentication. When you use H3C’s QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter]. For each security level, you need to set authorization mode, authorization password, encryption mode, encryption password, and so on.
RMON MIB): alarm group, event group, history group, and statistics group. An H3C S5600 Ethernet switch implements RMON in the second way. With an embedded RMON agent, an S5600 Ethernet switch can serve as a network device with the RMON probe function. Through...
about the total traffic, error statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks.
Commonly Used RMON Groups
Event group
Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
Statistics group
Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
[Sysname-GigabitEthernet1/0/1] quit
# Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.
[Sysname] rmon event 1 log
[Sysname] rmon event 2 trap 10.21.30.55
# Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) formula to get the number of all the oversize and undersize packets received by GigabitEthernet 1/0/1 that are in correct data format, and sample it every 10 seconds.
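To show what the extended alarm above actually does between samples, here is an added example (not the switch's RMON implementation and not from this manual) of the alarm-table rules in RFC 2819: a rising event fires when a sample reaches the rising threshold, and no further rising event fires until the value has dropped to the falling threshold, so a value hovering around one threshold raises a single alarm rather than one per sample. The monitored value is the sum of the two counters named in the formula, sampled every 10 seconds, with delta sampling. The thresholds (20 and 5), the event numbers 1 and 2 from the configuration, and the counter readings are constructed for the example; the manual does not give threshold values here.

```python
# Added example (not the switch's RMON implementation): RFC 2819 alarm-table
# evaluation replayed against a constructed series of counter readings.
from typing import List, Optional, Tuple


class RmonAlarm:
    def __init__(self, rising_threshold: int, falling_threshold: int,
                 sample_type: str = "delta", startup_alarm: str = "risingOrFalling",
                 rising_event: int = 1, falling_event: int = 2):
        assert rising_threshold > falling_threshold
        self.rising, self.falling = rising_threshold, falling_threshold
        self.sample_type = sample_type          # "absolute" or "delta"
        self.startup_alarm = startup_alarm      # "rising", "falling" or "risingOrFalling"
        self.rising_event, self.falling_event = rising_event, falling_event
        self.prev_raw: Optional[int] = None     # last raw counter (for delta sampling)
        self.prev_value: Optional[int] = None   # last evaluated sample value
        self.last_alarm: Optional[str] = None   # which threshold fired most recently

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading; return the event index to fire, or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:
                self.prev_raw = raw
                return None                     # a delta needs two readings
            value = (raw - self.prev_raw) & 0xFFFFFFFF   # tolerate 32-bit counter wrap
            self.prev_raw = raw
        else:
            value = raw

        first = self.prev_value is None
        event = None
        # Rising: value at/above threshold, previous sample below it (or the startup
        # rule on the first sample), and no rising alarm still "armed".
        if value >= self.rising and self.last_alarm != "rising" and (
                (first and self.startup_alarm in ("rising", "risingOrFalling"))
                or (not first and self.prev_value < self.rising)):
            event, self.last_alarm = self.rising_event, "rising"
        # Falling: the mirror image.
        elif value <= self.falling and self.last_alarm != "falling" and (
                (first and self.startup_alarm in ("falling", "risingOrFalling"))
                or (not first and self.prev_value > self.falling)):
            event, self.last_alarm = self.falling_event, "falling"
        self.prev_value = value
        return event


def replay(readings: List[Tuple[int, int]], alarm: RmonAlarm) -> List[Optional[int]]:
    """readings: (oversize, undersize) cumulative counters, one pair per 10 s sample.
    The alarm variable is their sum, as in the formula of the extended alarm."""
    return [alarm.sample(oversize + undersize) for oversize, undersize in readings]


# Constructed 10-second readings of the two counters; the summed deltas are
# 3, 27, 25, 5, 2, 1, 27.
EXAMPLE_READINGS = [(0, 0), (2, 1), (20, 10), (40, 15), (44, 16), (45, 17), (46, 17), (60, 30)]

if __name__ == "__main__":
    # Expected: [None, 2, 1, None, 2, None, None, 1]
    print(replay(EXAMPLE_READINGS, RmonAlarm(rising_threshold=20, falling_threshold=5)))
```

Note the third reading (delta 25) raises nothing even though it is above 20: the rising alarm fired on the previous sample and is not re-armed until the delta falls to 5, which is the hysteresis that keeps a noisy counter from flooding the log and the trap receiver.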
Table of Contents
1 NTP Configuration (1-1)
  Introduction to NTP (1-1)
    Applications of NTP (1-1)
    Implementation Principle of NTP (1-2)
    NTP Implementation Modes (1-4)
  NTP Configuration Task List (1-6)
  Configuring NTP Implementation Modes (1-6)
    Configuring NTP Server/Client Mode (1-7)
    Configuring the NTP Symmetric Peer Mode (1-7)
    Configuring NTP Broadcast Mode (1-8)
    Configuring NTP Multicast Mode (1-9)
  Configuring Access Control Right (1-10)...
NTP Configuration
When configuring NTP, go to these sections for information you are interested in:
Introduction to NTP
NTP Configuration Task List
Configuring NTP Implementation Modes
Configuring Access Control Right
Configuring NTP Authentication
Configuring Optional NTP Parameters
Displaying NTP Configuration
Configuration Examples
Introduction to NTP
Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305.
Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly
Supporting access control and MD5 encrypted authentication (see section Configuring NTP Authentication)
Sending protocol packets in unicast, multicast, or broadcast mode
The clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15.
Figure 1-1 Implementation principle of NTP (Device A sends an NTP message stamped 10:00:00 am across the IP network; Device B stamps its receipt at 11:00:01 am and its reply at 11:00:02 am; Device A receives the reply at 10:00:03 am by its own clock)...
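The four timestamps in Figure 1-1 are all a client needs to correct its clock. The following added example (not from the manual) carries the calculation through with the RFC 1305 formulas: the offset is the average of the two one-way apparent differences, and the round-trip delay is the total elapsed time on the client minus the time the server held the request. The figure's times are used as given; the only assumption is that all four fall on the same day, so seconds since midnight suffice.

```python
# Added example (not from the H3C manual): the clock offset and round-trip delay
# behind Figure 1-1, using the formulas from RFC 1305. The four timestamps are
# the ones shown in the figure; everything else is derived from them.
from typing import Tuple


def hms_to_seconds(hms: str) -> int:
    """'11:00:02' -> seconds since midnight (all timestamps are on the same day)."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def ntp_offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """Return (offset, delay) in seconds for one NTP request/reply exchange.

    t1: client transmit time (client clock)   t2: server receive time (server clock)
    t3: server transmit time (server clock)   t4: client receive time (client clock)
    offset > 0 means the client clock is behind the server clock.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    if delay < 0:
        # A negative delay means the timestamps are inconsistent (for example the
        # client clock was stepped between t1 and t4); such a sample is discarded.
        raise ValueError("negative round-trip delay, inconsistent timestamps")
    return offset, delay


def figure_1_1_exchange() -> Tuple[float, float]:
    """Replay the exchange of Figure 1-1 (Device A = client, Device B = server)."""
    t1 = hms_to_seconds("10:00:00")  # Device A sends the request
    t2 = hms_to_seconds("11:00:01")  # Device B receives it
    t3 = hms_to_seconds("11:00:02")  # Device B sends the reply
    t4 = hms_to_seconds("10:00:03")  # Device A receives the reply
    return ntp_offset_and_delay(t1, t2, t3, t4)


def corrected_client_time(t4: float, offset: float) -> float:
    """The time Device A should set once it trusts the server: its own t4 plus the offset."""
    return t4 + offset


if __name__ == "__main__":
    offset, delay = figure_1_1_exchange()
    print(f"offset = {offset:.0f} s, round-trip delay = {delay:.0f} s")
    print("corrected time (seconds since midnight):",
          corrected_client_time(hms_to_seconds("10:00:03"), offset))
```

The result, 3600 s offset and 2 s delay, is why the message in the figure "arrives" at 10:00:03 although the server stamped it an hour later: Device A is one hour behind Device B, and the path costs one second each way. The formula assumes a symmetric path; an asymmetric route puts half the asymmetry straight into the offset, which is the usual source of residual NTP error.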
NTP Implementation Modes
According to the network structure and the position of the local Ethernet switch in the network, the local Ethernet switch can work in multiple NTP modes to synchronize the clock.
Server/client mode
Figure 1-2 Server/client mode
Symmetric peer mode
Figure 1-3 Symmetric peer mode (active peer and passive peer)...
Figure 1-4 Broadcast mode
Multicast mode
Figure 1-5 Multicast mode
Table 1-1 describes how the above mentioned NTP modes are implemented on H3C S5600 series Ethernet switches.
Table 1-1 NTP implementation modes on H3C S5600 series Ethernet switches
NTP implementation mode...
NTP messages through the VLAN interface configured on the switch. When an H3C S5600 Ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch; configure the client or the symmetric-active peer instead.
UDP port 123 is opened only when the NTP feature is enabled, and is closed when the NTP feature is disabled. These functions are implemented as follows: Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
255.255.255.255. The switches working in the NTP broadcast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S5600 series Ethernet switch can work as a broadcast server or a broadcast client. A broadcast server can synchronize broadcast clients only after its clock has been synchronized.
NTP multicast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S5600 series Ethernet switch can work as a multicast server or a multicast client. A multicast server can synchronize multicast clients only after its clock has been synchronized.
To do… / Use the command… / Remarks
Configure the switch to work in the NTP multicast server mode: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ]* (Required. Not configured by default.)
Configuring a switch to work in the multicast client mode
Follow these steps to configure a switch to work in the NTP multicast client mode:
To do…...
Configuration Procedure
Follow these steps to configure the NTP service access-control right to the local device for peer devices:
To do… / Use the command… / Remarks
Enter system view: system-view (—)
Configure the NTP service access-control right to the local ...: ntp-service access { peer | server | synchronization | ... (Optional. peer by default...
If the NTP authentication function is not enabled on the client, the clock of the client can be synchronized to a server no matter whether the NTP authentication function is enabled on the server (assuming that other related configurations are properly performed). For the NTP authentication function to take effect, a trusted key needs to be configured on both the client and server after the NTP authentication is enabled on them.
Configuring NTP authentication on the server
Follow these steps to configure NTP authentication on the server:
To do… / Use the command… / Remarks
Enter system view: system-view (—)
Enable NTP authentication: ntp-service authentication enable (Required. Disabled by default.)
Configure an NTP authentication key: ntp-service authentication-keyid key-id ... (Required. By default, no NTP authentication key...
Task / Remarks
Configuring an Interface on the Local Switch to Send NTP Messages: Optional
Configuring the Number of Dynamic Sessions Allowed on the Local Switch: Optional
Disabling an Interface from Receiving NTP Messages: Optional
Configuring an Interface on the Local Switch to Send NTP Messages
Follow these steps to configure an interface on the local switch to send NTP messages:
To do…...
Disabling an Interface from Receiving NTP Messages
Follow these steps to disable an interface from receiving NTP messages:
To do… / Use the command… / Remarks
Enter system view: system-view (—)
Enter VLAN interface view: interface Vlan-interface vlan-id (—)
Disable an interface from receiving NTP messages: ntp-service in-interface ... (Required. By default, a VLAN interface...
Reference clock ID: none
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)
# Set Device A as the NTP server of Device B.
<DeviceB>...
Network diagram
Figure 1-7 Network diagram for NTP peer mode configuration (Device A 3.0.1.31/24, Device B 3.0.1.32/24, Device C 3.0.1.33/24)
Configuration procedure
Configure Device C.
# Set Device A as the NTP server.
<DeviceC> system-view
[DeviceC] ntp-service unicast-server 3.0.1.31
Configure Device B (after Device C is synchronized to Device A).
# Enter system view.
# View the information about the NTP sessions of Device C (you can see that a connection is established between Device C and Device B).
[DeviceC] display ntp-service sessions
source reference stra reach poll now offset delay disper
*************************************************************************
[1234]3.0.1.32 LOCL -14.3 12.9...
<DeviceA> system-view
# Set Device A as a broadcast client.
[DeviceA] interface Vlan-interface 2
[DeviceA-Vlan-interface2] ntp-service broadcast-client
After the above configurations, Device A and Device D will listen to broadcast messages through their own VLAN-interface 2, and Device C will send broadcast messages through VLAN-interface 2. Because Device A and Device C do not share the same network segment, Device A cannot receive broadcast messages from Device C, while Device D is synchronized to Device C after receiving broadcast messages from Device C.
Network diagram
Figure 1-9 Network diagram for NTP multicast mode configuration (Device C Vlan-int2 3.0.1.31/24; Device A Vlan-int2 1.0.1.31/24; Device B; Device D Vlan-int2 3.0.1.32/24)
Configuration procedure
Configure Device C.
# Enter system view.
<DeviceC> system-view
# Set Device C as a multicast server to send multicast messages through VLAN-interface 2.
[DeviceC] interface Vlan-interface 2
[DeviceC-Vlan-interface2] ntp-service multicast-server
Configure Device A (perform the same configuration on Device D).
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The output information indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C.
# View the information about the NTP sessions of Device D (you can see that a connection is established between Device D and Device C).
After the above configurations, Device B is ready to synchronize with Device A. Because the NTP authentication function is not enabled on Device A, the clock of Device B will fail to be synchronized to that of Device A. To synchronize Device B, you need to perform the following configurations on Device A. # Enable the NTP authentication function.
Table of Contents
1 SSH Configuration (1-1)
  SSH Overview (1-1)
    Introduction to SSH (1-1)
    Algorithm and Key (1-1)
    Asymmetric Key Algorithm (1-2)
    SSH Operating Process (1-2)
  SSH Server and Client Configuration Task List (1-4)
  Configuring the SSH Server (1-5)
    Configuring the User Interfaces for SSH Clients (1-6)
    Configuring the SSH Management Functions (1-6)
    Configuring the SSH Server to Be Compatible with SSH1 Clients (1-7)
    Generating/Destroying Key Pairs (1-7)...
SSH Configuration
The DSA algorithm is newly added in SSH configuration. Click the following links for related information:
Generating/Destroying Key Pairs
Creating an SSH User and Specifying an Authentication Type
Configuring the Public Key of a Client on the Server
When configuring SSH, go to these sections for information you are interested in:
SSH Overview
SSH Server and Client Configuration Task List...
and decryption are performed using a string of characters called a key, which controls the transformation between plain text and cipher text, for example, changing the plain text into cipher text or cipher text into plain text.
Figure 1-1 Encryption and decryption
Key-based algorithms are usually classified into symmetric key algorithms and asymmetric key algorithms.
Stages / Description
Authentication: The SSH server authenticates the client in response to the client's authentication request.
Session request: The client sends a session request to the server.
Data exchange: The client and the server start to communicate with each other.
Version negotiation
The server opens port 22 to listen to connection requests from clients.
The H3C switch acts as the SSH server to cooperate with software that supports the SSH client functions.
The H3C switch acts as the SSH server to cooperate with another H3C switch that acts as an SSH client.
Complete the following tasks to configure the SSH server and clients:...
Server / Client / Server configuration / Client side configuration
An H3C switch / Another H3C switch / Configuring the SSH Server / Configuring an SSH Client Assumed by an SSH2-Capable Switch
Configuring the SSH Server
The session establishment between an SSH client and the SSH server involves five stages. Similarly, SSH server configuration involves five aspects, as shown in the following table.
The SSH server needs to cooperate with an SSH client to complete the interactions between them. For SSH client configuration, refer to Configuring the SSH Client. Configuring the User Interfaces for SSH Clients An SSH client accesses the device through a VTY user interface. Therefore, you need to configure the user interfaces for SSH clients to allow SSH login.
Table 1-4 Follow these steps to configure SSH management functions:
To do... / Use the command... / Remarks
Enter system view: system-view (—)
Set the SSH authentication timeout time: ssh server timeout seconds (Optional. By default, the SSH authentication timeout time is 60 seconds.)
Set the number of SSH ...: ssh server ... (Optional....
prompted to enter the key length in bits, which is between 512 and 2048. The default length is 1024. In case a key pair already exists, the system will ask whether to replace the existing key pair.
Table 1-5 Follow these steps to create or destroy key pairs:
To do...
To do... / Use the command... / Remarks
(... specified.)
Create an SSH user, and specify an authentication type: ssh user username ... / ssh user username authentication-type { all | password | ... (Note that: If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes...
If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it. Configuring the Public Key of a Client on the Server This configuration is not necessary if the password authentication mode is configured for SSH users.
Table 1-9 Follow these steps to import the RSA public key from a public key file:
To do... / Use the command... / Remarks
Enter system view: system-view (—)
Import the public key from a public key file: public-key peer keyname import sshkey filename (Required)
Assigning a Public Key to an SSH User
This configuration task is unnecessary if the SSH user's authentication mode is password.
To do... / Use the command... / Remarks
Display the DSA key on the screen in a specified format or export it to a specified file: public-key local export dsa { openssh | ssh2 } [ filename ] (Required)
The DSA public key format can be SSH2 and OpenSSH, while the RSA public key format can be SSH1, SSH2 and OpenSSH.
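The export command above and the earlier public-key peer ... import sshkey command both deal with the same key in different file formats. The following added example (not the switch's code and not from this manual) builds one ssh-rsa public key blob and writes it in the two formats named here, the OpenSSH one-line form and the RFC 4716 form usually labelled "SSH2", then parses either form back to the key numbers. The key values are toy numbers constructed for the example and are not a usable key pair; a real modulus would be 1024 bits or more, as the key-length prompt in the key generation section says.

```python
# Added example (not the switch's code): the OpenSSH and RFC 4716 ("SSH2")
# public key file formats built from one ssh-rsa blob and parsed back.
# TOY_E / TOY_N are constructed values, not a real key.
import base64
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian two's complement; a leading 0x00 is added
    when the top bit is set so the value stays positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob (RFC 4253): string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_openssh(e: int, n: int, comment: str = "client001") -> str:
    """OpenSSH one-line format: key type, base64 blob, comment."""
    return f"ssh-rsa {base64.b64encode(rsa_public_blob(e, n)).decode()} {comment}"


def to_ssh2(e: int, n: int, comment: str = "client001") -> str:
    """RFC 4716 format: begin/end markers, header lines, base64 body wrapped at 70."""
    body = base64.b64encode(rsa_public_blob(e, n)).decode()
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"']
    lines += [body[i:i + 70] for i in range(0, len(body), 70)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines)


def parse_rsa_public_blob(blob: bytes) -> Tuple[int, int]:
    fields, pos = [], 0
    while pos + 4 <= len(blob):
        length = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if pos != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not a well-formed ssh-rsa public key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def parse_public_key(text: str) -> Tuple[int, int]:
    """Accept either format and return (e, n)."""
    lines = text.strip().splitlines()
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----" and lines[-1] == "---- END SSH2 PUBLIC KEY ----":
        # Header lines contain ':'; base64 never does. Backslash-continued
        # header lines (allowed by RFC 4716) are not handled by this minimal parser.
        body = "".join(line.strip() for line in lines[1:-1] if ":" not in line)
    else:
        parts = lines[0].split()
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            raise ValueError("expected an OpenSSH 'ssh-rsa ...' line")
        body = parts[1]
    return parse_rsa_public_blob(base64.b64decode(body, validate=True))


# Toy values (constructed): a real RSA modulus would be 1024 bits or more.
TOY_E = 65537
TOY_N = 0xC0FFEE0123456789ABCDEF9876543211

if __name__ == "__main__":
    print(to_openssh(TOY_E, TOY_N))
    print(to_ssh2(TOY_E, TOY_N))
    print(parse_public_key(to_ssh2(TOY_E, TOY_N)) == (TOY_E, TOY_N))
```

Both files carry the identical base64 blob; only the wrapping differs, which is why a client key can be exported in one format and imported on the server in the other without touching the key material. The length-prefixed parser refuses a blob with trailing or truncated bytes rather than silently accepting a key that a different parser might read differently.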
Task / Remarks
Opening an SSH connection with password authentication: Required for password authentication; unnecessary for publickey authentication
Opening an SSH connection with publickey authentication: Required for publickey authentication; unnecessary for password authentication
Selecting the protocol for remote connection as SSH
Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH.
Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-3. Otherwise, the progress bar stops moving and the key pair generating process is stopped.
Figure 1-3 Generate the client keys (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.
Likewise, to save the private key, click Save private key. A warning window pops up to ask whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key ("private" in this case) to save the private key.
Figure 1-5 Generate the client keys (4)
To generate an RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
Figure 1-7 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
Selecting a protocol for remote connection
As shown in Figure...
Figure 1-8 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation in ssh2.
Opening an SSH connection with password authentication
From the window shown in Figure...
Figure 1-9 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server.
To configure the public key of a client on the server, refer to Configuring the Public Key of a Client on the Server. Configuring whether first-time authentication is supported When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.
To do... / Use the command... / Remarks
Specify a source IP address for the SSH client: ssh2 source-ip ip-address (Optional. By default, the system determines a source IP address.)
Specify a source interface for the SSH client: ssh2 source-interface interface-type interface-number (Optional. By default, the system determines a source interface.)
Displaying and Maintaining SSH Configuration
To do... / Use the command... / Remarks
Display the public key part of the current switch's key pairs: display public-key local { dsa | rsa } public
Display information about locally saved public keys of SSH peers: display public-key peer [ brief | name pubkey-name ]
...: display ssh server { session |...
Operation / Original commands / Current commands
Create an SSH user and specify publickey authentication as its authentication type: ssh user username authentication-type rsa / ssh user username authentication-type publickey
After the RSA key pair is generated, the display rsa local-key-pair public command displays two public keys (the host public key and server public key) when the switch is working in SSH1-compatible mode, but only one public key (the host public key) when the switch is working in SSH2 mode.
Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.
# Generate RSA and DSA key pairs.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
Figure 1-11 SSH client configuration interface

In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-12 appears.
Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-12, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
Select Extensible Protocol as the protocol type.
Select Standard as the RADIUS packet type.

Figure 1-14 Add an access device

# Add a user for device management.
From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account window and perform the following configurations: Add a user named hello, and specify the password.
[Switch-Vlan-interface2] quit

Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.

# Generate RSA and DSA key pairs.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
Figure 1-16 SSH client configuration interface (1)

In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-17 appears.
Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server.
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Configure the HWTACACS scheme.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
[Switch-hwtacacs-hwtac] key authentication expert...
Figure 1-19 SSH client configuration interface (1)

In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-20 appears.
Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the HWTACACS server.
[Switch] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
# Set the client’s command privilege level to 3.
[Switch-ui-vty0-4] user privilege level 3
[Switch-ui-vty0-4] quit
# Configure the authentication type of the SSH client named client001 as publickey.
Figure 1-22 Generate a client key pair (1)

While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-23. Otherwise, the progress bar stops moving and the key pair generation process stops.
Figure 1-23 Generate a client key pair (2)

After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case).

Figure 1-24 Generate a client key pair (3)

Likewise, to save the private key, click Save private key.
Figure 1-25 Generate a client key pair (4)

After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server-end configuration before you continue to configure the client.

# Establish a connection with the SSH server
Launch PuTTY.exe to enter the following interface.
Figure 1-27 SSH client configuration interface 2

Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears.

Figure 1-28 SSH client configuration interface (2)
...

Click Browse… to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-28, click Open. If the connection is normal, you will be prompted to enter the username.

When Switch Acts as Client for Password Authentication

Network requirements
As shown in...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
Enter password:
**************************************************************************
Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<SwitchB>...
Network diagram
Figure 1-30 Switch acts as client for publickey authentication

Configuration procedure
In public key authentication, you can use either an RSA or a DSA public key. DSA is used as the example here.

Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
[SwitchB] ssh user client001 authentication-type publickey

Before doing the following steps, you must first generate a DSA public key pair on the client and save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to “Configure Switch A”.

Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<SwitchB>

When Switch Acts as Client and First-Time Authentication is not Supported

Network requirements
As shown in...
# Set the user command privilege level to 3.
[SwitchB-ui-vty0-4] user privilege level 3
[SwitchB-ui-vty0-4] quit
# Specify the authentication type for user client001 as publickey.
[SwitchB] ssh user client001 authentication-type publickey

Before doing the following steps, you must first generate a DSA key pair on the client and save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP.
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
**************************************************************************
Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<SwitchB>
...
Table of Contents
1 File System Management Configuration 1-1
  File System Configuration 1-1
    Introduction to File System 1-1
    File System Configuration Task List 1-1
    Directory Operations 1-2
    File Operations 1-3
    Flash Memory Operations 1-4
    Prompt Mode Configuration 1-4
    File System Configuration Examples 1-5
  File Attribute Configuration 1-6
    Introduction to File Attributes 1-6
    Booting with the Startup File 1-7
...
File System Configuration

Introduction to File System

To facilitate management of the switch memory, S5600 series Ethernet switches provide the file system function, allowing you to access and manage files and directories. You can create, remove, copy or delete a file through command lines, and you can manage files using directories.

The S5600 series Ethernet switches support Intelligent Resilient Framework (IRF), and allow you to access a file on a switch in one of the following ways:
To access a file on a specified unit, you need to specify the file in universal resource locator (URL) format, starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
File Operations

Follow these steps to perform file-related operations:

To do… Use the command… Remarks
Delete a file: delete [ /unreserved ] file-url, or delete { running-files | standby-files } [ /fabric ]... (Optional. A deleted file can be restored by using the undelete command if you delete it by executing the delete command...)
For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored. The files which are deleted by the delete command without the /unreserved keyword are actually moved to the recycle bin and thus still take storage space. You can clear the recycle bin by using the reset recycle-bin command.
File System Configuration Examples

# Display all the files in the root directory of the file system on the local unit.
<Sysname> dir /all
Directory of unit1>flash:/
   1 (*) -rw-   5822215  Jan 01 1970 00:07:03   test.bin
         -rwh            Apr 01 2000 23:55:49   snmpboots
         -rwh            Apr 02 2000 00:47:30...
         -rw-      1376  Apr 04 2000 04:50:30   1.cfg

15367 KB total (2025 KB free)
(*) -with main attribute  (b) -with backup attribute  (*b) -with both main and backup attribute

File Attribute Configuration

Introduction to File Attributes

The following three startup files support file attribute configuration:
App files: An app file is an executable file, with .bin as the extension.
The device selects the main startup file as the preferred startup file. If the device fails to boot with the main startup file, it boots with the backup startup file. For the Web file and the configuration file, Hangzhou H3C Technologies Co., Ltd (referred to as H3C hereinafter) may provide a corresponding default file when releasing software versions. When booting, the device selects the startup files in a certain order.
To do… Use the command… Remarks
Display information about the app file used as the startup file: display boot-loader [ unit unit-id ] (Optional. Available in any view.)
Display information about the Web file used by the device: display web package (Optional. Available in any view.)

Before configuring the main or backup attribute for a file in the fabric, make sure the file already exists on all devices in the fabric.

Configuration procedure

Follow these steps to back up and restore the configuration file:

To do… Use the command… Remarks
Back up the current configuration of a specified unit: backup unit unit-id current-configuration to { dest-addr | dest-hostname } filename.cfg (Optional. Available in user view.)
Back up the current...: backup fabric ...
Table of Contents
1 FTP and SFTP Configuration 1-1
  Introduction to FTP and SFTP 1-1
    Introduction to FTP 1-1
    Introduction to SFTP 1-2
  FTP Configuration 1-2
    FTP Configuration: A Switch Operating as an FTP Server 1-2
    FTP Configuration: A Switch Operating as an FTP Client 1-7
    Configuration Example: A Switch Operating as an FTP Server 1-9
    FTP Banner Display Configuration Example 1-11
    FTP Configuration: A Switch Operating as an FTP Client 1-12
...

Binary mode for program file transfer
ASCII mode for text file transfer

An H3C S5600 series Ethernet switch can act as an FTP client or the FTP server in FTP-employed data transmission:

Table 1-1 Roles that an H3C S5600 series Ethernet switch acts as in FTP...
With an S5600 series Ethernet switch serving as an FTP server, the seven-segment digital LED on the front panel of the switch rotates clockwise when an FTP client is uploading files to the FTP server (the S5600 switch), and stops rotating when the file uploading is finished, as shown in Figure 1-1.
Disabled by default. Only one user can access an H3C S5600 series Ethernet switch at a given time when the latter operates as an FTP server. Operating as an FTP server, an H3C S5600 series Ethernet switch cannot receive a file whose size exceeds its storage space.
Configuring connection idle time After the idle time is configured, if the server does not receive service requests from a client within a specified time period, it terminates the connection with the client, thus preventing a user from occupying the connection for a long time without performing any operation. Follow these steps to configure connection idle time: To do…...
Required server

With an H3C S5600 series Ethernet switch acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the S5600 Ethernet switch will disconnect the user after the data transmission is completed.
Figure 1-2 Process of displaying a login banner

Shell banner: After the connection between an FTP client and an FTP server is established and the correct user name and password are provided, the FTP server outputs the configured shell banner to the FTP client terminal.

Figure 1-3 Process of displaying a shell banner

Follow these steps to configure the banner display for an FTP server:
To do…...

Displaying FTP server information

To do… Use the command… Remarks
Display information about FTP server configurations on a switch: display ftp-server (Available in any view.)
Display the source IP address set for an FTP server: display ftp-server source-ip (Available in any view.)
Display the logged-in FTP client on an FTP server: display ftp-user (Available in any view.)

FTP Configuration: A Switch Operating as an FTP Client...
To do… Use the command… Remarks
Query a specified file on the FTP server: dir [ remotefile ] [ localfile ], or ls [ remotefile ] [ localfile ] (Optional. If no file name is specified, all the files in the current directory are displayed. The difference between these two commands is that the dir command can display the file...)

To do… Use the command… Remarks
Specify an interface as the source interface the FTP client uses every time it connects to an FTP server: ftp source-interface interface-type interface-number (Use either command. Not specified by default.)
Specify an IP address as the source IP address the FTP client uses every time it...: ftp source-ip ip-address
Network diagram

Figure 1-4 Network diagram for FTP configurations: a switch operating as an FTP server

Configuration procedure

Configure Switch A (the FTP server)
# Log in to the switch and enable the FTP server function on the switch. Configure the user name and password used to access FTP services, and specify the service type as FTP. (You can log in to a switch through the Console port or by telnetting the switch.

Boot ROM menu.

H3C series switches are not shipped with FTP client application software. You need to purchase and install it yourself.

Configure Switch A (FTP server)
# After uploading the application, use the boot boot-loader command to specify the uploaded file (switch.bin) as the startup file used when the switch starts the next time, and restart the switch.

Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”.

Network diagram

Figure 1-5 Network diagram for FTP banner display configuration

Configuration procedure

Configure the switch (FTP server)
# Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”.
Network diagram

Figure 1-6 Network diagram for FTP configurations: a switch operating as an FTP client

Configuration procedure

Configure the PC (FTP server)
Perform FTP server-related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello.

[ftp] get switch.bin
# Execute the quit command to terminate the FTP connection and return to user view.
[ftp] quit
<Sysname>
# After downloading the file, use the boot boot-loader command to specify the downloaded file (switch.bin) as the application for the next startup, and then restart the switch. Thus the switch application is upgraded.

10 minutes by default.

Supported SFTP client software

An H3C S5600 series Ethernet switch operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WinSCP. SFTP client software supports the following operations: logging in to a device; uploading a file;...
To do… Use the command… Remarks
Enter system view: system-view
Enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } |... (Required.)

If you configure the server to authenticate a client through its public key, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so that the correct local private key is read;...
[Sysname] public-key local create dsa
# Create a VLAN interface on the switch and assign it an IP address, which is used as the destination address for the client to connect to the SFTP server.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[Sysname-Vlan-interface1] quit
# Specify the SSH authentication mode as AAA.
sftp-client>
# Display the current directory of the server. Delete the file z and verify the result.
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx...

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
Received status: End of file
Received status: Success
# Download the file pubkey2 from the server and rename it as public.
An H3C S5600 series Ethernet switch can act as a TFTP client only. When an S5600 series Ethernet switch serving as a TFTP client downloads files from the TFTP server, the seven-segment digital LED on the front panel of the switch rotates clockwise, and it stops rotating...
TFTP Configuration

Complete the following tasks to configure TFTP:

Task Remarks
TFTP Configuration: A Switch Operating as a TFTP Client
  Basic configurations on a TFTP client (—)
  Specifying the source interface or source IP address for a TFTP client (Optional)
TFTP server configuration (—. For details, see the corresponding...)

To do… Use the command… Remarks
Enter system view: system-view
Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server: tftp source-interface interface-type interface-number (Use either command. Not specified by default.)
Specify an IP address as the source IP address a TFTP...: tftp source-ip ip-address
Network diagram

Figure 2-1 Network diagram for TFTP configurations

Configuration procedure

Configure the TFTP server (PC)
Start the TFTP server and configure the working directory on the PC.

Configure the TFTP client (switch)
# Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the Login module for detailed information.)
<Sysname>...
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
Table of Contents
1 Information Center 1-1
  Information Center Overview 1-1
    Introduction to Information Center 1-1
    System Information Format 1-4
  Information Center Configuration 1-7
    Information Center Configuration Task List 1-7
    Configuring Synchronous Information Output 1-8
    Configuring to Display the Time Stamp with the UTC Time Zone 1-8
    Setting to Output System Information to the Console 1-9
    Setting to Output System Information to a Monitor Terminal 1-11
    Setting to Output System Information to a Log Host 1-12
...

Information Center

When configuring the information center, go to these sections for the information you are interested in:
Information Center Overview
Information Center Configuration
Displaying and Maintaining Information Center
Information Center Configuration Examples

The information center now supports adding the UTC time zone to the time stamp of the output information.
Table 1-1 Severity description
Severity / Severity value / Description
emergencies: The system is unavailable.
alerts: Information that demands prompt reaction
critical: Critical information
errors: Error information
warnings: Warnings
notifications: Normal information that needs to be noticed
informational: Informational information to be recorded
debugging: Information generated during debugging

Information filtering by severity works this way: information with a severity value greater than the...
Information channel number / Default channel name / Default output direction
channel8: Not specified (Receives log, trap, and debugging information.)
channel9: Not specified (Receives log, trap, and debugging information.)

Configurations for the six output directions function independently and take effect only after the information center is enabled.

Module name / Description
Internet protocol module
LAGG: Link aggregation module
LINE: Terminal line module
MSTP: Multiple spanning tree protocol module
MTRACE: Multicast traceroute query module
Network address translation module
Neighbor discovery protocol module
NTDP: Network topology discovery protocol module
Network time protocol module
OSPF: Open shortest path first module
Public key infrastructure module...
The space, the forward slash /, and the colon are all required in the above format. <timestamp> may be preceded by %, #, or * followed by a space, indicating log, alarm, or debugging information respectively. Below is an example of the format of log information to be output to a monitor terminal:
%Dec 6 10:44:55:283 2006 Sysname NTP/5/NTP_LOG:- 1 - NTP service enable
(“-1-“...
%Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login

Sysname
Sysname is the system name of the local switch and defaults to “H3C”. You can use the sysname command to modify the system name. (Refer to the System Maintenance and Debugging part of this manual for details.) Note that there is a space between the sysname and module fields.

Module
The module field represents the name of the module that generates the system information. You can enter the info-center source ? command in system view to view the module list. Refer to Table 1-3 for module names and descriptions. Between “module” and “level” is a “/”.

Level (Severity)
System information can be divided into eight levels based on its severity, from 1 to 8.
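The following Python is an added example, not part of the manual: it parses lines in the system information format above (with or without the optional [GMT+hh:mm:ss] field) and models the severity rule of Table 1-1 and the info-center source ... log level rule used in the configuration examples later in this section. The 1 to 8 numbering follows the order of Table 1-1 (emergencies = 1, debugging = 8); the ARP/IP sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Severity names in the order Table 1-1 lists them, numbered 1 (emergencies)
# to 8 (debugging); a larger value means less severe information.
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]
SEVERITY_VALUE = {name: i + 1 for i, name in enumerate(SEVERITIES)}

# Leading character of a message: % log, # trap (alarm), * debugging.
KIND_BY_PREFIX = {"%": "log", "#": "trap", "*": "debug"}

# <prefix><timestamp> [GMT+hh:mm:ss] <sysname> <module>/<level>/<digest>:<content>
# The bracketed UTC time zone appears only when "info-center timestamp utc"
# is configured, so it is optional in the pattern.
MSG_RE = re.compile(
    r"^(?P<prefix>[%#*])"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} +\d{2}:\d{2}:\d{2}:\d{3} +\d{4})"
    r"(?: +\[(?P<tz>GMT[+-]\d{2}:\d{2}:\d{2})\])?"
    r" +(?P<sysname>\S+)"
    r" +(?P<module>[A-Za-z0-9_]+)/(?P<level>[1-8])/(?P<digest>[A-Za-z0-9_]+):"
    r"(?P<content>.*)$"
)


@dataclass
class InfoCenterMessage:
    kind: str           # "log", "trap" or "debug"
    timestamp: str
    tz: Optional[str]   # e.g. "GMT+08:00:00", None when not displayed
    sysname: str
    module: str
    level: int          # severity value 1..8
    digest: str
    content: str

    @property
    def severity(self) -> str:
        return SEVERITIES[self.level - 1]


def parse_message(line: str) -> Optional[InfoCenterMessage]:
    """Parse one information-center line; return None if it is not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return InfoCenterMessage(
        kind=KIND_BY_PREFIX[m["prefix"]],
        timestamp=m["timestamp"],
        tz=m["tz"],
        sysname=m["sysname"],
        module=m["module"],
        level=int(m["level"]),
        digest=m["digest"],
        content=m["content"].strip(),
    )


def passes_rule(msg: InfoCenterMessage, modules: Set[str], threshold: str) -> bool:
    """Model of an "info-center source <module> ... log level <threshold>" rule.

    The message is output when its module is selected ("default" selects all
    modules) and its severity value does not exceed the threshold's value.
    """
    if "default" not in modules and msg.module not in modules:
        return False
    return msg.level <= SEVERITY_VALUE[threshold]


def select_for_loghost(lines: List[str], modules: Set[str],
                       threshold: str) -> List[InfoCenterMessage]:
    """Return the log-type messages the rule would forward to a log host."""
    selected = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg.kind == "log" and passes_rule(msg, modules, threshold):
            selected.append(msg)
    return selected


# Constructed sample input: the two lines quoted in this section, plus three
# made-up ARP/IP lines in the same format (illustrative contents only).
SAMPLE_LINES = [
    "%Dec 6 10:44:55:283 2006 Sysname NTP/5/NTP_LOG:- 1 - NTP service enable",
    "%Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login",
    "%Dec 8 10:13:02:001 2006 Sysname ARP/4/ARP_LOG:- 1 - constructed: errors-level event",
    "%Dec 8 10:13:05:002 2006 Sysname IP/7/IP_LOG:- 1 - constructed: informational event",
    "*Dec 8 10:13:09:003 2006 Sysname ARP/8/ARP_DBG:- 1 - constructed: debugging output",
]

if __name__ == "__main__":
    # Mirrors the configuration example: modules ARP and IP, log level errors.
    for msg in select_for_loghost(SAMPLE_LINES, {"ARP", "IP"}, "errors"):
        print(msg.severity, msg.module, msg.digest, msg.content)
```

Only the ARP/4 line survives the errors threshold; the IP/7 line is informational and the *-prefixed line is debugging output rather than a log message.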
Configuring Synchronous Information Output

Synchronous information output means that, if system information such as log, trap, or debugging information is output while the user is entering commands, the command line prompt (a prompt in command editing mode, or a [Y/N] string in interaction mode) and the user's input are echoed again after the output.
To do… Use the command… Remarks
Set to display the UTC time zone in the output information of the information center: info-center timestamp utc (Required. By default, no UTC time zone is displayed in the output information.)

Setting to Output System Information to the Console

Setting to output system information to the console
Follow these steps to set to output system information to the console:
To do…...
Setting to Output System Information to a Monitor Terminal

System information can also be output to a monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface.

Setting to output system information to a monitor terminal
Follow these steps to set to output system information to a monitor terminal:
To do…...
To do… Use the command… Remarks
Enable the debugging/log/trap information terminal display function: terminal monitor (Optional. Enabled by default.)
Enable the debugging information terminal display function: terminal debugging (Optional. Disabled by default.)
Enable the log information terminal display function: terminal logging (Optional. Enabled by default.)
Enable the trap information... (Optional.)
To do… Use the command… Remarks
Configure the source interface through which log information is sent to the log host: info-center loghost source interface-type interface-number (Optional. By default, no source interface is configured, and the system automatically selects an interface as the source interface.)
To do… Use the command… Remarks
Configure the output rules of system information: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug } { level severity | state... (Optional. Refer to Table 1-4 for the default output rules of system information.)
Information Center Configuration Examples

Log Output to a UNIX Log Host

Network requirements
The switch sends the following log information to the Unix log host whose IP address is 202.38.1.10: the log information of the two modules ARP and IP, with severity higher than “informational”.

Network diagram
Figure 1-1 Network diagram for log output to a Unix log host
Network...

When you edit the file “/etc/syslog.conf”, note that:
A comment must start on a new line, beginning with a “#” sign.
In each pair, a tab should be used as the separator instead of a space.
No space is allowed at the end of a file name.
The device name (facility) and received log information severity level specified in the file “/etc/syslog.conf”...
<Switch> system-view
[Switch] info-center enable
# Configure the host whose IP address is 202.38.1.10 as the log host. Permit all modules to output log information with severity level higher than error to the log host.
[Switch] info-center loghost 202.38.1.10 facility local7
[Switch] info-center source default channel loghost log level errors debug state off trap state off

Configure the log host:...
Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering.

Log Output to the Console

Network requirements
The switch sends the following information to the console: the log information of the two modules ARP and IP, with severity higher than “informational”.
Network diagram
Figure 1-4 Network diagram

Configuration procedure
# Name the local time zone z8 and configure it to be eight hours ahead of UTC time.
<Switch> clock timezone z8 add 08:00:00
# Set the time stamp format of the log information to be output to the log host to date.
<Switch>...
Table of Contents
1 Boot ROM and Host Software Loading 1-1
  Introduction to Loading Approaches 1-1
  Local Boot ROM and Software Loading 1-2
    BOOT Menu 1-2
    Loading by XModem through Console Port 1-3
    Loading by TFTP through Ethernet Port 1-8
    Loading by FTP through Ethernet Port 1-10
  Remote Boot ROM and Software Loading 1-11
    Remote Loading Using FTP 1-11
    Remote Loading Using TFTP 1-16
...
Boot ROM and Host Software Loading The configuration of real-time monitoring of the running status of the system is added. For the detailed configuration, refer to Configuring Real-time Monitoring of the Running Status of the System. The configuration of loading hot patch is added. For the detailed configuration, refer to Loading Hot Patch.
To enter the BOOT menu, press <Ctrl+B> within five seconds (full startup mode) or one second (fast startup mode) after the message "Press Ctrl-B to enter BOOT Menu..." is displayed. Otherwise, the system starts extracting the program, and you will have to restart the switch to enter the BOOT Menu.
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
Step 2: Press 3 in the above menu to download the Boot ROM using XModem. The system displays the following menu for selecting the download baud rate:
Please select your download baudrate:
1.* 9600
2.
Figure 1-1 Properties dialog box
Figure 1-2 Console port configuration dialog box
Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch, and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3.
Figure 1-3 Connect and disconnect buttons
The new baud rate takes effect only after you disconnect and reconnect the HyperTerminal program.
Step 6: Press <Enter> to start downloading the program. The system displays the following information:
Now please start transfer file with XMODEM protocol.
If you want to exit, Press <Ctrl+X>.
Figure 1-5 Sending file page
Step 9: After the sending process completes, the system displays the following information:
Loading ...CCCCCCCCCC done!
Step 10: Reset the HyperTerminal baud rate to 9600 bps (refer to Steps 4 and 5). Then press any key as prompted.
The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading. You can also use the xmodem get command to load host software through the Console port (of AUX type).
A TFTP server program is not provided with the H3C series Ethernet switches; you must supply your own. Step 3: Run the HyperTerminal program on the configuration PC. Start the switch and enter the BOOT Menu. At the prompt "Enter your choice(0-9):" in the BOOT Menu, press <6> or <Ctrl+U>, and then press <Enter>...
When loading the Boot ROM and host software using TFTP through the BOOT menu, it is recommended to use a PC directly connected to the device as the TFTP server to improve upgrade reliability. Note that TFTP provides neither authentication nor integrity protection for the transferred image, so the direct connection also keeps the unauthenticated transfer off the production network.
Loading by FTP through Ethernet Port
Introduction to FTP
FTP is an application-layer protocol in the TCP/IP protocol suite.
Enter your choice(0-3):
Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required:
Load File name    : switch.btm
Switch IP address : 10.1.1.2
Server IP address : 10.1.1.1
FTP User Name     : Switch
FTP User Password : abc
...
As shown in Figure 1-8, a PC is used as both the configuration device and the FTP server. You can telnet to the switch and then execute FTP commands to download the Boot ROM program switch.btm from the remote FTP server (IP address 10.1.1.1) to the switch.
Figure 1-8 Remote loading using FTP Client
Step 1: Download the program to the switch using FTP commands.
Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for next startup of the switch. After the above operations, the Boot ROM and host software loading is completed.
New local user added.
[Sysname-luser-test] password simple pass
[Sysname-luser-test] service-type ftp
The simple keyword stores the password in plain text in the configuration file, so anyone who can read the saved configuration can read the FTP password; the cipher keyword stores it in encrypted form and is the better choice for anything beyond a lab upgrade.
Step 4: Start the FTP client software on the PC. Refer to Figure 1-10 for the command line interface in the Windows operating system.
Figure 1-10 Command line interface
Step 5: Use the cd command on the interface to enter the directory in which the Boot ROM upgrade file is stored.
Figure 1-12 Log on to the FTP server
Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
Figure 1-13 Upload file switch.btm to the switch
Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch.
<Sysname>...
Loading host software
Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for the next startup of the switch.
... view
To do… / Use the command… / Remarks
Set the system name of the switch / sysname sysname / Optional. By default, the name is H3C.
Return from the current view to the lower-level view / quit / Optional. If the current view is user view, you will quit the current user interface.
Return from the current view to user view / return / Optional. The composite key <Ctrl+Z> has the same effect as the return command.
Displaying the System Status
To do… / Use the command… / Remarks
Display the current date and time of the system / display clock / Available in...
Displaying debugging information on the terminal is the most commonly used way to output debugging information. You can also output debugging information to other destinations. For details, refer to Information Center Operation. Debugging output is controlled by two switches: the protocol debugging switch, which enables debugging for a specific module, and the screen output switch, which allows the output to be displayed on the terminal. You can use the following commands to enable both. Follow these steps to enable debugging and terminal display for a specific module:
To do…...
To do… / Use the command… / Remarks
Display the current operation information about the modules in the system / display diagnostic-information / You can use this command in any view. You should execute this command twice and compare the two results; the differences help locate the problem.
Network Connectivity Test
When configuring network connectivity test, go to these sections for information you are interested in:
ping
tracert
Network Connectivity Test
ping
You can use the ping command to check network connectivity and the reachability of a host.
To do…...
Device Management
When configuring device management, go to these sections for information you are interested in:
Introduction to Device Management
Device Management Configuration
Displaying the Device Management Configuration
Remote Switch APP Upgrade Configuration Example
Introduction to Device Management
Device Management includes the following:
Reboot the Ethernet switch
Configure real-time monitoring of the running status of the system
Specify the APP to be used at the next reboot
...
Before rebooting, the system checks whether there is any unsaved configuration change. If there is, it prompts you whether to proceed. This prevents the configuration from being lost if the system is shut down without saving it. Use the following command to reboot the Ethernet switch:
To do…...
Enabling this function consumes some CPU resources. Therefore, if your network has strict CPU usage requirements, you can disable this function to release CPU resources.
Specifying the APP to be Used at Reboot
APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command described here to specify the one that will be used when the switch reboots.
Patches are accumulated in patch files incrementally. That is, each subsequent patch file contains all the patches from the previous patch file plus the patches for the newly found errors. In this way, all known system errors can be fixed at once by loading the latest patch file. On the device, a patch can be in one of the following four states: IDLE: The patch is initialized but not loaded.
XFP (10-Gigabit small Form-factor Pluggable): generally used for 10G Ethernet interfaces
XENPAK (10 Gigabit EtherNet Transceiver Package): generally used for 10G Ethernet interfaces
For the pluggable transceivers supported by S5600 series Ethernet switches, refer to the H3C S5600 Series Ethernet Switches Installation Manual.
H3C only
You can use the Vendor Name field in the output of the display transceiver interface command to identify an anti-spoofing pluggable transceiver customized by H3C. If the field reads H3C, the transceiver is considered an H3C-customized pluggable transceiver.
To do… / Use the command… / Remarks
Display the module type and operating status of each board / display device [ manuinfo [ unit unit-id ] | unit unit-id ]
Display CPU usage of a switch / display cpu [ unit unit-id ]
Display the switch operating ambient environment / display environment
Display the operating status of the...
Network diagram
Figure 4-2 Network diagram for FTP configuration
Configuration procedure
Configure the following FTP server-related parameters on the PC: an FTP user with the username switch and password hello, authorized with read-write rights on the directory Switch on the PC.
Execute the get command to download the switch.bin and boot.btm files from the FTP server to the Flash memory of the switch.
[ftp] get switch.bin
[ftp] get boot.btm
Execute the quit command to terminate the FTP connection and return to user view.
[ftp] quit
<Sysname>...
Table of Contents
1 VLAN-VPN Configuration
  VLAN-VPN Overview
    Introduction to VLAN-VPN
    Implementation of VLAN-VPN
    Inner-to-Outer Tag Priority Replicating and Mapping
  VLAN-VPN Configuration
    VLAN-VPN Configuration Task List
    Enabling the VLAN-VPN Feature for a Port
    Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature
  Displaying and Maintaining VLAN-VPN Configuration
  VLAN-VPN Configuration Example
    Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN
  ...
VLAN-VPN Configuration
When configuring VLAN-VPN, go to these sections for information you are interested in:
VLAN-VPN Overview
VLAN-VPN Configuration
Displaying and Maintaining VLAN-VPN Configuration
VLAN-VPN Configuration Example
VLAN-VPN Overview
Introduction to VLAN-VPN
Virtual private network (VPN) is a technology that emerged with the expansion of the Internet. It can be used to establish private networks over the public network.
Figure 1-2 Structure of packets with double-layer VLAN tags
Destination MAC address | Source MAC address | Outer VLAN Tag | Inner VLAN Tag | Data
Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: it provides simpler Layer 2 VPN tunnels, and it can be implemented through manual configuration.
VLAN-VPN Configuration
VLAN-VPN Configuration Task List
Complete the following tasks to configure VLAN-VPN:
Task / Remarks
Enabling the VLAN-VPN Feature for a Port / Required
Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature / Optional
As IRF fabric is mutually exclusive with VLAN-VPN, make sure that IRF fabric is disabled on the switch before performing any of the configurations listed in the above table.
As shown in Figure 1-4, Switch A and Switch B are both S5600 series switches. They connect the users to the servers through the public network. PC users and PC servers are in VLAN 100 created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network.
Network diagram
Figure 1-4 Network diagram for VLAN-VPN configuration
Configuration procedure
Configure Switch A.
# Enable the VLAN-VPN feature on GigabitEthernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
<SwitchA>...
[SwitchB] interface GigabitEthernet 1/0/22
[SwitchB-GigabitEthernet1/0/22] port link-type trunk
[SwitchB-GigabitEthernet1/0/22] port trunk permit vlan 1040
Do not configure VLAN 1040 as the default VLAN of GigabitEthernet 1/0/12 of Switch A or GigabitEthernet 1/0/22 of Switch B. Otherwise, the outer VLAN tag of a packet is removed when the packet leaves the port, and the tunnelled traffic arrives at the peer with only its inner tag.
Selective QinQ Configuration
Selective QinQ is new to the H3C S5600 Series Ethernet Switches.
When configuring selective QinQ, go to these sections for information you are interested in:
Selective QinQ Overview
Selective QinQ Configuration
Selective QinQ Configuration Example
Selective QinQ Overview
Selective QinQ is an enhanced application of the VLAN-VPN feature.
Figure 2-1 Diagram for a selective QinQ implementation (Switch A connects users in VLAN 8 through 300, grouped as common customers in VLAN 8 to 100, VIPs in VLAN 101 to 200 and IP phones in VLAN 201 to 300, to the public network, where each group is carried in outer VLAN 1001, 1002 or 1003 respectively toward the Server, VIP Server and VoIP Device.)
In this implementation, Switch A is an access device of the service provider. The users connecting to it include common customers (in VLAN 8 to VLAN 100), VIPs (in VLAN 101 to VLAN 200), and IP telephone users (in VLAN 201 to VLAN 300).
VLAN 4, which wastes the network resources and incurs potential security risks. The S5600 series Ethernet switches provide the inter-VLAN MAC address replicating feature, which can replicate the entries in the MAC address table of the default VLAN to that of the VLAN corresponding to the outer tag.
Enabling the Selective QinQ Feature for a Port The following configurations are required for the selective QinQ feature: Enabling the VLAN-VPN feature on the current port Configuring the current port to permit packets of specific VLANs (the VLANs whose tags are to be used as the outer VLAN tags are required) Follow these steps to enable the selective QinQ feature: To do...
On a port, the inter-VLAN MAC address replicating feature can be configured only once for a destination VLAN. If the configuration needs to be modified, you need to remove the existing configuration first. With the inter-VLAN MAC address replicating feature disabled, all the MAC address entries that the destination VLAN learns from the other VLANs through this function are removed.
Network diagram
Figure 2-3 Network diagram for selective QinQ configuration (PC users in VLAN 100 through 108 and IP phone users in VLAN 200 through 230 connect to GigabitEthernet 1/0/3 of Switch A; Switch A GigabitEthernet 1/0/5 carries outer VLANs 1000 and 1200 across the public network to GigabitEthernet 1/0/11 of Switch B, which delivers PC traffic on GigabitEthernet 1/0/12 and IP phone traffic on GigabitEthernet 1/0/13.)
Configuration procedure
Configure Switch A.
# Create VLAN 1000, VLAN 1200 and VLAN 5 (the default VLAN of GigabitEthernet 1/0/3) on Switch A.
[SwitchA-GigabitEthernet1/0/3] port hybrid vlan 5 1000 1200 untagged
# Enable the VLAN-VPN feature on GigabitEthernet 1/0/3.
[SwitchA-GigabitEthernet1/0/3] vlan-vpn enable
# Enable the selective QinQ feature on GigabitEthernet 1/0/3 to tag packets of VLAN 100 through VLAN 108 with the tag of VLAN 1000 as the outer VLAN tag, and to tag packets of VLAN 200 through VLAN 230 with the tag of VLAN 1200 as the outer VLAN tag.
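The double-tagged frame layout of Figure 1-2 and the selective QinQ policy configured above (inner VLANs 100 through 108 onto outer VLAN 1000, 200 through 230 onto outer VLAN 1200, the port default VLAN 5 otherwise) worked through in Python, as an added example that is not H3C code. It builds a tagged frame, pushes the outer tag the way a VLAN-VPN port does on ingress, replicates or maps the inner priority into the outer tag, and strips the outer tag again the way the hybrid ports on Switch B do for their untagged VLANs. The use of TPID 0x8100 for the outer tag, the helper names and the sample frames are assumptions of this example, not something the manual specifies.

```python
"""Added example (not H3C code): double-tagged frame handling for VLAN-VPN / selective QinQ."""
import struct

# Assumption: both tags use the 802.1Q TPID 0x8100; 802.1ad provider tags would use 0x88A8.
TPID_8021Q = 0x8100

# Selective QinQ policy from the configuration example: inner VLAN range -> outer VLAN.
SELECTIVE_QINQ_MAP = [
    (range(100, 109), 1000),  # PC users, VLAN 100 through 108, get outer VLAN 1000
    (range(200, 231), 1200),  # IP phone users, VLAN 200 through 230, get outer VLAN 1200
]


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame; tags is a list of (pcp, dei, vid), outermost first."""
    frame = mac(dst) + mac(src)
    for pcp, dei, vid in tags:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk the VLAN tag stack that follows the MAC addresses (the Figure 1-2 layout)."""
    off, tags = 12, []
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def push_tag(frame, pcp, vid):
    """Insert a new outermost tag directly after the source MAC address."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag (what a hybrid port does for its 'untagged' VLANs)."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def outer_vlan_for(inner_vid, policy=SELECTIVE_QINQ_MAP):
    """Selective QinQ lookup: the outer VID for an inner VID, or None if no range matches."""
    for vid_range, outer_vid in policy:
        if inner_vid in vid_range:
            return outer_vid
    return None


def vlan_vpn_ingress(frame, default_vid, policy=SELECTIVE_QINQ_MAP, priority_map=None):
    """Model ingress on a VLAN-VPN port with selective QinQ enabled.

    Untagged frames get the port default VLAN as their only tag. Tagged frames get an
    outer tag whose VID comes from the selective QinQ policy, falling back to the port
    default VLAN (plain VLAN-VPN behaviour) when the inner VID matches no range. The
    outer priority replicates the inner priority unless priority_map remaps it.
    """
    tags = parse_frame(frame)["tags"]
    if not tags:
        return push_tag(frame, 0, default_vid)
    inner = tags[0]
    outer_vid = outer_vlan_for(inner["vid"], policy)
    if outer_vid is None:
        outer_vid = default_vid
    pcp = inner["pcp"]
    if priority_map is not None:
        pcp = priority_map.get(pcp, pcp)
    return push_tag(frame, pcp, outer_vid)


def hybrid_egress(frame, untagged_vids):
    """Model egress on a hybrid port: strip the outer tag for VLANs configured 'untagged'."""
    tags = parse_frame(frame)["tags"]
    if tags and tags[0]["vid"] in untagged_vids:
        return pop_tag(frame)
    return frame


if __name__ == "__main__":
    # Constructed sample: a PC user frame in VLAN 105 arriving at GigabitEthernet 1/0/3 of Switch A.
    pc_frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           [(5, 0, 105)], 0x0800, b"\x45" + b"\x00" * 19)
    tunneled = vlan_vpn_ingress(pc_frame, default_vid=5)
    print("VIDs after ingress:", [t["vid"] for t in parse_frame(tunneled)["tags"]])  # [1000, 105]
    delivered = hybrid_egress(tunneled, untagged_vids={1000, 1200})
    print("VIDs after Switch B strips the outer tag:",
          [t["vid"] for t in parse_frame(delivered)["tags"]])  # [105]
```

The lookup falls back to the port default VLAN for inner VIDs outside every configured range, which is exactly the case the inter-VLAN MAC address replicating feature exists to handle: frames from unmatched customer VLANs share the default VLAN's tunnel, and its MAC address table, with each other.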
[SwitchB] interface GigabitEthernet 1/0/12
[SwitchB-GigabitEthernet1/0/12] port link-type hybrid
[SwitchB-GigabitEthernet1/0/12] port hybrid pvid vlan 12
[SwitchB-GigabitEthernet1/0/12] port hybrid vlan 12 1000 untagged
[SwitchB-GigabitEthernet1/0/12] quit
# Configure GigabitEthernet 1/0/13 as a hybrid port and configure VLAN 13 as its default VLAN. Configure GigabitEthernet 1/0/13 to remove VLAN tags when forwarding packets of VLAN 13 and VLAN 1200.
BPDU Tunnel Configuration
Two features, BPDU Tunnel support for packets of multiple protocols and adjustment of tunnel packet MAC addresses, are newly added. For details, refer to BPDU Tunnel Configuration.
When configuring BPDU tunnel, go to these sections for information you are interested in:
BPDU Tunnel Overview
BPDU Tunnel Configuration
Displaying and Maintaining BPDU Tunnel Configuration
...
Transmitting BPDU packets transparently
As shown in Figure 3-1, the network on the top is the service provider network, and the one on the bottom is a customer network. The service provider network contains edge devices connecting the customer network to the service provider network. The customer network contains Network A and Network B.