H3C S5500-SI Series Operation Manual

H3C S5500-SI Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 20090930-C-1.01
Product Version: Release 2202


Summary of Contents for H3C S5500-SI Series

  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
  • Page 3: About This Manual

    About This Manual Organization H3C S5500-SI Series Ethernet Switches Operation Manual is organized as follows: Volume Features 00-Product Product Overview Acronyms Overview Ethernet Interface Link Aggregation Port Isolation MSTP 01-Access LLDP VLAN GVRP QinQ Volume BPDU Tunneling Port Mirroring IP Addressing...
  • Page 4 Conventions The manual uses the following conventions: Command conventions Convention Description Boldface The keywords of a command line are in Boldface. italic Command arguments are in italic. Items (keywords or arguments) in square brackets [ ] are optional. Alternative items are grouped in braces and separated by vertical bars. { x | y | ...
  • Page 5 Availability Volume and System Volume commands. Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation: [Products &...
  • Page 6: Table Of Contents

    Table of Contents 1 Obtaining the Documentation ··················································································································1-1 CD-ROMs Shipped with the Devices ······································································································1-1 H3C Website ···········································································································································1-1 Software Release Notes ·························································································································1-1 2 Product Features ·······································································································································2-1 Introduction to Product ····························································································································2-1 Feature Lists ···········································································································································2-1 3 Features······················································································································································3-1 Access Volume ·······································································································································3-1 IP Services Volume·································································································································3-3 IP Routing Volume ··································································································································3-4...
  • Page 7: Obtaining The Documentation

    Obtaining the Documentation H3C Technologies Co., Ltd. provides various ways for you to obtain documentation, through which you can obtain the product documentation, including documentation for newly added features. The documentation is available in one of the following ways:...
  • Page 8: Product Features

    They are designed as distribution and access devices for intranets and metropolitan area networks (MANs). They can also be used for connecting server groups in data centers. Feature Lists The S5500-SI series supports abundant features, and the related documents are divided into the volumes listed in Table 2-1.
  • Page 9 Volume Features Basic System Device File System Login Configuration Management Management MAC Address HTTP SNMP RMON Table Management 08-System System Information Volume Maintaining and Hotfix Center Debugging Cluster Stack Management Management Automatic Configuration...
  • Page 10: Features

    Features The following sections provide an overview of the main features of each module supported by the S5500-SI series. Access Volume Table 3-1 Features in Access volume Features Description This document describes: Combo Port Configuration Basic Ethernet Interface Configuration Configuring Flow Control on an Ethernet Interface...
  • Page 11 Features Description LLDP enables a device to maintain and manage its own and its immediate neighbor’s device information, based on which the network management system detects and determines the conditions of the communications links. This document describes: Introduction to LLDP LLDP Performing Basic LLDP Configuration Configuring the Encapsulation Format for LLDPDUs...
  • Page 12: Ip Services Volume

    IP Services Volume Table 3-2 Features in the IP Services volume Features Description An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: IP Address Introduction to IP addresses IP address configuration Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address.
  • Page 13: Ip Routing Volume

    Features Description A network node that supports both IPv4 and IPv6 is called a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can have both IPv4 and IPv6 packets transmitted. This document Dual Stack describes: Dual stack overview...
  • Page 14: Multicast Volume

    Multicast Volume Table 3-4 Features in Multicast volume Features Description This document describes the main concepts in multicast: Introduction to Multicast Multicast Overview Multicast Models Multicast Architecture Multicast Packets Forwarding Mechanism Running at the data link layer, IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control.
  • Page 15: Security Volume

    Security Volume Table 3-6 Features in the Security volume Features Description Authentication, Authorization and Accounting (AAA) provide a uniform framework used for configuring these three security functions to implement the network security management. This document describes: Introduction to AAA, RADIUS and HWTACACS AAA configuration RADIUS configuration HWTACACS configuration...
  • Page 16: High Availability Volume

    Features Description SSH ensures secure login to a remote device in a non-secure network environment. By encryption and strong authentication, it protects the device against attacks. This document describes: Configuring Asymmetric Keys SSH2.0 Configuring the Device as an SSH Server Configuring the Device as an SSH Client Configuring an SFTP Server Configuring an SFTP Client...
  • Page 17 Features Description RRPP is a link layer protocol designed for Ethernet rings. RRPP can prevent broadcast storms caused by data loops when an Ethernet ring is healthy, and rapidly restore the communication paths between the nodes after a link is disconnected on the ring. This document describes: RRPP overview Creating an RRPP Domain Configuring Control VLANs...
  • Page 18: System Volume

    System Volume Table 3-8 Features in the System volume Features Description Upon logging into a device, you can configure user interface properties and manage the system conveniently. This document describes: How to log in to your Ethernet switch Introduction to the user interface and common configurations Logging In Through the Console Port Login Logging In Through Telnet...
  • Page 19 Features Description Simple network management protocol (SNMP) offers a framework to monitor network devices through TCP/IP protocol suite. This document describes: SNMP overview SNMP Basic SNMP function configuration SNMP log configuration Trap configuration MIB style configuration RMON provides an efficient means of monitoring subnets and allows SNMP to monitor remote network devices in a more proactive and effective way.
  • Page 20 Features Description Hotfix is a fast, cost-effective method to fix software defects of the device without interrupting the running services. This document describes: Hotfix Overview Hotfix One-Step Patch Installation Step-by-Step Patch Installation Step-by-Step Patch Uninstallation One-Step Patch Uninstallation NQA analyzes network performance, services and service quality by sending test packets to provide you with network performance and service quality parameters.
  • Page 21 Appendix A Acronyms # A B C D E F G H I K L M N O P Q R S T U V W X Z Acronyms Full spelling Return 10GE Ten-GigabitEthernet Return Authentication, Authorization and Accounting Activity Based Costing Area Border Router Alternating Current ACKnowledgement...
  • Page 22 Acronyms Full spelling Border Gateway Protocol BIMS Branch Intelligent Management System BOOTP Bootstrap Protocol BPDU Bridge Protocol Data Unit Basic Rate Interface Bootstrap Router BitTorrent Burst Tolerance Return Call Appearance Certificate Authority Committed Access Rate Committed Burst Size Class Based Queuing Constant Bit Rate Core-Based Tree International Telephone and Telegraph Consultative...
  • Page 23 Acronyms Full spelling Connectivity Verification Return Deeper Application Recognition Data Circuit-terminal Equipment Database Description Digital Data Network DHCP Dynamic Host Configuration Protocol Designated IS DLCI Data Link Connection Identifier DLDP Device Link Detection Protocol Domain Name System Downstream on Demand Denial of Service Designated Router DSCP...
  • Page 24 Acronyms Full spelling Forward Defect Indication Forwarding Equivalence Class Fast Failure Detection Forwarding Group Forwarding information base FIFO First In First Out FQDN Full Qualified Domain Name Frame Relay Fast ReRoute FRTT Fairness Round Trip Time Functional Test File Transfer Protocol Return GARP Generic Attribute Registration Protocol...
  • Page 25 Acronyms Full spelling International Business Machines ICMP Internet Control Message Protocol ICMPv6 Internet Control Message Protocol for IPv6 IDentification/IDentity IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force IGMP Internet Group Management Protocol IGMP-Snooping Internet Group Management Protocol Snooping Interior Gateway Protocol Incoming Label Map Internet Locator Service...
  • Page 26 Acronyms Full spelling LACPDU Link Aggregation Control Protocol Data Unit Local Area Network Link Control Protocol LDAP Lightweight Directory Access Protocol Label Distribution Protocol Label Edge Router LFIB Label Forwarding Information Base Label Information Base Link Layer Control LLDP Link Layer Discovery Protocol Loss of continuity Call Logging Line Rate...
  • Page 27 Acronyms Full spelling MLD-Snooping Multicast Listener Discovery Snooping Meet-Me Conference MODEM MOdulator-DEModulator Multilink PPP MP-BGP Multiprotocol extensions for BGP-4 Middle-level PE MP-group Multilink Point to Point Protocol group MPLS Multiprotocol Label Switching MPLSFW Multi-protocol Label Switch Forward Multicast Port Management Mobile Switching Center MSDP Multicast Source Discovery Protocol...
  • Page 28 Acronyms Full spelling NPDU Network Protocol Data Unit Network Provider Edge Network Quality Analyzer NSAP Network Service Access Point NetStream Collector N-SEL NSAP Selector NSSA Not-So-Stubby Area NTDP Neighbor Topology Discovery Protocol Network Time Protocol Return Operation Administration and Maintenance OAMPDU OAM Protocol Data Units OC-3...
  • Page 29 Acronyms Full spelling Point Of Presence Packet Over SDH Point-to-Point Protocol PPTP Point to Point Tunneling Protocol PPVPN Provider-provisioned Virtual Private Network Priority Queuing Primary Reference Clock Primary Rate Interface Protection Switching Power Sourcing Equipment PSNP Partial SNP Permanent Virtual Channel Pseudo wires Return QACL...
  • Page 30 Acronyms Full spelling Rendezvous Point Tree RRPP Rapid Ring Protection Protocol Reservation State Block RSOH Regenerator Section Overhead RSTP Rapid Spanning Tree Protocol RSVP Resource ReserVation Protocol RTCP Real-time Transport Control Protocol Route Table Entry Real-time Transport Protocol Real-time Transport Protocol Return Source Active Subnetwork Bandwidth Management...
  • Page 31 Acronyms Full spelling Shortest Path Tree Secure Shell Synchronization Status Marker Source-Specific Multicast Shared Tree STM-1 SDH Transport Module -1 STM-16 SDH Transport Module -16 STM-16c SDH Transport Module -16c STM-4c SDH Transport Module -4c Spanning Tree Protocol Signalling Virtual Connection Switch-MDT Switch-Multicast Distribution Tree Return...
  • Page 32 Acronyms Full spelling Virtual Channel Identifier Virtual Ethernet Virtual File System VLAN Virtual Local Area Network Virtual Leased Lines Video On Demand VoIP Voice over IP Virtual Operate System VPDN Virtual Private Dial-up Network VPDN Virtual Private Data Network Virtual Path Identifier VPLS Virtual Private Local Switch Virtual Private Network...
  • Page 33 Access Volume Organization Manual Version 20090930-C-1.01 Product Version Release 2202 Organization The Access Volume is organized as follows: Features Description This document describes: Combo Port Configuration Basic Ethernet Interface Configuration Configuring Flow Control on an Ethernet Interface Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface Configuring Loopback Testing on an Ethernet Interface Ethernet Interface...
  • Page 34 Features Description MSTP is used to eliminate loops in a LAN. It is compatible with STP and RSTP. This document describes: MSTP Introduction to MSTP Configuring MSTP LLDP enables a device to maintain and manage its own and its immediate neighbor’s device information, based on which the network management system detects and determines the conditions of the communications links.
  • Page 35 Table of Contents 1 Ethernet Interface Configuration ·············································································································1-1 Ethernet Interface Configuration ·············································································································1-1 Combo Port Configuration ···············································································································1-1 Basic Ethernet Interface Configuration····························································································1-1 Configuring an Auto-negotiation Transmission Rate·······································································1-2 Configuring Flow Control on an Ethernet Interface ·········································································1-3 Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface ········1-4 Configuring Loopback Testing on an Ethernet Interface·································································1-4 Configuring a Port Group·················································································································1-5 Configuring Storm Suppression ······································································································1-5...
  • Page 36: Ethernet Interface Configuration

    Ethernet Interface Configuration Ethernet Interface Configuration Combo Port Configuration Introduction to Combo port A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface. For a Combo port, the electrical port and the corresponding optical port are TX-SFP multiplexed.
  • Page 37: Configuring An Auto-Negotiation Transmission Rate

    Auto-negotiation mode (auto). Interfaces operating in this mode determine their duplex mode through auto-negotiation. Similarly, if you configure the transmission rate for an Ethernet interface by using the speed command with the auto keyword specified, the transmission rate is determined through auto-negotiation too. For a Gigabit Ethernet interface, you can specify the transmission rate by its auto-negotiation capacity.
  • Page 38: Configuring Flow Control On An Ethernet Interface

    Figure 1-1 An application diagram of auto-negotiation transmission rate As shown in Figure 1-1, the network card transmission rate of the server group (Server 1, Server 2, and Server 3) is 1000 Mbps, and the transmission rate of GigabitEthernet 1/0/4, which provides access to the external network for the server group, is 1000 Mbps too.
  • Page 39: Configuring The Suppression Time Of Physical-Link-State Change On An Ethernet Interface

    Follow these steps to enable flow control on an Ethernet interface: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type interface-number (—). Enable flow control: flow-control (Required; disabled by default). Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface An Ethernet interface operates in one of the two physical link states: up or down.
  • Page 40: Configuring A Port Group

    To do… / Use the command… / Remarks: Enable loopback testing: loopback { external | internal } (Optional; disabled by default). As for the internal loopback test and the external loopback test, if an interface is down, only the former is available on it; if the interface is shut down, both are unavailable. The speed, duplex, mdi, and shutdown commands are not applicable during loopback testing.
  • Page 41: Setting The Interval For Collecting Ethernet Interface Statistics

    The storm suppression ratio settings configured for an Ethernet interface may become invalid if you enable the storm constrain function for the interface. For information about the storm constrain function, see Configuring the Storm Constrain Function on an Ethernet Interface. Follow these steps to set storm suppression ratios for one or multiple Ethernet interfaces: To do…...
  • Page 42: Enabling Forwarding Of Jumbo Frames

    To do… / Use the command… / Remarks: Set the interval for collecting statistics on the Ethernet port: flow-interval interval (Optional. By default, the interval for collecting port statistics is 300 seconds.) Enabling Forwarding of Jumbo Frames Due to the tremendous amount of traffic occurring on an Ethernet interface, it is likely that some frames greater than the standard Ethernet frame size are received.
  • Page 43: Configuring The Mdi Mode For An Ethernet Interface

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Enable global loopback detection: loopback-detection enable (Required; disabled by default). Configure the interval for port loopback detection: loopback-detection interval-time time (Optional; 30 seconds by default). Enter Ethernet interface view: interface interface-type —...
  • Page 44: Testing The Cable On An Ethernet Interface

    signals; pin 3 and pin 6 are used for transmitting signals. To enable normal communication, you should connect the local transmit pins to the remote receive pins. Therefore, you should configure the MDI mode depending on the cable types. Normally, the auto mode is recommended. The other two modes are useful only when the device cannot determine the cable type.
  • Page 45 periodically and takes corresponding actions (that is, blocking or shutting down the interface and sending trap messages and logs) when the traffic detected exceeds the threshold. Alternatively, you can configure the storm suppression function to control a specific type of traffic. As the function and the storm constrain function are mutually exclusive, do not enable them at the same time on an Ethernet interface.
  • Page 46: Displaying And Maintaining An Ethernet Interface

    To do… / Use the command… / Remarks: Specify to send log when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher than the upper...: storm-constrain enable log (Optional. By default, the system sends log when the traffic detected exceeds the upper threshold or drops down below the lower...)
  • Page 47 To do… / Use the command… / Remarks: Display the information about a manual port group or all the port groups: display port-group manual [ all | name port-group-name ] (Available in any view). Display the information about the loopback function: display loopback-detection (Available in any view). display storm-constrain: Display the information about...
  • Page 48 Table of Contents 1 Link Aggregation Configuration ··············································································································1-1 Overview ·················································································································································1-1 Basic Concepts of Link Aggregation ·······························································································1-1 Link Aggregation Modes··················································································································1-4 Load Sharing Mode of an Aggregation Group ················································································1-5 Link Aggregation Configuration Task List ·······························································································1-5 Configuring an Aggregation Group ·········································································································1-6 Configuring a Static Aggregation Group··························································································1-6 Configuring a Dynamic Aggregation Group·····················································································1-7 Configuring an Aggregate Interface ········································································································1-8 Configuring the Description of an Aggregate Interface ···································································1-8...
  • Page 49: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Configuration Task List Configuring an Aggregation Group Configuring an Aggregate Interface Configuring a Load Sharing Mode for Load-Sharing Link Aggregation Groups Displaying and Maintaining Link Aggregation Link Aggregation Configuration Examples Overview...
  • Page 50 LACP multi-active detection (MAD) mechanism in an Intelligent Resilient Framework (IRF). Switches of the S5500-SI series that support extended LACP functions can function as both member devices and intermediate devices in LACP MAD implementation. For details about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see the operation manuals of IRF-supported devices.
  • Page 51 Currently, the S5500-SI series Ethernet switches support returning Marker Response PDUs only after dynamic link aggregation member ports receive Marker PDUs. Operational key When aggregating ports, link aggregation control automatically assigns each port an operational key based on port attributes, including the port rate and duplex mode.
  • Page 52: Link Aggregation Modes

    Link Aggregation Modes Depending on the link aggregation procedure, link aggregation operates in one of the following two modes: Static aggregation mode Dynamic aggregation mode Static aggregation mode LACP is disabled on the member ports in a static aggregation group. In a static aggregation group, the system sets a port to selected or unselected state by the following rules: Select a port as the reference port from the ports that are in up state and with the same class-two configurations as the corresponding aggregate interface.
  • Page 53: Load Sharing Mode Of An Aggregation Group

    Load Sharing Mode of an Aggregation Group The link aggregation groups created on the S5500-SI series Ethernet switches always operate in load sharing mode, even when they contain only one member port. Link Aggregation Configuration Task List...
  • Page 54: Configuring An Aggregation Group

    Task / Remarks: Shutting Down an Aggregate Interface (Optional). Configuring a Load Sharing Mode for Load-Sharing Link Aggregation Groups (Optional). Configuring an Aggregation Group The following ports cannot be assigned to an aggregation group: Stack ports, RRPP-enabled ports, MAC address authentication-enabled ports, port security-enabled ports, IP source guard-enabled ports, and 802.1x-enabled ports.
  • Page 55: Configuring A Dynamic Aggregation Group

    Configuring a Dynamic Aggregation Group Follow these steps to configure a Layer 2 dynamic aggregation group: To do... / Use the command... / Remarks: Enter system view: system-view (—). Set the system LACP priority: lacp system-priority priority (Optional. By default, the system LACP priority is 32768. Changing the system LACP priority...)
  • Page 56: Configuring An Aggregate Interface

    Removing a dynamic aggregate interface also removes the corresponding aggregation group. At the same time, the member ports of the aggregation group, if any, leave the aggregation group. To guarantee a successful dynamic aggregation, ensure that the peer ports of the ports aggregated at one end are also aggregated.
  • Page 57: Shutting Down An Aggregate Interface

    Follow these steps to enable linkUp/linkDown trap generation for an aggregate interface: To do... / Use the command... / Remarks: Enter system view: system-view (—). Enable the trap function globally: snmp-agent trap enable [ standard [ linkdown | linkup ] … (Optional. By default, linkUp/linkDown trap generation is enabled globally and on all interfaces.)
  • Page 58 traffic as needed. For example, for Layer 3 traffic, you can use IP addresses as hash keys for load sharing calculation. You can configure a global load sharing mode for all link aggregation groups or a load sharing mode specific to a link aggregation group as needed. Configuring the global load sharing mode for link aggregation groups Follow these steps to configure load sharing mode for link aggregation groups: To do...
  • Page 59: Displaying And Maintaining Link Aggregation

    Currently, when you configure load-balancing link aggregation groups in Layer 2 aggregate interface view, the switch supports configuring hash keys in the following modes: Use a source IP address, a source MAC address, or a destination MAC address alone as a hash key.
  • Page 60: Layer 2 Static Aggregation Configuration Example

    Reference port: Select a port as the reference port from the ports that are in up state and with the same class-two configurations as the corresponding aggregate interface. The selection order is as follows: full duplex/high speed, full duplex/low speed, half duplex/high speed, and half duplex/low speed, with full duplex/high speed being the most preferred.
  • Page 61: Layer 2 Dynamic Aggregation Configuration Example

    [DeviceA-GigabitEthernet1/0/2] quit [DeviceA] interface GigabitEthernet 1/0/3 [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1 Configure Device B Follow the same configuration procedure performed on Device A to configure Device B. Layer 2 Dynamic Aggregation Configuration Example Network requirements As shown in Figure 1-2, Device A and Device B are connected through their respective Ethernet ports GigabitEthernet1/0/1 to GigabitEthernet1/0/3.
  • Page 62: Layer 2 Aggregation Load Sharing Mode Configuration Example

    [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1 Configure Device B Follow the same configuration procedure performed on Device A to configure Device B. Layer 2 Aggregation Load Sharing Mode Configuration Example Network requirements As shown in Figure 1-3, Device A is connected to Device B through their Ethernet ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4.
  • Page 63 # Assign ports GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 2. [DeviceA] interface gigabitethernet 1/0/3 [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 2 [DeviceA-GigabitEthernet1/0/3] quit [DeviceA] interface gigabitethernet 1/0/4 [DeviceA-GigabitEthernet1/0/4] port link-aggregation group 2 Configure Device B The configuration on Device B is similar to the configuration on Device A. 1-15...
  • Page 64 Table of Contents 1 Port Isolation Configuration ·····················································································································1-1 Introduction to Port Isolation ···················································································································1-1 Configuring the Isolation Group ··············································································································1-1 Assigning a Port to the Isolation Group···························································································1-1 Displaying and Maintaining Isolation Groups··························································································1-2 Port Isolation Configuration Example······································································································1-2...
  • Page 65: Port Isolation Configuration

    VLAN, allowing for great flexibility and security. Currently: S5500-SI series Ethernet switches support only one isolation group that is created automatically by the system as isolation group 1. You can neither remove the isolation group nor create other isolation groups on such devices.
  • Page 66: Displaying And Maintaining Isolation Groups

    Displaying and Maintaining Isolation Groups To do… / Use the command… / Remarks: Display the isolation group information: display port-isolate group (Available in any view). Port Isolation Configuration Example Network requirements Users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device.
  • Page 67 Uplink port support: NO Group ID: 1 Group members: GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3...
  • Page 68 Table of Contents 1 MSTP Configuration ··································································································································1-1 Overview ·················································································································································1-1 Introduction to STP ·································································································································1-1 Why STP ·········································································································································1-1 Protocol Packets of STP··················································································································1-1 Basic Concepts in STP····················································································································1-2 How STP works ·······························································································································1-3 Introduction to RSTP·······························································································································1-9 Introduction to MSTP ····························································································································1-10 Why MSTP ····································································································································1-10 Basic Concepts in MSTP···············································································································1-11 How MSTP Works ·························································································································1-14 Implementation of MSTP on Devices ····························································································1-15 Protocols and Standards ···············································································································1-15...
  • Page 69: Mstp Configuration

    MSTP Configuration When configuring MSTP, go to these sections for information you are interested in: Overview Introduction to STP Introduction to RSTP Introduction to MSTP MSTP Configuration Task List Configuring MSTP Displaying and Maintaining MSTP MSTP Configuration Example Overview As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network and, in the meantime, allows for link redundancy.
  • Page 70: Basic Concepts In Stp

    Topology change notification (TCN) BPDUs, used for notifying the concerned devices of network topology changes, if any. Basic Concepts in STP Root bridge A tree network must have a root; hence the concept of root bridge was introduced in STP. There is one and only one root bridge in the entire network, and the root bridge can change along with changes of the network topology.
  • Page 71: How Stp Works

    Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. Path cost Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree.
  • Page 72 For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs: Root bridge ID (represented by device priority) Root path cost (related to the rate of the link connecting the port) Designated bridge ID (represented by device priority) Designated port ID (represented by port name) Calculation process of the STP algorithm Initial state...
  • Page 73 Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selection of the root port and designated ports on a non-root device Table 1-3 describes the process of selecting the root port and designated ports.
  • Page 74 Figure 1-2 Network diagram for the STP algorithm Device A With priority 0 Device B With priority 1 Device C With priority 2 Initial state of each device Table 1-4 shows the initial state of each device. Table 1-4 Initial state of each device Device Port name BPDU of port...
  • Page 75 BPDU of port Device Comparison process after comparison Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
  • Page 76 Comparison process: After comparison: Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP2 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected... BPDU of port after comparison: Blocked port CP2: ...
  • Page 77: Introduction To Rstp

    If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.
  • Page 78: Introduction To Mstp

    Introduction to MSTP Why MSTP Weaknesses of STP and RSTP STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment.
  • Page 79: Basic Concepts In Mstp

    Basic Concepts in MSTP Figure 1-4 Basic concepts in MSTP Region A0 VLAN 1 mapped to instance 1 VLAN 2 mapped to instance 2 Other VLANs mapped to CIST BPDU BPDU Region D0 BPDU Region B0 VLAN 1 mapped to instance 1, VLAN 1 mapped to instance 1 B as regional root bridge VLAN 2 mapped to instance 2...
  • Page 80 VLAN-to-instance mapping table As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 1-4, for example, the VLAN-to-instance mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
  • Page 81 During MSTP calculation, a boundary port’s role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. Roles of ports MSTP calculation involves these port roles: root port, designated port, master port, alternate port, backup port, and so on.
  • Page 82: How Mstp Works

    Port states In MSTP, a port can be in one of the following three states: Forwarding: the port learns MAC addresses and forwards user traffic; Learning: the port learns MAC addresses but does not forward user traffic; Discarding: the port neither learns MAC addresses nor forwards user traffic. A port can be in different states in different MSTIs.
  • Page 83: Implementation Of Mstp On Devices

    Within an MST region, the packet is forwarded along the corresponding MSTI. Between two MST regions, the packet is forwarded along the CST. Implementation of MSTP on Devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation.
  • Page 84 Task / Remarks: Enabling the MSTP Feature (Required); Configuring an MST Region (Required); Configuring the Work Mode of an MSTP Device (Optional); Configuring the Timeout Factor (Optional); Configuring the Maximum Port Rate (Optional); Configuring Ports as Edge Ports (Optional); Configuring the leaf nodes: Configuring Path Costs of Ports (Optional); Configuring Port Priority...
  • Page 85: Configuring Mstp

    Configuring MSTP Configuring an MST Region Make the following configurations on the root bridge and on the leaf nodes separately. Follow these steps to configure an MST region: To do... Use the command... Remarks Enter system view — system-view Enter MST region view —...
  • Page 86: Configuring The Root Bridge Or A Secondary Root Bridge

    Configuring the Root Bridge or a Secondary Root Bridge MSTP can determine the root bridge of a spanning tree through MSTP calculation. Alternatively, you can specify the current device as the root bridge or a secondary root bridge using the commands provided by the system.
  • Page 87: Configuring The Work Mode Of An Mstp Device

    After specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. Alternatively, you can also configure the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, refer to Configuring the Priority of a Device.
  • Page 88: Configuring The Maximum Hops Of An Mst Region

    After configuring a device as the root bridge or a secondary root bridge, you cannot change the priority of the device. During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address will be selected as the root bridge of the spanning tree. Configuring the Maximum Hops of an MST Region By setting the maximum hops of an MST region, you can restrict the region size.
  • Page 89: Configuring Timers Of Mstp

    Based on the network diameter you configured, MSTP automatically sets an optimal hello time, forward delay, and max age for the device. The configured network diameter is effective for the CIST only, and not for MSTIs. Each MST region is treated as one device. The network diameter must be configured on the root bridge.
  • Page 90: Configuring The Timeout Factor

    To do... / Use the command... / Remarks: Configure the max age timer: stp timer max-age time (Optional; 2,000 centiseconds (20 seconds) by default). The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, the longer the forward delay time should be. Note that if the forward delay setting is too small, temporary redundant paths may be introduced;...
  • Page 91: Configuring The Maximum Port Rate

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Configure the timeout factor of the device: stp timer-factor factor (Required; 3 by default). Configuring the Maximum Port Rate The maximum rate of a port refers to the maximum number of BPDUs the port can send within each hello time.
  • Page 92: Configuring Path Costs Of Ports

    To do... / Use the command... / Remarks: Enter interface view or port group view (Required; use either command): Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number; Enter port group view: port-group manual port-group-name. Configure the current ports as edge ports: stp edged-port enable (Required; all ports are non-edge ports by default).
  • Page 93 Table 1-7 Link speed vs. path cost Duplex state Link speed 802.1d-1998 802.1t Private standard — 65535 200,000,000 200,000 Single Port 2,000,000 2,000 Aggregate Link 2 Ports 1,000,000 1,800 10 Mbps Aggregate Link 3 Ports 666,666 1,600 Aggregate Link 4 Ports 500,000 1,400 Single Port...
  • Page 94: Configuring Port Priority

    If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will be invalid. When the path cost of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition.
  • Page 95: Configuring The Link Type Of Ports

    When the priority of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition. Generally, a lower priority value indicates a higher priority. If you configure the same priority value for all the ports on a device, the specific priority of a port depends on the index number of the port. Changing the priority of a port triggers a new spanning tree calculation process.
  • Page 96: Enabling The Output Of Port State Transition Information

    dot1s: 802.1s-compliant standard format, and legacy: Compatible format By default, the packet format recognition mode of a port is auto, namely the port automatically distinguishes the two MSTP packet formats, and determines the format of packets it will send based on the recognized format.
  • Page 97: Enabling The Mstp Feature

    To do... / Use the command... / Remarks: Enable output of port state transition information: stp port-log { all | instance instance-id } (Required; this function is enabled by default). Enabling the MSTP Feature You must enable MSTP for the device before any other MSTP-related configurations can take effect. Make this configuration on the root bridge and on the leaf nodes separately.
  • Page 98: Configuring Digest Snooping

    By then, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode. You can perform mCheck on a port through the following two approaches, which lead to the same result. Performing mCheck globally Follow these steps to perform global mCheck: To do...
  • Page 99 Before enabling digest snooping, ensure that associated devices of different vendors are interconnected and run MSTP. Configuring the Digest Snooping feature You can enable Digest Snooping only on a device that is connected to a third-party device that uses its private key to calculate the configuration digest.
  • Page 100: Configuring No Agreement Check

    Digest Snooping configuration example Network requirements Device A and Device B connect to Device C, a third-party device, and all these devices are in the same region. Enable Digest Snooping on Device A and Device B so that the three devices can communicate with one another.
  • Page 101 Figure 1-7 shows the rapid state transition mechanism on MSTP designated ports. Figure 1-7 Rapid state transition of an MSTP designated port Figure 1-8 shows rapid state transition of an RSTP designated port. Figure 1-8 Rapid state transition of an RSTP designated port Downstream device Upstream device Proposal for rapid transition...
  • Page 102: Configuring Protection Functions

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter interface view or port group view (Required; use either command): Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number; Enter port group view: port-group manual port-group-name. Enable No Agreement Check (Required)...
  • Page 103 Configuration prerequisites MSTP has been correctly configured on the device. Enabling BPDU guard For access layer devices, the access ports generally connect directly with user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid transition. When these ports receive configuration BPDUs, the system will automatically set these ports as non-edge ports and start a new spanning tree calculation process.
  • Page 104 Follow these steps to enable root guard: To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter interface view or port group view (Required; use either command): Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number; Enter port group view: port-group manual...
  • Page 105: Enabling Bpdu Dropping

    With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU. For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush only when the time period expires.
  • Page 106: Displaying And Maintaining Mstp

    Displaying and Maintaining MSTP To do... / Use the command... / Remarks: View information about abnormally blocked ports: display stp abnormal-port (Available in any view). View information about ports blocked by STP protection functions: display stp down-port (Available in any view). View the historical information of port role calculation for the specified MSTI (Available in any view): display stp [ instance...
  • Page 107 Figure 1-10 Network diagram for MSTP configuration Configuration procedure VLAN and VLAN member port configuration Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B respectively, create VLAN 10, VLAN 20, and VLAN 40 on Device C, and create VLAN 20, VLAN 30, and VLAN 40 on Device D; configure the ports on these devices as trunk ports and assign them to related VLANs.
  • Page 108 <DeviceB> system-view [DeviceB] stp region-configuration [DeviceB-mst-region] region-name example [DeviceB-mst-region] instance 1 vlan 10 [DeviceB-mst-region] instance 3 vlan 30 [DeviceB-mst-region] instance 4 vlan 40 [DeviceB-mst-region] revision-level 0 # Activate MST region configuration. [DeviceB-mst-region] active region-configuration [DeviceB-mst-region] quit # Specify the current device as the root bridge of MSTI 3. [DeviceB] stp instance 3 root primary # Enable MSTP globally.
  • Page 109 # Activate MST region configuration. [DeviceD-mst-region] active region-configuration [DeviceD-mst-region] quit # Enable MSTP globally. [DeviceD] stp enable Verifying the configurations You can use the display stp brief command to display brief spanning tree information on each device after the network is stable. # Display brief spanning tree information on Device A.
  • Page 110 GigabitEthernet1/0/2 ALTE DISCARDING NONE GigabitEthernet1/0/3 ROOT FORWARDING NONE Based on the above information, you can draw the MSTI corresponding to each VLAN, as shown in Figure 1-11. Figure 1-11 MSTIs corresponding to different VLANs 1-42...
  • Page 111 Table of Contents: 1 LLDP Configuration 1-1; Overview 1-1; Background 1-1; Basic Concepts 1-1; Operating Modes of LLDP 1-5; How LLDP Works 1-6; Protocols and Standards 1-6; LLDP Configuration Task List 1-6; Performing Basic LLDP Configuration 1-7; Enabling LLDP 1-7; Setting LLDP Operating Mode 1-7; Setting the LLDP Re-Initialization Delay 1-8; Enabling LLDP Polling 1-8; Configuring the TLVs to Be Advertised 1-8...
  • Page 112: Lldp Configuration

    LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: Overview LLDP Configuration Task List Performing Basic LLDP Configuration Configuring CDP Compatibility Configuring LLDP Trapping Displaying and Maintaining LLDP LLDP Configuration Examples Overview Background In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management.
  • Page 113 Figure 1-1 Ethernet II-encapsulated LLDP frame format The fields in the frame are described in Table 1-1: Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame Field Description The MAC address to which the LLDPDU is advertised. It is fixed to Destination MAC address 0x0180-C200-000E, a multicast MAC address.
  • Page 114 Field Description The MAC address of the sending port. If the port does not have a MAC Source MAC address address, the MAC address of the sending bridge is used. The SNAP type for the upper layer protocol. It is Type 0xAAAA-0300-0000-88CC for LLDP.
  • Page 115 VLAN Name A specific VLAN name on the port Protocol Identity Protocols supported on the port Currently, H3C devices support receiving but not sending protocol identity TLVs. IEEE 802.3 organizationally specific TLVs Table 1-5 IEEE 802.3 organizationally specific TLVs Type...
  • Page 116: Operating Modes Of Lldp

    management. In addition, LLDP-MED TLVs make deploying voice devices in Ethernet easier. LLDP-MED TLVs are shown in Table 1-6: Table 1-6 LLDP-MED TLVs Type Description Allows a MED endpoint to advertise the supported LLDP-MED LLDP-MED Capabilities TLVs and its device type. Allows a network device or MED endpoint to advertise LAN type Network Policy and VLAN ID of the specific port, and the Layer 2 and Layer 3...
  • Page 117: How Lldp Works

    How LLDP Works Transmitting LLDP frames An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change, an interval is introduced between two successive LLDP frames.
  • Page 118: Performing Basic Lldp Configuration

    LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group. Performing Basic LLDP Configuration Enabling LLDP To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports. Follow these steps to enable LLDP: To do…...
  • Page 119: Setting The Lldp Re-Initialization Delay

    Setting the LLDP Re-Initialization Delay When LLDP operating mode changes on a port, the port initializes the protocol state machines after a certain delay. By adjusting the LLDP re-initialization delay, you can avoid frequent initializations caused by frequent LLDP operating mode changes on a port. Follow these steps to set the LLDP re-initialization delay for ports: To do…...
  • Page 120: Configuring The Management Address And Its Encoding Format

    Configuring the Management Address and Its Encoding Format LLDP encodes management addresses in numeric or character string format in management address TLVs. By default, management addresses are encoded in numeric format. If a neighbor encoded its management address in character string format, you can configure the encoding format of the management address as string on the connecting port to guarantee normal communication with the neighbor.
  • Page 121: Setting An Encapsulation Format For Lldpdus

    To do… Use the command… Remarks Optional Set the LLDPDU transmit lldp timer tx-interval interval interval 30 seconds by default Optional Set LLDPDU transmit delay lldp timer tx-delay delay 2 seconds by default Set the number of LLDP frames Optional sent each time fast LLDPDU lldp fast-count count 3 by default...
  • Page 122: Configuring Cdp Compatibility

    LLDP-CDP (CDP is short for the Cisco Discovery Protocol) packets use only SNAP encapsulation. Configuring CDP Compatibility For detailed information about voice VLAN, refer to VLAN Configuration in the Access Volume. You need to enable CDP compatibility for your device to work with Cisco IP phones. As your LLDP-enabled device cannot recognize CDP packets, it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device.
  • Page 123: Configuring Lldp Trapping

    To do… / Use the command… / Remarks: Enter Ethernet interface view or port group view (Required; use either command): Enter Ethernet interface view: interface interface-type interface-number; Enter port group view: port-group manual port-group-name. Configure CDP-compatible LLDP to operate in TxRx mode: lldp compliance admin-status cdp txrx (Required; by default, CDP-compatible LLDP...
  • Page 124: Displaying And Maintaining Lldp

    Displaying and Maintaining LLDP To do… / Use the command… / Remarks: Display the global LLDP information or the information contained in the LLDP TLVs to be sent through a port: display lldp local-information [ global | interface interface-type interface-number ] (Available in any view). Display the information: display lldp neighbor-information [ brief | interface interface-type interface-number...
  • Page 125 [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] lldp enable [SwitchA-GigabitEthernet1/0/1] lldp admin-status rx [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] lldp enable [SwitchA-GigabitEthernet1/0/2] lldp admin-status rx [SwitchA-GigabitEthernet1/0/2] quit Configure Switch B. # Enable LLDP globally. <SwitchB> system-view [SwitchB] lldp enable # Enable LLDP on GigabitEthernet1/0/1 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Tx.
  • Page 126 Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV As the sample output shows, GigabitEthernet 1/0/1 of Switch A connects a MED device, and GigabitEthernet 1/0/2 of Switch A connects a non-MED device.
  • Page 127: Cdp-Compatible Lldp Configuration Example

    Number of sent optional TLV Number of received unknown TLV As the sample output shows, GigabitEthernet 1/0/2 of Switch A does not connect any neighboring devices. CDP-Compatible LLDP Configuration Example Network requirements As shown in Figure 1-5: GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch A are each connected to a Cisco IP phone.
  • Page 128 [SwitchA-GigabitEthernet1/0/1] lldp admin-status txrx [SwitchA-GigabitEthernet1/0/1] lldp compliance admin-status cdp txrx [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] lldp enable [SwitchA-GigabitEthernet1/0/2] lldp admin-status txrx [SwitchA-GigabitEthernet1/0/2] lldp compliance admin-status cdp txrx [SwitchA-GigabitEthernet1/0/2] quit Verify the configuration # Display the neighbor information on Switch A. [SwitchA] display lldp neighbor-information CDP neighbor-information of port 1[GigabitEthernet1/0/1]: CDP neighbor index : 1...
  • Page 129 Table of Contents: 1 VLAN Configuration 1-1; Introduction to VLAN 1-1; VLAN Overview 1-1; VLAN Fundamentals 1-2; Types of VLAN 1-3; Configuring Basic VLAN Settings 1-3; Configuring Basic Settings of a VLAN Interface 1-4; Port-Based VLAN Configuration 1-5; Introduction to Port-Based VLAN 1-5; Assigning an Access Port to a VLAN 1-6; Assigning a Trunk Port to a VLAN 1-7; Assigning a Hybrid Port to a VLAN 1-8...
  • Page 130: Vlan Configuration

    VLAN Configuration When configuring VLAN, go to these sections for information you are interested in: Introduction to VLAN Configuring Basic VLAN Settings Configuring Basic Settings of a VLAN Interface Port-Based VLAN Configuration MAC-Based VLAN Configuration Protocol-Based VLAN Configuration Displaying and Maintaining VLAN VLAN Configuration Example Introduction to VLAN VLAN Overview...
  • Page 131 Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required. Flexible virtual workgroup creation.
  • Page 132: Types Of Vlan

    The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
  • Page 133: Configuring Basic Settings Of A Vlan Interface

    As the default VLAN, VLAN 1 cannot be created or removed. You cannot manually create or remove VLANs reserved for special purposes. Dynamic VLANs cannot be removed with the undo vlan command. A VLAN with a QoS policy applied cannot be removed. For isolate-user-VLANs or secondary VLANs, if you have used the isolate-user-vlan command to create mappings between them, you cannot remove them until you have removed the mappings between them.
  • Page 134: Port-Based Vlan Configuration

    Before creating a VLAN interface for a VLAN, create the VLAN first. Port-Based VLAN Configuration Introduction to Port-Based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid.
  • Page 135: Assigning An Access Port To A Vlan

    Do not set the voice VLAN as the default VLAN of a port in automatic voice VLAN assignment mode. Otherwise, the system prompts error information. For information about voice VLAN, refer to Voice VLAN Configuration. The local and remote ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.
  • Page 136: Assigning A Trunk Port To A Vlan

    In interface or port group view Follow these steps to assign an access port (in interface view) or multiple access ports (in port group view) to a VLAN: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type (Required)...
  • Page 137: Assigning A Hybrid Port To A Vlan

    Follow these steps to assign a trunk port to one or multiple VLANs: To do… Use the command… Remarks Enter system view system-view — Enter Required interface interface-type Ethernet Use either command. interface-number interface view In Ethernet interface view, the subsequent configurations Enter Layer-2...
  • Page 138 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet interface interface-type Required interface view interface-number Use either command. In Ethernet interface view, Enter Layer-2 interface bridge-aggregation subsequent aggregate interface-number configurations apply to the interface view current port. Enter In port group view, the interface...
  • Page 139: Mac-Based Vlan Configuration

    MAC-Based VLAN Configuration Introduction to MAC-Based VLAN MAC-based VLANs group VLAN members by MAC address. They are mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices. MAC-based VLAN implementation With MAC-based VLAN configured, the device processes received packets as follows: When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings based on the source MAC address of the frame for a match.
  • Page 140: Protocol-Based Vlan Configuration

    MAC-based VLANs are available only on hybrid ports. Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user access devices, do not enable this function together with link aggregation. With MSTP enabled, if the MST instance for the corresponding VLAN is blocked, the packet with the unknown source MAC address will fail to be sent to the CPU.
  • Page 141: Configuring A Protocol-Based Vlan

    Protocol-based VLANs are only applicable on hybrid ports. In this approach, inbound packets are assigned to different VLANs based on their protocol types and encapsulation formats. The protocols that can be used for VLAN assignment include IP, IPX, and AppleTalk (AT). The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP. A protocol-based VLAN is defined by a protocol template comprised of encapsulation format and protocol type.
  • Page 142 (Remarks, continued) ...apply to the current port. In port group view, the subsequent configurations apply to all ports in the port group. Enter port group view: port-group manual port-group-name. In Layer-2 aggregate interface view, subsequent configurations apply to the Layer-2 aggregate interface and all its member ports.
  • Page 143: Ip Subnet-Based Vlan Configuration

    IP Subnet-Based VLAN Configuration Introduction In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet. This feature is used to assign packets from the specified network segment or IP address to a specific VLAN.
  • Page 144: Displaying And Maintaining Vlan

    After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
  • Page 145: Vlan Configuration Example

    VLAN Configuration Example Network requirements Device A connects to Device B through a trunk port GigabitEthernet 1/0/1; The default VLAN ID of GigabitEthernet 1/0/1 is 100; GigabitEthernet 1/0/1 allows packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
  • Page 146 <DeviceA> display interface gigabitethernet 1/0/1 GigabitEthernet1/0/1 current state: UP IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 001e-c16f-ae68 Description: GigabitEthernet1/0/1 Interface Loopback is not set Media type is twisted pair Port hardware type is 1000_BASE_T Unknown-speed mode, unknown-duplex mode Link speed type is autonegotiation, link duplex type is autonegotiation Flow-control is not enabled The Maximum Frame Length is 9216 Broadcast MAX-ratio: 100%...
  • Page 147: Isolate-User-Vlan Configuration

    Isolate-User-VLAN Configuration When configuring an isolate-user VLAN, go to these sections for information you are interested in: Overview Configuring Isolate-User-VLAN Displaying and Maintaining Isolate-User-VLAN Isolate-User-VLAN Configuration Example Overview An isolate-user-VLAN adopts a two-tier VLAN structure. In this approach, two types of VLANs, isolate-user-VLAN and secondary VLAN, are configured on the same device.
  • Page 148 Assign non-trunk ports to the isolate-user-VLAN and ensure that at least one port takes the isolate-user-VLAN as its default VLAN; Assign non-trunk ports to each secondary VLAN and ensure that at least one port in a secondary VLAN takes the secondary VLAN as its default VLAN; Associate the isolate-user-VLAN with the specified secondary VLANs.
  • Page 149: Displaying And Maintaining Isolate-User-Vlan

    Displaying and Maintaining Isolate-User-VLAN. To display the mapping between an isolate-user-VLAN and its secondary VLAN(s), use display isolate-user-vlan [ isolate-user-vlan-id ] (available in any view). Isolate-User-VLAN Configuration Example. Network requirements: Connect Device A to downstream devices Device B and Device C; Configure VLAN 5 on Device B as an isolate-user-VLAN, assign the uplink port GigabitEthernet 1/0/5 to VLAN 5, and associate VLAN 5 with secondary VLANs VLAN 2 and VLAN 3.
  • Page 150 [DeviceB] vlan 2 [DeviceB-vlan2] port gigabitethernet 1/0/2 [DeviceB-vlan2] quit # Associate the isolate-user-VLAN with the secondary VLANs. [DeviceB] isolate-user-vlan 5 secondary 2 to 3 Configure Device C # Configure the isolate-user-VLAN. <DeviceC> system-view [DeviceC] vlan 6 [DeviceC-vlan6] isolate-user-vlan enable [DeviceC-vlan6] port gigabitethernet 1/0/5 [DeviceC-vlan6] quit # Configure the secondary VLANs.
  • Page 151 gigabitethernet 1/0/2 gigabitethernet 1/0/5 VLAN ID: 3 VLAN Type: static Isolate-user-VLAN type : secondary Route Interface: not configured Description: VLAN 0003 Name: VLAN 0003 Tagged Ports: none Untagged Ports: gigabitethernet 1/0/1 gigabitethernet 1/0/5...
  • Page 152: Voice Vlan Configuration

    Voice VLAN Configuration When configuring a voice VLAN, go to these sections for information you are interested in: Overview Configuring a Voice VLAN Displaying and Maintaining Voice VLAN Voice VLAN Configuration Overview A voice VLAN is configured specially for voice traffic. After assigning the ports connecting to voice devices to a voice VLAN, you can configure quality of service (QoS) parameters for the voice traffic, thus improving transmission priority and ensuring voice quality.
  • Page 153: Voice Vlan Assignment Modes

    In general, an OUI address is the first 24 bits of a MAC address (in binary format), a globally unique identifier assigned to a vendor by the IEEE. The OUI addresses mentioned in this document, however, differ from OUI addresses in the usual sense: here, OUI addresses are used by the system to determine whether a received packet is a voice packet.
  • Page 154: Security Mode And Normal Mode Of Voice Vlans

    (Table columns: Voice VLAN assignment mode, Voice traffic type, Port link type.) Tagged voice traffic: Access: not supported. Trunk: supported if the default VLAN of the connecting port exists and is not the voice VLAN and the connecting port belongs to the default VLAN. Hybrid: supported if the default VLAN of the connecting port exists and is not the voice VLAN, the traffic of the default VLAN is permitted to pass...
  • Page 155: Configuring A Voice Vlan

    Table 3-3 How a voice VLAN-enabled port processes packets in security/normal mode (columns: Voice VLAN working mode, Packet type, Packet processing mode). Untagged packets: if the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN; ... Packets carrying the ...
  • Page 156: Setting A Port To Operate In Manual Voice Vlan Assignment Mode

    Enable voice VLAN on the port (required): voice vlan vlan-id enable. Not enabled by default. An S5500-SI switch supports up to eight voice VLANs globally. A protocol-based VLAN on a hybrid port can process only untagged inbound packets, whereas the voice VLAN in automatic mode on a hybrid port can process only tagged voice traffic.
  • Page 157: Displaying And Maintaining Voice Vlan

    An S5500-SI switch supports up to eight voice VLANs globally. You can configure different voice VLANs on different ports at the same time. However, one port can be configured with only one voice VLAN, and this voice VLAN must be a static VLAN that already exists on the device.
  • Page 158 Figure 3-1 Network diagram for automatic voice VLAN assignment mode configuration (diagram: Device A and Device B connected to the Internet via GE1/0/1; IP phone A, MAC 0011-1100-0001, and IP phone B, MAC 0011-2200-0001, both with mask ffff-ff00-0000; PC A, MAC 0022-1100-0002, and PC B; VLAN 2 and VLAN 3)...
  • Page 159: Manual Voice Vlan Assignment Mode Configuration Example

    [DeviceA-GigabitEthernet1/0/2] voice vlan 3 enable Verification # Display the OUI addresses, OUI address masks, and description strings supported currently. <DeviceA> display voice vlan oui Oui Address Mask Description 0001-e300-0000 ffff-ff00-0000 Siemens phone 0003-6b00-0000 ffff-ff00-0000 Cisco phone 0004-0d00-0000 ffff-ff00-0000 Avaya phone 0011-1100-0000 ffff-ff00-0000 IP phone A...
  • Page 160 Configuration procedure # Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security mode by default.) <DeviceA> system-view [DeviceA] voice vlan security enable # Add a recognizable OUI address 0011-2200-0000. [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Create VLAN 2 and configure it as the voice VLAN.
  • Page 161 ----------------------------------------------- GigabitEthernet1/0/1 MANUAL 3-10...
  • Page 162 Table of Contents: 1 GVRP Configuration (1-1); Introduction to GVRP (1-1); GARP (1-1); GVRP (1-3); Protocols and Standards (1-4); GVRP Configuration Task List (1-4); Configuring GVRP Functions (1-4); Configuring GARP Timers (1-5); Displaying and Maintaining GVRP (1-6); GVRP Configuration Examples (1-7); GVRP Configuration Example I (1-7); GVRP Configuration Example II (1-8); GVRP Configuration Example III (1-9)...
  • Page 163: Gvrp Configuration

    GVRP Configuration The GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network. When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Task List Configuring GVRP Functions...
  • Page 164 Hold timer –– When a GARP application entity receives the first registration request, it starts a Hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps you save bandwidth. Join timer ––...
  • Page 165: Gvrp

    GARP message format. Figure 1-1 GARP message format. Figure 1-1 illustrates the GARP message format and Table 1-1 describes the GARP message fields. Table 1-1 Description of the GARP message fields (columns: Field, Description, Value). Protocol ID: protocol identifier for GARP. Message: one or multiple messages, each containing ...
  • Page 166: Protocols And Standards

    about active VLAN members and through which port they can be reached. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries from other devices.
  • Page 167: Configuring Garp Timers

    Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number; or enter port-group view: port-group manual port-group-name (required; perform either of the commands)...
  • Page 168: Displaying And Maintaining Gvrp

    Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number; or enter port-group view: port-group manual ... (required; perform either of the commands; depending on the view you accessed, the subsequent configuration takes effect on a ...)
  • Page 169: Gvrp Configuration Examples

    Display the current GVRP state: display gvrp state interface interface-type interface-number vlan vlan-id (available in any view). Display statistics about GVRP: display gvrp statistics [ interface interface-list ] (available in any view). Display the global GVRP state: display gvrp status (available in any view). Display the information about...
  • Page 170: Gvrp Configuration Example Ii

    [DeviceB] gvrp # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on trunk port GigabitEthernet 1/0/1. [DeviceB-GigabitEthernet1/0/1] gvrp [DeviceB-GigabitEthernet1/0/1] quit # Create VLAN 3 (a static VLAN).
  • Page 171: Gvrp Configuration Example Iii

    [DeviceA-GigabitEthernet1/0/1] quit # Create VLAN 2 (a static VLAN). [DeviceA] vlan 2 Configure Device B # Enable GVRP globally. <DeviceB> system-view [DeviceB] gvrp # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/1.
  • Page 172 [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port link-type trunk [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/1 and set the GVRP registration type to forbidden on the port. [DeviceA-GigabitEthernet1/0/1] gvrp [DeviceA-GigabitEthernet1/0/1] gvrp registration forbidden [DeviceA-GigabitEthernet1/0/1] quit # Create VLAN 2 (a static VLAN). [DeviceA] vlan 2 Configure Device B # Enable GVRP globally.
  • Page 173 Table of Contents: 1 QinQ Configuration (1-1); Introduction to QinQ (1-1); Background (1-1); QinQ Mechanism and Benefits (1-1); QinQ Frame Structure (1-2); Implementations of QinQ (1-3); Modifying the TPID in a VLAN Tag (1-3); QinQ Configuration Task List (1-5); Configuring Basic QinQ (1-5); Enabling Basic QinQ (1-5); Configuring Selective QinQ (1-5); Configuring an Outer VLAN Tagging Policy (1-5)...
  • Page 174: Qinq Configuration

    QinQ Configuration When configuring QinQ, go to these sections for information you are interested in: Introduction to QinQ QinQ Configuration Task List Configuring Basic QinQ Configuring Selective QinQ Configuring the TPID Value in VLAN Tags QinQ Configuration Examples Throughout this document, customer network VLANs (CVLANs), also called inner VLANs, refer to the VLANs that a customer uses on the private network;...
  • Page 175: Qinq Frame Structure

    Figure 1-1 Schematic diagram of the QinQ feature (diagram: customer network A, VLAN 1~10, and customer network B, VLAN 1~20, at both edges; the service provider network carries them in VLAN 3 and VLAN 4 respectively). As shown in Figure 1-1, customer network A has CVLANs 1 through 10, while customer network B has...
  • Page 176: Implementations Of Qinq

    Figure 1-2 Single-tagged frame structure vs. double-tagged Ethernet frame structure. The default maximum transmission unit (MTU) of an interface is 1500 bytes, and an outer VLAN tag adds 4 bytes. It is therefore recommended that you increase the MTU of each interface on the service provider network.
  • Page 177 Figure 1-3 VLAN tag structure of an Ethernet frame The device determines whether a received frame carries a SVLAN tag or a CVLAN tag by checking the corresponding TPID value. Upon receiving a frame, the device compares the configured TPID value with the value of the TPID field in the frame.
  • Page 178: Qinq Configuration Task List

    QinQ allows adding different outer VLAN tags based on different inner VLAN tags. H3C S5500-SI switches support the configuration of basic QinQ and selective QinQ at the same time on a port and when the two features are both enabled on the port, frames that meet the selective QinQ...
  • Page 179: Configuring The Tpid Value In Vlan Tags

    condition are handled with selective QinQ on this port first, and the remaining frames are handled with basic QinQ. Follow these steps to configure an outer VLAN tagging policy: Enter system view: system-view. Enter Ethernet or Layer-2 interface view: interface interface-type...
  • Page 180 Customer A1, Customer A2, Customer B1 and Customer B2 are edge devices on the customer network. Third-party devices with a TPID value of 0x8200 are deployed between Provider A and Provider B. Configure the devices to achieve the following: Frames of VLAN 200 through VLAN 299 can be exchanged between Customer A1 and Customer A2 through VLAN 10 of the service provider network.
  • Page 181 [ProviderA] interface gigabitethernet 1/0/2 [ProviderA-GigabitEthernet1/0/2] port link-type hybrid [ProviderA-GigabitEthernet1/0/2] port hybrid pvid vlan 50 [ProviderA-GigabitEthernet1/0/2] port hybrid vlan 50 untagged # Enable basic QinQ on GigabitEthernet 1/0/2. [ProviderA-GigabitEthernet1/0/2] qinq enable [ProviderA-GigabitEthernet1/0/2] quit Configure GigabitEthernet 1/0/3 # Configure GigabitEthernet 1/0/3 as a trunk port to permit frames of VLAN 10 and 50 to pass through. [ProviderA] interface gigabitethernet 1/0/3 [ProviderA-GigabitEthernet1/0/3] port link-type trunk [ProviderA-GigabitEthernet1/0/3] port trunk permit vlan 10 50...
  • Page 182: Comprehensive Selective Qinq Configuration Example

    Configure the third-party devices between Provider A and Provider B as follows: configure the port connecting GigabitEthernet 1/0/3 of Provider A and that connecting GigabitEthernet 1/0/3 of Provider B to allow tagged frames of VLAN 10 and 50 to pass through. Comprehensive Selective QinQ Configuration Example Network requirements Provider A and Provider B are edge devices on the service provider network and are...
  • Page 183 [ProviderA] interface gigabitethernet 1/0/1 [ProviderA-GigabitEthernet1/0/1] port link-type hybrid [ProviderA-GigabitEthernet1/0/1] port hybrid vlan 1000 2000 untagged # Tag CVLAN 10 frames with SVLAN 1000. [ProviderA-GigabitEthernet1/0/1] qinq vid 1000 [ProviderA-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10 [ProviderA-GigabitEthernet1/0/1-vid-1000] quit # Tag CVLAN 20 frames with SVLAN 2000. [ProviderA-GigabitEthernet1/0/1] qinq vid 2000 [ProviderA-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20 [ProviderA-GigabitEthernet1/0/1-vid-2000] quit...
  • Page 184 [ProviderB-GigabitEthernet1/0/2] port link-type hybrid [ProviderB-GigabitEthernet1/0/2] port hybrid vlan 2000 untagged # Tag CVLAN 20 frames with SVLAN 2000. [ProviderB-GigabitEthernet1/0/2] qinq vid 2000 [ProviderB-GigabitEthernet1/0/2-vid-2000] raw-vlan-id inbound 20 # Set the TPID value in the outer tag to 0x8200. [ProviderA-GigabitEthernet1/0/3] quit [ProviderA] qinq ethernet-type 8200 Configuration on third-party devices Configure the third-party devices between Provider A and Provider B as follows: configure the port connecting GigabitEthernet 1/0/3 of Provider A and that connecting GigabitEthernet 1/0/1 of Provider B...
  • Page 185 Table of Contents: 1 BPDU Tunneling Configuration (1-1); Introduction to BPDU Tunneling (1-1); Background (1-1); BPDU Tunneling Implementation (1-2); Configuring BPDU Tunneling (1-4); Configuration Prerequisites (1-4); Enabling BPDU Tunneling (1-4); Configuring Destination Multicast MAC Address for BPDUs (1-5); BPDU Tunneling Configuration Examples (1-5); BPDU Tunneling for STP Configuration Example (1-5); BPDU Tunneling for PVST Configuration Example (1-7)...
  • Page 186: Bpdu Tunneling Configuration

    BPDU Tunneling Configuration When configuring BPDU tunneling, go to these sections for information you are interested in: Introduction to BPDU Tunneling Configuring BPDU Tunneling BPDU Tunneling Configuration Examples Introduction to BPDU Tunneling As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific channels across a service provider network.
  • Page 187: Bpdu Tunneling Implementation

    The encapsulated Layer 2 protocol packet (called a bridge protocol data unit, BPDU) is forwarded to PE 2 at the other end of the service provider network, which decapsulates the packet, restores the original destination MAC address of the packet, and then sends the packet to User A network 2. Depending on the device model, BPDU tunneling may support the transparent transmission of these types of Layer 2 protocol packets: Cisco Discovery Protocol (CDP)
  • Page 188 To allow each network to calculate an independent spanning tree with STP, BPDU tunneling was introduced. BPDU tunneling delivers the following benefits: BPDUs can be transparently transmitted. BPDUs of the same customer network can be broadcast in a specific VLAN across the service provider network, so that the geographically dispersed networks of the same customer can implement consistent spanning tree calculation across the service provider network.
  • Page 189: Configuring Bpdu Tunneling

    Configuring BPDU Tunneling Configuration Prerequisites Before configuring BPDU tunneling for a protocol, enable the protocol in the customer network first. Assign the port on which you want to enable BPDU tunneling on the PE device and the connected port on the CE device to the same VLAN. Configure all the ports in the service provider network as trunk ports allowing packets of any VLAN to pass through.
  • Page 190: Configuring Destination Multicast Mac Address For Bpdus

    Enabling BPDU tunneling for a protocol in Layer 2 aggregate interface view. Follow these steps to enable BPDU tunneling for a protocol in Layer 2 aggregate interface view: Enter system view: system-view. Enter Layer 2 aggregate interface view: interface bridge-aggregation...
  • Page 191 It is required that, after the configuration, CE 1 and CE 2 implement consistent spanning tree calculation across the service provider network, and that the destination multicast MAC address carried in BPDUs be 0x0100-0CCD-CDD0. Figure 1-3 Network diagram for configuring BPDU tunneling for STP Configuration procedure Configuration on PE 1 # Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
  • Page 192: Bpdu Tunneling For Pvst Configuration Example

    BPDU Tunneling for PVST Configuration Example. Network requirements: As shown in Figure 1-4, CE 1 and CE 2 are edge devices on the geographically dispersed network of User A; PE 1 and PE 2 are edge devices on the service provider network. All ports that connect service provider devices and customer devices, and those that interconnect service provider devices, are trunk ports and allow packets of any VLAN to pass through.
  • Page 193 [PE2] interface gigabitethernet 1/0/2 [PE2-GigabitEthernet1/0/2] port link-type trunk [PE2-GigabitEthernet1/0/2] port trunk permit vlan all # Disable STP on GigabitEthernet1/0/2, and then enable BPDU tunneling for STP and PVST on it. [PE2-GigabitEthernet1/0/2] undo stp enable [PE2-GigabitEthernet1/0/2] bpdu-tunnel dot1q stp [PE2-GigabitEthernet1/0/2] bpdu-tunnel dot1q pvst...
  • Page 194 Table of Contents: 1 Port Mirroring Configuration (1-1); Introduction to Port Mirroring (1-1); Classification of Port Mirroring (1-1); Implementing Port Mirroring (1-1); Configuring Local Port Mirroring (1-3); Configuring Remote Port Mirroring (1-4); Configuration Prerequisites (1-4); Configuring a Remote Source Mirroring Group (on the Source Device) (1-4); Configuring a Remote Destination Mirroring Group (on the Destination Device) (1-6); Displaying and Maintaining Port Mirroring (1-7); Port Mirroring Configuration Examples (1-7)...
  • Page 195: Port Mirroring Configuration

    Port Mirroring Configuration. When configuring port mirroring, go to these sections for information you are interested in: Introduction to Port Mirroring; Configuring Local Port Mirroring; Configuring Remote Port Mirroring; Displaying and Maintaining Port Mirroring; Port Mirroring Configuration Examples. Introduction to Port Mirroring: Port mirroring copies the packets passing through a port (called a mirroring port) to another port (called the monitor port) that is connected to a monitoring device for packet analysis.
  • Page 196 Figure 1-1 Local port mirroring implementation (diagram: traffic passing through the mirroring port is mirrored to the monitor port, which connects to the data monitoring device). Remote port mirroring: Remote port mirroring can mirror all packets but protocol packets. Remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group, as shown in Figure 1-2.
  • Page 197: Configuring Local Port Mirroring

    Destination device The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group. When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote destination mirroring group.
  • Page 198: Configuring Remote Port Mirroring

    A local port mirroring group takes effect only after its mirroring and monitor ports are configured. To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. A port mirroring group can have multiple mirroring ports, but only one monitor port. A mirroring or monitor port to be configured cannot belong to an existing port mirroring group.
  • Page 199 Configure mirroring ports (required). In system view: mirroring-group groupid mirroring-port mirroring-port-list { both | inbound | outbound }. In interface view: interface interface-type interface-number, then [ mirroring-group groupid ] mirroring-port ... Remarks: You can configure multiple mirroring ports in a mirroring group. In system view, you can assign a list of mirroring ports to the mirroring...
  • Page 200: Configuring A Remote Destination Mirroring Group (On The Destination Device)

    To remove the VLAN configured as a remote probe VLAN, you must first remove the remote probe VLAN with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group. It is recommended that you use a remote probe VLAN exclusively for mirroring. A port can belong to only one mirroring group.
  • Page 201: Displaying And Maintaining Port Mirroring

    When configuring the monitor port, use the following guidelines: The port can belong to only the current mirroring group. Disable these functions on the port: STP, MSTP, and RSTP. You are recommended to use a monitor port only for port mirroring. This is to ensure that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
  • Page 202: Remote Port Mirroring Configuration Example

    Figure 1-3 Network diagram for local port mirroring configuration Switch A R&D department GE1/0/1 GE1/0/3 GE1/0/2 Switch C Data monitoring device Switch B Marketing department Configuration procedure Configure Switch C. # Create a local port mirroring group. <SwitchC> system-view [SwitchC] mirroring-group 1 local # Add port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the port mirroring group as source ports.
  • Page 203 As shown in Figure 1-4, the administrator wants to monitor the packets sent from Department 1 and 2 through the data monitoring device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: Use Switch A as the source device, Switch B as the intermediate device, and Switch C as the destination device.
  • Page 204 [SwitchA-GigabitEthernet1/0/3] port link-type trunk [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 2 Configure Switch B (the intermediate device). # Configure port GigabitEthernet 1/0/1 as a trunk port and configure the port to permit the packets of VLAN 2. <SwitchB> system-view [SwitchB] interface GigabitEthernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port link-type trunk [SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 2 [SwitchB-GigabitEthernet1/0/1] quit...
  • Page 205 IP Services Volume Organization. Manual Version 20090930-C-1.01, Product Version Release 2202. Organization: The IP Services Volume is organized as follows (Features / Description). IP Address: An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: Introduction to IP addresses; IP address configuration...
  • Page 206 (Features / Description, continued) UDP Helper: UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server. This document describes: UDP Helper overview; UDP Helper configuration. Internet protocol version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet protocol version 4 (IPv4).
  • Page 207 Table of Contents: 1 IP Addressing Configuration, 1-1; IP Addressing Overview, 1-1; IP Address Classes, 1-1; Special IP Addresses, 1-2; Subnetting and Masking, 1-2; Configuring IP Addresses, 1-3; Assigning an IP Address to an Interface, 1-3; IP Addressing Configuration Example, 1-4; Displaying and Maintaining IP Addressing, 1-5...
  • Page 208: Ip Addressing Configuration

    IP Addressing Configuration. When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in: IP Addressing Overview; Configuring IP Addresses; Displaying and Maintaining IP Addressing. IP Addressing Overview: This section covers these topics: IP Address Classes; Special IP Addresses. IP Address Classes...
  • Page 209: Special Ip Addresses

    Table 1-1 IP address classes and ranges (Class / Address range / Remarks). Class A, 0.0.0.0 to 127.255.255.255: The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
  • Page 210: Configuring Ip Addresses

    In the absence of subnetting, some special addresses, such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones, are not assignable to hosts. The same is true with subnetting. When designing your network, note that subnetting is somewhat of a tradeoff between the number of subnets and the number of hosts each subnet can accommodate.
  • Page 211: Ip Addressing Configuration Example

    The primary IP address you assign to the interface overwrites the old one, if any. You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured. The primary and secondary IP addresses you assign to the interface can be located on the same network segment.
  • Page 212: Displaying And Maintaining Ip Addressing

    <Switch> ping 172.16.1.2 PING 172.16.1.2: 56 data bytes, press CTRL_C to break Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms --- 172.16.1.2 ping statistics --- 5 packet(s) transmitted...
  • Page 213 Table of Contents: 1 ARP Configuration, 1-1; ARP Overview, 1-1; ARP Function, 1-1; ARP Message Format, 1-1; ARP Address Resolution Process, 1-2; ARP Table, 1-3; Configuring ARP, 1-4; Configuring a Static ARP Entry, 1-4; Configuring the Maximum Number of ARP Entries for an Interface, 1-4; Setting the Aging Time for Dynamic ARP Entries, 1-4; Enabling the ARP Entry Check, 1-5; ARP Configuration Example, 1-5...
  • Page 214: Arp Configuration

    This document is organized as follows: ARP Configuration; Proxy ARP Configuration. ARP Configuration: When configuring ARP, go to these sections for information you are interested in: ARP Overview; Configuring ARP; Configuring Gratuitous ARP; Displaying and Maintaining ARP. ARP Overview. ARP Function: The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address).
  • Page 215: Arp Address Resolution Process

    hardware address length field is "6". For an IP(v4) address, the value of the protocol address length field is "4". OP: Operation code. This field specifies the type of ARP message. The value "1" represents an ARP request and "2" represents an ARP reply. Sender hardware address: This field specifies the hardware address of the device sending the message.
  • Page 216: Arp Table

    which the target IP address is the IP address of Host B. After obtaining the MAC address of Host B, the gateway sends the packet to Host B. ARP Table After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table.
  • Page 217: Configuring Arp

    Configuring ARP Configuring a Static ARP Entry A static ARP entry is effective when the device works normally. However, when a VLAN or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if permanent, will be deleted, and if non-permanent and resolved, will become unresolved.
  • Page 218: Enabling The Arp Entry Check

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Set the aging time for dynamic ARP entries: arp timer aging aging-time (Optional; 20 minutes by default). Enabling the ARP Entry Check: The ARP entry check function disables the device from learning multicast MAC addresses. With the ARP entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and configuring such a static ARP entry is not allowed;...
  • Page 219: Configuring Gratuitous Arp

    Configuring Gratuitous ARP Introduction to Gratuitous ARP A gratuitous ARP packet is a special ARP packet, in which the sender IP address and the target IP address are both the IP address of the sender, the sender MAC address is the MAC address of the sender, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
  • Page 220 Clearing ARP entries from the ARP table may cause communication failures.
  • Page 221: Proxy Arp Configuration

    Proxy ARP Configuration. When configuring proxy ARP, go to these sections for information you are interested in: Proxy ARP Overview; Enabling Proxy ARP; Displaying and Maintaining Proxy ARP. Proxy ARP Overview: If a host sends an ARP request for the MAC address of another host that actually resides on another network (but the sending host considers the requested host is on the same network) or that is isolated from the sending host at Layer 2, the device in between must be able to respond to the request with the MAC address of the receiving interface to allow Layer 3 communication between the two hosts.
  • Page 222: Local Proxy Arp

    You can solve the problem by enabling proxy ARP on Switch. After that, Switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, Switch seems to be a proxy of Host B. A main advantage of proxy ARP is that it is added on a single router without disturbing routing tables of other routers in the network.
  • Page 223: Displaying And Maintaining Proxy Arp

    To do… / Use the command… / Remarks: Enable local proxy ARP: local-proxy-arp enable (Required; disabled by default). Displaying and Maintaining Proxy ARP. To do… / Use the command… / Remarks: Display whether proxy ARP is enabled: display proxy-arp [ interface vlan-interface vlan-id ] (Available in any view). Display whether local proxy...
  • Page 224: Local Proxy Arp Configuration Example In Case Of Port Isolation

    [Switch-Vlan-interface1] quit [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0 [Switch-Vlan-interface2] proxy-arp enable [Switch-Vlan-interface2] quit Local Proxy ARP Configuration Example in Case of Port Isolation Network requirements Host A and Host B belong to the same VLAN, and connect to Switch B via GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, respectively.
  • Page 225: Local Proxy Arp Configuration Example In Isolate-User-Vlan

    # Configure an IP address of VLAN-interface 2. <SwitchA> system-view [SwitchA] vlan 2 [SwitchA-vlan2] port gigabitethernet 1/0/2 [SwitchA-vlan2] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0 The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2. # Configure local proxy ARP to let Host A and Host B communicate at Layer 3.
  • Page 226 [SwitchB-vlan2] port gigabitethernet 1/0/2 [SwitchB-vlan2] quit [SwitchB] vlan 3 [SwitchB-vlan3] port gigabitethernet 1/0/3 [SwitchB-vlan3] quit [SwitchB] vlan 5 [SwitchB-vlan5] port gigabitethernet 1/0/1 [SwitchB-vlan5] isolate-user-vlan enable [SwitchB-vlan5] quit [SwitchB] isolate-user-vlan 5 secondary 2 3 Configure Switch A # Create VLAN 5 and add GigabitEthernet 1/0/1 to it. <SwitchA>...
  • Page 227 Table of Contents: 1 DHCP Overview, 1-1; Introduction to DHCP, 1-1; DHCP Address Allocation, 1-2; Allocation Mechanisms, 1-2; Dynamic IP Address Allocation Process, 1-2; IP Address Lease Extension, 1-3; DHCP Message Format, 1-3; DHCP Options, 1-4; DHCP Options Overview, 1-4; Introduction to DHCP Options, 1-4; Self-Defined Options, 1-5; Protocols and Standards, 1-8; 2 DHCP Relay Agent Configuration, 2-1...
  • Page 228 Prerequisites, 4-5; Configuring DHCP Snooping to Support Option 82, 4-5; Displaying and Maintaining DHCP Snooping, 4-7; DHCP Snooping Configuration Examples, 4-7; DHCP Snooping Configuration Example, 4-7; DHCP Snooping Option 82 Support Configuration Example, 4-8; 5 BOOTP Client Configuration, 5-1; Introduction to BOOTP Client, 5-1; BOOTP Application, 5-1; Obtaining an IP Address Dynamically, 5-2; Protocols and Standards, 5-2...
  • Page 229: Dhcp Overview

    This document is organized as follows: DHCP Overview; DHCP Relay Agent Configuration; DHCP Client Configuration; DHCP Snooping Configuration; BOOTP Client Configuration. DHCP Overview. Introduction to DHCP: The fast expansion and growing complexity of networks result in scarce IP addresses assignable to hosts.
  • Page 230: Dhcp Address Allocation

    DHCP Address Allocation Allocation Mechanisms DHCP supports three mechanisms for IP address allocation. Manual allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client. Automatic allocation: DHCP assigns a permanent IP address to a client. Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease.
  • Page 231: Ip Address Lease Extension

    After receiving the DHCP-ACK message, the client probes whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE message to the server and requests an IP address again.
  • Page 232: Dhcp Options

    secs: Filled in by the client, the number of seconds elapsed since the client began address acquisition or renewal process. Currently this field is reserved and set to 0. flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast;...
  • Page 233: Self-Defined Options

    Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. Option 33: Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add to its routing table.
  • Page 234 Figure 1-6 Format of the value field of the ACS parameter sub-option The value field of the service provider identifier sub-option contains the service provider identifier. Figure 1-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE server type can only be 0.
  • Page 235 Figure 1-8 Sub-option 1 in normal padding format Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client’s request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is 0. Figure 1-9 Sub-option 2 in normal padding format Verbose padding format The padding contents for sub-options in the verbose padding format are as follows:...
  • Page 236: Protocols And Standards

    Sub-option 1: IP address of the primary network calling processor, which is a server serving as the network calling control source and providing program downloads. Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreachable.
  • Page 237: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration. When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent; DHCP Relay Agent Configuration Task List; Configuring the DHCP Relay Agent; Displaying and Maintaining DHCP Relay Agent Configuration; DHCP Relay Agent Configuration Examples; Troubleshooting DHCP Relay Agent Configuration. The DHCP relay agent configuration is supported only on VLAN interfaces.
  • Page 238: Dhcp Relay Agent Support For Option 82

    Figure 2-1 DHCP relay agent application (the figure shows several DHCP clients, the DHCP relay agent, the IP network, and the DHCP server). No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section Dynamic IP Address Allocation Process).
  • Page 239: Dhcp Relay Agent Configuration Task List

    If a client’s requesting message has Option 82, the DHCP relay agent acts according to the configured handling strategy and padding format (Handling strategy / Padding format / The DHCP relay agent will…): Drop / Random: Drop the message. Keep / Random: Forward the message without changing Option 82. Replace / normal: Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
  • Page 240: Enabling The Dhcp Relay Agent On An Interface

    Follow these steps to enable DHCP (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enable DHCP: dhcp enable (Required; disabled by default). Enabling the DHCP Relay Agent on an Interface: With this task completed, upon receiving a DHCP request from the enabled interface, the relay agent will forward the request to a DHCP server for address allocation.
  • Page 241: Configuring The Dhcp Relay Agent Security Functions

    To do… / Use the command… / Remarks: Correlate the DHCP server group with the current interface: dhcp relay server-select group-id (Required; by default, no interface is correlated with any DHCP server group). You can specify up to twenty DHCP server groups on the relay agent and eight DHCP server addresses for each DHCP server group.
  • Page 242 The dhcp relay address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands are used. The dhcp relay address-check enable command only checks IP and MAC addresses of clients. You are recommended to configure IP address check on the interface enabled with the DHCP relay agent;...
  • Page 243: Configuring The Dhcp Relay Agent To Send A Dhcp-Release Request

    Follow these steps to enable unauthorized DHCP server detection (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enable unauthorized DHCP server detection: dhcp relay server-detect (Required; disabled by default). With the unauthorized DHCP server detection enabled, the device puts a record once for each DHCP server.
  • Page 244 Configuring the DHCP relay agent to support Option 82. Follow these steps to configure the DHCP relay agent to support Option 82 (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enter interface view: interface interface-type interface-number (—). Enable the relay agent to support Option 82: dhcp relay information... (Required)
  • Page 245: Displaying And Maintaining Dhcp Relay Agent Configuration

    Displaying and Maintaining DHCP Relay Agent Configuration (To do… / Use the command… / Remarks): Display information about DHCP server groups correlated to a specified interface or all interfaces: display dhcp relay { all | interface interface-type interface-number }. Display Option 82 configuration information on the DHCP relay agent: display dhcp relay information { all | interface interface-type...
  • Page 246: Dhcp Relay Agent Option 82 Support Configuration Example

    Configuration procedure # Specify IP addresses for the interfaces (omitted). # Enable DHCP. <SwitchA> system-view [SwitchA] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [SwitchA] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP relay agent on VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] dhcp select relay # Correlate VLAN-interface 1 to DHCP server group 1.
  • Page 247: Troubleshooting Dhcp Relay Agent Configuration

    # Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations. [SwitchA-Vlan-interface1] dhcp relay information enable [SwitchA-Vlan-interface1] dhcp relay information strategy replace [SwitchA-Vlan-interface1] dhcp relay information circuit-id string company001 [SwitchA-Vlan-interface1] dhcp relay information remote-id string device001 You need to perform corresponding configurations on the DHCP server to make the Option 82 configurations function normally.
  • Page 248: Dhcp Client Configuration

    DHCP Client Configuration. When configuring the DHCP client, go to these sections for information you are interested in: Introduction to DHCP Client; Enabling the DHCP Client on an Interface; Displaying and Maintaining the DHCP Client; DHCP Client Configuration Example. The DHCP client configuration is supported only on VLAN interfaces. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 249: Displaying And Maintaining The Dhcp Client

    An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface.
  • Page 250 <SwitchB> system-view [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address dhcp-alloc...
  • Page 251: Dhcp Snooping Configuration

    DHCP Snooping Configuration. When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview; Configuring DHCP Snooping Basic Functions; Configuring DHCP Snooping to Support Option 82; Displaying and Maintaining DHCP Snooping; DHCP Snooping Configuration Examples. The DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP server; it works when it is between the DHCP client and relay agent or between the DHCP client and server.
  • Page 252: Application Environment Of Trusted Ports

    Recording IP-to-MAC mappings of DHCP clients DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping entries, DHCP snooping can implement the following: ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries.
  • Page 253: Dhcp Snooping Support For Option 82

    Figure 4-2 Configure trusted ports in a cascaded network. Table 4-1 describes roles of the ports shown in Figure 4-2. Table 4-1 Roles of ports (columns: Device / Untrusted port / Trusted port disabled from recording binding entries / Trusted port enabled to record binding entries). Switch A: GE1/0/1, GE1/0/3...
  • Page 254: Configuring Dhcp Snooping Basic Functions

    If a client’s requesting message has Option 82, the DHCP snooping device acts according to the configured handling strategy and padding format (Handling strategy / Padding format / The DHCP snooping device will…): Drop / Random: Drop the message. Keep / Random: Forward the message without changing Option 82. Replace / normal: Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
  • Page 255: Configuring Dhcp Snooping To Support Option 82

    You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports.
  • Page 256 To do… / Use the command… / Remarks: Configure the padding format for Option 82: dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } (Optional; normal by default). Next row: (Optional; by default, the code type depends on the padding format of Option 82.)
  • Page 257: Displaying And Maintaining Dhcp Snooping

    Displaying and Maintaining DHCP Snooping (To do… / Use the command… / Remarks): Display DHCP snooping entries: display dhcp-snooping [ ip ip-address ] (Available in any view). Display Option 82 configuration information on the DHCP snooping device: display dhcp-snooping information { all | interface interface-type interface-number } (Available in any view). Display DHCP packet statistics on the...
  • Page 258: Dhcp Snooping Option 82 Support Configuration Example

    [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/1] quit DHCP Snooping Option 82 Support Configuration Example Network requirements As shown in Figure 4-3, enable DHCP snooping and Option 82 support on Switch B. Configure the handling strategy for DHCP requests containing Option 82 as replace. On GigabitEthernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
  • Page 259: Bootp Client Configuration

    BOOTP Client Configuration. While configuring a BOOTP client, go to these sections for information you are interested in: Introduction to BOOTP Client; Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP; Displaying and Maintaining BOOTP Client Configuration. BOOTP client configuration only applies to VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 260: Obtaining An Ip Address Dynamically

    Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server. Obtaining an IP Address Dynamically A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.
  • Page 261: Displaying And Maintaining Bootp Client Configuration

    Displaying and Maintaining BOOTP Client Configuration (To do… / Use the command… / Remarks): Display related information on a BOOTP client: display bootp client [ interface interface-type interface-number ] (Available in any view). BOOTP Client Configuration Example. Network requirement: As shown in Figure 5-1, Switch B’s port belonging to VLAN 1 is connected to the LAN.
  • Page 262 Table of Contents: 1 DNS Configuration, 1-1; DNS Overview, 1-1; Static Domain Name Resolution, 1-1; Dynamic Domain Name Resolution, 1-1; DNS Proxy, 1-3; Configuring the DNS Client, 1-4; Configuring Static Domain Name Resolution, 1-4; Configuring Dynamic Domain Name Resolution, 1-4; Configuring the DNS Proxy, 1-5; Displaying and Maintaining DNS, 1-5; DNS Configuration Examples, 1-5; Static Domain Name Resolution Configuration Example, 1-5; Dynamic Domain Name Resolution Configuration Example, 1-6...
  • Page 263: Dns Configuration

    DNS Configuration. When configuring DNS, go to these sections for information you are interested in: DNS Overview; Configuring the DNS Client; Configuring the DNS Proxy; Displaying and Maintaining DNS; DNS Configuration Examples; Troubleshooting DNS Configuration. This document only covers IPv4 DNS configuration. For information about IPv6 DNS configuration, refer to IPv6 Basics Configuration in the IP Services Volume.
  • Page 264 The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, it sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned. The DNS client returns the resolution result to the application after receiving a response from the DNS server.
  • Page 265: Dns Proxy

    If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host. DNS Proxy Introduction to DNS proxy A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 1-2, a DNS client sends a DNS request to the DNS proxy, which forwards the...
  • Page 266: Configuring The Dns Client

    Configuring the DNS Client. Configuring Static Domain Name Resolution: Follow these steps to configure static domain name resolution (To do… / Use the command… / Remarks): Enter system view: system-view (––). Configure a mapping between a host name and IP address in the static domain name resolution table: ip host hostname ip-address (Required; not configured by default).
  • Page 267: Configuring The Dns Proxy

    Configuring the DNS Proxy. Follow these steps to configure the DNS proxy (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enable DNS proxy: dns proxy enable (Required; disabled by default). Displaying and Maintaining DNS (To do… / Use the command… / Remarks): Display the static domain name resolution table: display ip host...
  • Page 268: Dynamic Domain Name Resolution Configuration Example

    data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms
    --- host.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received...
  • Page 269 Figure 1-5, right click Forward Lookup Zones, select New zone, and then follow the instructions to create a new zone named com. Figure 1-5 Create a zone # Create a mapping between the host name and IP address. Figure 1-6 Add a host Figure 1-6, right click zone com, and then select New Host to bring up a dialog box as shown in Figure...
  • Page 270 Figure 1-7 Add a mapping between domain name and IP address
    Configure the DNS client
    # Enable dynamic domain name resolution.
    <Sysname> system-view
    [Sysname] dns resolve
    # Specify the DNS server 2.1.1.2.
    [Sysname] dns server 2.1.1.2
    # Configure com as the name suffix.
    [Sysname] dns domain com
    Configuration verification
    # Execute the ping host command on the Switch to verify that the communication between the Switch...
  • Page 271: DNS Proxy Configuration Example

    DNS Proxy Configuration Example Network requirements Specify Switch A as the DNS server of Switch B (the DNS client). Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. Switch B implements domain name resolution through Switch A. Figure 1-8 Network diagram for DNS proxy Configuration procedure Before performing the following configuration, assume that Switch A, the DNS server, and the host are...
  • Page 272: Troubleshooting Dns Configuration

    # Specify the DNS server 2.1.1.2.
    [SwitchB] dns server 2.1.1.2
    Configuration verification
    # Execute the ping host.com command on Switch B to verify that the communication between the Switch and the host is normal and that the corresponding destination IP address is 3.1.1.1.
    [SwitchB] ping host.com
    Trying DNS resolve, press CTRL_C to break
    Trying DNS server (2.1.1.2)
  • Page 273 Table of Contents: 1 IP Performance Optimization Configuration (1-1); IP Performance Overview (1-1); Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network (1-1); Enabling Reception of Directed Broadcasts to a Directly Connected Network (1-1); Enabling Forwarding of Directed Broadcasts to a Directly Connected Network (1-2); Configuration Example (1-2); Configuring TCP Optional Parameters (1-3); Configuring ICMP to Send Error Packets (1-4)...
  • Page 274: IP Performance Optimization Configuration

    IP Performance Optimization Configuration When optimizing IP performance, go to these sections for information you are interested in: IP Performance Overview; Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network; Configuring TCP Optional Parameters; Configuring ICMP to Send Error Packets; Displaying and Maintaining IP Performance Optimization. IP Performance Overview In some network environments, you can adjust the IP parameters to achieve the best network performance.
  • Page 275: Enabling Forwarding Of Directed Broadcasts To A Directly Connected Network

    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network Follow these steps to enable the device to forward directed broadcasts: Enter system view: system-view. Enter interface view: interface interface-type interface-number. Enable the interface to forward directed broadcasts: ip forward-broadcast [ acl … (Required; by default, the device is...
  • Page 276: Configuring TCP Optional Parameters

    [SwitchA-Vlan-interface3] quit
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 2.2.2.2 24
    # Enable VLAN-interface 2 to forward directed broadcasts.
    [SwitchA-Vlan-interface2] ip forward-broadcast
    Configure Switch B
    # Enable Switch B to receive directed broadcasts.
    <SwitchB> system-view
    [SwitchB] ip forward-broadcast
    # Configure a static route to the host.
    [SwitchB] ip route-static 1.1.1.1 24 2.2.2.2
    # Configure an IP address for VLAN-interface 2.
  • Page 277: Configuring ICMP to Send Error Packets

    Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer Configuring ICMP to Send Error Packets Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management.
  • Page 278 If the source uses “strict source routing” to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device will send the source a “source routing failure” ICMP error packet. When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has been set “Don’t Fragment”, the device will send the source a “fragmentation needed and Don’t Fragment (DF)-set”...
  • Page 279: Displaying and Maintaining IP Performance Optimization

    Displaying and Maintaining IP Performance Optimization: Display current TCP connection state: display tcp status. Display TCP connection statistics: display tcp statistics. Display UDP statistics: display udp statistics. Display statistics of IP packets: display ip statistics. Display statistics of ICMP flows: display icmp statistics. (Available in any view)...
  • Page 280 Table of Contents: 1 UDP Helper Configuration (1-1); Introduction to UDP Helper (1-1); Configuring UDP Helper (1-1); Displaying and Maintaining UDP Helper (1-2); UDP Helper Configuration Examples (1-2); UDP Helper Configuration Example (1-2)...
  • Page 281: UDP Helper Configuration

    UDP Helper Configuration When configuring UDP Helper, go to these sections for information you are interested in: Introduction to UDP Helper; Configuring UDP Helper; Displaying and Maintaining UDP Helper; UDP Helper Configuration Examples. UDP Helper can currently be configured on VLAN interfaces only. Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 282: Displaying and Maintaining UDP Helper

    Enter interface view: interface interface-type interface-number. Specify the destination server to which UDP packets are to be forwarded: udp-helper server ip-address (Required; no destination server is specified by default). A UDP Helper-enabled device cannot forward DHCP broadcast packets. That is to say, the UDP port number cannot be set to 67 or 68.
  • Page 283 Figure 1-1 Network diagram for UDP Helper configuration
    Configuration procedure
    The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available.
    # Enable UDP Helper.
    <SwitchA> system-view
    [SwitchA] udp-helper enable
    # Enable the forwarding of broadcast packets with the UDP destination port 55.
    [SwitchA] udp-helper port 55
    # Specify the destination server 10.2.1.1 on VLAN-interface 1.
  • Page 284 Table of Contents: 1 IPv6 Basics Configuration (1-1); IPv6 Overview (1-1); IPv6 Features (1-1); Introduction to IPv6 Address (1-3); Introduction to IPv6 Neighbor Discovery Protocol (1-5); IPv6 PMTU Discovery (1-8); Introduction to IPv6 DNS (1-9); Protocols and Standards (1-9); IPv6 Basics Configuration Task List (1-9); Configuring Basic IPv6 Functions (1-10); Enabling IPv6 (1-10); Configuring an IPv6 Unicast Address (1-10)...
  • Page 285: IPv6 Basics Configuration

    IPv6 Basics Configuration When configuring IPv6 basics, go to these sections for information you are interested in: IPv6 Overview; IPv6 Basics Configuration Task List; Configuring Basic IPv6 Functions; Configuring IPv6 NDP; Configuring PMTU Discovery; Configuring IPv6 TCP Properties; Configuring ICMPv6 Packet Sending; Configuring IPv6 DNS Client; Displaying and Maintaining IPv6 Basics Configuration; IPv6 Configuration Example...
  • Page 286 the IPv4 address size, the basic IPv6 header size is 40 bytes and is only twice the IPv4 header size (excluding the Options field). Figure 1-1 Comparison between IPv4 packet header format and basic IPv6 packet header format Adequate address space The source and destination IPv6 addresses are both 128 bits (16 bytes) long.
  • Page 287: Introduction to IPv6 Address

    Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol Version 6 (ICMPv6) messages that manage the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP) messages, Internet Control Message Protocol version 4 (ICMPv4) router discovery messages, and ICMPv4 redirection messages and provides a series of other functions.
  • Page 288 Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the target interface is nearest to the source, according to a routing protocol’s measure of distance).
  • Page 289: Introduction to IPv6 Neighbor Discovery Protocol

    Multicast address IPv6 multicast addresses listed in Table 1-2 are reserved for special purposes. Table 1-2 Reserved IPv6 multicast addresses (Address: Application): FF01::1: Node-local scope all nodes multicast address. FF02::1: Link-local scope all nodes multicast address. FF01::2: Node-local scope all routers multicast address. FF02::2: Link-local scope all routers multicast address. FF05::2...
  • Page 290 Duplicate address detection; Router/prefix discovery and address autoconfiguration; Redirection. Table 1-3 lists the types and functions of ICMPv6 messages used by the NDP. Table 1-3 Types and functions of ICMPv6 messages (ICMPv6 message; Number; Function): Neighbor solicitation (NS) message: Used to acquire the link-layer address of a neighbor; Used to verify whether the neighbor is reachable...
  • Page 291 After receiving the NS message, node B judges whether the destination address of the packet is its solicited-node multicast address. If yes, node B learns the link-layer address of node A, and then unicasts an NA message containing its link-layer address. Node A acquires the link-layer address of node B from the NA message.
  • Page 292: IPv6 PMTU Discovery

    The router returns an RA message containing information such as prefix information option. (The router also regularly sends an RA message.) The node automatically generates an IPv6 address and other information for its interface according to the address prefix and other configuration parameters in the RA message. In addition to an address prefix, the prefix information option also contains the preferred lifetime and valid lifetime of the address prefix.
  • Page 293: Introduction to IPv6 DNS

    The source host uses its MTU to send packets to the destination host. If the MTU supported by a forwarding interface is smaller than the packet size, the forwarding device will discard the packet and return an ICMPv6 error packet containing the interface MTU to the source host.
  • Page 294: Configuring Basic IPv6 Functions

    Task Remarks: Configuring ICMPv6 Packet Sending (Optional); Configuring IPv6 DNS Client (Optional). Configuring Basic IPv6 Functions Enabling IPv6 Before performing IPv6-related configurations, you need to enable IPv6. Otherwise, an interface cannot forward IPv6 packets even if it has an IPv6 address configured. Follow these steps to enable IPv6: To do...
  • Page 295: Configuring IPv6 NDP

    Configure an IPv6 link-local address for the interface (Optional): Automatically generate a link-local address: ipv6 address auto link-local. Manually assign a link-local address: ipv6 address... By default, after an IPv6 site-local address or aggregatable global unicast address is configured for an interface, a link-local address...
  • Page 296: Configuring The Maximum Number Of Neighbors Dynamically Learned

    Follow these steps to configure a static neighbor entry: Enter system view: system-view. Configure a static neighbor entry: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number } (Required). You can adopt either of the two methods above to configure a static neighbor entry. After a static neighbor entry is configured by using the first method, the device needs to resolve the corresponding Layer 2 port information of the VLAN interface.
  • Page 297 Table 1-4 Parameters in an RA message and their descriptions Parameters Description When sending an IPv6 packet, a host uses the value to fill the Cur Hop Limit Cur hop limit field in IPv6 headers. The value is also filled into the Cur Hop Limit field in response messages of a device.
  • Page 298 Disable the RA message suppression: undo ipv6 nd ra halt (Required; by default, RA messages are suppressed). Configure the maximum and minimum intervals for sending RA messages: ipv6 nd ra interval … (Optional; by default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds)...
  • Page 299: Configuring the Maximum Number of Attempts to Send an NS Message for DAD

    Configuring the Maximum Number of Attempts to Send an NS Message for DAD An interface sends a neighbor solicitation (NS) message for duplicate address detection after acquiring an IPv6 address. If the interface does not receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it continues to send an NS message.
  • Page 300: Configuring IPv6 TCP Properties

    Follow these steps to configure the aging time for dynamic PMTUs: Enter system view: system-view. Configure the aging time for dynamic PMTUs: ipv6 pathmtu age age-time (Optional; 10 minutes by default). Configuring IPv6 TCP Properties The IPv6 TCP properties you can configure include: synwait timer: When a SYN packet is sent, the synwait timer is triggered.
  • Page 301: Enable Sending Of Multicast Echo Replies

    Enter system view: system-view. Configure the capacity and update interval of the token bucket: ipv6 icmp-error { bucket bucket-size | ratelimit interval } * (Optional; by default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds. That is, at most 10 IPv6 ICMP error packets can be...
  • Page 302: Configuring IPv6 DNS Client

    Configuring IPv6 DNS Client Configuring Static IPv6 Domain Name Resolution Configuring static IPv6 domain name resolution is to establish the mapping between a host name and an IPv6 address. When using such applications as Telnet, you can directly input a host name and the system will resolve the host name into an IPv6 address.
  • Page 303: Displaying and Maintaining IPv6 Basics Configuration

    Displaying and Maintaining IPv6 Basics Configuration: Display DNS suffix information: display dns domain [ dynamic ]. Display IPv6 dynamic domain name cache information: display dns ipv6 dynamic-host. Display IPv6 DNS server information: display dns ipv6 server [ dynamic ]. Display the IPv6 FIB entries: display ipv6 fib [ ipv6-address ]. Display the host name to IPv6...
  • Page 304: IPv6 Configuration Example

    The display dns domain command is the same as the one of IPv4 DNS. For details about the commands, refer to DNS Commands in the IP Services Volume. IPv6 Configuration Example Network requirements Host, Switch A and Switch B are directly connected through Ethernet ports. Add the Ethernet ports into corresponding VLANs, configure IPv6 addresses for the VLAN interfaces and verify the connectivity between them.
  • Page 305 Configure Switch B
    # Enable IPv6.
    <SwitchB> system-view
    [SwitchB] ipv6
    # Configure an aggregatable global unicast address for VLAN-interface 2.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ipv6 address 3001::2/64
    # Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1.
    [SwitchB-Vlan-interface2] ipv6 route-static 2001:: 64 3001::1
    Configure Host
    Enable IPv6 for Host to automatically get an IPv6 address through IPv6 NDP.
  • Page 306 ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: [SwitchA-Vlan-interface1] display ipv6 interface vlan-interface 1 verbose Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es):...
  • Page 307 ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B. [SwitchB-Vlan-interface2] display ipv6 interface vlan-interface 2 verbose Vlan-interface2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234 Global unicast address(es): 3001::2, subnet is 3001::/64...
  • Page 308 OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on Host, and ping Switch A and Host on Switch B to verify the connectivity between them. When you ping a link-local address, you should use the “–i” parameter to specify an interface for the link-local address.
  • Page 309: Troubleshooting IPv6 Basics Configuration

    Troubleshooting IPv6 Basics Configuration Symptom The peer IPv6 address cannot be pinged. Solution Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled. Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up.
  • Page 310 Table of Contents: 1 Dual Stack Configuration (1-1); Dual Stack Overview (1-1); Configuring Dual Stack (1-1)...
  • Page 311: Dual Stack Overview

    Dual Stack Configuration When configuring dual stack, go to these sections for information you are interested in: Dual Stack Overview Configuring Dual Stack Dual Stack Overview Dual stack is the most direct approach to making IPv6 nodes compatible with IPv4 nodes. The best way for an IPv6 node to be compatible with an IPv4 node is to maintain a complete IPv4 stack.
  • Page 312 Configure an IPv4 address for the interface: ip address ip-address { mask | mask-length } [ sub ] (Required; by default, no IP address is configured). Manually specify …: ipv6 address { ipv6-address prefix-length … (Use either command.)
  • Page 313 Table of Contents: 1 sFlow Configuration (1-1); sFlow Overview (1-1); Introduction to sFlow (1-1); Operation of sFlow (1-1); Configuring sFlow (1-2); Displaying and Maintaining sFlow (1-2); sFlow Configuration Example (1-3); Troubleshooting sFlow Configuration (1-4); The Remote sFlow Collector Cannot Receive sFlow Packets (1-4)...
  • Page 314: sFlow Configuration

    Supporting traffic monitoring on Gigabit and higher-speed networks. Providing scalability to allow one sFlow collector to monitor multiple sFlow agents. Implementing the low-cost sFlow agent. Currently, only the sFlow agent function is supported on S5500-SI Series Ethernet Switches. Operation of sFlow sFlow operates as follows: With sFlow enabled, a physical port encapsulates sampled data into packets and sends them to the sFlow agent.
  • Page 315: Configuring sFlow

    200000 by default. a packet The sFlow agent and sFlow collector must not have the same IP address. Currently, you can specify at most two sFlow collectors on S5500-SI Series Ethernet Switches. Displaying and Maintaining sFlow To do… Use the command…...
  • Page 316: sFlow Configuration Example

    sFlow Configuration Example Network requirements Host A and Server are connected to Switch through GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. Host B works as an sFlow collector with IP address 3.3.3.2 and port number 6343, and is connected to Switch through GigabitEthernet 1/0/3. GigabitEthernet 1/0/3 belongs to VLAN 1, having an IP address of 3.3.3.1.
  • Page 317: Troubleshooting sFlow Configuration

    Collector IP:3.3.3.2 Port:6343 Interval(s): 30
    sFlow Port Information:
    Interface Direction Rate Mode Status
    Eth1/1 In/Out 100000 Random Active
    Troubleshooting sFlow Configuration The Remote sFlow Collector Cannot Receive sFlow Packets Symptom The remote sFlow collector cannot receive sFlow packets. Analysis sFlow is not enabled globally because the sFlow agent, the sFlow collector, or both are not specified.
  • Page 318 IP Routing Volume Organization Manual Version 20090930-C-1.01 Product Version Release 2202 Organization The IP Routing Volume is organized as follows: Features Description This document describes: IP Routing Overview Introduction to IP routing and routing table Routing protocol overview A static route is manually configured by the administrator. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications.
  • Page 319 Table of Contents: 1 IP Routing Overview (1-1); IP Routing and Routing Table (1-1); Routing (1-1); Routing Table (1-1); Routing Protocol Overview (1-3); Static Routing and Dynamic Routing (1-3); Routing Protocols and Routing Priority (1-3); Displaying and Maintaining a Routing Table (1-3)...
  • Page 320: IP Routing Overview

    IP Routing Overview Go to these sections for information you are interested in: IP Routing and Routing Table; Routing Protocol Overview; Displaying and Maintaining a Routing Table. The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. IP Routing and Routing Table Routing Routing in the Internet is achieved through routers.
  • Page 321 IP address of the next hop: Specifies the address of the next router on the path. If only the outbound interface is configured, its address will be the IP address of the next hop. Priority for the route. Routes to the same destination but having different nexthops may have different priorities and be found by various routing protocols or manually configured.
  • Page 322: Routing Protocol Overview

    Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires less system resources. It works well in small, stable networks with simple topologies. Its major drawback is that you must perform routing configuration again whenever the network topology changes; it cannot adjust to network changes by itself. Dynamic routing is based on dynamic routing protocols, which can detect network topology changes and recalculate the routes accordingly.
  • Page 323 Display information about routes with destination addresses in the specified range: display ip routing-table ip-address1 { mask-length | mask } ip-address2 { mask-length | mask } [ verbose ] (Available in any view). Display information about routes permitted by an IPv4 …: display ip routing-table acl acl-number (Available in any view)...
  • Page 324 Table of Contents: 1 Static Routing Configuration (1-1); Introduction (1-1); Static Route (1-1); Default Route (1-1); Application Environment of Static Routing (1-2); Configuring a Static Route (1-2); Configuration Prerequisites (1-2); Configuration Procedure (1-3); Detecting Reachability of the Static Route’s Nexthop (1-3); Detecting Nexthop Reachability Through Track (1-3); Displaying and Maintaining Static Routes (1-4); Static Route Configuration Example (1-5); Basic Static Route Configuration Example (1-5)...
  • Page 325: Static Routing Configuration

    Static Routing Configuration When configuring a static route, go to these sections for information you are interested in: Introduction; Configuring a Static Route; Detecting Reachability of the Static Route’s Nexthop; Displaying and Maintaining Static Routes; Static Route Configuration Example. The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. Introduction Static Route A static route is manually configured.
  • Page 326: Application Environment Of Static Routing

    The network administrator can configure a default route with both destination and mask being 0.0.0.0. The router forwards any packet whose destination address fails to match any entry in the routing table to the next hop of the default static route. Some dynamic routing protocols, such as RIP.
  • Page 327: Configuration Procedure

    Configuration Procedure Follow these steps to configure a static route: Enter system view: system-view. Configure a static route: ip route-static dest-address { mask | mask-length } { next-hop-address | interface-type interface-number next-hop-address } [ preference preference-value ]... (Required; by default, preference for static routes is 60,...
  • Page 328: Displaying And Maintaining Static Routes

    Network requirements To detect the reachability of a static route's nexthop through a Track entry, you need to create a Track first. For detailed Track configuration procedure, refer to Track Configuration in the High Availability Volume. Configuration procedure Follow these steps to detect the reachability of a static route's nexthop through Track: To do…...
  • Page 329: Static Route Configuration Example

    Static Route Configuration Example Basic Static Route Configuration Example Network requirements The IP addresses and masks of the switches and hosts are shown in the following figure. Static routes are required for interconnection between any two hosts. Figure 1-1 Network diagram for static route configuration Configuration procedure Configuring IP addresses for interfaces (omitted) Configuring static routes...
  • Page 330
    Destination/Mask   Proto   Cost  NextHop    Interface
    0.0.0.0/0          Static  60    1.1.4.2    Vlan500
    1.1.2.0/24         Direct  0     1.1.2.3    Vlan300
    1.1.2.3/32         Direct  0     127.0.0.1  InLoop0
    1.1.4.0/30         Direct  0     1.1.4.1    Vlan500
    1.1.4.1/32         Direct  0     127.0.0.1  InLoop0
    127.0.0.0/8        Direct  0     127.0.0.1  InLoop0
    127.0.0.1/32       Direct  0     127.0.0.1  InLoop0
    # Display the IP routing table of Switch B.
  • Page 331
    <1 ms  <1 ms  <1 ms  1.1.6.1
    <1 ms  <1 ms  <1 ms  1.1.4.1
     1 ms  <1 ms  <1 ms  1.1.2.2
    Trace complete.
  • Page 332 Table of Contents: 1 RIP Configuration 1-1; RIP Overview 1-1; Operation of RIP 1-1; Operation of RIP 1-2; RIP Version 1-2; RIP Message Format 1-3; Supported RIP Features 1-5; Protocols and Standards 1-5; Configuring RIP Basic Functions 1-5; Configuration Prerequisites 1-5; Configuration Procedure 1-5; Configuring RIP Route Control 1-7; Configuring an Additional Routing Metric 1-7; Configuring RIPv2 Route Summarization 1-8; Disabling Host Route Reception 1-9...
  • Page 333: RIP Configuration

    RIP Configuration The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. When configuring RIP, go to these sections for information you are interested in: RIP Overview Configuring RIP Basic Functions Configuring RIP Route Control Configuring RIP Network Optimization Displaying and Maintaining RIP...
  • Page 334: Operation Of Rip

    Egress interface: Packet outgoing interface. Metric: Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated. Route tag: Identifies a route, used in a routing policy to flexibly control routes. For information about routing policy, refer to Routing Policy Configuration in the IP Routing Volume.
  • Page 335: RIP Message Format

    RIPv1, a classful routing protocol, supports message advertisement via broadcast only. RIPv1 protocol messages do not carry mask information, which means RIPv1 can only recognize routing information of natural networks such as Class A, B, and C. That is why RIPv1 does not support discontiguous subnets. RIPv2 is a classless routing protocol.
  • Page 336 RIPv2 message format The format of a RIPv2 message is similar to that of RIPv1, as shown in Figure 1-2. Figure 1-2 RIPv2 Message Format The differences from RIPv1 are as follows. Version: Version of RIP. For RIPv2 the value is 0x02. Route Tag: Route Tag. IP Address: Destination IP address.
  • Page 337: Protocols And Standards

    RFC 1723 only defines plain text authentication. For information about MD5 authentication, refer to RFC 2453 “RIP Version 2”. With RIPv1, you can configure the authentication mode in interface view. However, the configuration will not take effect because RIPv1 does not support authentication. Supported RIP Features The current implementation supports the following RIP features.
  • Page 338 If you make some RIP configurations in interface view before enabling RIP, those configurations will take effect after RIP is enabled. RIP runs only on the interfaces residing on the specified networks. Therefore, you need to specify the network after enabling RIP for RIP to take effect on a specific interface. You can enable RIP on all interfaces using the command network 0.0.0.0.
  • Page 339: Configuring RIP Route Control

    Follow these steps to configure a RIP version: Enter system view: system-view (––). Enter RIP view: rip [ process-id ] (––). The following step is optional: by default, if an interface has a RIP version specified, the version takes precedence over the global one.
  • Page 340: Configuring RIPv2 Route Summarization

    Enter system view: system-view (––). Enter interface view: interface interface-type interface-number (––). Define an inbound additional routing metric: rip metricin [ route-policy route-policy-name ] value (Optional; 0 by default). Define an outbound additional routing metric: rip metricout [ route-policy route-policy-name ] value (Optional; 1 by default)...
  • Page 341: Disabling Host Route Reception

    You need to disable RIPv2 route automatic summarization before advertising a summary route on an interface. Disabling Host Route Reception Sometimes a router may receive from the same network many host routes, which are not helpful for routing and consume a large amount of network resources. In this case, you can disable RIP from receiving host routes to save network resources.
  • Page 342: Configuring Inbound/Outbound Route Filtering

    Configure the RIP interface to advertise a default route: rip default-route { { only | originate } [ cost cost ] | no-originate } (Optional. By default, a RIP interface can advertise a default route if the RIP process is configured with default route advertisement.)
  • Page 343: Configuring RIP Route Redistribution

    Enter system view: system-view (––). Enter RIP view: rip [ process-id ] (––). Configure a priority for RIP: preference [ route-policy route-policy-name ] value (Optional; 100 by default). Configuring RIP Route Redistribution If a router runs RIP and other routing protocols, you can configure RIP to redistribute static or direct routes.
  • Page 344: Configuring Split Horizon And Poison Reverse

    Configure values for RIP timers: timers { garbage-collect garbage-collect-value | suppress suppress-value | timeout timeout-value | update update-value } * (Optional. The default update timer, timeout timer, suppress timer, and garbage-collect timer are 30s, 180s, 120s and 120s respectively.)
  • Page 345: Enabling Zero Field Check On Incoming RIPv1 Messages

    Enter interface view: interface interface-type interface-number (—). Enable poison reverse: rip poison-reverse (Required; disabled by default). Enabling Zero Field Check on Incoming RIPv1 Messages Some fields in the RIPv1 message must be zero. These fields are called zero fields. You can enable zero field check on received RIPv1 messages.
  • Page 346: Configuring RIPv2 Message Authentication

    Configuring RIPv2 Message Authentication In a network requiring high security, you can configure this task to implement RIPv2 message validity check and authentication. RIPv2 supports two authentication modes: plain text and MD5. In plain text authentication, the authentication information is sent with the RIP message, which however cannot meet high security needs.
  • Page 347: Configuring RIP-To-MIB Binding

    You need not use the peer ip-address command when the neighbor is directly connected; otherwise the neighbor may receive both the unicast and multicast (or broadcast) of the same routing information. If a specified neighbor is not directly connected, you need to disable source address check on incoming updates.
  • Page 348: RIP Configuration Examples

    Display RIP interface information: display rip process-id interface [ interface-type interface-number ]. Display routing information about a specified RIP process: display rip process-id route [ ip-address { mask | mask-length } | peer ip-address | statistics ]. Clear the statistics of a RIP …: reset rip process-id statistics (Available in user view)...
  • Page 349
    # Configure Switch A.
    [SwitchA] rip
    [SwitchA-rip-1] network 192.168.1.0
    [SwitchA-rip-1] network 172.16.0.0
    [SwitchA-rip-1] network 172.17.0.0
    # Configure Switch B.
    [SwitchB] rip
    [SwitchB-rip-1] network 192.168.1.0
    [SwitchB-rip-1] network 10.0.0.0
    # Display the RIP routing table of Switch A.
    [SwitchA] display rip 1 route
    Route Flags: R - RIP, T - TRIP
                 P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
    --------------------------------------------------------------------------...
  • Page 350: Configuring RIP Route Redistribution

    Since the routing information advertised by RIPv1 has a long aging time, it will still exist until it ages out after RIPv2 is configured. Configuring RIP Route Redistribution Network requirements As shown in the following figure: Two RIP processes are running on Switch B, which communicates with Switch A through RIP 100 and with Switch C through RIP 200.
  • Page 351
    [SwitchB] rip 200
    [SwitchB-rip-200] network 12.0.0.0
    [SwitchB-rip-200] version 2
    [SwitchB-rip-200] undo summary
    [SwitchB-rip-200] quit
    # Enable RIP 200 and specify RIP version 2 on Switch C.
    <SwitchC> system-view
    [SwitchC] rip 200
    [SwitchC-rip-200] network 12.0.0.0
    [SwitchC-rip-200] network 16.0.0.0
    [SwitchC-rip-200] version 2
    [SwitchC-rip-200] undo summary
    # Display the routing table of Switch C.
  • Page 352: Configuring An Additional Metric For A RIP Interface

    [SwitchB] acl number 2000
    [SwitchB-acl-basic-2000] rule deny source 10.2.1.1 0.0.0.255
    [SwitchB-acl-basic-2000] rule permit
    [SwitchB-acl-basic-2000] quit
    [SwitchB] rip 200
    [SwitchB-rip-200] filter-policy 2000 export rip 100
    # Display the routing table of Switch C.
    [SwitchC] display ip routing-table
    Routing Tables: Public
        Destinations : 7        Routes : 7
    Destination/Mask    Proto...
  • Page 353
    [SwitchA-rip-1] network 1.0.0.0
    [SwitchA-rip-1] version 2
    [SwitchA-rip-1] undo summary
    [SwitchA-rip-1] quit
    # Configure Switch B.
    <SwitchB> system-view
    [SwitchB] rip 1
    [SwitchB-rip-1] network 1.0.0.0
    [SwitchB-rip-1] version 2
    [SwitchB-rip-1] undo summary
    # Configure Switch C.
    <SwitchC> system-view
    [SwitchC] rip 1
    [SwitchC-rip-1] network 1.0.0.0
    [SwitchC-rip-1] version 2
    [SwitchC-rip-1] undo summary
    # Configure Switch D.
  • Page 354: Troubleshooting RIP

    [SwitchA-Vlan-interface200] display rip 1 database
    1.0.0.0/8, cost 0, ClassfulSumm
        1.1.1.0/24, cost 0, nexthop 1.1.1.1, Rip-interface
        1.1.2.0/24, cost 0, nexthop 1.1.2.1, Rip-interface
        1.1.3.0/24, cost 1, nexthop 1.1.1.2
        1.1.4.0/24, cost 2, nexthop 1.1.1.2
        1.1.5.0/24, cost 2, nexthop 1.1.1.2
    The display shows that there is only one RIP route to network 1.1.5.0/24, with the next hop as Switch B (1.1.1.2) and a cost of 2.
  • Page 355 Table of Contents: 1 IPv6 Static Routing Configuration 1-1; Introduction to IPv6 Static Routing 1-1; Features of IPv6 Static Routes 1-1; Default IPv6 Route 1-1; Configuring an IPv6 Static Route 1-1; Configuration prerequisites 1-1; Configuring an IPv6 Static Route 1-2; Displaying and Maintaining IPv6 Static Routes 1-2; IPv6 Static Routing Configuration Example 1-2...
  • Page 356: IPv6 Static Routing Configuration

    IPv6 Static Routing Configuration When configuring IPv6 Static Routing, go to these sections for information you are interested in: Introduction to IPv6 Static Routing Configuring an IPv6 Static Route Displaying and Maintaining IPv6 Static Routes IPv6 Static Routing Configuration Example The term “router”...
  • Page 357: Displaying And Maintaining IPv6 Static Routes

    Enabling IPv6 packet forwarding. Ensuring that the neighboring nodes are IPv6 reachable. Configuring an IPv6 Static Route Follow these steps to configure an IPv6 static route: Enter system view: system-view (—). Configure an IPv6 static route: ipv6 route-static ipv6-address prefix-length [ interface-type ... (Required; the default ...)
  • Page 358
    Configuration procedure
    Configure the IPv6 addresses of all VLAN interfaces (Omitted)
    Configure IPv6 static routes.
    # Configure the default IPv6 static route on SwitchA.
    <SwitchA> system-view
    [SwitchA] ipv6 route-static :: 0 4::2
    # Configure two IPv6 static routes on SwitchB.
    <SwitchB>...
  • Page 359
    Reply from 3::1 bytes=56 Sequence=1 hop limit=254 time = 63 ms
    Reply from 3::1 bytes=56 Sequence=2 hop limit=254 time = 62 ms
    Reply from 3::1 bytes=56 Sequence=3 hop limit=254 time = 62 ms
    Reply from 3::1 bytes=56 Sequence=4 hop limit=254 time = 63 ms
    Reply from 3::1 bytes=56 Sequence=5 hop limit=254...
  • Page 360 Table of Contents: 1 RIPng Configuration 1-1; Introduction to RIPng 1-1; RIPng Working Mechanism 1-1; RIPng Packet Format 1-2; RIPng Packet Processing Procedure 1-3; Protocols and Standards 1-3; Configuring RIPng Basic Functions 1-3; Configuration Prerequisites 1-3; Configuration Procedure 1-4; Configuring RIPng Route Control 1-4; Configuring an Additional Routing Metric 1-4; Configuring RIPng Route Summarization 1-5; Advertising a Default Route 1-5...
  • Page 361: RIPng Configuration

    RIPng Configuration When configuring RIPng, go to these sections for information you are interested in: Introduction to RIPng Configuring RIPng Basic Functions Configuring RIPng Route Control Tuning and Optimizing the RIPng Network Displaying and Maintaining RIPng RIPng Configuration Example The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. Introduction to RIPng RIP next generation (RIPng) is an extension of RIP-2, the IPv4 version of RIP, to support IPv6.
  • Page 362: RIPng Packet Format

    Each RIPng router maintains a routing database, including route entries of all reachable destinations. A route entry contains the following information: Destination address: IPv6 address of a host or a network. Next hop address: IPv6 address of a neighbor along the path to the destination. Egress interface: Outbound interface that forwards IPv6 packets.
  • Page 363: RIPng Packet Processing Procedure

    Figure 1-3 IPv6 prefix RTE format (fields: IPv6 prefix (16 octets), Route tag, Prefix length, Metric). IPv6 prefix: Destination IPv6 address prefix. Route tag: Route tag. Prefix length: Length of the IPv6 address prefix. Metric: Cost of a route. RIPng Packet Processing Procedure Request packet When a RIPng router first starts or needs to update some entries in its routing table, generally a multicast request packet is sent to ask for needed routes from neighbors.
  • Page 364: Configuration Procedure

    Configure an IP address for each interface, and make sure all nodes are reachable to one another. Configuration Procedure Follow these steps to configure the basic RIPng functions: Enter system view: system-view (––). Create a RIPng process and enter RIPng view: ripng [ process-id ] (Required)...
  • Page 365: Configuring RIPng Route Summarization

    The inbound additional metric is added to the metric of a received route before the route is added into the routing table, so the route’s metric is changed. Follow these steps to configure an inbound/outbound additional routing metric: To do… Use the command…...
  • Page 366: Configuring A RIPng Route Filtering Policy

    Configuring a RIPng Route Filtering Policy You can reference a configured IPv6 ACL or prefix list to filter received/advertised routing information as needed. For filtering outbound routes, you can also specify a routing protocol from which to filter routing information redistributed. Follow these steps to configure a RIPng route filtering policy: To do…...
  • Page 367: Tuning And Optimizing The RIPng Network

    Tuning and Optimizing the RIPng Network This section describes how to tune and optimize the performance of the RIPng network as well as applications under special network environments. Before tuning and optimizing the RIPng network, complete the following tasks: Configure a network layer address for each interface Configure the basic RIPng functions This section covers the following topics: Configuring RIPng Timers...
  • Page 368: Configuring Zero Field Check On RIPng Packets

    same interface to prevent routing loops between neighbors. Follow these steps to configure split horizon: Enter system view: system-view (––). Enter interface view: interface interface-type interface-number (––). Enable the split horizon function: ripng split-horizon (Optional; enabled by default). Generally, it is recommended that you enable split horizon to prevent routing loops.
  • Page 369: Displaying And Maintaining RIPng

    Displaying and Maintaining RIPng Display configuration information of a RIPng process: display ripng [ process-id ] (Available in any view). Display routes in the RIPng database: display ripng process-id database (Available in any view). Display the routing information: display ripng process-id route (Available in any view)...
  • Page 370
    [SwitchB] interface vlan-interface 200
    [SwitchB-Vlan-interface200] ripng 1 enable
    [SwitchB-Vlan-interface200] quit
    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ripng 1 enable
    [SwitchB-Vlan-interface100] quit
    # Configure Switch C.
    <SwitchC> system-view
    [SwitchC] ripng 1
    [SwitchC-ripng-1] quit
    [SwitchC] interface vlan-interface 200
    [SwitchC-Vlan-interface200] ripng 1 enable
    [SwitchC-Vlan-interface200] quit
    [SwitchC] interface vlan-interface 500
    [SwitchC-Vlan-interface500] ripng 1 enable
    [SwitchC-Vlan-interface500] quit...
  • Page 371
        via FE80::200:2FF:FE64:8904, cost 2, tag 0, A, 31 Sec
    Dest 5::/64,
        via FE80::200:2FF:FE64:8904, cost 2, tag 0, A, 31 Sec
    Dest 3::/64,
        via FE80::200:2FF:FE64:8904, cost 1, tag 0, A, 31 Sec
    Configure Switch B to filter incoming and outgoing routes.
    [SwitchB] acl ipv6 number 2000
    [SwitchB-acl6-basic-2000] rule deny source 3::/64
    [SwitchB-acl6-basic-2000] rule permit...
  • Page 372 Table of Contents: 1 Route Policy Configuration 1-1; Introduction to Route Policy 1-1; Route Policy 1-1; Filters 1-1; Route Policy Application 1-2; Route Policy Configuration Task List 1-2; Defining Filters 1-2; Prerequisites 1-2; Defining an IP-prefix List 1-3; Configuring a Route Policy 1-4; Prerequisites 1-4; Creating a Route Policy 1-4; Defining if-match Clauses 1-5...
  • Page 373: Route Policy Configuration

    Route Policy Configuration A route policy is used on a router for route filtering and attribute modification when routes are received, advertised, or redistributed. When configuring route policy, go to these sections for information you are interested in: Introduction to Route Policy Route Policy Configuration Task List Defining Filters Configuring a Route Policy...
  • Page 374: Route Policy Application

    An IP prefix list is configured to match the destination address of routing information. Moreover, you can use the gateway option to allow only routing information from certain routers to be received. For gateway option information, refer to RIP Commands in the IP Routing Volume. An IP prefix list, identified by name, can comprise multiple items.
  • Page 375: Defining An IP-Prefix List

    Defining an IP-prefix List Define an IPv4 prefix list Identified by name, an IPv4 prefix list can comprise multiple items. Each item specifies a prefix range to match and is identified by an index number. An item with a smaller index number is matched first. If one item is matched, the IP prefix list is passed, and the routing information will not go to the next item.
  • Page 376: Configuring A Route Policy

    If all items are set to the deny mode, no routes can pass the IPv6 prefix list. Therefore, you need to define the permit :: 0 less-equal 128 item following multiple deny items to allow other IPv6 routing information to pass. For example, the following configuration filters routes 2000:1::/48, 2000:2::/48 and 2000:3::/48, but allows other routes to pass.
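    The prefix-list rules in the two passages above (items tried in index order, first match wins, exact-length match unless greater-equal/less-equal widens the range, and the implicit deny that makes the trailing "permit :: 0 less-equal 128" necessary) modelled in Python as an added example, not code from the H3C manual. The range rule for greater-equal/less-equal is my reading of the command syntax and is marked as an assumption in the comments; the lists themselves are constructed from the page's example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class PrefixItem:
    """One item of a prefix list, i.e. one line of the form
    ip ipv6-prefix NAME index INDEX { permit | deny } PREFIX LENGTH
        [ greater-equal MIN ] [ less-equal MAX ]
    (IPv4 items created with ip ip-prefix carry the same fields)."""
    index: int
    action: str                        # "permit" or "deny"
    prefix: str                        # e.g. "2000:1::"
    length: int                        # e.g. 48
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: str) -> bool:
        """True when the route lies inside PREFIX/LENGTH and its own prefix
        length is in the item's allowed range.  Range rule (assumption drawn
        from the command syntax, not stated on the page): no option means
        exactly LENGTH; greater-equal alone means [MIN, 32 or 128];
        less-equal alone means [LENGTH, MAX]; both means [MIN, MAX]."""
        item_net = ipaddress.ip_network(f"{self.prefix}/{self.length}", strict=False)
        route_net = ipaddress.ip_network(route, strict=False)
        if route_net.version != item_net.version:
            return False
        low = self.length if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            high = self.less_equal
        elif self.greater_equal is not None:
            high = item_net.max_prefixlen
        else:
            high = self.length
        return route_net.subnet_of(item_net) and low <= route_net.prefixlen <= high


class PrefixList:
    """Items are tried in ascending index order and the first match decides;
    a route matching no item is denied (the implicit deny at the end)."""

    def __init__(self, name: str, items: Iterable[PrefixItem]):
        self.name = name
        self.items: List[PrefixItem] = sorted(items, key=lambda it: it.index)

    def evaluate(self, route: str) -> str:
        for item in self.items:
            if item.matches(route):
                return item.action
        return "deny"

    def evaluate_all(self, routes: Iterable[str]) -> Dict[str, str]:
        return {route: self.evaluate(route) for route in routes}


# Constructed lists.  FILTER_THREE is the page's own example: drop
# 2000:1::/48, 2000:2::/48 and 2000:3::/48 and let everything else pass.
FILTER_THREE = PrefixList("filter-three", [
    PrefixItem(40, "permit", "::", 0, less_equal=128),   # listed first on purpose:
    PrefixItem(10, "deny", "2000:1::", 48),              # index order, not entry
    PrefixItem(20, "deny", "2000:2::", 48),              # order, decides
    PrefixItem(30, "deny", "2000:3::", 48),
])

# The same deny items without the trailing "permit :: 0 less-equal 128":
# every route falls through to the implicit deny.
DENY_ONLY = PrefixList("deny-only", [it for it in FILTER_THREE.items if it.action == "deny"])

# A constructed IPv4 list showing the greater-equal/less-equal range:
# accept only 10.0.0.0/8 subnets whose length is between 16 and 24 inclusive.
IPV4_RANGE = PrefixList("ipv4-range", [
    PrefixItem(10, "permit", "10.0.0.0", 8, greater_equal=16, less_equal=24),
])

if __name__ == "__main__":
    sample = ["2000:1::/48", "2000:1:1::/64", "2000:2::/48", "3000::/32"]
    for label, plist in (("with trailing permit", FILTER_THREE), ("deny only", DENY_ONLY)):
        print(label, plist.evaluate_all(sample))
```

    Note that a deny item without greater-equal/less-equal matches only routes of exactly its length, so 2000:1:1::/64 still passes FILTER_THREE; a list that must also drop longer prefixes inside 2000:1::/48 needs less-equal 128 on the deny item.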
  • Page 377: Defining If-Match Clauses

    If a route policy node has the permit keyword specified, routing information matching all the if-match clauses of the node will be handled using the apply clauses of this node, without needing to match against the next node. If routing information does not match the node, it will go to the next node for a match.
  • Page 378: Defining Apply Clauses

    The if-match clauses of a route policy node are in a logical AND relationship, namely, routing information has to satisfy all its if-match clauses before its apply clauses are executed. You can specify zero or more if-match clauses for a route policy node. If no if-match clause is specified, and the route policy node is in permit mode, all routing information can pass the node.
  • Page 379: Displaying And Maintaining The Route Policy

    Displaying and Maintaining the Route Policy Display IPv4 prefix list statistics: display ip ip-prefix [ ip-prefix-name ] (Available in any view). Display IPv6 prefix list statistics: display ip ipv6-prefix [ ipv6-prefix-name ] (Available in any view). Display route policy information: display route-policy [ route-policy-name ] (Available in any view). Clear IPv4 prefix list statistics: reset ip ip-prefix [ ip-prefix-name ]...
  • Page 380: Applying A Route Policy To IPv6 Route Redistribution

    [SwitchA-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255
    [SwitchA-acl-basic-2000] rule permit source any
    [SwitchA-acl-basic-2000] quit
    # Redistribute static routes.
    [SwitchA] rip
    [SwitchA-rip-1] import-route static
    # Apply ACL 2000 to filter the routing information to be advertised to Switch B.
    [SwitchA-rip-1] filter-policy 2000 export vlan-interface 100
    [SwitchA-rip-1] quit
    Configure Switch B.
  • Page 381
    Figure 1-2 Network diagram for route policy application to route redistribution
    Configuration procedure
    Configure Switch A.
    # Configure IPv6 addresses for VLAN-interface 100 and VLAN-interface 200.
    <SwitchA> system-view
    [SwitchA] ipv6
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ipv6 address 10::1 32
    [SwitchA-Vlan-interface100] quit
    [SwitchA] interface vlan-interface 200
    [SwitchA-Vlan-interface200] ipv6 address 11::1 32
    [SwitchA-Vlan-interface200] quit...
  • Page 382: Troubleshooting Route Policy Configuration

    [SwitchB-Vlan-interface100] ripng 1 enable
    [SwitchB-Vlan-interface100] quit
    # Enable RIPng.
    [SwitchB] ripng
    # Display RIPng routing table information.
    [SwitchB-ripng-1] display ripng 1 route
    Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
    ----------------------------------------------------------------
    Peer FE80::7D58:0:CA03:1 on Vlan-interface 100
    Dest 10::/32,
        via FE80::7D58:0:CA03:1, cost 1, tag 0, A, 18 Sec
    Dest 20::/32,...
  • Page 383 IP Multicast Volume Organization. Manual Version: 20090930-C-1.01. Product Version: Release 2202. The IP Multicast Volume is organized as follows (Features / Description): Multicast Overview: This document describes the main concepts in multicast: Introduction to Multicast, Multicast Models, Multicast Architecture, Multicast Packets Forwarding Mechanism. Running at the data link layer, IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control.
  • Page 384 Table of Contents: 1 Multicast Overview 1-1; Introduction to Multicast 1-1; Comparison of Information Transmission Techniques 1-1; Features of Multicast 1-4; Common Notations in Multicast 1-5; Advantages and Applications of Multicast 1-5; Multicast Models 1-5; Multicast Architecture 1-6; Multicast Addresses 1-7; Multicast Protocols 1-10; Multicast Packet Forwarding Mechanism 1-12...
  • Page 385: Multicast Overview

    Multicast Overview This manual chiefly focuses on the IP multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to IP multicast. Introduction to Multicast As a technique coexisting with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission.
  • Page 386 Figure 1-1 Unicast transmission (diagram: Source and Host A through Host E on an IP network; Host B, Host D and Host E are receivers, and the source sends a separate copy of the packets for Host B, for Host D and for Host E). Assume that Host B, Host D and Host E need the information. A separate transmission channel needs to be established from the information source to each of these hosts.
  • Page 387 Figure 1-2 Broadcast transmission Assume that only Host B, Host D, and Host E need the information. If the information is broadcast to the subnet, Host A and Host C also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet.
  • Page 388: Features Of Multicast

    Figure 1-3 Multicast transmission The multicast source (Source in the figure) sends only one copy of the information to a multicast group. Host B, Host D and Host E, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the information based on the distribution of the group members.
  • Page 389: Common Notations In Multicast

    For a better understanding of the multicast concept, you can compare multicast transmission to the transmission of TV programs, as shown in Table 1-1. Table 1-1 An analogy between TV transmission and multicast transmission: TV transmission: A TV station transmits a TV program through a channel. Multicast transmission: A multicast source sends multicast data to a...
  • Page 390: Multicast Architecture

    ASM model In the ASM model, any sender can send information to a multicast group as a multicast source, and any number of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of the position of multicast sources in advance.
  • Page 391: Multicast Addresses

    Multicast Addresses
    To allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely, multicast IP addresses must be provided. In addition, a technique must be available to map multicast IP addresses to link-layer multicast MAC addresses.
    IP multicast addresses
    IPv4 multicast addresses
    Internet Assigned Numbers Authority (IANA) assigned the Class D address space (224.0.0.0 to 239.255.255.255) for IPv4 multicast.
  • Page 392
    Address | Description
    --------|------------
    224.0.0.7 | Shared Tree (ST) routers
    224.0.0.8 | ST hosts
    224.0.0.9 | Routing Information Protocol version 2 (RIPv2) routers
    224.0.0.11 | Mobile agents
    224.0.0.12 | Dynamic Host Configuration Protocol (DHCP) server/relay agent
    224.0.0.13 | All Protocol Independent Multicast (PIM) routers
    224.0.0.14 | Resource Reservation Protocol (RSVP) encapsulation
    224.0.0.15 | All Core-Based Tree (CBT) routers
    224.0.0.16 | ...
  • Page 393
    Description: When set to 0, it indicates that this address is an IPv6 multicast address permanently assigned by IANA. When set to 1, it indicates that this address is a transient, or dynamically assigned, IPv6 multicast address.
    Scope: 4 bits, indicating the scope of the IPv6 internetwork for which the multicast traffic is intended. Possible values of this field are given in Table 1-5.
  • Page 394: Multicast Protocols

    The high-order four bits of a multicast IPv4 address are 1110, indicating that this address is a multicast address, and only 23 of the remaining 28 bits are mapped to a MAC address, so five bits of the multicast IPv4 address are lost. As a result, 32 multicast IPv4 addresses map to the same MAC address. Therefore, in Layer 2 multicast forwarding, a device may receive some multicast data addressed to other IPv4 multicast groups, and such redundant data needs to be filtered by the upper layer.
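    As an added example that is not from the H3C manual, the following Python works through the address mapping just described with this manual's own groups (224.1.1.1 and 225.1.1.1, which share MAC 0100-5e01-0101, and FF1E::101 for IPv6); the IPv6 mapping follows RFC 2464 (33-33 plus the low 32 bits), and the helper names are assumptions.

```python
# Added example (not from the H3C manual): IP multicast group -> link-layer
# multicast MAC mapping, showing why 32 IPv4 groups share one MAC and why the
# upper layer must still filter on the IP group address. Helper names are mine.
import ipaddress

IPV4_MCAST_MAC_PREFIX = 0x01005E      # 01-00-5e, followed by 23 bits of the group
IPV6_MCAST_MAC_PREFIX = 0x3333        # 33-33, followed by the low 32 bits (RFC 2464)


def format_mac(mac: int) -> str:
    """Render a 48-bit MAC in the switch's display style, e.g. 0100-5e01-0101."""
    digits = f"{mac:012x}"
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def ipv4_group_to_mac(group: str) -> str:
    """Map an IPv4 group (224.0.0.0/4) to its MAC: only the low 23 bits survive."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a Class D multicast address")
    low23 = int(addr) & 0x7F_FFFF       # the 5 bits below the 1110 prefix are dropped
    return format_mac((IPV4_MCAST_MAC_PREFIX << 24) | low23)


def ipv6_group_to_mac(group: str) -> str:
    """Map an IPv6 group (FF00::/8) to its MAC: 33-33 plus the low 32 bits."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(addr) & 0xFFFF_FFFF
    return format_mac((IPV6_MCAST_MAC_PREFIX << 32) | low32)


def ipv4_groups_sharing_mac(group: str) -> list:
    """All 32 IPv4 groups whose frames carry the same destination MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7F_FFFF
    base = 0xE000_0000                   # 224.0.0.0; bits 23..27 are the lost five
    return [str(ipaddress.IPv4Address(base | (i << 23) | low23)) for i in range(32)]


def should_deliver(dst_mac: str, dst_ip: str, joined_groups: set) -> bool:
    """Upper-layer filter a receiver applies after the Layer 2 MAC match.

    A Layer 2 switch forwards on the MAC, so a host that joined 224.1.1.1 also
    receives frames for 225.1.1.1; it must compare the IP group before use.
    """
    if ipv4_group_to_mac(dst_ip) != dst_mac.lower():
        return False                     # MAC does not belong to this IP group
    return dst_ip in joined_groups


if __name__ == "__main__":
    for g in ("224.1.1.1", "225.1.1.1"):
        print(g, "->", ipv4_group_to_mac(g))
    print("FF1E::101 ->", ipv6_group_to_mac("FF1E::101"))
    print("groups sharing 0100-5e01-0101:", ipv4_groups_sharing_mac("224.1.1.1"))
    print(should_deliver("0100-5e01-0101", "225.1.1.1", {"224.1.1.1"}))  # False
```

    The defensive consequence on a Layer 2 network like the querier example, where 224.1.1.1 and 225.1.1.1 coexist, is that a snooping switch keyed on the MAC group may deliver both streams to a member of either group, so receivers must discard the group they did not join.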
  • Page 395 Figure 1-8 Positions of Layer 3 multicast protocols
    Multicast management protocols
    Typically, the internet group management protocol (IGMP) or multicast listener discovery protocol (MLD) is used between hosts and Layer 3 multicast devices directly connected with the hosts. These protocols define the mechanism of establishing and maintaining group memberships between hosts and Layer 3 multicast devices.
  • Page 396: Multicast Packet Forwarding Mechanism

    Figure 1-9 Position of Layer 2 multicast protocols (figure: Source, Multicast VLAN/IPv6 Multicast VLAN, IGMP Snooping/MLD Snooping, Receivers; IPv4/IPv6 multicast packets)
    IGMP Snooping/MLD Snooping
    Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) and Multicast Listener Discovery Snooping (MLD Snooping) are multicast constraining mechanisms that manage and control multicast groups by listening to and analyzing IGMP or MLD messages exchanged between the hosts and Layer 3 multicast devices, thus effectively controlling the flooding of multicast data in a Layer 2 network.
  • Page 397 Table of Contents
    1 IGMP Snooping Configuration (1-1)
      IGMP Snooping Overview (1-1)
        Principle of IGMP Snooping (1-1)
        Basic Concepts in IGMP Snooping (1-2)
        How IGMP Snooping Works (1-3)
        Protocols and Standards (1-5)
      IGMP Snooping Configuration Task List (1-5)
      Configuring Basic Functions of IGMP Snooping (1-6)
        Configuration Prerequisites (1-6)
        Enabling IGMP Snooping (1-6)
        Configuring the Version of IGMP Snooping (1-7) ...
  • Page 398: Igmp Snooping Configuration

    IGMP Snooping Configuration
    When configuring IGMP Snooping, go to the following sections for information you are interested in:
    IGMP Snooping Overview
    IGMP Snooping Configuration Task List
    Displaying and Maintaining IGMP Snooping
    IGMP Snooping Configuration Examples
    Troubleshooting IGMP Snooping Configuration
    IGMP Snooping Overview
    Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
  • Page 399: Basic Concepts In Igmp Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth.
    Enhancing the security of multicast traffic.
    Facilitating the implementation of per-host accounting.
    Basic Concepts in IGMP Snooping
    IGMP Snooping related ports
    As shown in Figure 1-2, Router A connects to the multicast source, IGMP Snooping runs on Switch A and Switch B, Host A and Host C are receiver hosts (namely, multicast group members).
  • Page 400: How Igmp Snooping Works

    Aging timers for dynamic ports in IGMP Snooping and related messages and actions
    Table 1-1 Aging timers for dynamic ports in IGMP Snooping and related messages and actions
    Timer | Description | Message before expiry | Action after expiry
    ------|-------------|-----------------------|--------------------
    Dynamic router port ... | For each dynamic router port, the switch ... | IGMP general query of ... | The switch removes ...
  • Page 401 When receiving a membership report
    A host sends an IGMP report to the IGMP querier in the following circumstances:
    Upon receiving an IGMP query, a multicast group member host responds with an IGMP report.
    When intended to join a multicast group, a host sends an IGMP report to the IGMP querier to announce that it is interested in the multicast information addressed to that group.
  • Page 402: Protocols And Standards

    Upon receiving the IGMP leave message from a host, the IGMP querier resolves the multicast group address in the message and sends an IGMP group-specific query to that multicast group through the port that received the leave message. Upon receiving the IGMP group-specific query, the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group, and performs the following to the port on which it received the IGMP leave message: If any IGMP report in response to the group-specific query is received on the port (suppose it is a...
  • Page 403: Configuring Basic Functions Of Igmp Snooping

    Configurations made in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. For a given VLAN, a configuration made in IGMP Snooping view is effective only if the same configuration is not made in VLAN view.
  • Page 404: Configuring The Version Of Igmp Snooping

    IGMP Snooping must be enabled globally before it can be enabled in a VLAN. When you enable IGMP Snooping in a specified VLAN, this function takes effect for the ports in this VLAN only.
    Configuring the Version of IGMP Snooping
    By configuring an IGMP Snooping version, you actually configure the version of IGMP messages that IGMP Snooping can process.
  • Page 405: Configuring Aging Timers For Dynamic Ports

    Configuring Aging Timers for Dynamic Ports
    If the switch receives no IGMP general queries or PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no IGMP reports for a multicast group on a dynamic member port, the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer of the port for that group expires.
  • Page 406: Configuring Simulated Joining

    Follow these steps to configure static ports:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number / port-group manual port-group-name | Required. Use either approach
    Configure the port(s) as static ... | igmp-snooping static-group group-address [ source-ip ... | Required
  • Page 407: Configuring Fast Leave Processing

    Follow these steps to configure simulated joining:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number / port-group manual port-group-name | Required. Use either approach
    Configure simulated (*, G) or ... | igmp-snooping host-join group-address [ source-ip ... | Required
  • Page 408: Configuring Igmp Snooping Querier

    Configuring fast leave processing on a port or a group of ports
    Follow these steps to configure fast leave processing on a port or a group of ports:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port ... | interface interface-type interface-number | Required ...
  • Page 409: Configuring Igmp Queries And Responses

    It is meaningless to configure an IGMP Snooping querier in a multicast network running IGMP. Although an IGMP Snooping querier does not take part in IGMP querier elections, it may affect IGMP querier elections because it sends IGMP general queries with a low source IP address.
    Configuring IGMP Queries and Responses
    You can tune the IGMP general query interval based on the actual conditions of the network.
  • Page 410: Configuring Source Ip Address Of Igmp Queries

    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Configure the maximum response time to IGMP general queries | igmp-snooping max-response-time interval | Optional. 10 seconds by default
    Configure the IGMP last-member query interval | igmp-snooping last-member-query-interval interval | Optional. 1 second by default
    In the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general queries.
  • Page 411: Configuring A Multicast Group Filter

    Before configuring an IGMP Snooping policy, prepare the following data:
    ACL rule for multicast group filtering
    The maximum number of multicast groups that can pass the ports
    Configuring a Multicast Group Filter
    On an IGMP Snooping-enabled switch, the configuration of a multicast group filter allows the service provider to define restrictions on multicast programs available to different users.
  • Page 412: Configuring The Function Of Dropping Unknown Multicast Data

    Disabled by default
    S5500-SI series switches, when enabled to filter IPv4 multicast data based on the source ports, are automatically enabled to filter IPv6 multicast data based on the source ports.
    Configuring the Function of Dropping Unknown Multicast Data
    Unknown multicast data refers to multicast data for which no entries exist in the IGMP Snooping forwarding table.
  • Page 413: Configuring Igmp Report Suppression

    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enable the function of dropping unknown multicast data | igmp-snooping drop-unknown | Required. Disabled by default
    Configuring IGMP Report Suppression
    When a Layer 2 device receives an IGMP report from a multicast group member, the device forwards the message to the Layer 3 device directly connected with it.
  • Page 414: Configuring Multicast Group Replacement

    When the number of multicast groups a port has joined reaches the maximum number configured, the system deletes all the forwarding entries pertaining to that port from the IGMP Snooping forwarding table, and the hosts on this port need to join the multicast groups again. If you have configured static or simulated joins on a port, however, when the number of multicast groups on the port exceeds the configured threshold, the system deletes all the forwarding entries pertaining to that port from the IGMP Snooping forwarding table and applies the static or simulated...
  • Page 415: Displaying And Maintaining Igmp Snooping

    Configuring multicast group replacement on a port or a group of ports
    Follow these steps to configure multicast group replacement on a port or a group of ports:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 ... | interface interface-type interface-number | Required ...
  • Page 416: Igmp Snooping Configuration Examples

    IGMP Snooping Configuration Examples
    Configuring Group Policy and Simulated Joining
    Network requirements
    As shown in Figure 1-3, Router A connects to the multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. IGMPv2 is required on Router A, IGMP Snooping version 2 is required on Switch A, and Router A will act as the IGMP querier on the subnet.
  • Page 417
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] quit
    Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable IGMP Snooping and the function of dropping unknown multicast traffic in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    [SwitchA-vlan100] igmp-snooping enable ...
  • Page 418: Static Port Configuration

    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Attribute: Host Port
    Host port(s):total 2 port.
    GE1/0/3 (D) ( 00:03:23 )
    GE1/0/4 (D) ( 00:04:10 )
    MAC group(s):
    MAC group address:0100-5e01-0101
    Host port(s):total 2 port.
    GE1/0/3
    GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined multicast ...
  • Page 419 Network diagram
    Figure 1-4 Network diagram for static port configuration (figure: Source, Router A as IGMP querier, Switch A, Switch B, Switch C, Host A, Host B and Host C as receivers; port and address labels GE1/0/1, GE1/0/2, GE1/0/5, 1.1.1.1/24, 1.1.1.2/24, 10.1.1.1/24)
    Configuration procedure
    Configure IP addresses
    Configure an IP address and subnet mask for each interface as per Figure ...
  • Page 420
    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] igmp-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    Configure Switch B
    # Enable IGMP Snooping globally.
    <SwitchB> system-view
    [SwitchB] igmp-snooping
    [SwitchB-igmp-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable IGMP Snooping in the VLAN.
  • Page 421
    Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
    GE1/0/1 (D) ( 00:01:30 )
    GE1/0/3
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Attribute: Host Port
    Host port(s):total 1 port.
  • Page 422: Igmp Snooping Querier Configuration

    IGMP Snooping Querier Configuration
    Network requirements
    As shown in Figure 1-5, in a Layer 2-only network environment, two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224.1.1.1 and 225.1.1.1 respectively, Host A and Host C are receivers of multicast group 224.1.1.1, while Host B and Host D are receivers of multicast group 225.1.1.1.
  • Page 423
    # Enable the IGMP-Snooping querier function in VLAN 100
    [SwitchA-vlan100] igmp-snooping querier
    # Set the source IP address of IGMP general queries and group-specific queries to 192.168.1.1 in VLAN 100.
    [SwitchA-vlan100] igmp-snooping general-query source-ip 192.168.1.1
    [SwitchA-vlan100] igmp-snooping special-query source-ip 192.168.1.1
    [SwitchA-vlan100] quit
    Configure Switch B
    # Enable IGMP Snooping globally.
  • Page 424: Troubleshooting Igmp Snooping Configuration

    Troubleshooting IGMP Snooping Configuration
    Switch Fails in Layer 2 Multicast Forwarding
    Symptom: A switch fails to implement Layer 2 multicast forwarding.
    Analysis: IGMP Snooping is not enabled.
    Solution: Enter the display current-configuration command to view the running status of IGMP Snooping. If IGMP Snooping is not enabled, use the igmp-snooping command to enable IGMP Snooping globally, and then use the igmp-snooping enable command to enable IGMP Snooping in VLAN view.
  • Page 425 Table of Contents
    1 Multicast VLAN Configuration (1-1)
      Introduction to Multicast VLAN (1-1)
      Multicast VLAN Configuration Task List (1-3)
      Configuring Sub-VLAN-Based Multicast VLAN (1-3)
        Configuration Prerequisites (1-3)
        Configuring Sub-VLAN-Based Multicast VLAN (1-3)
      Configuring Port-Based Multicast VLAN (1-4)
        Configuration Prerequisites (1-4)
        Configuring User Port Attributes (1-4)
        Configuring Multicast VLAN Ports (1-5)
      Displaying and Maintaining Multicast VLAN (1-6)
      Multicast VLAN Configuration Examples (1-6) ...
  • Page 426: Multicast Vlan Configuration

    Multicast VLAN Configuration
    When configuring multicast VLAN, go to these sections for information you are interested in:
    Introduction to Multicast VLAN
    Multicast VLAN Configuration Task List
    Configuring Sub-VLAN-Based Multicast VLAN
    Configuring Port-Based Multicast VLAN
    Displaying and Maintaining Multicast VLAN
    Multicast VLAN Configuration Examples
    Introduction to Multicast VLAN
    As shown in Figure...
  • Page 427 Figure 1-2 Sub-VLAN-based multicast VLAN (figure: Source, Router A as IGMP querier, Switch A; multicast packets enter in VLAN 10, the multicast VLAN, and reach receivers Host A, Host B and Host C in sub-VLANs VLAN 2, VLAN 3 and VLAN 4)
    After the configuration, IGMP Snooping manages router ports in the multicast VLAN and member ports in the sub-VLANs.
  • Page 428: Multicast Vlan Configuration Task List

    For information about IGMP Snooping, router ports, and member ports, refer to IGMP Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume.
    Multicast VLAN Configuration Task List
    Complete the following tasks to configure multicast VLAN:
    Task | Remarks
    -----|--------
    Configuring Sub-VLAN-Based Multicast VLAN | ...
  • Page 429: Configuring Port-Based Multicast Vlan

    The VLAN to be configured as a multicast VLAN must exist.
    The VLANs to be configured as sub-VLANs of the multicast VLAN must exist and must not be sub-VLANs of another multicast VLAN.
    The total number of sub-VLANs of a multicast VLAN must not exceed 63.
    Configuring Port-Based Multicast VLAN
    When configuring port-based multicast VLAN, you need to configure the attributes of each user port and then assign the ports to the multicast VLAN.
  • Page 430: Configuring Multicast Vlan Ports

    Follow these steps to configure user port attributes:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter port view or port group view | interface interface-type interface-number / port-group { manual port-group-name | aggregation agg-id } | Required. Use either command
    Configure the user port link ... | port link-type hybrid ... | Required
  • Page 431: Displaying And Maintaining Multicast Vlan

    Configuring multicast VLAN ports in port view or port group view
    Follow these steps to configure multicast VLAN ports in port view or port group view:
    To do… | Use this command… | Remarks
    -------|-------------------|--------
    Enter system view | system-view | —
    Configure the specified VLAN as a multicast VLAN and enter ... | multicast-vlan vlan-id | Required. Not a multicast VLAN by ...
  • Page 432
    Configure the sub-VLAN-based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs.
    Network diagram
    Figure 1-4 Network diagram for sub-VLAN-based multicast VLAN configuration (figure: Source, Router A as IGMP querier ...)
  • Page 433
    [SwitchA-vlan2] port gigabitethernet 1/0/2
    [SwitchA-vlan2] quit
    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable IGMP Snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] igmp-snooping enable
    [SwitchA-vlan10] quit ...
  • Page 434
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 0 port.
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Host port(s):total 1 port.
    GE1/0/3
    MAC group(s):
    MAC group address:0100-5e01-0101
    Host port(s):total 1 port.
  • Page 435 Port-Based Multicast VLAN Configuration
    Network requirements
    As shown in Figure 1-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/1, and to Switch A through GigabitEthernet 1/0/2. IGMPv2 is required on Router A. IGMP Snooping version 2 is required on Switch A. Router A acts as the IGMP querier.
  • Page 436
    [RouterA-GigabitEthernet1/0/1] quit
    [RouterA] interface gigabitethernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] igmp enable
    Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable IGMP Snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] igmp-snooping enable ...
  • Page 437
    Total 1 multicast-vlan(s)
    Multicast vlan 10
    subvlan list:
    no subvlan
    port list:
    GE1/0/2 GE1/0/3 GE1/0/4
    # View the IGMP Snooping multicast group information on Switch A.
    [SwitchA] display igmp-snooping group
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):10.
  • Page 438 Table of Contents
    1 MLD Snooping Configuration (1-1)
      MLD Snooping Overview (1-1)
        Introduction to MLD Snooping (1-1)
        Basic Concepts in MLD Snooping (1-2)
        How MLD Snooping Works (1-3)
        Protocols and Standards (1-5)
      MLD Snooping Configuration Task List (1-5)
      Configuring Basic Functions of MLD Snooping (1-6)
        Configuration Prerequisites (1-6)
        Enabling MLD Snooping (1-6)
        Configuring the Version of MLD Snooping (1-7) ...
  • Page 439: Mld Snooping Configuration

    MLD Snooping Configuration
    When configuring MLD Snooping, go to these sections for information you are interested in:
    MLD Snooping Overview
    MLD Snooping Configuration Task List
    Displaying and Maintaining MLD Snooping
    MLD Snooping Configuration Examples
    Troubleshooting MLD Snooping
    MLD Snooping Overview
    Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups.
  • Page 440: Basic Concepts In Mld Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth.
    Enhancing the security of multicast traffic.
    Facilitating the implementation of per-host accounting.
    Basic Concepts in MLD Snooping
    MLD Snooping related ports
    As shown in Figure 1-2, Router A connects to the multicast source, MLD Snooping runs on Switch A and Switch B, Host A and Host C are receiver hosts (namely, IPv6 multicast group members).
  • Page 441: How Mld Snooping Works

    Whenever mentioned in this document, a router port is a router-connecting port on the switch, rather than a port on a router. Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports. On an MLD Snooping-enabled switch, the ports that received MLD general queries with the source address other than 0::0 or IPv6 PIM hello messages are dynamic router ports.
  • Page 442 General queries
    The MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet. Upon receiving an MLD general query, the switch forwards it through all ports in the VLAN except the port on which it received the MLD query and performs the following:
    If the port on which the switch received the MLD query is a dynamic router port in its router port list, the switch resets the aging timer for this dynamic router port.
  • Page 443: Protocols And Standards

    If the forwarding table entry does not exist or if the outgoing port list does not contain the port, the switch discards the MLD done message instead of forwarding it to any port. If the forwarding table entry exists and the outgoing port list contains the port, the switch forwards the MLD done message to all router ports in the native VLAN.
  • Page 444: Configuring Basic Functions Of Mld Snooping

    Task | Remarks
    -----|--------
    Configuring an MLD Snooping Policy: Configuring an IPv6 Multicast Group Filter | Optional
    Configuring an MLD Snooping Policy: Configuring IPv6 Multicast Source Port Filtering | Optional
    Configuring an MLD Snooping Policy: Configuring MLD Report Suppression | Optional
    Configuring an MLD Snooping Policy: Configuring Maximum Multicast Groups that Can Be Joined on a Port | Optional
    Configuring an MLD Snooping Policy: Configuring IPv6 Multicast Group Replacement | Optional
    Configurations made in MLD Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN.
  • Page 445: Configuring Mld Snooping Port Functions

    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter VLAN view | vlan vlan-id | —
    Enable MLD Snooping in the VLAN | mld-snooping enable | Required. Disabled by default
    MLD Snooping must be enabled globally before it can be enabled in a VLAN. When you enable MLD Snooping in a specified VLAN, this function takes effect for ports in this VLAN only.
  • Page 446: Configuring Aging Timers For Dynamic Ports

    Configure the corresponding port groups
    Before configuring MLD Snooping port functions, prepare the following data:
    Aging time of dynamic router ports, aging timer of dynamic member ports, and IPv6 multicast group and IPv6 multicast source addresses
    Configuring Aging Timers for Dynamic Ports
    If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires.
  • Page 447: Configuring Simulated Joining

    Follow these steps to configure static ports:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number / port-group manual port-group-name | Required. Use either approach
    Configure the port(s) as static ... | mld-snooping static-group ipv6-group-address [ source-ip ... | Required
  • Page 448: Configuring Fast Leave Processing

    Follow these steps to configure simulated joining:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number / port-group manual port-group-name | Required. Use either approach
    Configure simulated joining | mld-snooping host-join ipv6-group-address [ source-ip ... | Required
  • Page 449: Configuring Mld Snooping Querier

    Configuring fast leave processing on a port or a group of ports
    Follow these steps to configure fast leave processing on a port or a group of ports:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 ... | interface interface-type interface-number | Required ...
  • Page 450: Configuring Mld Queries And Responses

    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Enable the MLD Snooping querier | mld-snooping querier | Required. Disabled by default
    It is meaningless to configure an MLD Snooping querier in an IPv6 multicast network running MLD. Although an MLD Snooping querier does not take part in MLD querier elections, it may affect MLD querier elections because it sends MLD general queries with a low source IPv6 address.
  • Page 451: Configuring Source Ipv6 Addresses Of Mld Queries

    Configuring MLD queries and responses in a VLAN
    Follow these steps to configure MLD queries and responses in a VLAN:
    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Configure MLD query interval | mld-snooping query-interval interval | Optional. 125 seconds by default ...
  • Page 452: Configuring An Mld Snooping Policy

    Configuring an MLD Snooping Policy
    Configuration Prerequisites
    Before configuring an MLD Snooping policy, complete the following tasks:
    Enable MLD Snooping in the VLAN
    Before configuring an MLD Snooping policy, prepare the following data:
    IPv6 ACL rule for IPv6 multicast group filtering
    The maximum number of IPv6 multicast groups that can pass the ports
    Configuring an IPv6 Multicast Group Filter
    On an MLD Snooping-enabled switch, the configuration of an IPv6 multicast group filter allows the ...
  • Page 453: Configuring Ipv6 Multicast Source Port Filtering

    To do... | Use the command... | Remarks
    ---------|--------------------|--------
    Configure an IPv6 multicast group filter | mld-snooping group-policy acl6-number [ vlan vlan-list ] | Required. By default, no group filter is configured on the current port, that is, hosts on this port can join any valid IPv6 multicast group.
  • Page 454: Configuring Mld Report Suppression

    Configuring MLD Report Suppression
    When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 device, the Layer 3 device directly connected with it will receive duplicate MLD reports from these members.
  • Page 455: Configuring Ipv6 Multicast Group Replacement

    When the number of IPv6 multicast groups that can be joined on a port reaches the configured maximum, the system deletes all the forwarding entries pertaining to that port from the MLD Snooping forwarding table, and the hosts on this port need to join IPv6 multicast groups again.
  • Page 456: Displaying And Maintaining Mld Snooping

    Configuring IPv6 multicast group replacement on a port or a group of ports
    Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —...
  • Page 457: Mld Snooping Configuration Examples

    MLD Snooping Configuration Examples Configuring IPv6 Group Policy and Simulated Joining Network requirements As shown in Figure 1-3, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. Router A is the MLD querier on the subnet. MLDv1 is required on Router A, MLD Snooping version 1 is required on Switch A, and Router A will act as the MLD querier on the subnet.
  • Page 458

    [RouterA-GigabitEthernet1/0/2] pim ipv6 dm
    [RouterA-GigabitEthernet1/0/2] quit
    Configure Switch A
    # Enable MLD Snooping globally.
    <SwitchA> system-view
    [SwitchA] mld-snooping
    [SwitchA-mld-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable MLD Snooping in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    [SwitchA-vlan100] mld-snooping enable...
  • Page 459: Static Port Configuration

    IP group address:FF1E::101
    (::, FF1E::101):
    Attribute: Host Port
    Host port(s):total 2 port.
    GE1/0/3 (D) ( 00:03:23 )
    GE1/0/4 (D) ( 00:04:10 )
    MAC group(s):
    MAC group address:3333-0000-1001
    Host port(s):total 2 port.
    GE1/0/3
    GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined IPv6 multicast group FF1E::101.
  • Page 460

    Network diagram
    Figure 1-4 Network diagram for static port configuration
    Configuration procedure
    Enable IPv6 forwarding and configure IPv6 addresses
    Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure...
  • Page 461

    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] mld-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    Configure Switch B
    # Enable MLD Snooping globally.
    <SwitchB> system-view
    [SwitchB] mld-snooping
    [SwitchB-mld-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable MLD Snooping in the VLAN.
  • Page 462

    Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
    GE1/0/1 (D) ( 00:01:30 )
    GE1/0/3
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:FF1E::101
    (::, FF1E::101):
    Attribute: Host Port
    Host port(s):total 1 port.
  • Page 463: Mld Snooping Querier Configuration

    MLD Snooping Querier Configuration Network requirements As shown in Figure 1-5, in a Layer-2-only network environment, two multicast sources Source 1 and Source 2 send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively, Host A and Host C are receivers of multicast group FF1E::101, while Host B and Host D are receivers of multicast group FF1E::102.
  • Page 464: Troubleshooting Mld Snooping

    [SwitchB] ipv6
    [SwitchB] mld-snooping
    [SwitchB-mld-snooping] quit
    # Create VLAN 100, add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 into VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    # Enable the MLD Snooping feature in VLAN 100.
    [SwitchB-vlan100] mld-snooping enable
    [SwitchB-vlan100] quit
    Configurations of Switch C and Switch D are similar to the configuration of Switch B.
  • Page 465: Configured Ipv6 Multicast Group Policy Fails To Take Effect

    Configured IPv6 Multicast Group Policy Fails to Take Effect Symptom Although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups. Analysis The IPv6 ACL rule is incorrectly configured.
  • Page 466

    Table of Contents
    1 IPv6 Multicast VLAN Configuration 1-1
    Introduction to IPv6 Multicast VLAN 1-1
    IPv6 Multicast VLAN Configuration Task List 1-3
    Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN 1-3
    Configuration Prerequisites 1-3
    Configuring Sub-VLAN-Based IPv6 Multicast VLAN 1-3
    Configuring Port-Based IPv6 Multicast VLAN 1-4
    Configuration Prerequisites 1-4
    Configuring User Port Attributes 1-4
    Configuring IPv6 Multicast VLAN Ports 1-5...
  • Page 467: Ipv6 Multicast Vlan Configuration

    IPv6 Multicast VLAN Configuration
    When configuring IPv6 multicast VLAN, go to these sections for information you are interested in:
    Introduction to IPv6 Multicast VLAN
    IPv6 Multicast VLAN Configuration Task List
    Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN
    Configuring Port-Based IPv6 Multicast VLAN
    Displaying and Maintaining IPv6 Multicast VLAN
    IPv6 Multicast VLAN Configuration Examples
    Introduction to IPv6 Multicast VLAN...
  • Page 468

    Figure 1-2 Sub-VLAN-based IPv6 multicast VLAN
    After the configuration, MLD snooping manages router ports in the IPv6 multicast VLAN and member ports in the sub-VLANs.
  • Page 469: Ipv6 Multicast Vlan Configuration Task List

    For information about MLD Snooping, router ports, and member ports, refer to MLD Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume.
    IPv6 Multicast VLAN Configuration Task List
    Complete the following tasks to configure IPv6 multicast VLAN:
    Configuration task | Remarks
    Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN...
  • Page 470: Configuring Port-Based Ipv6 Multicast Vlan

    To do… | Use the command… | Remarks
    Configure the specified VLAN(s) as sub-VLAN(s) of the IPv6 multicast VLAN | subvlan vlan-list | Required; by default, an IPv6 multicast VLAN has no sub-VLANs.
    The VLAN to be configured as an IPv6 multicast VLAN must exist. The VLANs to be configured as the sub-VLANs of the IPv6 multicast VLAN must exist and must not be sub-VLANs of another IPv6 multicast VLAN.
  • Page 471: Configuring Ipv6 Multicast Vlan Ports

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach.
    Configure the user port link type as hybrid | port link-type hybrid | Required; access by default
    Specify the user VLAN that ... | ... | Required...
  • Page 472: Displaying And Maintaining Ipv6 Multicast Vlan

    Configure IPv6 multicast VLAN ports in interface view or port group view
    Follow these steps to configure IPv6 multicast VLAN ports in port view or port group view:
    To do… | Use this command… | Remarks
    Enter system view | system-view | —
    Configure the specified VLAN as an IPv6 multicast VLAN | multicast-vlan ipv6 vlan-id | Required...
  • Page 473

    Configure the sub-VLAN-based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs.
    Figure 1-4 Network diagram for sub-VLAN-based IPv6 multicast VLAN configuration...
  • Page 474

    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable MLD Snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10] quit
    # Configure VLAN 10 as an IPv6 multicast VLAN and configure VLAN 2 through VLAN 4 as its...
  • Page 475: Port-Based Multicast Vlan Configuration Example

    IP group(s):the following ip group(s) match to one mac group.
    IP group address:FF1E::101
    (::, FF1E::101):
    Host port(s):total 1 port.
    GE1/0/3
    MAC group(s):
    MAC group address:3333-0000-0101
    Host port(s):total 1 port.
    GE1/0/3
    Vlan(id):4.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 0 port.
  • Page 476 Switch A’s GigabitEthernet 1/0/1 belongs to VLAN 10, GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 belong to VLAN 2 through VLAN 4 respectively, and Host A through Host C are attached to GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 of Switch A. The IPv6 multicast source sends IPv6 multicast data to IPv6 multicast group FF1E::101. Host A, Host B, and Host C are receivers of the IPv6 multicast group.
  • Page 477

    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable MLD Snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10] quit
    # Create VLAN 2 and enable MLD Snooping in the VLAN.
    [SwitchA] vlan 2
    [SwitchA-vlan2] mld-snooping enable
    [SwitchA-vlan2] quit...
  • Page 478

    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):10.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 1 port.
    GE1/0/1
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:FF1E::101
    (::, FF1E::101):
    Host port(s):total 3 port.
  • Page 479

    QoS Volume Organization
    Manual Version 20090930-C-1.01
    Product Version Release 2202
    Organization
    The QoS Volume is organized as follows:
    Features | Description
    For network traffic, the Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a network, you can improve the QoS by guaranteeing the bandwidth, and reducing the delay, jitter, and packet loss rate.
  • Page 480

    Table of Contents
    1 QoS Overview 1-1
    Introduction to QoS 1-1
    Introduction to QoS Service Models 1-1
    Best-Effort Service Model 1-1
    IntServ Service Model 1-1
    DiffServ Service Model 1-2
    QoS Techniques Overview 1-2
    Positions of the QoS Techniques in a Network 1-2
    2 QoS Configuration Approaches 2-1
    QoS Configuration Approach Overview 2-1
    Non Policy-Based Configuration 2-1...
  • Page 481

    Configuration Example 4-5
    Displaying and Maintaining Traffic Policing, GTS, and Line Rate 4-5
    5 Congestion Management Configuration 5-1
    Congestion Management Overview 5-1
    Causes, Impacts, and Countermeasures of Congestion 5-1
    Congestion Management Policies 5-1
    Congestion Management Configuration Approaches 5-4
    Configuring Congestion Management 5-5
    Configuring SP Queuing 5-5
    Configure WRR Queuing 5-5
    Configuring WFQ Queuing 5-6
    Configuring SP+WRR Queues 5-7...
  • Page 482

    Uncolored Priority Mapping Tables 11-2
    Appendix C Introduction to Packet Precedences 11-3
    IP Precedence and DSCP Values 11-3
    802.1p Priority 11-5...
  • Page 483: Qos Overview

    QoS Overview
    This chapter covers the following topics:
    Introduction to QoS
    Introduction to QoS Service Models
    QoS Techniques Overview
    Introduction to QoS
    For network traffic, the Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a network, you can improve the QoS by guaranteeing the bandwidth, and reducing the delay, jitter, and packet loss rate.
  • Page 484: Diffserv Service Model

    However, the IntServ model imposes extremely high requirements on devices. In a network with heavy data traffic, the IntServ model puts great pressure on the storage and processing capabilities of devices. On the other hand, the IntServ model scales poorly, and is therefore hard to deploy in the Internet core.
  • Page 485 Congestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port. As congestion becomes worse, it actively reduces the amount of traffic by dropping packets.
  • Page 486: Qos Configuration Approaches

    QoS Configuration Approaches
    This chapter covers the following topics:
    QoS Configuration Approach Overview
    Configuring a QoS Policy
    QoS Configuration Approach Overview
    Two approaches are available for you to configure QoS: policy-based and non policy-based. Some QoS features can be configured in either approach while some can be configured only in one approach.
  • Page 487: Configuring A Qos Policy

    Configuring a QoS Policy
    Figure 2-1 shows how to configure a QoS policy.
    Figure 2-1 QoS policy configuration procedure
    Defining a Class
    To define a class, you need to specify a name for it and then configure match criteria in class view.
    Follow these steps to define a class:
    To do…...
  • Page 488

    Form: acl ipv6 { access-list-number | name acl-name }
    Description: Specifies to match an IPv6 ACL specified by its number or name. The access-list-number argument specifies an ACL by its number, which ranges from 2000 to 3999; the name acl-name keyword-argument combination specifies an ACL by its name.
  • Page 489: Defining A Traffic Behavior

    Form: service-dot1p 8021p-list
    Description: Specifies to match packets by 802.1p priority of the service provider network. The 8021p-list argument is a list of CoS values in the range of 0 to 7. Even though you can provide up to eight space-separated CoS values for this argument, the S5500-SI switch supports only one CoS value in a rule.
  • Page 490: Defining A Policy

    Defining a Policy In a policy, you can define multiple class-behavior associations. A behavior is performed for the associated class of packets. In this way, various QoS features can be implemented. Follow these steps to associate a class with a behavior in a policy: To do…...
  • Page 491

    To do… | Use the command… | Remarks
    Enter interface view | interface interface-type interface-number | Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port group.
    Enter port group view | port-group manual ... | ...
  • Page 492: Displaying And Maintaining Qos Policies

    If a user profile is active, the QoS policy, except ACLs referenced in the QoS policy, applied to it cannot be configured or removed. If the user profile is being used by online users, the referenced ACLs cannot be modified either. The QoS policies applied in user profile view support only the remark, car, and filter actions.
  • Page 494: Priority Mapping Configuration

    Priority Mapping Configuration
    When configuring priority mapping, go to these sections for information you are interested in:
    Priority Mapping Overview
    Priority Mapping Configuration Tasks
    Configuring Priority Mapping
    Displaying and Maintaining Priority Mapping
    Priority Mapping Configuration Examples
    Priority Mapping Overview
    Introduction to Priority Mapping
    The priorities of a packet determine its transmission priority.
  • Page 495: Priority Trust Mode On A Port

    The priority trust mode on a port decides which priority is used for priority mapping table lookup. For the priority mapping purpose, port priority was introduced so that you can use it for priority mapping in addition to the priority fields carried in packets. There are three priority trust modes on H3C S5500-SI series switches:
    dot1p: Uses the 802.1p priority carried in packets for priority mapping.
  • Page 496: Priority Mapping Configuration Tasks

    Figure 3-1 Priority mapping procedure for an Ethernet packet
  • Page 497: Configuring Priority Mapping

    Task | Remarks
    Configuring a Priority Mapping Table | Optional
    Configuring the Priority Trust Mode on a Port | Optional
    Configuring the Port Priority of a Port | Optional
    Configuring Priority Mapping
    Configuring a Priority Mapping Table
    Follow these steps to configure an uncolored priority mapping table:
    To do…...
  • Page 498: Configuring The Port Priority Of A Port

    To do… | Use the command… | Remarks
    Trust the port priority | undo qos trust |
    Display the priority trust mode configuration on the port | display qos trust interface [ interface-type interface-number ] | Optional; available in any view
    Configuring the Port Priority of a Port
    You can change the port priority of a port used for priority mapping.
  • Page 499

    Network requirements
    As shown in Figure 3-2, the enterprise network of a company interconnects all departments through Device. The network is described as follows:
    The marketing department connects to GigabitEthernet 1/0/1 of Device, which sets the 802.1p priority of traffic from the marketing department to 3.
    The R&D department connects to GigabitEthernet 1/0/2 of Device, which sets the 802.1p priority of traffic from the R&D department to 4.
  • Page 500

    Figure 3-2 Network diagram for priority mapping table and priority marking configuration
    Configuration procedure
    Configure trusting port priority
    # Set the port priority of GigabitEthernet 1/0/1 to 3.
    <Device> system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] qos priority 3
    [Device-GigabitEthernet1/0/1] quit
    # Set the port priority of GigabitEthernet 1/0/2 to 4.
  • Page 501

    Configure priority marking
    # Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured above to map the 802.1p priorities to local precedence values 6, 4, and 2 respectively for differentiated traffic treatment.
  • Page 502: Traffic Policing And Line Rate Configuration

    Traffic Policing and Line Rate Configuration
    When configuring traffic policing and line rate, go to these sections for information you are interested in:
    Traffic Policing and Line Rate Overview
    Configuring Traffic Policing
    Configuring the Line Rate
    Displaying and Maintaining Traffic Policing, GTS, and Line Rate
    Traffic Policing and Line Rate Overview
    Without limits on user traffic, a network can be overwhelmed very easily.
  • Page 503: Traffic Policing

    Complicated evaluation
    You can set two token buckets (referred to as the C bucket and E bucket respectively) in order to evaluate more complicated conditions and implement more flexible regulation policies. For example, traffic policing uses four parameters:
    CIR: Rate at which tokens are put into the C bucket, that is, the average packet transmission or forwarding rate allowed by the C bucket.
  • Page 504: Line Rate

    Marking a conforming packet or a non-conforming packet with a new DSCP precedence value and forwarding the packet.
    Line Rate
    The line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Line rate also uses token buckets for traffic control. With line rate configured on an interface, all packets to be sent through the interface are first handled by the token bucket at line rate.
  • Page 505: Configuration Example

    To do… | Use the command… | Remarks
    Create a behavior and enter behavior view | traffic behavior behavior-name | —
    Configure a traffic policing action | car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [ yellow action ] | Required
    Exit behavior view | quit | ...
  • Page 506: Configuring The Line Rate

    [Sysname-GigabitEthernet1/0/1] qos lr outbound cir 512
    Displaying and Maintaining Traffic Policing, GTS, and Line Rate
    On the S5500-SI series switches, you can configure traffic policing in the policy-based approach. For the related displaying and maintaining commands, refer to Displaying and Maintaining QoS Policies.
  • Page 507: Congestion Management Configuration

    Congestion Management Configuration
    When configuring hardware congestion management, go to these sections for information you are interested in:
    Congestion Management Overview
    Congestion Management Configuration Approaches
    Configuring Congestion Management
    Displaying and Maintaining Congestion Management
    Congestion Management Overview
    Causes, Impacts, and Countermeasures of Congestion
    Network congestion is a major factor contributing to service quality degradation on a traditional network.
  • Page 508 The S5500-SI series supports the following four queue scheduling methods: Scheduling all queues with the strict priority (SP) algorithm.
  • Page 509 Figure 5-3 Schematic diagram for WRR queuing Assume there are eight output queues on a port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can configure the weight values of WRR queuing to 5, 3, 1, 1, 5, 3, 1, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 respectively).
  • Page 510: Congestion Management Configuration Approaches

    Short packets and long packets are fairly scheduled: if there are both long packets and short packets in queues, statistically the short packets should be scheduled preferentially to reduce the jitter between packets as a whole. Compared with FQ, WFQ takes weights into account when determining the queue scheduling order. Statistically, WFQ gives high priority traffic more scheduling opportunities than low priority traffic.
  • Page 511: Configuring Congestion Management

    Task | Remarks
    Configuring WFQ Queuing | Optional
    Configuring SP+WRR Queues | Optional
    Configuring Congestion Management
    Configuring SP Queuing
    Configuration procedure
    Follow these steps to configure SP queuing:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type ... | Use either command...
  • Page 512: Configuring Wfq Queuing

    To do… | Use the command… | Remarks
    Enter interface view | interface interface-type interface-number | Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port group.
    Enter port group view | port-group manual ... | ...
  • Page 513: Configuring Sp+Wrr Queues

    To do… | Use the command… | Remarks
    Enter port group view | port-group manual port-group-name | Settings in port group view take effect on all ports in the port group.
    Enable WFQ queuing | qos wfq | Required; by default, all the ports adopt the WRR queue scheduling algorithm, with the weight...
  • Page 514: Configuration Example

    To do… | Use the command… | Remarks
    Enter interface view | interface interface-type interface-number | Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port group.
    Enter port group view | port-group manual port-group-name | ...
  • Page 515: Displaying And Maintaining Congestion Management

    Displaying and Maintaining Congestion Management
    To do… | Use the command… | Remarks
    Display WRR queue configuration information | display qos wrr interface [ interface-type interface-number ] | Available in any view
    Display SP queue configuration information | display qos sp interface [ interface-type interface-number ] | Available in any view
    Display WFQ queue configuration information | display qos wfq interface [ interface-type ...
  • Page 516: Traffic Filtering Configuration

    Traffic Filtering Configuration
    When configuring traffic filtering, go to these sections for information you are interested in:
    Traffic Filtering Overview
    Configuring Traffic Filtering
    Traffic Filtering Configuration Example
    Traffic Filtering Overview
    You can filter in or filter out a class of traffic by associating the class with a traffic filtering action. For example, you can filter packets sourced from a specific IP address according to network status.
  • Page 517: Traffic Filtering Configuration Example

    To do… | Use the command… | Remarks
    Display the traffic filtering configuration | display traffic behavior user-defined [ behavior-name ] | Optional; available in any view
    With filter deny configured for a traffic behavior, the other actions (except class-based accounting) in the traffic behavior do not take effect.
    Traffic Filtering Configuration Example
    Traffic Filtering Configuration Example
    Network requirements...
  • Page 518

    # Apply the policy named policy to the incoming traffic of GigabitEthernet 1/0/1.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] qos apply policy policy inbound...
  • Page 519: Priority Marking Configuration

    Priority Marking Configuration
    When configuring priority marking, go to these sections for information you are interested in:
    Priority Marking Overview
    Configuring Priority Marking
    Priority Marking Configuration Example
    Priority Marking Overview
    Priority marking can be used together with priority mapping. For details, refer to Priority Mapping Table and Priority Marking Configuration Example.
  • Page 520: Priority Marking Configuration Example

    To do… | Use the command… | Remarks
    Set the IP precedence for packets | remark ip-precedence ip-precedence-value | Optional
    Set the local precedence for packets | remark local-precedence local-precedence | Optional
    Exit behavior view | quit | —
    Create a policy and enter policy view | qos policy policy-name | —
    Associate the class with the behavior... | classifier tcl-name behavior ...
  • Page 521

    Figure 7-1 Network diagram for priority marking configuration (Host A and Host B reach the Internet through Device; Data server 192.168.0.1/24, Mail server 192.168.0.2/24, File server 192.168.0.3/24)
    Configuration procedure
    # Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.
  • Page 522

    [Device] traffic behavior behavior_dbserver
    [Device-behavior-behavior_dbserver] remark local-precedence 4
    [Device-behavior-behavior_dbserver] quit
    # Create a behavior named behavior_mserver, and configure the action of setting the local precedence value to 3 for the behavior.
    [Device] traffic behavior behavior_mserver
    [Device-behavior-behavior_mserver] remark local-precedence 3
    [Device-behavior-behavior_mserver] quit
    # Create a behavior named behavior_fserver, and configure the action of setting the local precedence value to 2 for the behavior.
  • Page 523: Traffic Redirecting Configuration

    Traffic Redirecting Configuration
    When configuring traffic redirecting, go to these sections for information you are interested in:
    Traffic Redirecting Overview
    Configuring Traffic Redirecting
    Traffic Redirecting Overview
    Traffic Redirecting
    Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a certain location for processing.
  • Page 524

    To do… | Use the command… | Remarks
    Exit policy view | quit | —
    Apply the policy to an interface | Applying the QoS policy to an interface | —
    Apply the policy to a VLAN | Applying the QoS policy to a VLAN | —
    Generally, the action of redirecting traffic to the CPU, the action of redirecting traffic to an interface, and the action of redirecting traffic to the next hop are mutually exclusive with each other in the same traffic behavior.
  • Page 525: Traffic Mirroring Configuration

    Traffic Mirroring Configuration
    When configuring traffic mirroring, go to these sections for information you are interested in:
    Traffic Mirroring Overview
    Configuring Traffic Mirroring
    Displaying and Maintaining Traffic Mirroring
    Traffic Mirroring Configuration Examples
    Traffic Mirroring Overview
    Traffic mirroring is the action of copying the specified packets to the specified destination for packet analyzing and monitoring.
  • Page 526: Mirroring Traffic To The Cpu

    To do… | Use the command… | Remarks
    Specify the destination interface for traffic mirroring | mirror-to interface interface-type interface-number | Required
    Exit behavior view | quit | —
    Create a policy and enter policy view | qos policy policy-name | —
    Associate the class with the traffic behavior in the QoS policy | classifier tcl-name behavior ... | —...
  • Page 527: Traffic Mirroring Configuration Examples

    Display QoS policy configuration information: display qos policy user-defined [ policy-name [ classifier tcl-name ] ] (Available in any view)
    Traffic Mirroring Configuration Examples
    Example for Mirroring Traffic to an Interface
    Network requirements
    On the network as shown in Figure 9-1, Host A (with the IP address 192.168.0.1) and Host B are connected to GigabitEthernet1/0/1 of the switch;...
  • Page 528

    [Sysname] qos policy 1
    [Sysname-policy-1] classifier 1 behavior 1
    [Sysname-policy-1] quit
    # Apply the QoS policy to the incoming traffic of GigabitEthernet 1/0/1.
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] qos apply policy 1 inbound
    After the configurations, you can monitor all packets sent from Host A on the data monitoring device.
  • Page 529: Class-Based Accounting Configuration

    Create a behavior and enter behavior view: traffic behavior behavior-name (Required)
    Configure the accounting action: accounting (Optional; the class-based accounting function on S5500-SI series switches counts traffic in the number of packets)
    Exit behavior view: quit
    Create a policy and enter policy view: qos policy policy-name...
  • Page 530: Displaying And Maintaining Traffic Accounting

    Displaying and Maintaining Traffic Accounting After completing the configuration above, you can verify the configuration with the display qos policy interface, or display qos vlan-policy command depending on the occasion where the QoS policy is applied. Class-Based Accounting Configuration Example Class-Based Accounting Configuration Example Network requirements As shown in...
  • Page 531

    # Display traffic statistics to verify the configuration.
    [DeviceA] display qos policy interface gigabitethernet 1/0/1
    Interface: GigabitEthernet1/0/1
    Direction: Inbound
    Policy: policy
    Classifier: classifier_1
    Operator: AND
    Rule(s) : If-match acl 2000
    Behavior: behavior_1
    Accounting Enable: 58 (Packets)
  • Page 532: Appendix

    Appendix
    This chapter covers the following appendixes: Appendix A Acronym; Appendix B Default Priority Mapping Tables; Appendix C Introduction to Packet Precedences.
    Appendix A Acronym
    Table 11-1 Appendix A Acronym (Acronym: Full spelling)
    AF: Assured Forwarding
    BE: Best Effort
    CAR: Committed Access Rate
    CBS: Committed Burst Size
    CBWFQ: Class Based Weighted Fair Queuing...
  • Page 533: Appendix B Default Priority Mapping Tables

    (Acronym: Full spelling, continued)
    PE: Provider Edge
    PHB: Per-hop Behavior
    PIR: Peak Information Rate
    PQ: Priority Queuing
    QoS: Quality of Service
    RED: Random Early Detection
    RSVP: Resource Reservation Protocol
    RTP: Real Time Protocol
    SLA: Service Level Agreement
    TE: Traffic Engineering
    ToS: Type of Service
    TP: Traffic Policing
    TS: Traffic Shaping
    VoIP: Voice over IP
    VPN: Virtual Private Network
    WFQ: Weighted Fair Queuing
    WRED...
  • Page 534: Appendix C Introduction to Packet Precedences

    Input priority value / dot1p-lp mapping / dot1p-dp mapping
    Table 11-3 The default dscp-lp, dscp-dp, dscp-dot1p, and dscp-exp priority mapping tables
    Input priority value / dscp-dp mapping / dscp-dot1p mapping
    DSCP / Drop precedence (dp) / 802.1p priority (dot1p)
    0 to 7
    8 to 15
    16 to 23
    24 to 31
    32 to 39
    40 to 47...
  • Page 535

    Table 11-4 Description on IP precedence (IP precedence (decimal) / IP precedence (binary) / Description)
    0 / 000 / Routine
    1 / 001 / priority
    2 / 010 / immediate
    3 / 011 / flash
    4 / 100 / flash-override
    5 / 101 / critical
    6 / 110 / internet
    7 / 111 / network
    Table 11-5 Description on DSCP values (DSCP value (decimal) / DSCP value (binary) / Description)
    46 / 101110 / ef
    10 / 001010 / af11
    12 / 001100 / af12
    14 / 001110 / af13
    18 / 010010 / af21...
  • Page 536: 802.1p Priority

    802.1p Priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2. Figure 11-2 An Ethernet frame with an 802.1Q tag header As shown in Figure 11-2, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two...
  • Page 537

    Table of Contents
    1 User Profile Configuration 1-1
      User Profile Overview 1-1
      User Profile Configuration 1-1
        User Profile Configuration Task List 1-1
        Creating a User Profile 1-2
        Applying a QoS Policy to User Profile 1-2
        Enabling a User Profile 1-3
      Displaying and Maintaining User Profile 1-3...
  • Page 538: User Profile Configuration

    User Profile Configuration When configuring user profile, go to these sections for information you are interested in: User Profile Overview User Profile Configuration Displaying and Maintaining User Profile User Profile Overview User profile provides a configuration template to save predefined configurations. Based on different application scenarios, you can configure different items for a user profile, such as Committed Access Rate (CAR), Quality of Service (QoS), and so on.
  • Page 539: Creating A User Profile

    Creating a User Profile Configuration Prerequisites Before creating a user profile, you need to configure authentication parameters. User profile supports 802.1X authentication. You need to perform the related configurations (for example, username, password, authentication scheme, domain, and the binding between a user profile and a user) on the client, the device, and the authentication server.
  • Page 540: Enabling A User Profile

    When a user profile is active, you cannot configure or remove the QoS policy applied to it. The QoS policies applied in user profile view support only the remark, car, and filter actions. Do not apply an empty QoS policy in user profile view: the command is accepted, but the user profile cannot be activated.
  • Page 541

    Security Volume
    Manual Version 20090930-C-1.01
    Product Version Release 2202
    Organization
    The Security Volume is organized as follows (Features: Description):
    AAA: Authentication, Authorization and Accounting (AAA) provides a uniform framework used for configuring these three security functions to implement network security management. This document describes: Introduction to AAA, RADIUS and HWTACACS; AAA configuration; RADIUS configuration...
  • Page 542

    (Features: Description, continued)
    Port Security: Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1X authentication and MAC authentication. This document describes: Enabling Port Security; Setting the Maximum Number of Secure MAC Addresses; Setting the Port Security Mode; Configuring Port Security Features...
  • Page 543

    Table of Contents
    1 AAA Configuration 1-1
      Introduction to AAA 1-1
      Introduction to RADIUS 1-2
        Client/Server Model 1-2
        Security and Authentication Mechanisms 1-3
        Basic Message Exchange Process of RADIUS 1-3
        RADIUS Packet Format 1-4
        Extended RADIUS Attributes 1-7
      Introduction to HWTACACS 1-8
        Differences Between HWTACACS and RADIUS 1-8
        Basic Message Exchange Process of HWTACACS 1-8
      Protocols and Standards 1-10
      AAA Configuration Task List 1-10...
  • Page 544

        Specifying the HWTACACS Authorization Servers 1-32
        Specifying the HWTACACS Accounting Servers 1-33
        Setting the Shared Key for HWTACACS Packets 1-34
        Configuring Attributes Related to the Data Sent to HWTACACS Server 1-34
        Setting Timers Regarding HWTACACS Servers 1-35
        Displaying and Maintaining HWTACACS 1-35
      AAA Configuration Examples 1-36
        AAA for Telnet Users by a HWTACACS Server 1-36
        AAA for Telnet Users by Separate Servers 1-37
        AAA for SSH Users by a RADIUS Server 1-39...
  • Page 545: AAA Configuration

    AAA Configuration When configuring AAA, go to these sections for information you are interested in: Introduction to AAA Introduction to RADIUS Introduction to HWTACACS Protocols and Standards AAA Configuration Task List Configuring AAA Configuring RADIUS Configuring HWTACACS AAA Configuration Examples Troubleshooting AAA Introduction to AAA Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring...
  • Page 546: Client/Server Model

    requirements. For example, you can use the HWTACACS server for authentication and authorization, and the RADIUS server for accounting. The three security functions are described as follows: Authentication: Identifies remote users and determines whether a user is legitimate. Authorization: Grants different users different rights. For example, a user logging into the server can be granted the permission to access and print the files in the server.
  • Page 547: Security And Authentication Mechanisms

    Figure 1-2 RADIUS server components Users: Stores user information such as the usernames, passwords, applied protocols, and IP addresses. Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses. Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values. Security and Authentication Mechanisms Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network.
  • Page 548: RADIUS Packet Format

    The following is how RADIUS operates: The host initiates a connection request carrying the username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
  • Page 549

    Table 1-1 Main values of the Code field (Code / Packet type / Description)
    Access-Request: From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
  • Page 550

    Table 1-2 RADIUS attributes
    First column: User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message
    Second column: Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, Acct-Link-Count, Acct-Input-Gigawords, Acct-Output-Gigawords, (unassigned), Event-Timestamp, 56-59 (unassigned), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port, Tunnel-Type, Tunnel-Medium-Type...
  • Page 551: Extended RADIUS Attributes

    Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC 1700. The vendor ID of H3C is 2011. Vendor-Type: Indicates the type of the sub-attribute.
  • Page 552: Introduction to HWTACACS

    Introduction to HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS is mainly used to provide AAA services for terminal users. In a typical HWTACACS application, a terminal user needs to log into the device for operations, and HWTACACS authenticates, authorizes and performs accounting for the user.
  • Page 553

    Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user (Host, HWTACACS client, HWTACACS server)
    1) The user logs in
    2) Start-authentication packet
    3) Authentication response requesting the username
    4) Request for username
    5) The user inputs the username
    6) Authentication continuance packet with the username
    7) Authentication response requesting the login...
  • Page 554: Protocols and Standards

    12) The HWTACACS client sends the user authorization request packet to the HWTACACS server.
    13) The HWTACACS server sends back the authorization response, indicating that the user is authorized now.
    14) Knowing that the user is now authorized, the HWTACACS client pushes the configuration interface of the NAS to the user.
  • Page 555: RADIUS Configuration Task List

    AAA Configuration Task List (Task: Remarks)
    Creating an ISP Domain: Required
    Configuring ISP Domain Attributes: Optional
    Configuring AAA Authentication Methods for an ISP Domain: Required. For local authentication, refer to Configuring Local User Attributes. For RADIUS authentication, refer to Configuring RADIUS.
  • Page 556

    HWTACACS Configuration Task List (Task: Remarks)
    Creating a HWTACACS scheme: Required
    Specifying the HWTACACS Authentication Servers: Required
    Specifying the HWTACACS Authorization Servers: Optional
    Specifying the HWTACACS Accounting Servers: Optional
    Setting the Shared Key for HWTACACS Packets: Required
    Configuring Attributes Related to the Data Sent to HWTACACS Server: Optional
    Setting Timers Regarding HWTACACS Servers: Optional...
  • Page 557 For the NAS, each user belongs to an ISP domain. Up to 16 ISP domains can be configured on a NAS. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain.
  • Page 558 A self-service RADIUS server, for example, iMC, is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server. Configuring AAA Authentication Methods for an ISP Domain In AAA, authentication, authorization, and accounting are separate processes.
  • Page 559

    Specify the default authentication method for all types of users: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional; local by default)
    Specify the authentication method for LAN access users: authentication lan-access { local | none | radius-scheme ... (Optional)...
  • Page 560 authorization can work only after RADIUS authentication is successful, and the authorization information is carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is carried in the authorization response after successful authentication. You can configure local authorization or no authorization as the backup method in case the remote server is not available.
  • Page 561 The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme.
  • Page 562

    Follow these steps to configure AAA accounting methods for an ISP domain:
    Enter system view: system-view
    Create an ISP domain and enter ISP domain view: domain isp-name (Required)
    Enable the accounting optional feature: accounting optional (Optional; disabled by default)...
  • Page 563 With the accounting optional command configured, a user who would otherwise be disconnected can still use the network resources even when no accounting server is available or communication with the current accounting server fails. Local accounting does not implement accounting as such; it works together with the access-limit attribute command to limit the number of local user connections.
  • Page 564

    Add a local user and enter local user view: local-user user-name (Required; no local user exists by default)
    Configure a password for the local user: password { cipher | simple } password (Optional)
    Place the local user to the state of ...: state { active | block } (Optional; when created, a local user ...)...
  • Page 565: Tearing Down User Connections Forcibly

    Local authentication checks the service types of a local user. If the service types are not available, the user cannot pass authentication. In the authentication method that requires the username and password, including local authentication, RADIUS authentication and HWTACACS authentication, the commands that a login user can use after logging in depend on the level of the user.
  • Page 566: Displaying and Maintaining AAA

    Tear down AAA user connections forcibly: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ... (Required; applies to only LAN access and portal user connections at present)...
  • Page 567: Creating a RADIUS Scheme

    When there are users online, you cannot modify RADIUS parameters other than the retransmission ones and the timers. Creating a RADIUS Scheme Before performing other RADIUS configurations, follow these steps to create a RADIUS scheme and enter RADIUS scheme view: To do…...
  • Page 568: Specifying the RADIUS Accounting Servers and Relevant Parameters

    It is recommended to specify only the primary RADIUS authentication/authorization server if backup is not required. If both the primary and secondary authentication/authorization servers are specified, the secondary one is used when the primary one is unreachable. In practice, you may specify two RADIUS servers as the primary and secondary authentication/authorization servers respectively.
  • Page 569: Setting the Shared Key for RADIUS Packets

    It is recommended to specify only the primary RADIUS accounting server if backup is not required. If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. In practice, you can specify two RADIUS servers as the primary and secondary accounting servers respectively, or specify one server to function as the primary accounting server in a scheme and the secondary accounting server in another scheme.
  • Page 570: Setting the Supported RADIUS Server Type

    to retransmit the RADIUS request. If the number of transmission attempts exceeds the specified limit but it still receives no response, it considers that the authentication has failed. Follow these steps to set the upper limit of RADIUS request retransmission attempts: To do…...
  • Page 571: Configuring Attributes Related to Data to Be Sent to the RADIUS Server

    When both the primary and secondary servers are available, the device sends request packets to the primary server. Once the primary server fails, the primary server turns into the state of block, and the device turns to the secondary server. In this case: If the secondary server is available, the device triggers the primary server quiet timer.
  • Page 572: Setting Timers Regarding RADIUS Servers

    Enter system view: system-view
    Enable the RADIUS trap function: radius trap { accounting-server-down | authentication-server-down } (Optional; disabled by default)
    Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (Required; not defined by default)
    Specify the format of the ... (Optional)...
  • Page 573: Specifying a Security Policy Server

    Primary server quiet timer (timer quiet): If the primary server is not reachable, its state changes to blocked, and the device will turn to the specified secondary server. If the secondary server is reachable, the device starts this timer and communicates with the secondary server. After this timer expires, the device turns the state of the primary server to active and tries to communicate with the primary server while keeping the state of the secondary server unchanged.
  • Page 574: Enabling the Listening Port of the RADIUS Client

    This task allows you to configure the IP address of a security policy server. If the security policy server and the RADIUS server reside on the same host, you can omit this task. When the device receives a control packet from the security policy server, it checks whether the source IP address of the packet is the IP address of the security policy server or RADIUS server.
  • Page 575: Configuring HWTACACS

    Clear buffered stop-accounting requests that get no responses: reset stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name } (Available in user view)
    Configuring HWTACACS
    Different from RADIUS, except for deleting HWTACACS schemes and changing the IP addresses of the HWTACACS servers, you can make any changes to HWTACACS parameters, whether there are users online or not.
  • Page 576

    Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number ] (Required; configure at least one of the commands; no authentication server by default)
    Specify the secondary HWTACACS authentication server: secondary authentication ip-address [ port-number ]
    It is recommended to specify only the primary HWTACACS authentication server if backup is not required.
  • Page 577 It is recommended to specify only the primary HWTACACS authorization server if backup is not required. If both the primary and secondary authorization servers are specified, the secondary one is used when the primary one is not reachable. The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
  • Page 578 Setting the Shared Key for HWTACACS Packets When using a HWTACACS server as an AAA server, you can set a key to secure the communications between the device and the HWTACACS server. The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt packets exchanged between them and a shared key to verify the packets.
  • Page 579 If a HWTACACS server does not support a username with the domain name, you can configure the device to remove the domain name before sending the username to the server. The nas-ip command in HWTACACS scheme view is only for the current HWTACACS scheme, while the hwtacacs nas-ip command in system view is for all HWTACACS schemes.
  • Page 580: AAA Configuration Examples

    Clear HWTACACS statistics: reset hwtacacs statistics { accounting | all | authentication | authorization } (Available in user view)
    Clear buffered stop-accounting requests that get no responses: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name (Available in user view)
    AAA Configuration Examples
    AAA for Telnet Users by a HWTACACS Server...
  • Page 581: AAA for Telnet Users by Separate Servers

    [Switch] hwtacacs scheme hwtac
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
    [Switch-hwtacacs-hwtac] key authentication expert
    [Switch-hwtacacs-hwtac] key authorization expert
    [Switch-hwtacacs-hwtac] key accounting expert
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Configure the AAA methods for the domain.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
    [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac...
  • Page 582

    Figure 1-8 Configure AAA by separate servers for Telnet users
    Configuration procedure
    # Configure the IP addresses of various interfaces (omitted).
    # Enable the Telnet server on the switch.
    <Switch> system-view
    [Switch] telnet server enable
    # Configure the switch to use AAA for Telnet users.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    [Switch-ui-vty0-4] quit...
  • Page 583

    [Switch-isp-bbb] quit
    # Configure the default AAA methods for all types of users.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication default local
    [Switch-isp-bbb] authorization default hwtacacs-scheme hwtac
    [Switch-isp-bbb] accounting default radius-scheme imc
    When telnetting into the switch, a user enters username telnet@bbb for authentication using domain bbb.
  • Page 584

    Specify the ports for authentication and accounting as 1812 and 1813 respectively
    Select Device Management Service as the service type
    Select H3C as the access device type
    Select the access device from the device list or manually add the device with the IP address of 10.1.1.2...
  • Page 585

    Figure 1-11 Add an account for device management
    Configure the switch
    # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 586: Troubleshooting AAA

    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    [Switch-radius-rad] primary accounting 10.1.1.1 1813
    [Switch-radius-rad] key authentication expert
    [Switch-radius-rad] key accounting expert
    [Switch-radius-rad] user-name-format with-domain
    [Switch-radius-rad] quit
    # Configure the AAA methods for the domain.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login radius-scheme rad
    [Switch-isp-bbb] authorization login radius-scheme rad
    [Switch-isp-bbb] accounting login radius-scheme rad
    [Switch-isp-bbb] quit
    When using SSH to log in, a user enters a username in the form userid@bbb for authentication using...
  • Page 587

    The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.
    Solution: Check that:
    The communication links between the NAS and the RADIUS server work well at both the physical and link layers.
    The IP address of the RADIUS server is correctly configured on the NAS.
    The UDP ports for authentication/authorization/accounting configured on the NAS are the same as those configured on the RADIUS server.
  • Page 588

    Table of Contents
    1 802.1X Configuration 1-1
      802.1X Overview 1-1
        Architecture of 802.1X 1-2
        Authentication Modes of 802.1X 1-2
        Basic Concepts of 802.1X 1-2
        EAP over LANs 1-3
        EAP over RADIUS 1-5
        802.1X Authentication Triggering 1-5
        Authentication Process of 802.1X 1-6
        802.1X Timers 1-9
        Extensions to 802.1X 1-10
        Features Working Together with 802.1X 1-10
      Configuring 802.1X 1-13...
  • Page 589: 802.1X Overview

    802.1X Configuration When configuring 802.1X, go to these sections for information you are interested in: 802.1X Overview Configuring 802.1X Configuring an 802.1X Guest VLAN Configuring an Auth-Fail VLAN Displaying and Maintaining 802.1X 802.1X Configuration Example Guest VLAN and VLAN Assignment Configuration Example ACL Assignment Configuration Example 802.1X Overview The 802.1X protocol was proposed by the IEEE 802 LAN/WAN committee for security of wireless LANs...
  • Page 590: Architecture

    Architecture of 802.1X 802.1X operates in the typical client/server model and defines three entities: client, device, and server, as shown in Figure 1-1. Figure 1-1 Architecture of 802.1X Client: An entity to be authenticated by the device residing on the same LAN. A client is usually a user-end device and initiates 802.1X authentication through 802.1X client software supporting the EAP over LANs (EAPOL) protocol.
  • Page 591 Authorized state and unauthorized state The device uses the authentication server to authenticate a client trying to access the LAN and controls the status of the controlled port depending on the authentication result, putting the controlled port in the authorized state or unauthorized state, as shown in Figure 1-2.
  • Page 592

    Figure 1-3 EAPOL frame format
    PAE Ethernet type: Protocol type. It takes the value 0x888E.
    Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.
    Type: Type of the EAPOL frame. Table 1-1 lists the types that the device currently supports.
    Table 1-1 Types of EAPOL frames (Type / Description)...
  • Page 593: Eap Over Radius

    Figure 1-5 Format of the Data field in an EAP request/response packet Identifier: Allows matching of responses with requests. Length: Length of the EAP packet, including the Code, Identifier, Length, and Data fields, in bytes. Data: Content of the EAP packet. This field is zero or more bytes and its format is determined by the Code field.
  • Page 594: Authentication Process

    To solve the problem, the device also supports EAPOL-Start frames whose destination address is a broadcast MAC address. In this case, the H3C iNode 802.1X client is required. Unsolicited triggering of the device The device can trigger authentication by sending EAP-Request/Identity packets to unauthenticated clients periodically (every 30 seconds by default).
  • Page 595 Figure 1-8 Message exchange in EAP relay mode (figure; participants: Client, Device, Server; EAPOL between client and device, EAPOR between device and server). Message sequence shown: EAPOL-Start; EAP-Request / Identity; EAP-Response / Identity; RADIUS Access-Request (EAP-Response / Identity); RADIUS Access-Challenge (EAP-Request / MD5 challenge); EAP-Request / MD5 challenge; EAP-Response / MD5 challenge; RADIUS Access-Request (EAP-Response / MD5 challenge); RADIUS Access-Accept (EAP-Success)
  • Page 596 When receiving the RADIUS Access-Request packet, the RADIUS server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the device a RADIUS Access-Accept packet.
  • Page 597: 802.1X Timers

    Figure 1-9 Message exchange in EAP termination mode (figure; participants: Client, Device, Server; EAPOL between client and device, EAPOR between device and server). Message sequence shown: EAPOL-Start; EAP-Request / Identity; EAP-Response / Identity; EAP-Request / MD5 challenge; EAP-Response / MD5 challenge; RADIUS Access-Request (CHAP-Response / MD5 challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; Port authorized; Handshake timer; Handshake request [ EAP-Request / Identity ]...
  • Page 598: Extensions

    Handshake timer (handshake-period): After a client passes authentication, the device sends to the client handshake requests at this interval to check whether the client is online. If the device receives no response after sending the allowed maximum number of handshake requests, it considers that the client is offline.
  • Page 599 The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port. For details about VLAN configuration, refer to VLAN Configuration in the Access Volume.
  • Page 600 If a user of a port in the guest VLAN initiates the authentication process but fails the authentication, the device will add the user to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail VLAN is configured, the device will keep the user in the guest VLAN. If a user of a port in the guest VLAN initiates authentication and passes the authentication, the device will add the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN.
  • Page 601: Configuring 802.1X

    command. If the device does not receive any response from an online user after the device has sent the handshake packet for the maximum number of times, which is set by the dot1x retry command, the device will set the user state to offline. The online user handshake security function helps prevent online users from using illegal client software to exchange handshake messages with the device.
  • Page 602 To do… Use the command… Remarks. To do: Set the port access control mode for specified or all ports. Command: dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]. Remarks: Optional; auto by default. To do: Set the port access control method for... Command: dot1x port-method... Remarks: Optional...
  • Page 603: Configuring 802.1X For A Port

    will take effect instead of that specified on the device. The re-authentication interval assignment varies by server type. Refer to the specific authentication server implementation for further details. Configuring 802.1X for a Port Enabling 802.1X for a port Follow these steps to enable 802.1X for a port: To do…...
  • Page 604: Configuring An 802.1X Guest Vlan

    information about the user-name-format command, refer to AAA Commands in the Security Volume. If the username of a client contains the version number or one or more blank spaces, you can neither retrieve information nor disconnect the client by using the username. However, you can use items such as IP address and connection index number to do so.
  • Page 605: Configuring An Auth-Fail Vlan

    To do… Use the command… Remarks. Command: dot1x guest-vlan vlan-id. Remarks: Different ports can be configured with different guest VLANs, but a port can be configured with only one guest VLAN. If you configure both 802.1X authentication and MAC authentication on a port and specify an MGV for each authentication method, the MGV for the 802.1X authentication method will take effect.
  • Page 606: Displaying And Maintaining 802.1X

    To do… Use the command… Remarks. To do: Enter system view. Command: system-view. Remarks: —. To do: Enter Ethernet interface view. Command: interface interface-type interface-number. Remarks: —. To do: Configure the Auth-Fail VLAN for the port. Command: dot1x auth-fail vlan authfail-vlan-id. Remarks: Required. By default, a port is configured with no Auth-Fail VLAN. Different ports can be configured with different Auth-Fail VLANs, but a port can be configured with only one Auth-Fail VLAN.
  • Page 607 Set the shared key for the device to exchange packets with the authentication server as name, and that for the device to exchange packets with the accounting server as money. Specify the device to try up to five times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real time accounting packets to the accounting server every 15 minutes.
  • Page 608 [Device-radius-radius1] primary accounting 10.1.1.2 # Configure the IP addresses of the secondary authentication and accounting RADIUS servers. [Device-radius-radius1] secondary authentication 10.1.1.2 [Device-radius-radius1] secondary accounting 10.1.1.1 # Specify the shared key for the device to exchange packets with the authentication server. [Device-radius-radius1] key authentication name # Specify the shared key for the device to exchange packets with the accounting server.
  • Page 609: Guest Vlan And Vlan Assignment Configuration Example

    Guest VLAN and VLAN Assignment Configuration Example Network requirements As shown in Figure 1-11: A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X authentication to access the Internet. GigabitEthernet 1/0/2 is in VLAN 1. The authentication server runs RADIUS and is in VLAN 2.
  • Page 610 Figure 1-12 Network diagram with the port in the guest VLAN Figure 1-13 Network diagram when the client passes authentication Configuration procedure The following configuration procedure uses many AAA/RADIUS commands. For detailed configuration of these commands, refer to AAA Configuration in the Security Volume. Configurations on the 802.1X client and RADIUS server are omitted.
  • Page 611: Acl Assignment Configuration Example

    [Device-radius-2000] primary authentication 10.11.1.1 1812 [Device-radius-2000] primary accounting 10.11.1.1 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit # Configure authentication domain system and specify to use RADIUS scheme 2000 for users of the domain. [Device] domain system [Device-isp-system] authentication default radius-scheme 2000 [Device-isp-system] authorization default radius-scheme 2000...
  • Page 612 Enable 802.1X authentication on port GigabitEthernet 1/0/1 of the device, and configure ACL 3000. After the host passes 802.1X authentication, the RADIUS server assigns ACL 3000 to port GigabitEthernet 1/0/1. As a result, the host can access the Internet but cannot access the FTP server, whose IP address is 10.0.0.1.
  • Page 613 Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss) C:\>...
  • Page 614: Ead Fast Deployment Overview

    802.1X-based EAD Fast Deployment Configuration When configuring EAD fast deployment, go to these sections for information you are interested in: EAD Fast Deployment Overview Configuring EAD Fast Deployment Displaying and Maintaining EAD Fast Deployment EAD Fast Deployment Configuration Example Troubleshooting EAD Fast Deployment EAD Fast Deployment Overview Overview Endpoint Admission Defense (EAD) is an integrated endpoint access control solution.
  • Page 615: Configuring Ead Fast Deployment

    Configuring EAD Fast Deployment Currently, MAC authentication and port security cannot work together with EAD fast deployment. Once MAC authentication or port security is enabled globally, the EAD fast deployment is disabled automatically. Configuration Prerequisites Enable 802.1X globally. Enable 802.1X on the specified port, and set the access control mode to auto. Configuration Procedure Configuring a freely accessible network segment A freely accessible network segment, also called a free IP, is a network segment that users can access...
  • Page 616: Displaying And Maintaining Ead Fast Deployment

    Configuring the IE redirect URL Follow these steps to configure the IE redirect URL: To do… Use the command… Remarks. To do: Enter system view. Command: system-view. Remarks: —. To do: Configure the IE redirect URL. Command: dot1x url url-string. Remarks: Required. No redirect URL is configured by default. The redirect URL and the freely accessible network segment must belong to the same network segment.
  • Page 617: Ead Fast Deployment Configuration Example

    EAD Fast Deployment Configuration Example Network requirements As shown in Figure 2-1, the host is connected to the device, and the device is connected to the freely accessible network segment and the outside network. It is required that: Before successful 802.1X authentication, a host using IE to access the outside network is redirected to the WEB server, from which it can download and install the 802.1X client software.
  • Page 618: Troubleshooting Ead Fast Deployment

    C:\>ping 192.168.2.3 Pinging 192.168.2.3 with 32 bytes of data: Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Besides, if the user uses IE to access any external website, the user will be taken to the WEB server,...
  • Page 619 Table of Contents 1 HABP Configuration 1-1; Introduction to HABP 1-1; Configuring HABP 1-2; Configuring the HABP Server 1-2; Configuring an HABP Client 1-3; Displaying and Maintaining HABP 1-3; HABP Configuration Example 1-3...
  • Page 620: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for the information you are interested in: Introduction to HABP Configuring HABP Displaying and Maintaining HABP HABP Configuration Example Introduction to HABP The HW Authentication Bypass Protocol (HABP) is used to enable the downstream network devices of an 802.1X or MAC authentication enabled access device to bypass 802.1X authentication and MAC authentication.
  • Page 621: Configuring Habp

    Figure 1-1 Network diagram for HABP application (figure; labels shown: Internet, Switch A, Authentication server, Authenticator, Switch B, Switch C, Switch D, Switch E, Supplicant, Supplicant, Supplicant). HABP is a link layer protocol that works above the MAC layer. It is built on the client-server model. Generally, the HABP server is assumed by the management device (such as Switch A in the above example), and the attached switches function as the HABP clients, such as Switch B through Switch E in the example.
  • Page 622: Configuring An Habp Client

    To do… Use the command… Remarks. To do: Configure HABP to work in server mode. Command: habp server vlan vlan-id. Remarks: Required. HABP works in client mode by default. To do: Set the interval to send HABP requests. Command: habp timer interval. Remarks: Optional. 20 seconds by default. Configuring an HABP Client Configure the HABP client function on each device that is attached to the administrative device and needs to be managed.
  • Page 623 Figure 1-2 Network diagram for HABP configuration Configuration procedure Configure Switch A # Enable HABP. <SwitchA> system-view [SwitchA] habp enable # Configure HABP to work in server mode, allowing HABP packets to be transmitted in VLAN 2. [SwitchA] habp server vlan 2 # Set the interval to send HABP request packets to 50 seconds.
  • Page 624 Table of Contents 1 MAC Authentication Configuration 1-1; MAC Authentication Overview 1-1; RADIUS-Based MAC Authentication 1-1; Local MAC Authentication 1-1; Related Concepts 1-2; MAC Authentication Timers 1-2; Quiet MAC Address 1-2; VLAN Assigning 1-2; Guest VLAN of MAC Authentication 1-2; ACL Assigning 1-3; Configuring MAC Authentication 1-3; Configuration Prerequisites 1-3; Configuration Procedure 1-3; Configuring a Guest VLAN 1-4; Configuration Prerequisites 1-4...
  • Page 625: Mac Authentication Configuration

    MAC Authentication Configuration When configuring MAC authentication, go to these sections for information you are interested in: MAC Authentication Overview Related Concepts Configuring MAC Authentication Displaying and Maintaining MAC Authentication MAC Authentication Configuration Examples MAC Authentication Overview MAC authentication provides a way of authenticating users based on ports and MAC addresses. Once it detects a new MAC address, the device initiates the authentication process.
  • Page 626: Related Concepts

    Related Concepts MAC Authentication Timers The following timers function in the process of MAC authentication: Offline detect timer: At this interval, the device checks to see whether there is traffic from a user. Once it detects that there has been no traffic from a user within this interval, the device logs the user out and sends a stop accounting request to the RADIUS server.
  • Page 627: Acl Assigning

    ACL Assigning ACLs assigned by an authorization server are referred to as authorization ACLs, which are designed to control access to network resources. If the RADIUS server is configured with authorization ACLs, the device applies them to the port through which a user accesses the device, permitting or denying the data flows traversing that port according to the authorization ACLs.
  • Page 628: Configuring A Guest Vlan

    To do… Use the command… Remarks. To do: Set the quiet timer. Command: mac-authentication timer quiet quiet-value. Remarks: Optional. 60 seconds by default. To do: Set the server timeout timer. Command: mac-authentication timer server-timeout server-timeout-value. Remarks: Optional. 100 seconds by default. To do: Configure the username and password for MAC... Command: mac-authentication user-name-format { fixed [ account name ] [ password... Remarks: Optional. By default, the user’s source...
  • Page 629: Displaying And Maintaining Mac Authentication

    Different ports can be configured with different guest VLANs, but a port can be configured with only one guest VLAN. If you configure both the 802.1X authentication MGV and the MAC authentication MGV on a port, only the 802.1X authentication MGV will take effect. For description on 802.1X authentication MGV, refer to 802.1X Configuration in the Security Volume.
  • Page 630 Configuration procedure Configure MAC authentication on the device # Add a local user, setting the username and password as 00-e0-fc-12-34-56, the MAC address of the user. <Device> system-view [Device] local-user 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] service-type lan-access [Device-luser-00-e0-fc-12-34-56] quit # Configure ISP domain aabbcc.net, and specify that the users in the domain use local authentication.
  • Page 631: Radius-Based Mac Authentication Configuration Example

    MAC address authentication is enabled Authenticate success: 1, failed: 0 Current online user number is 1 MAC Addr Authenticate state Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS RADIUS-Based MAC Authentication Configuration Example Network requirements As illustrated in Figure 1-2, a host is connected to the device through port GigabitEthernet 1/0/1. The device authenticates, authorizes and keeps accounting on the host through the RADIUS server.
  • Page 632 [Device-radius-2000] quit # Specify the AAA schemes for the ISP domain. [Device] domain 2000 [Device-isp-2000] authentication default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Enable MAC authentication globally. [Device] mac-authentication # Enable MAC authentication for port GigabitEthernet 1/0/1. [Device] mac-authentication interface GigabitEthernet 1/0/1 # Specify the ISP domain for MAC authentication.
  • Page 633: Acl Assignment Configuration Example

    ACL Assignment Configuration Example Network requirements As shown in Figure 1-3, a host is connected to port GigabitEthernet 1/0/1 of the switch and must pass MAC authentication to access the Internet. Specify to use the MAC address of a user as the username and password for MAC authentication of the user.
  • Page 634 # Create an ISP domain and specify the AAA schemes. [Sysname] domain 2000 [Sysname-isp-2000] authentication default radius-scheme 2000 [Sysname-isp-2000] authorization default radius-scheme 2000 [Sysname-isp-2000] accounting default radius-scheme 2000 [Sysname-isp-2000] quit # Configure ACL 3000 to deny packets destined for 10.0.0.1. [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 [Sysname-acl-adv-3000] quit...
  • Page 635 Table of Contents 1 Portal Configuration 1-1; Portal Overview 1-1; Introduction to Portal 1-1; Introduction to Extended Portal Functions 1-1; Portal System Components 1-2; Portal Authentication Modes 1-3; Portal Authentication Process 1-4; Portal Configuration Task List 1-6; Basic Portal Configuration 1-7; Configuration Prerequisites 1-7; Configuration Procedure 1-7; Configuring a Portal-Free Rule 1-8; Configuring an Authentication Subnet 1-9...
  • Page 636: Portal Configuration

    Portal Configuration When configuring portal, go to these sections for information you are interested in: Portal Overview Portal Configuration Task List Displaying and Maintaining Portal Portal Configuration Examples Troubleshooting Portal Portal Overview This section covers these topics: Introduction to Portal Introduction to Extended Portal Portal System Components Portal Authentication Modes...
  • Page 637: Portal System Components

    Resource access limit: A user passing identity authentication can access only network resources like the anti-virus server or OS patch server, which are called the restricted resources. Only users passing security authentication can access more network resources, which are called the unrestricted resources.
  • Page 638: Portal Authentication Modes

    Currently, only a RADIUS server can serve as the authentication/accounting server in a portal system. Currently, security authentication requires the cooperation of the H3C iNode client. Portal Authentication Modes Portal authentication supports two modes: non-Layer 3 authentication and Layer 3 authentication.
  • Page 639: Portal Authentication Process

    authentication. This solves the problem of IP address planning and allocation. For example, a service provider can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Layer 3 authentication Layer 3 portal authentication is similar to direct authentication.
  • Page 640 Direct authentication/Layer 3 authentication process Figure 1-2 Direct authentication/Layer 3 authentication process The direct authentication/Layer 3 authentication process is as follows: A portal user initiates an authentication request through HTTP. When the HTTP packet arrives at the access device, the access device allows it to pass if it is destined for the portal server or a predefined free website, or redirects it to the portal server if it is destined for other websites.
  • Page 641: Portal Configuration Task List

    Re-DHCP authentication process Figure 1-3 Re-DHCP authentication process (figure; participants: Authentication client, Access device, Portal server, Authentication/accounting server, Security policy server). Steps shown: 1) Initiate a connection; 2) CHAP authentication; 3) Authentication request; 4) RADIUS authentication (Timer); 5) Authentication acknowledgement; 6) Authentication succeeds; 7) The user obtains a new IP address; 8) Discover user IP change...
  • Page 642: Basic Portal Configuration

    Task / Remarks: Basic Portal Configuration (Required); Configuring a Portal-Free Rule (Optional); Configuring an Authentication Subnet (Optional); Logging out Users (Optional); Specifying a Mandatory Authentication Domain (Optional). Basic Portal Configuration Configuration Prerequisites The portal feature provides a solution for user authentication and security authentication. However, the portal feature cannot implement this solution by itself.
  • Page 643: Configuring A Portal-Free Rule

    To do… Use the command… Remarks. To do: Enter system view. Command: system-view. Remarks: —. To do: Configure a portal server. Command: portal server server-name ip ip-address [ key key-string | port port-id | url url-string ] *. Remarks: Required. By default, no portal server is configured. To do: Enter interface view. Command: interface interface-type... Remarks: —...
  • Page 644: Configuring An Authentication Subnet

    If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. You cannot configure two or more portal-free rules with the same filtering conditions. Otherwise, the system prompts that the rule already exists. Whether or not portal authentication is enabled, a portal-free rule can only be added or removed, not modified.
  • Page 645: Specifying A Mandatory Authentication Domain

    Specifying a Mandatory Authentication Domain After you specify a mandatory authentication domain for an interface, the device will use the mandatory authentication domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. Thus, you can specify different authentication domains for different interfaces as needed.
  • Page 646: Portal Configuration Examples

    To do… Use the command… Remarks. To do: Clear portal connection statistics on a specified interface or all interfaces. Command: reset portal connection statistics { all | interface interface-type interface-number }. Remarks: Available in user view. To do: Clear portal server statistics on a specified interface or all... Command: reset portal server statistics { all | interface interface-type... Remarks: Available in user view...
  • Page 647 The following takes iMC as an example to describe the basic configurations required on the portal server. The iMC version is iMC PLAT 3.20-F2603P01 or iMC UAM 3.60-C6201. # Configure the portal server. Log in to the iMC management platform and select the Service tab. Then, select Portal Service Management >...
  • Page 648 Type the device name Switch. Type the IP address of the interface on the switch for connecting the user. Type the key, which must be the same as that configured on the switch. Set whether to enable IP address reallocation. Direct portal authentication is used in this example, and therefore select No from the Reallocate IP drop-down list.
  • Page 649 Figure 1-9 Port group configuration # Select Service Parameters > Validate System Configuration from the navigation tree to make the previous configurations take effect. Configure the switch: Configure a RADIUS scheme # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 650: Configuring Re-Dhcp Portal Authentication

    # Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at login, the authentication and accounting methods of the default domain will be used for the user. [Switch] domain default enable dm1 Configure portal authentication # Configure the portal server as follows: Name: newpt...
  • Page 651 For re-DHCP authentication, you need to configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the DHCP server. The configuration steps are omitted. For DHCP configuration information, refer to DHCP Configuration in the IP Services Volume.
  • Page 652: Configuring Layer 3 Portal Authentication

    [Switch] domain default enable dm1 Configure portal authentication # Configure the portal server as follows: Name: newpt IP address: 192.168.0.111 Key: portal Port number: 50100 URL: http://192.168.0.111/portal. [Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111/portal # Configure the switch as a DHCP relay agent, and enable the invalid address check function. [Switch] dhcp enable [Switch] dhcp relay server-group 0 ip 192.168.0.112 [Switch] interface vlan-interface 100...
  • Page 653 Figure 1-11 Configure Layer 3 portal authentication (figure; labels shown: Switch A; Vlan-int2 192.168.0.100/24; Portal server 192.168.0.111/24; Vlan-int4 20.20.20.1/24; Vlan-int4 20.20.20.2/24; Vlan-int2 8.8.8.1/24; Host; Switch B; 8.8.8.2/24; RADIUS server 192.168.0.112/24). Configuration procedure You need to configure IP addresses for the devices as shown in Figure 1-11 and ensure that routes are available between devices.
  • Page 654: Configuring Direct Portal Authentication With Extended Functions

    # Configure the ISP domain to use RADIUS scheme rs1. [SwitchA-isp-dm1] authentication portal radius-scheme rs1 [SwitchA-isp-dm1] authorization portal radius-scheme rs1 [SwitchA-isp-dm1] accounting portal radius-scheme rs1 [SwitchA-isp-dm1] quit # Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at login, the authentication and accounting methods of the default domain will be used for the user.
  • Page 655 Figure 1-12 Configure direct portal authentication with extended functions (figure; labels shown: Portal server 192.168.0.111/24; Vlan-int100; Vlan-int2 2.2.2.1/24; 192.168.0.100/24; RADIUS server 192.168.0.112/24; Host 2.2.2.2/24, Gateway: 2.2.2.1/24; Switch; Security policy server 192.168.0.113/24). Configuration procedure You need to configure IP addresses for the devices as shown in Figure 1-12 and ensure that routes are available between devices.
  • Page 656 [Switch] domain dm1 # Configure the ISP domain to use RADIUS scheme rs1. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at login, the authentication and accounting methods of the default domain will be used for the user.
  • Page 657: Configuring Re-Dhcp Portal Authentication With Extended Functions

    Configuring Re-DHCP Portal Authentication with Extended Functions Network requirements The host is directly connected to the switch and the switch is configured for re-DHCP authentication. The host is assigned with an IP address through the DHCP server. Before portal authentication, the host uses an assigned private IP address. After passing portal authentication, it can get a public IP address.
  • Page 658 Configure a RADIUS scheme # Create a RADIUS scheme named rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the iMC server, you need to set the server type to extended.
  • Page 659: Configuring Layer 3 Portal Authentication With Extended Functions

    [Switch-acl-adv-3001] rule permit ip
    [Switch-acl-adv-3001] quit
    Configure portal authentication
    # Configure the portal server as follows:
    Name: newpt
    IP address: 192.168.0.111
    Key: portal
    Port number: 50100
    URL: http://192.168.0.111/portal
    [Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111/portal
    # Configure the switch as a DHCP relay agent, and enable the invalid address check function.
  • Page 660

    Configuration procedure
    You need to configure IP addresses for the devices as shown in Figure 1-14 and ensure that routes are available between devices. Perform configurations on the RADIUS server to ensure that the user authentication and accounting functions can work normally.
    Configure Switch A:
    Configure a RADIUS scheme
    # Create a RADIUS scheme named rs1 and enter its view.
  • Page 661: Troubleshooting Portal

    On the security policy server, you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
    [SwitchA] acl number 3000
    [SwitchA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
    [SwitchA-acl-adv-3000] rule deny ip
    [SwitchA-acl-adv-3000] quit
    [SwitchA] acl number 3001
    [SwitchA-acl-adv-3001] rule permit ip
    [SwitchA-acl-adv-3001] quit
    Configure portal authentication...
  • Page 662: Incorrect Server Port Number On The Access Device

    Use the portal server command to modify the key on the access device, or modify the key for the access device on the portal server, to ensure that the keys are consistent.
    Incorrect Server Port Number on the Access Device
    Symptom
    After a user passes the portal authentication, you cannot force the user to log out by executing the portal delete-user command on the access device, but the user can log out by using the disconnect...
  • Page 663

    Table of Contents
    1 Port Security Configuration 1-1
      Introduction to Port Security 1-1
        Port Security Overview 1-1
        Port Security Features 1-2
        Port Security Modes 1-2
        Support for Guest VLAN and Auth-Fail VLAN 1-4
      Port Security Configuration Task List 1-5
      Enabling Port Security 1-5
        Configuration Prerequisites 1-5
        Configuration Procedure 1-5
      Setting the Maximum Number of Secure MAC Addresses 1-6
      Setting the Port Security Mode 1-6...
  • Page 664: Port Security Configuration

    Port Security Configuration
    When configuring port security, go to these sections for information you are interested in:
    Introduction to Port Security
    Port Security Configuration Task List
    Displaying and Maintaining Port Security
    Port Security Configuration Examples
    Troubleshooting Port Security
    Introduction to Port Security
    Port Security Overview
    Port security is a MAC address-based security mechanism for network access control.
  • Page 665: Port Security Features

    Port Security Features
    Need to know (NTK)
    The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent only to devices that have passed authentication, thus preventing illegal devices from intercepting network traffic.
    Intrusion protection
    The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action upon detecting illegal frames.
  • Page 666

    Security mode / Description / Features
    userLoginSecure: In this mode, a port performs 802.1X authentication of users in port-based mode and services only one user passing 802.1X authentication.
    Similar to the userLoginSecure mode, a port in this mode performs 802.1X authentication of users and services only one user passing 802.1X authentication.
  • Page 667: Support For Guest Vlan And Auth-Fail Vlan

    Currently, port security supports two authentication methods: 802.1X and MAC authentication. Different port security modes employ different authentication methods or different combinations of authentication methods. The maximum number of users a port supports is the lesser of the maximum number of secure MAC addresses and the maximum number of authenticated users the security mode supports.
  • Page 668: Port Security Configuration Task List

    Port Security Configuration Task List
    Complete the following tasks to configure port security:
    Task / Remarks
    Enabling Port Security: Required
    Setting the Maximum Number of Secure MAC Addresses: Optional
    Setting the Port Security Mode: Required
    Configuring Port Security Features (Configuring NTK, Configuring Intrusion Protection): Optional. Choose one or more features as...
  • Page 669: Setting The Maximum Number Of Secure Mac Addresses

    For detailed 802.1X configuration, refer to 802.1X Configuration in the Security Volume. For detailed MAC-based authentication configuration, refer to MAC Authentication Configuration in the Security Volume.
    Setting the Maximum Number of Secure MAC Addresses
    With port security enabled, more than one authenticated user is allowed on a port. The number of authenticated users allowed, however, cannot exceed the specified upper limit.
  • Page 670: Configuring Procedure

    With port security disabled, you can configure the port security mode, but your configuration does not take effect. You cannot change the port security mode of a port when any user is present on the port. Before configuring the port to operate in autoLearn mode, set the maximum number of secure MAC addresses allowed on a port.
  • Page 671: Configuring Port Security Features

    Configuring Port Security Features
    Configuring NTK
    The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be forwarded only to devices that have passed authentication. The NTK feature supports three modes:
    ntkonly: Forwards only frames destined for authenticated MAC addresses.
    ntk-withbroadcasts: Forwards only frames destined for authenticated MAC addresses or the broadcast address.
  • Page 672: Configuring Trapping

    To do… Use the command… Remarks
    Task: Configure the intrusion protection feature
    Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
    Remarks: Required. By default, intrusion protection is disabled.
    Task: Return to system view
    Command: quit
    Remarks: —
    Task: Set the silence timeout during which a port remains disabled
    Command: port-security timer disableport time-value
    Remarks: Optional. 20 seconds by default...
  • Page 673: Configuration Prerequisites

    Configuration Prerequisites
    Enable port security
    Set the maximum number of secure MAC addresses allowed on the port
    Set the port security mode to autoLearn
    Configuration Procedure
    Follow these steps to configure a secure MAC address:
    To do… Use the command… Remarks
    Task: Enter system view
    Command: system-view...
  • Page 674: Displaying And Maintaining Port Security

    Displaying and Maintaining Port Security
    To do… Use the command… Remarks
    Task: Display port security configuration information, operation information, and statistics about one or more ports or all ports
    Command: display port-security [ interface interface-list ]
    Remarks: Available in any view
    Task: Display information about security...
    Command: display port-security mac-address security [ interface interface-type...
    Remarks: Available in any view
  • Page 675

    # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
    [Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] port-security timer disableport 30
    Verify the configuration
    After completing the above configurations, you can use the following command to view the port security configuration information:
    <Switch>...
  • Page 676: Configuring The Userloginwithoui Mode

    IfIndex: 9437207
    Port: 9437207
    MAC Addr: 0.2.0.0.0.21
    VLAN ID: 1
    IfAdminStatus: 1
    In addition, you will see that the port security feature has disabled the port if you issue the following command:
    [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1
    GigabitEthernet1/0/1 current state: Port Security Disabled
    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
    Description: GigabitEthernet1/0/1 Interface...
  • Page 677

    Figure 1-2 Network diagram for configuring the userLoginWithOUI mode
    Configuration procedure
    The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Configuration in the Security Volume. Configurations on the host and RADIUS servers are omitted.
    Configure the RADIUS protocol
    # Configure a RADIUS scheme named radsun.
  • Page 678

    [Switch] dot1x authentication-method chap
    Configure port security
    # Enable port security.
    [Switch] port-security enable
    # Add five OUI values.
    [Switch] port-security oui 1234-0100-1111 index 1
    [Switch] port-security oui 1234-0200-1111 index 2
    [Switch] port-security oui 1234-0300-1111 index 3
    [Switch] port-security oui 1234-0400-1111 index 4
    [Switch] port-security oui 1234-0500-1111 index 5
    [Switch] interface gigabitethernet 1/0/1
    # Set the port security mode to userLoginWithOUI.
  • Page 679

    Self-service = Disabled
    Use the following command to view the port security configuration information:
    <Switch> display port-security interface gigabitethernet 1/0/1
    Equipment port-security is enabled
    Trap is disabled
    Disableport Timeout: 20s
    OUI value:
    Index is 1, OUI value is 123401
    Index is 2, OUI value is 123402
    Index is 3, OUI value is 123403...
  • Page 680: Configuring The Macaddresselseuserloginsecure Mode

    EAPOL Packet: Tx 16331, Rx 102
    Sent EAP Request/Identity Packets : 16316
    EAP Request/Challenge Packets: 6
    EAP Success Packets: 4, Fail Packets: 5
    Received EAPOL Start Packets : 6
    EAPOL LogOff Packets: 2
    EAP Response/Identity Packets : 80
    EAP Response/Challenge Packets: 6
    Error Packets: 0
  • Page 681

    Configure port security
    # Enable port security.
    <Switch> system-view
    [Switch] port-security enable
    # Configure a MAC authentication user, setting the user name and password to aaa and 123456 respectively.
    [Switch] mac-authentication user-name-format fixed account aaa password simple 123456
    # Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
    [Switch] dot1x authentication-method chap
    # Set the maximum number of secure MAC addresses allowed on the port to 64.
  • Page 682

    Use the following command to view 802.1X authentication information:
    <Switch> display dot1x interface gigabitethernet 1/0/1
    Equipment 802.1X protocol is enabled
    CHAP authentication is enabled
    EAD quick deploy is disabled
    Configuration: Transmit Period 30 s, Handshake Period 15 s
    Quiet Period 60 s, Quiet Period Timer is disabled
    Supp Timeout...
  • Page 683: Troubleshooting Port Security

    Troubleshooting Port Security
    Cannot Set the Port Security Mode
    Symptom
    Cannot set the port security mode.
    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
    Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
    Analysis
    For a port working in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
  • Page 684

    Analysis
    Changing the port security mode is not allowed when an 802.1X-authenticated or MAC-authenticated user is online.
    Solution
    Use the cut command to forcibly disconnect the user from the port before changing the port security mode.
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] cut connection interface gigabitethernet 1/0/1
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] undo port-security port-mode
  • Page 685

    Table of Contents
    1 IP Source Guard Configuration 1-1
      IP Source Guard Overview 1-1
      Configuring a Static Binding Entry 1-1
      Configuring Dynamic Binding Function 1-2
      Displaying and Maintaining IP Source Guard 1-3
      IP Source Guard Configuration Examples 1-3
        Static Binding Entry Configuration Example 1-3
        Dynamic Binding Function Configuration Example 1-4
      Troubleshooting IP Source Guard 1-6
        Failed to Configure Static Binding Entries and Dynamic Binding Function 1-6...
  • Page 686: Ip Source Guard Configuration

    IP Source Guard Configuration
    When configuring IP Source Guard, go to these sections for information you are interested in:
    IP Source Guard Overview
    Configuring a Static Binding Entry
    Configuring Dynamic Binding Function
    Displaying and Maintaining IP Source Guard
    IP Source Guard Configuration Examples
    Troubleshooting IP Source Guard
    IP Source Guard Overview
    By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through,...
  • Page 687: Configuring Dynamic Binding Function

    To do… Use the command… Remarks
    Task: Configure a static binding entry
    Command: user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
    Remarks: Required. No static binding entry exists by default.
    The system does not support binding the same entry to one port more than once. For products supporting multi-port binding, a binding entry can be configured on multiple ports;...
  • Page 688: Displaying And Maintaining Ip Source Guard

    Displaying and Maintaining IP Source Guard
    To do… Use the command… Remarks
    Task: Display information about static binding entries
    Command: display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ]
    Remarks: Available in any view
    Task: Display information about...
    Command: display ip check source [ interface interface-type interface-number | ...
    Remarks: Available in any...
  • Page 689: Dynamic Binding Function Configuration Example

    [SwitchA-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405
    [SwitchA-GigabitEthernet1/0/2] quit
    # Configure port GigabitEthernet 1/0/1 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
    Configure Switch B
    # Configure the IP addresses of various interfaces (omitted).
  • Page 690

    For detailed configuration of a DHCP server, refer to DHCP Configuration in the IP Service Volume.
    Network diagram
    Figure 1-2 Network diagram for configuring dynamic binding function
    Configuration procedure
    Configure Switch A
    # Configure dynamic binding function on port GigabitEthernet 1/0/1.
    <SwitchA>...
  • Page 691: Troubleshooting Ip Source Guard

    [SwitchA-GigabitEthernet1/0/1] display dhcp-snooping
    DHCP Snooping is enabled.
    The client binding table for all untrusted ports.
    Type : D--Dynamic , S--Static
    Type IP Address MAC Address Lease VLAN Interface
    ==== =============== ============== ============ ==== =================
    192.168.0.1 0001-0203-0406 86335 GigabitEthernet1/0/1
    As you can see, port GigabitEthernet 1/0/1 has obtained the dynamic entries generated by DHCP snooping after it is configured with the dynamic binding function.
  • Page 692

    Table of Contents
    1 SSH2.0 Configuration 1-1
      SSH2.0 Overview 1-1
        Introduction to SSH2.0 1-1
        Operation of SSH 1-1
      Configuring the Device as an SSH Server 1-4
        SSH Server Configuration Task List 1-4
        Generating a DSA or RSA Key Pair 1-4
        Enabling SSH Server 1-5
        Configuring the User Interfaces for SSH Clients 1-5
        Configuring a Client Public Key 1-6
        Configuring an SSH User 1-7
        Setting the SSH Management Parameters 1-8...
  • Page 693: Ssh2.0 Configuration

    SSH2.0 Configuration
    When configuring SSH2.0, go to these sections for information you are interested in:
    SSH2.0 Overview
    Configuring the Device as an SSH Server
    Configuring the Device as an SSH Client
    Displaying and Maintaining SSH
    SSH Server Configuration Examples
    SSH Client Configuration Examples
    SSH2.0 Overview
    Introduction to SSH2.0
    Secure Shell (SSH) offers an approach to securely logging into a remote device.
  • Page 694

    Stages / Description
    Session request: After passing authentication, the client sends a session request to the server.
    Interaction: After the server grants the request, the client and server start to communicate with each other.
    Version negotiation
    The server opens port 22 to listen for connection requests from clients. The client sends a TCP connection request to the server.
  • Page 695 Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about DSA and RSA key pairs, refer to Public Key Configuration in the Security Volume.
  • Page 696: Configuring The Device As An Ssh Server

    Session request
    After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. After successfully processing the request, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client.
  • Page 697: Enabling Ssh Server

    To do… Use the command… Remarks
    Task: Enter system view
    Command: system-view
    Remarks: —
    Task: Generate the local DSA or RSA key pair
    Command: public-key local create { dsa | rsa }
    Remarks: Required. By default, there is neither a DSA key pair nor an RSA key pair.
    For details about the public-key local create command, refer to Public Key Commands in the Security Volume.
  • Page 698: Configuring A Client Public Key

    To do… Use the command… Remarks
    Task: Enter system view
    Command: system-view
    Remarks: —
    Task: Enter user interface view of one or more user interfaces
    Command: user-interface vty number [ ending-number ]
    Remarks: —
    Task: Set the login authentication mode to scheme
    Command: authentication-mode scheme [ command-authorization ]
    Remarks: Required. By default, the authentication mode is password.
  • Page 699: Configuring An Ssh User

    It is recommended that you configure a client public key by importing it from a public key file. You can configure at most 20 client public keys on an SSH server.
    Configuring a client public key manually
    Follow these steps to configure the client public key manually:
    To do…...
  • Page 700: Setting The Ssh Management Parameters

    To do… Use the command… Remarks
    Task: Enter system view
    Command: system-view
    Remarks: —
    Task: Create an SSH user, and specify the service type
    Command: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
    Remarks: For Stelnet users. Required. Use either...
  • Page 701: Configuring The Device As An Ssh Client

    Enabling the SSH server to be compatible with SSH1 clients
    Setting the server key pair update interval, applicable to users using SSH1 clients
    Setting the SSH user authentication timeout period
    Setting the maximum number of SSH authentication attempts
    Setting the above parameters helps prevent malicious guessing and cracking of keys and usernames, securing your SSH connections.
  • Page 702: Specifying A Source Ip Address/Interface For The Ssh Client

    To do… Use the command… Remarks
    Task: Enter system view
    Command: system-view
    Remarks: —
    Task: Specify a source IPv4 address or interface for the SSH client
    Command: ssh client source { ip ip-address | interface interface-type interface-number }
    Remarks: Required. By default, the source IP address of the address or interface decided...
  • Page 703: Establishing A Connection Between The Ssh Client And The Server

    To do… Use the command… Remarks
    Task: Configure the server public key
    Command: Refer to Configuring a Client Public Key
    Remarks: Required. The method of configuring the server public key on the client is similar to that of configuring the client public key on the server.
    Task: Specify the host public key
    Command: ssh client authentication...
    Remarks: Required...
  • Page 704: Ssh Server Configuration Examples

    To do… Use the command… Remarks
    Task: Display the public keys of the local key pairs
    Command: display public-key local { dsa | rsa } public
    Remarks: Available in any view
    Task: Display the public keys of the SSH peers
    Command: display public-key peer [ brief | name publickey-name ]
    Remarks: Available in any view
    For information about the display public-key local and display public-key peer commands, refer to...
  • Page 705

    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Create local user client001, and set the user command privilege level to 3.
    [Switch] local-user client001
    [Switch-luser-client001] password simple aabbcc
    [Switch-luser-client001] service-type ssh
    [Switch-luser-client001] authorization-attribute level 3
    [Switch-luser-client001] quit
    # Specify the service type for user client001 as Stelnet, and the authentication mode as password. This step is optional.
  • Page 706: When Switch Acts As Server For Publickey Authentication

    Figure 1-2 SSH client configuration interface
    In the window shown in Figure 1-2, click Open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface.
    When Switch Acts as Server for Publickey Authentication
    Network requirements
    As shown in...
  • Page 707

    [Switch] public-key local create dsa
    [Switch] ssh server enable
    # Configure an IP address for VLAN interface 1. This address will serve as the destination of the SSH connection.
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
    [Switch-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA.
  • Page 708

    Figure 1-4 Generate a client key pair 1)
    While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-5. Otherwise, the progress bar stops moving and the key pair generation process will be stopped.
  • Page 709

    Figure 1-5 Generate a client key pair 2)
    After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
    Figure 1-6 Generate a client key pair 3)
  • Page 710

    Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private in this case).
    Figure 1-7 Generate a client key pair 4)
    After generating a key pair on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of...
  • Page 711: Ssh Client Configuration Examples

    Select Connection/SSH/Auth from the navigation tree. The following window appears. Click Browse… to bring up the file selection window, navigate to the private key file and click OK.
    Figure 1-9 SSH client configuration interface 2)
    In the window shown in Figure 1-9, click Open.
  • Page 712

    # Create RSA and DSA key pairs and enable the SSH server.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    [SwitchB] public-key local create dsa
    [SwitchB] ssh server enable
    # Create an IP address for VLAN interface 1, which the SSH client will use as the destination for the SSH connection.
  • Page 713

    After you enter the correct username, you can log into Switch B successfully.
    If the client does not support first-time authentication, you need to perform the following configurations.
    # Disable first-time authentication.
    [SwitchA] undo ssh client first-time
    # Configure the host public key of the SSH server. You can get the server host public key by using the display public-key local dsa public command on the server.
  • Page 714: When Switch Acts As Client For Publickey Authentication

    When Switch Acts as Client for Publickey Authentication
    Network requirements
    As shown in Figure 1-11, Switch A (the SSH client) needs to log into Switch B (the SSH server) through the SSH protocol. Publickey authentication is used, and the public key algorithm is DSA.
    Figure 1-11 Switch acts as client for publickey authentication
    Configuration procedure
    Configure the SSH server...
  • Page 715

    # Specify the authentication type for user client002 as publickey, and assign the public key Switch001 to the user.
    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Configure the SSH client
    # Configure an IP address for VLAN interface 1.
    <SwitchA>...
  • Page 716: Sftp Service

    SFTP Service
    When configuring SFTP, go to these sections for information you are interested in:
    SFTP Overview
    Configuring an SFTP Server
    Configuring an SFTP Client
    SFTP Client Configuration Example
    SFTP Server Configuration Example
    SFTP Overview
    The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer.
  • Page 717: Configuring The Sftp Connection Idle Timeout Period

    When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded to a local location, modified, and then uploaded to the server.
    Configuring the SFTP Connection Idle Timeout Period
    Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that a user cannot hold a connection open while idle.
  • Page 718: Working With The Sftp Directories

    To do… Use the command… Remarks
    Task: Establish a connection to the remote IPv4 SFTP server and...
    Command: sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | ...
  • Page 719: Working With Sftp Files

    To do… Use the command… Remarks
    Task: Create a new directory on the remote SFTP server
    Command: mkdir remote-path
    Remarks: Optional
    Task: Delete a directory from the SFTP server
    Command: rmdir remote-path&<1-10>
    Remarks: Optional
    Working with SFTP Files
    SFTP file operations include:
    Changing the name of a file
    Downloading a file
    Uploading a file
    Displaying a list of the files...
  • Page 720: Terminating The Connection To The Remote Sftp Server

    To do… Use the command… Remarks
    Task: Enter SFTP client view
    Command: sftp [ ipv6 ] server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex ...
    Remarks: Required. Execute the command in user...
  • Page 721

    # Generate RSA and DSA key pairs and enable the SSH server.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    [SwitchB] public-key local create dsa
    [SwitchB] ssh server enable
    # Enable the SFTP server.
    [SwitchB] sftp server enable
    # Configure an IP address for VLAN interface 1, which the SSH client uses as the destination for the SSH connection.
  • Page 722

    [SwitchA] quit
    After generating key pairs on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client.
    # Establish a connection to the remote SFTP server and enter SFTP client view.
    <SwitchA>...
  • Page 723: Sftp Server Configuration Example

    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
    drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
    -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
    drwxrwxrwx...
  • Page 724

    authentication with the username being client002 and the password being aabbcc. The username and password are saved on the switch.
    Figure 2-2 Network diagram for SFTP server configuration
    Configuration procedure
    Configure the SFTP server
    # Generate RSA and DSA key pairs and enable the SSH server.
    <Switch>...
  • Page 725

    There are many kinds of SSH client software. The following takes PSFTP from PuTTY Version 0.58 as an example. PSFTP supports only password authentication.
    # Establish a connection with the remote SFTP server.
    Run psftp.exe to launch the client interface as shown in Figure 2-3, and enter the following command:...
  • Page 726

    Table of Contents
    1 PKI Configuration 1-1
      Introduction to PKI 1-1
        PKI Overview 1-1
        PKI Terms 1-1
        Architecture of PKI 1-2
        Applications of PKI 1-3
        Operation of PKI 1-3
      PKI Configuration Task List 1-4
      Configuring an Entity DN 1-4
      Configuring a PKI Domain 1-6
      Submitting a PKI Certificate Request 1-7
        Submitting a Certificate Request in Auto Mode 1-7
        Submitting a Certificate Request in Manual Mode 1-8...
  • Page 727: Pki Configuration

    PKI Configuration When configuring PKI, go to these sections for information you are interested in: Introduction to PKI PKI Configuration Task List Displaying and Maintaining PKI PKI Configuration Examples Troubleshooting PKI Introduction to PKI This section covers these topics: PKI Overview PKI Terms Architecture of PKI Applications of PKI...
  • Page 728: Architecture Of Pki

    level. The root CA has a CA certificate signed by itself while each lower level CA has a CA certificate signed by the CA at the next higher level. An existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user stops the business.
  • Page 729: Applications Of Pki

    A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
  • Page 730: Pki Configuration Task List

    The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 731 The configuration of an entity DN must comply with the certificate issuing policy of the CA. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, the certificate request may be rejected. Follow these steps to configure an entity DN: To do…...
  • Page 732: Configuring A Pki Domain

    Configuring a PKI Domain Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. A PKI domain is defined by these parameters: Trusted CA An entity requests a certificate from a trusted CA.
  • Page 733: Submitting A Pki Certificate Request

    To do… Use the command… Remarks Required Specify the entity for certificate certificate request entity No entity is specified by default. request entity-name The specified entity must exist. Required Specify the authority for certificate request from { ca | No authority is specified by certificate request ra } default.
  • Page 734: Submitting A Certificate Request In Manual Mode

    Follow these steps to configure an entity to submit a certificate request in auto mode: To do… Use the command… Remarks Enter system view system-view — Enter PKI domain view pki domain domain-name — certificate request mode auto Required Set the certificate request [ key-length key-length | password mode to auto Manual by default...
  • Page 735: Retrieving A Certificate Manually

    If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands in the Security Volume.
  • Page 736: Configuring Pki Certificate Verification

    If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
  • Page 737: Destroying A Local Rsa Key Pair

    To do… Use the command… Remarks Enter system view system-view — Enter PKI domain view — pki domain domain-name Required Disable CRL checking crl check disable Enabled by default Return to system view quit — Refer to Retrieving a Certificate Retrieve the CA certificate Required Manually...
  • Page 738: Configuring An Access Control Policy

    To do… Use the command… Remarks Enter system view system-view — pki delete-certificate { ca | local } domain Delete certificates Required domain-name Configuring an Access Control Policy By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
  • Page 739: Pki Configuration Examples

    To do… Use the command… Remarks Display information about one display pki certificate or all certificate attribute-based access-control-policy Available in any view access control policies { policy-name | all } PKI Configuration Examples The SCEP plug-in is required when you use the Windows Server as the CA. In this case, when configuring the PKI domain, you need to use the certificate request from ra command to specify that the entity requests a certificate from an RA.
  • Page 740 Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C). The other attributes may be left using the default values. # Configure extended attributes. After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server.
  • Page 741 Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ Apply for certificates # Retrieve the CA certificate and save it locally. [Switch] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while..The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..
  • Page 742: Requesting A Certificate From A Ca Running Windows 2003 Server

    Not After : Jan 8 09:26:53 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F...
  • Page 743 Figure 1-3 Request a certificate from a CA running Windows 2003 server Configuration procedure Configure the CA server Install the certificate server suites From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation. Install the SCEP plug-in As a CA server running the Windows 2003 server does not support SCEP by default, you need to install the SCEP plug-in so that the switch can register and obtain its certificate automatically.
  • Page 744 # Configure the URL of the registration server in the format of http://host:port/ certsrv/mscep/mscep.dll, where host:port indicates the IP address and port number of the CA server. [Switch-pki-domain-torsa] certificate request http://4.4.4.1:8080/certsrv/mscep/mscep.dll # Set the registration authority to RA. [Switch-pki-domain-torsa] certificate request from ra # Specify the entity for certificate request as aaa.
  • Page 745 Data: Version: 3 (0x2) Serial Number: 48FA0FD9 00000000 000C Signature Algorithm: sha1WithRSAEncryption Issuer: CN=CA server Validity Not Before: Nov 21 12:32:16 2007 GMT Not After : Nov 21 12:42:16 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00A6637A 8CDEA1AC B2E04A59 F7F6A9FE...
  • Page 746: Configuring A Certificate Attribute-Based Access Control Policy

    Configuring a Certificate Attribute-Based Access Control Policy Network requirements The client accesses the remote HTTP Security (HTTPS) server through the HTTPS protocol. SSL is configured to ensure that only legal clients log into the HTTPS server. Create a certificate attribute-based access control policy to control access to the HTTPS server. Figure 1-4 Configure a certificate attribute-based access control policy Configuration procedure For detailed information about SSL configuration, refer to SSL Configuration in the Security...
  • Page 747: Troubleshooting Pki

    # Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the FQDN of the alternative subject name does not include the string of apple, and the second rule defines that the DN of the certificate issuer name includes the string aabbcc. [Switch] pki certificate attribute-group mygroup2 [Switch-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple [Switch-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc...
  • Page 748: Failed To Request A Local Certificate

    Failed to Request a Local Certificate Symptom Failed to request a local certificate. Analysis Possible reasons include these: The network connection is not proper. For example, the network cable may be damaged or loose. No CA certificate has been retrieved. The current key pair has been bound to a certificate.
  • Page 749 Table of Contents 1 SSL Configuration ·····································································································································1-1 SSL Overview ·········································································································································1-1 SSL Security Mechanism ················································································································1-1 SSL Protocol Stack··························································································································1-2 SSL Configuration Task List ···················································································································1-2 Configuring an SSL Server Policy···········································································································1-3 Configuration Prerequisites ·············································································································1-3 Configuration Procedure··················································································································1-3 SSL Server Policy Configuration Example ······················································································1-4 Configuring an SSL Client Policy ············································································································1-5 Configuration Prerequisites ·············································································································1-6 Configuration Procedure··················································································································1-6 Displaying and Maintaining SSL ·············································································································1-6...
  • Page 750: Ssl Configuration

    SSL Configuration When configuring SSL, go to these sections for information you are interested in: SSL Overview SSL Configuration Task List Displaying and Maintaining SSL Troubleshooting SSL SSL Overview Secure Sockets Layer (SSL) is a security protocol providing secure connection service for TCP-based application layer protocols, for example, HTTP protocol.
  • Page 751: Ssl Protocol Stack

    For details about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, refer to Public Key Configuration in the Security Volume. For details about PKI, certificate, and CA, refer to PKI Configuration in the Security Volume. SSL Protocol Stack As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at...
  • Page 752: Configuring An Ssl Server Policy

    Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, HTTP protocol, for example.
  • Page 753: Ssl Server Policy Configuration Example

    If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0.
  • Page 754: Configuring An Ssl Client Policy

    [Device] pki domain 1 [Device-pki-domain-1] ca identifier ca1 [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [Device-pki-domain-1] certificate request from ra [Device-pki-domain-1] certificate request entity en [Device-pki-domain-1] quit # Create the local RSA key pairs. [Device] public-key local create rsa # Retrieve the CA certificate. [Device] pki retrieval-certificate ca domain 1 # Request a local certificate.
  • Page 755: Configuration Prerequisites

    Configuration Prerequisites If the SSL server is configured to authenticate the SSL client, when configuring the SSL client policy, you need to specify the PKI domain to be used for obtaining the certificate of the client. Therefore, before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, refer to PKI Configuration in the Security Volume.
  • Page 756 Analysis SSL handshake failure may result from the following causes: No SSL server certificate exists, or the certificate is not trusted. The server is expected to authenticate the client, but the SSL client has no certificate or the certificate is not trusted. The cipher suites used by the server and the client do not match.
  • Page 757 Table of Contents 1 Public Key Configuration··························································································································1-1 Asymmetric Key Algorithm Overview······································································································1-1 Basic Concepts································································································································1-1 Key Algorithm Types ·······················································································································1-1 Asymmetric Key Algorithm Applications··························································································1-1 Configuring the Local Asymmetric Key Pair····························································································1-2 Creating an Asymmetric Key Pair ···································································································1-2 Displaying or Exporting the Local RSA or DSA Host Public Key ····················································1-3 Destroying an Asymmetric Key Pair································································································1-3 Configuring the Public Key of a Peer ······································································································1-3 Displaying and Maintaining Public Keys ·································································································1-4...
  • Page 758: Public Key Configuration

    Public Key Configuration When configuring public keys, go to these sections for information you are interested in: Asymmetric Key Algorithm Overview Configuring the Local Asymmetric Key Pair Configuring the Public Key of a Peer Displaying and Maintaining Public Keys Public Key Configuration Examples Asymmetric Key Algorithm Overview Basic Concepts Algorithm: A set of transformation rules for encryption and decryption.
  • Page 759: Configuring The Local Asymmetric Key Pair

    Encryption/decryption: The information encrypted with a receiver's public key can be decrypted by the receiver possessing the corresponding private key. This is used to ensure confidentiality. Digital signature: The information encrypted with a sender's private key can be decrypted by anyone who has access to the sender's public key, thereby proving that the information is from the sender and has not been tampered with.
  • Page 760: Displaying Or Exporting The Local Rsa Or Dsa Host Public Key

    Configuration of the public-key local create command can survive a reboot. The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. The length of an RSA key modulus is in the range 512 to 2048 bits.
  • Page 761: Displaying And Maintaining Public Keys

    Import it from the public key file: The system automatically converts the public key to a string coded using the PKCS (Public Key Cryptography Standards). Before importing the public key, you must upload the peer's public key file (in binary) to the local host through FTP or TFTP. If you choose to input the public key, the public key must be in a correct format.
  • Page 762: Public Key Configuration Examples

    Public Key Configuration Examples Configuring the Public Key of a Peer Manually Network requirements Device A is authenticated by Device B when accessing Device B, so the public key of Device A should be configured on Device B in advance. In this example: RSA is used.
  • Page 763: Importing The Public Key Of A Peer From A Public Key File

    ===================================================== Time of Key pair created: 09:50:07 2007/08/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E 35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8 4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 Configure Device B # Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A.
  • Page 764 The host public key of Device A is imported from the public key file to Device B. Figure 1-3 Network diagram for importing the public key of a peer from a public key file Configuration procedure Create key pairs on Device A and export the host public key # Create RSA key pairs on Device A.
  • Page 765 [DeviceA] public-key local export rsa ssh2 devicea.pub [DeviceA] quit Enable the FTP server function on Device B # Enable the FTP server function, create an FTP user with the username ftp and password 123. <DeviceB> system-view [DeviceB] ftp server enable [DeviceB] local-user ftp [DeviceB-luser-ftp] password simple 123 [DeviceB-luser-ftp] service-type ftp...
  • Page 766 Table of Contents 1 ACL Overview ············································································································································1-1 Introduction to ACL ·································································································································1-1 Introduction······································································································································1-1 Application of ACLs on the Switch ··································································································1-1 Introduction to IPv4 ACL ·························································································································1-2 IPv4 ACL Classification ···················································································································1-2 IPv4 ACL Naming ····························································································································1-2 IPv4 ACL Match Order ····················································································································1-3 IPv4 ACL Step ·································································································································1-4 Effective Period of an IPv4 ACL ······································································································1-4 IP Fragments Filtering with IPv4 ACL ·····························································································1-4 Introduction to IPv6 ACL ·························································································································1-4...
  • Page 767 Configuring a Basic IPv6 ACL·················································································································3-1 Configuration Prerequisites ·············································································································3-1 Configuration Procedure··················································································································3-1 Configuration Example ····················································································································3-2 Configuring an Advanced IPv6 ACL ·······································································································3-2 Configuration Prerequisites ·············································································································3-3 Configuration Procedure··················································································································3-3 Configuration Example ····················································································································3-4 Copying an IPv6 ACL······························································································································3-4 Configuration Prerequisites ·············································································································3-4 Configuration Procedure··················································································································3-4 Displaying and Maintaining IPv6 ACLs ···································································································3-5 IPv6 ACL Configuration Example ···········································································································3-5 Network Requirements ····················································································································3-5 Network Diagram·····························································································································3-5...
  • Page 768: Acl Overview

    ACL Overview In order to filter traffic, network devices use sets of rules, called access control lists (ACLs), to identify and handle packets. When configuring ACLs, go to these chapters for information you are interested in: ACL Overview IPv4 ACL Configuration IPv6 ACL Configuration Unless otherwise stated, ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document.
  • Page 769: Introduction To Ipv4 Acl

    When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic classification, the switch does not take action according to the traffic behavior definition on a packet that does not match the ACL. When an ACL is referenced by a piece of software to control Telnet, SNMP, and Web login users, the switch denies all packets that do not match the ACL.
  • Page 770: Ipv4 Acl Match Order

    The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name. IPv4 ACL Match Order An ACL may consist of multiple rules, which specify different matching criteria. These criteria may have overlapping or conflicting parts.
  • Page 771: Ipv4 Acl Step

    If the numbers of ones in the destination MAC address masks are the same, compare packets against the one configured first. The comparison of a packet against ACL rules stops immediately after a match is found. The packet is then processed as per the rule. IPv4 ACL Step Meaning of the step The step defines the difference between two neighboring numbers that are automatically assigned to...
  • Page 772: Ipv6 Acl Classification

    Effective Period of an IPv6 ACL IPv6 ACL Classification IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-2. Table 1-2 IPv6 ACL categories Category ACL number Matching criteria Basic IPv6 ACL 2000 to 2999 Source IPv6 address Source IPv6 address, destination IPv6 address, Advanced IPv6 ACL...
  • Page 773: Ipv6 Acl Step

    Look at the protocol type field in the rules first. A rule with no limit to the protocol type (that is, configured with the ipv6 keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level. Compare packets against the rule with the highest precedence.
  • Page 774: Ipv4 Acl Configuration

    IPv4 ACL Configuration When configuring an IPv4 ACL, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv4 ACL Configuring an Advanced IPv4 ACL Configuring an Ethernet Frame Header ACL Copying an IPv4 ACL Displaying and Maintaining IPv4 ACLs IPv4 ACL Configuration Example Creating a Time Range...
  • Page 775: Configuration Example

    on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
  • Page 776: Configuration Procedure

    Configuration Procedure Follow these steps to configure a basic IPv4 ACL: To do… Use the command… Remarks Enter system view system-view –– Required acl number acl-number The default match order is config. Create a basic IPv4 ACL [ name acl-name ] If you specify a name for an IPv4 ACL and enter its view [ match-order { auto |...
  • Page 777: Configuring An Advanced Ipv4 Acl

    <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 1.1.1.1 0 # Verify the configuration. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, named -none-, 1 rule, ACL's step is 5 rule 0 deny source 1.1.1.1 0 (5 times matched) Configuring an Advanced IPv4 ACL Advanced IPv4 ACLs match packets based on source IP address, destination IP address, protocol carried over IP, and other protocol header fields, such as the TCP/UDP source port number, TCP/UDP...
  • Page 778: Configuration Example

    To do… Use the command… Remarks Optional Set the rule numbering step step-value step 5 by default Optional Configure a description for the advanced IPv4 description text By default, an advanced IPv4 ACL has no ACL description. Optional Configure a rule rule rule-id comment text By default, an IPv4 ACL rule has no description...
  • Page 779: Configuring An Ethernet Frame Header Acl

    Configuring an Ethernet Frame Header ACL Ethernet frame header ACLs match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type. They are numbered in the range 4000 to 4999. Configuration Prerequisites If you want to reference a time range in a rule, define it with the time-range command first.
  • Page 780: Configuration Example

    Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
  • Page 781: Displaying And Maintaining Ipv4 Acls

    The source IPv4 ACL and the destination IPv4 ACL must be of the same type. The destination ACL does not take the name of the source IPv4 ACL. Displaying and Maintaining IPv4 ACLs To do... Use the command… Remarks Display information about one or all IPv4 display acl { acl-number | all | Available in any ACLs...
  • Page 782: Configuration Procedure

    Configuration Procedure Create a time range for office hours # Create a periodic time range spanning 8:00 to 18:00 in working days. <Switch> system-view [Switch] time-range trname 8:00 to 18:00 working-day Define an ACL to control access to the salary query server # Configure a rule to control access of the R&D Department to the salary query server.
  • Page 783 [Switch] interface GigabitEthernet 1/0/2 [Switch-GigabitEthernet1/0/2] qos apply policy p_rd inbound [Switch-GigabitEthernet1/0/2] quit # Apply QoS policy p_market to interface GigabitEthernet 1/0/3. [Switch] interface GigabitEthernet 1/0/3 [Switch-GigabitEthernet1/0/3] qos apply policy p_market inbound 2-10...
  • Page 784: Ipv6 Acl Configuration

    IPv6 ACL Configuration When configuring IPv6 ACLs, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv6 ACL Configuring an Advanced IPv6 ACL Copying an IPv6 ACL Displaying and Maintaining IPv6 ACLs IPv6 ACL Configuration Example Creating a Time Range Refer to...
  • Page 785 To do… Use the command… Remarks Optional Configure a description description text By default, a basic IPv6 ACL has no ACL for the basic IPv6 ACL description. Optional Configure a rule rule rule-id comment text By default, an IPv6 ACL rule has no rule description description.
  • Page 786 Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they allow more flexible and accurate filtering. Configuration Prerequisites If you want to reference a time range in a rule, define it with the time-range command first. Configuration Procedure Follow these steps to configure an advanced IPv6 ACL: To do…...
  • Page 787 When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
  • Page 788: Ipv6 Acl Configuration Example

    The source IPv6 ACL and the destination IPv6 ACL must be of the same type. The destination ACL does not take the name of the source IPv6 ACL. Displaying and Maintaining IPv6 ACLs To do… Use the command… Remarks Display information about one or all display acl ipv6 { acl6-number | all | Available in any IPv6 ACLs...
  • Page 789 [Switch-acl6-basic-2000] quit # Configure class c_rd for packets matching IPv6 ACL 2000. [Switch] traffic classifier c_rd [Switch-classifier-c_rd] if-match acl ipv6 2000 [Switch-classifier-c_rd] quit # Configure traffic behavior b_rd to deny matching packets. [Switch] traffic behavior b_rd [Switch-behavior-b_rd] filter deny [Switch-behavior-b_rd] quit # Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd.
  • Page 790 ACL Application for Packet Filtering When applying an ACL for packet filtering, go to these sections for information you are interested in: Filtering Ethernet Frames Filtering IPv4 Packets Filtering IPv6 Packets ACL Application Example You can apply an ACL to the inbound direction of an Ethernet interface or VLAN interface to filter packets: Applied to an Ethernet interface, an ACL can filter all Ethernet frames, IPv4 packets, and IPv6 packets that are received or to be sent on the interface.
  • Page 791 Configuring Packet Filtering Statistics Function The S5500-SI series provides the packet filtering statistics function so that the device can output packet filtering statistics information at a specified interval. With the output, you are able to know how many packets are filtered by which ACL rules.
  • Page 792 Follow the steps to set the intervals for packet filtering statistics so that the device outputs packet filtering statistics at the end of every interval: To do… Use the command… Remarks Enter system view system-view — Set the interval for IPv4 packet acl logging frequence Configure a command as filtering statistics...
  • Page 793 [DeviceA] acl number 2009 # Create basic IPv4 ACL rules to permit packets sourced from 192.168.1.2/32 and deny all other packets during time range study. [DeviceA-acl-basic-2009] rule permit source 192.168.1.2 0 time-range study [DeviceA-acl-basic-2009] rule deny source any time-range study [DeviceA-acl-basic-2009] quit # Apply ACL 2009 to the inbound direction of interface GigabitEthernet 1/0/1. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] packet-filter 2009 inbound Applying an ACL to a VLAN Interface...
  • Page 794 Table of Contents 1 ARP Attack Protection Configuration······································································································1-1 ARP Attack Protection Overview ············································································································1-1 ARP Attack Protection Configuration Task List ······················································································1-1 Configuring ARP Defense Against IP Packet Attacks ············································································1-2 Introduction······································································································································1-2 Configuring ARP Source Suppression ····························································································1-3 Enabling ARP Black Hole Routing ··································································································1-3 Displaying and Maintaining ARP Defense Against IP Packet Attacks ············································1-3 Configuring ARP Packet Rate Limit ········································································································1-3 Introduction······································································································································1-3...
  • Page 795: Arp Attack Protection Configuration

    ARP Attack Protection Configuration When configuring ARP Attack Protection, go to these sections for information you are interested in: Configuring ARP Defense Against IP Packet Attacks Configuring ARP Packet Rate Limit Configuring Source MAC Address Based ARP Attack Detection Configuring ARP Packet Source MAC Address Consistency Check Configuring ARP Active Acknowledgement Configuring ARP Detection Configuring ARP Automatic Scanning and Fixed ARP...
  • Page 796: Configuring Arp Defense Against Ip Packet Attacks

    Task Remarks Optional Configuring Source MAC Address Based Configure this function on gateways ARP Attack Detection (recommended). Optional Configuring ARP Packet Source MAC Configure this function on gateways Address Consistency Check (recommended). Optional Configuring ARP Active Acknowledgement Configure this function on gateways (recommended).
  • Page 797: Configuring Arp Source Suppression

    Configuring ARP Source Suppression Follow these steps to configure ARP source suppression: To do… Use the command… Remarks Enter system view system-view — Required arp source-suppression Enable ARP source suppression enable Disabled by default. Set the maximum number of packets with the Optional same source IP address but unresolvable arp source-suppression...
  • Page 798: Configuring Source Mac Address Based Arp Attack Detection

    To do… Use the command… Remarks Enter Ethernet interface interface interface-type — view interface-number Required Configure ARP packet rate arp rate-limit { disable | By default, the ARP packet rate limit limit rate pps drop } is enabled and is 100 pps. Configuring Source MAC Address Based ARP Attack Detection Introduction This feature allows the device to check the source MAC address of ARP packets.
  • Page 799: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Displaying and Maintaining Source MAC Address Based ARP Attack Detection To do… Use the command… Remarks Display attacking entries display arp anti-attack source-mac Available in any detected [ interface interface-type interface-number ] view Configuring ARP Packet Source MAC Address Consistency Check Introduction This feature enables a gateway device to filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message, so that the gateway...
  • Page 800: Configuring Arp Detection

    Configuring ARP Detection Introduction The ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded, hence preventing user spoofing and gateway spoofing. ARP detection includes ARP detection based on specified objects, and ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses.
  • Page 801 To do… Use the command… Remarks Optional Configure the port as a trusted port on which ARP detection arp detection trust The port is an untrusted port by does not apply default. Enabling ARP Detection Based on Static IP Source Guard Binding Entries/DHCP Snooping Entries/802.1X Security Entries/OUI MAC Addresses With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP Source Guard binding entries, DHCP snooping entries,...
  • Page 802: Entries/802.1X Security Entries/Oui Mac Addresses

    To do… Use the command… Remarks Required Disabled by default. That is, ARP Enable ARP detection for detection based on static IP Source arp detection enable the VLAN Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is not enabled by default. Return to system view quit —...
  • Page 803 Figure 1-1 Network diagram for ARP detection configuration Configuration procedure Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Omitted) Configure Switch A as a DHCP server # Configure DHCP address pool 0. <SwitchA>...
  • Page 804: Arp Detection Configuration Example Ii

    [SwitchB-GigabitEthernet1/0/3] quit # Enable the checking of the MAC addresses and IP addresses of ARP packets. [SwitchB] arp detection validate dst-mac ip src-mac After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet1/0/2 and GigabitEthernet1/0/3, their MAC and IP addresses are checked, and then the packets are checked against the static IP Source Guard binding entries and finally DHCP snooping entries.
  • Page 805: Configuring Arp Automatic Scanning And Fixed Arp

    [SwitchB] dot1x [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-gigabitethernet1/0/1] dot1x [SwitchB-gigabitethernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-gigabitethernet1/0/2] dot1x [SwitchB-gigabitethernet1/0/2] quit # Add local access user test. [SwitchB] local-user test [SwitchB-luser-test] service-type lan-access [SwitchB-luser-test] password simple test [SwitchB-luser-test] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is...
  • Page 806: Configuring Arp Gateway Protection

    To do… Use the command… Remarks Enter system view system-view — Enter interface view interface interface-type interface-number — Enable ARP automatic arp scan [ start-ip-address to end-ip-address ] Required scanning Return to system view quit — Enable fixed ARP arp fixup Optional IP addresses already existent in ARP entries are not scanned.
  • Page 807: Arp Gateway Protection Configuration Example

    To do… Use the command… Remarks Required Enable ARP gateway protection arp filter source ip-address for a specified gateway Disabled by default. You can enable ARP gateway protection for up to eight gateways on a port. Commands arp filter source and arp filter binding cannot be both configured on a port. If ARP gateway protection works with ARP detection, MFF, and ARP snooping, ARP gateway protection applies first.
  • Page 808: Configuring Arp Filtering

    After the above configuration is complete, Switch B will discard the ARP packets whose source IP address is that of the gateway. Configuring ARP Filtering Introduction To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port as follows: The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries.
  • Page 809 Figure 1-4 Network diagram for ARP filtering configuration Switch A GE1/0/3 Switch B GE1/0/1 GE1/0/2 Host A Host B Configuration procedure # Configure ARP filtering on Switch B. <SwitchB> system-view [SwitchB] interface GigabitEthernet 1/0/1 [SwitchB-GigabitEthernet 1/0/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-GigabitEthernet 1/0/1] quit [SwitchB] interface GigabitEthernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.9 000f-e349-1233...
  • Page 810 High Availability Volume Organization Manual Version 20090930-C-1.01 Product Version Release 2202 Organization The High Availability Volume is organized as follows: Features Description Smart Link is a solution for active-standby link redundancy backup and rapid transition in dual-uplink networking. This document describes: Smart Link Smart Link Overview Configuring a Smart Link Device...
  • Page 811 Features Description In the use of fibers, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes: DLDP Introduction Enabling DLDP Setting DLDP Mode DLDP Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication...
  • Page 812 Table of Contents 1 Smart Link Configuration ·························································································································1-2 Smart Link Overview ·······························································································································1-2 Terminology·····································································································································1-3 How Smart Link Works ····················································································································1-4 Smart Link Configuration Task List ·········································································································1-5 Configuring a Smart Link Device ············································································································1-5 Configuration Prerequisites ·············································································································1-5 Configuring Protected VLANs for a Smart Link Group····································································1-6 Configuring Member Ports for a Smart Link Group·········································································1-6 Configuring Role Preemption for a Smart Link Group·····································································1-7 Enabling the Sending of Flush Messages ·······················································································1-7...
  • Page 813: Smart Link Configuration

    Smart Link Configuration When configuring Smart Link, go to these sections for information that you are interested in: Smart Link Overview Configuring a Smart Link Device Configuring an Associated Device Displaying and Maintaining Smart Link Smart Link Configuration Examples Smart Link Overview To avoid single-point failures and guarantee network reliability, downstream devices are usually dual uplinked to upstream devices.
  • Page 814: Terminology

    For more information about STP and RRPP, refer to MSTP Configuration in the Access Volume and RRPP Configuration in the High Availability Volume. Smart Link is a feature developed to address the slow convergence issue with STP. It provides link redundancy as well as fast convergence in a dual uplink network, allowing the backup link to take over quickly when the primary link fails.
  • Page 815: How Smart Link Works

    Receive control VLAN The receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Device A, Device B, and Device E in Figure 1-1) receive and process flush messages in the receive control VLAN and refresh their MAC address forwarding entries and ARP/ND entries.
  • Page 816: Smart Link Configuration Task List

    configured with role preemption, GE1/0/1 takes over to forward traffic as soon as the former master link recovers, while GE1/0/2 is automatically blocked and placed in the standby state. Load sharing mechanism A ring network may carry traffic of multiple VLANs. Smart link can forward traffic of different VLANs in different smart link groups, thus implementing load sharing.
  • Page 817: Configuring Protected Vlans For A Smart Link Group

    A loop may occur on the network during the time when STP is disabled but Smart Link has not yet taken effect on a port. Configuring Protected VLANs for a Smart Link Group Follow these steps to configure the protected VLANs for a smart link group: To do…...
  • Page 818: Configuring Role Preemption For A Smart Link Group

    To do… Use the command… Remarks Enter system view system-view — Enter Ethernet interface view or layer 2 interface interface-type — aggregate interface view interface-number Configure member ports for a smart link port smart-link group group-id Required group { master | slave } Configuring Role Preemption for a Smart Link Group Follow these steps to configure role preemption for a smart link group: To do…...
  • Page 819: Smart Link Device Configuration Example

    The control VLAN configured for a smart link group must be different from that configured for any other smart link group. Make sure that the configured control VLAN already exists, and assign the smart link group member ports to the control VLAN. Do not remove the control VLAN.
  • Page 820: Associated Device Configuration Example

    Follow these steps to enable the receiving of flush messages: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet interface view or interface interface-type — Layer 2 aggregate interface view interface-number Required Configure the control VLANs for smart-link flush enable By default, no control receiving flush messages...
  • Page 821: Smart Link Configuration Examples

    To do... Use the command… Remarks Display information about the display smart-link flush Available in any view received flush messages Clear the statistics about flush reset smart-link statistics Available in user view messages Smart Link Configuration Examples Single Smart Link Group Configuration Example Network requirements As shown in Figure 1-2:...
  • Page 822 # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately, and configure them as trunk ports that permit VLANs 1 through 30. [DeviceC] interface gigabitethernet 1/0/1 [DeviceC-GigabitEthernet1/0/1] undo stp enable [DeviceC-GigabitEthernet1/0/1] port link-type trunk [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30 [DeviceC-GigabitEthernet1/0/1] quit [DeviceC] interface gigabitethernet 1/0/2 [DeviceC-GigabitEthernet1/0/2] undo stp enable...
  • Page 823 [DeviceD-GigabitEthernet1/0/2] quit # Create smart link group 1 and configure all VLANs mapped to MSTIs 0 through 2 as the protected VLANs. [DeviceD] smart-link group 1 [DeviceD-smlk-group1] protected-vlan reference-instance 0 to 2 # Configure GigabitEthernet 1/0/1 as the master port and GigabitEthernet 1/0/2 as the slave port for smart link group 1.
  • Page 824 [DeviceE] interface gigabitethernet 1/0/2 [DeviceE-GigabitEthernet1/0/2] port link-type trunk [DeviceE-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30 [DeviceE-GigabitEthernet1/0/2] smart-link flush enable [DeviceE-GigabitEthernet1/0/2] quit [DeviceE] interface gigabitethernet 1/0/3 [DeviceE-GigabitEthernet1/0/3] port link-type trunk [DeviceE-GigabitEthernet1/0/3] port trunk permit vlan 1 to 30 [DeviceE-GigabitEthernet1/0/3] smart-link flush enable [DeviceE-GigabitEthernet1/0/3] quit Configuration on Device A # Create VLANs 1 through 30.
  • Page 825: Multiple Smart Link Groups Load Sharing Configuration Example

    Receiving interface of the last flush packet : GigabitEthernet1/0/3 Receiving time of the last flush packet : 16:25:21 2009/02/21 Device ID of the last flush packet : 000f-e23d-5af0 Control VLAN of the last flush packet Multiple Smart Link Groups Load Sharing Configuration Example Network requirements As shown in Figure...
  • Page 826 [DeviceC-GigabitEthernet1/0/1] port link-type trunk [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200 [DeviceC-GigabitEthernet1/0/1] quit [DeviceC] interface gigabitethernet 1/0/2 [DeviceC-GigabitEthernet1/0/2] undo stp enable [DeviceC-GigabitEthernet1/0/2] port link-type trunk [DeviceC-GigabitEthernet1/0/2] port trunk permit vlan 1 to 200 [DeviceC-GigabitEthernet1/0/2] quit # Create smart link group 1, and configure all VLANs mapped to MSTI 0 as the protected VLANs for smart link group 1.
  • Page 827 [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200 [DeviceB-GigabitEthernet1/0/1] smart-link flush enable control-vlan 10 101 [DeviceB-GigabitEthernet1/0/1] quit [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] port link-type trunk [DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 1 to 200 [DeviceB-GigabitEthernet1/0/2] smart-link flush enable control-vlan 10 101 [DeviceB-GigabitEthernet1/0/2] quit Configuration on Device D # Create VLAN 1 through VLAN 200.
  • Page 828 # Display the smart link group configuration on Device C. [DeviceC] display smart-link group all Smart link group 1 information: Device ID: 000f-e23d-5af0 Preemption mode: ROLE Control VLAN: 10 Protected VLAN: Reference Instance 0 Member Role State Flush-count Last-flush-time ------------------------------------------------------------------------------- GigabitEthernet1/0/1 MASTER ACTVIE...
  • Page 829 Table of Contents 1 Monitor Link Configuration ······················································································································1-1 Overview ·················································································································································1-1 Terminology·····································································································································1-1 How Monitor Link Works··················································································································1-1 Configuring Monitor Link ·························································································································1-2 Configuration Prerequisites ·············································································································1-2 Configuration Procedure··················································································································1-2 Monitor Link Configuration Example ·······························································································1-2 Displaying and Maintaining Monitor Link ································································································1-3 Monitor Link Configuration Example ·······································································································1-3...
  • Page 830: Monitor Link Configuration

    Monitor Link Configuration When configuring monitor link, go to these sections for information you are interested in: Overview Configuring Monitor Link Displaying and Maintaining Monitor Link Monitor Link Configuration Example Overview Monitor link is a port collaboration function. Monitor link is usually used in conjunction with Layer 2 topology protocols.
  • Page 831: Configuring Monitor Link

    Configuring Monitor Link Configuration Prerequisites Before assigning a port to a monitor link group, make sure the port is not the member port of any aggregation group or service loopback group. Configuration Procedure Follow these steps to configure monitor link: To do…...
  • Page 832: Displaying And Maintaining Monitor Link

    Displaying and Maintaining Monitor Link To do… Use the command… Remarks Display monitor link group display monitor-link group Available in any view information { group-id | all } Monitor Link Configuration Example Network requirements As shown in Figure 1-1: Device C is dually uplinked to Device A through a smart link group. It is required that when GigabitEthernet1/0/1 or GigabitEthernet1/0/2 of Device A fails, Device C can sense the link failure and perform link switchover in the smart link group.
  • Page 833 [DeviceC-GigabitEthernet1/0/2] quit # Create smart link group 1 and configure the smart link group to protect all the VLANs mapped to MSTIs 0 through 15 for smart link group 1. [DeviceC] smart-link group 1 [DeviceC-smlk-group1] protected-vlan reference-instance 0 to 15 # Configure GigabitEthernet 1/0/1 as the master port and GigabitEthernet 1/0/2 as the slave port for smart link group 1.
  • Page 834 # Enable flush message receiving on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately. [DeviceD] interface gigabitethernet 1/0/1 [DeviceD-GigabitEthernet1/0/1] smart-link flush enable [DeviceD-GigabitEthernet1/0/1] quit [DeviceD] interface gigabitethernet 1/0/2 [DeviceD-GigabitEthernet1/0/2] smart-link flush enable...
  • Page 835 Table of Contents 1 RRPP Configuration ··································································································1-1 RRPP Overview ······································································································································1-1 Background ·····································································································································1-1 Basic Concepts in RRPP·················································································································1-2 RRPPDUs········································································································································1-4 RRPP Timers···································································································································1-5 How RRPP Works ···························································································································1-5 Typical RRPP Networking ···············································································································1-7 Protocols and Standards ·················································································································1-9 RRPP Configuration Task List ················································································································1-9 Creating an RRPP Domain ···················································································································1-10 Configuring Control VLANs···················································································································1-11 Configuring Protected VLANs ···············································································································1-11 Configuring RRPP Rings ······················································································································1-12...
  • Page 836: Rrpp Configuration

    RRPP Configuration When configuring RRPP, go to these sections for information you are interested in: RRPP Overview RRPP Configuration Task List Creating an RRPP Domain Configuring Control VLANs Configuring Protected VLANs Configuring RRPP Rings Activating an RRPP Domain Configuring RRPP Timers Configuring an RRPP Ring Group Displaying and Maintaining RRPP RRPP Configuration Examples...
  • Page 837: Basic Concepts In Rrpp

    Basic Concepts in RRPP Figure 1-1 RRPP networking diagram RRPP domain The interconnected devices with the same domain ID and control VLANs constitute an RRPP domain. An RRPP domain contains the following elements: primary ring, subring, control VLAN, master node, transit node, primary port, secondary port, common port, and edge port.
  • Page 838 IP address configuration is prohibited on the control VLAN interfaces. Data VLAN A data VLAN is a VLAN dedicated to transferring data packets. Both RRPP ports and non-RRPP ports can be assigned to a data VLAN. Node Each device on an RRPP ring is referred to as a node. The role of a node is configurable. There are the following node roles: Master node: Each ring has one and only one master node.
  • Page 839: Rrppdus

    Common port and edge port The ports connecting the edge node and assistant-edge node to the primary ring are common ports. The ports connecting the edge node and assistant-edge node only to the subrings are edge ports. As shown in Figure 1-1, Device B and Device C lie on Ring 1 and Ring 2.
  • Page 840: Rrpp Timers

    RRPPDUs of subrings are transmitted as data packets in the primary ring, while RRPPDUs of the primary ring can only be transmitted within the primary ring. RRPP Timers When RRPP checks the link state of an Ethernet ring, the master node sends Hello packets out the primary port according to the Hello timer and determines whether its secondary port receives the Hello packets based on the Fail timer.
  • Page 841 while sending Common-Flush-FDB packets to instruct all the transit nodes, the edge nodes, and the assistant-edge nodes to update their own MAC entries and ARP/ND entries. After each node updates its own entries, traffic is switched to the normal link. Ring recovery The master node may find the ring is restored after a period of time after the ports belonging to the RRPP domain on the transit nodes, the edge nodes, or the assistant-edge nodes are brought up again.
  • Page 842: Typical Rrpp Networking

    Typical RRPP Networking Here are several typical networking applications. Single ring As shown in Figure 1-2, there is only a single ring in the network topology. In this case, you only need to define an RRPP domain. Figure 1-2 Schematic diagram for a single-ring network Tangent rings As shown in Figure...
  • Page 843 Figure 1-4 Schematic diagram for an intersecting-ring network Dual homed rings As shown in Figure 1-5, there are two or more rings in the network topology and two similar common nodes between rings. In this case, you only need to define an RRPP domain, and configure one ring as the primary ring and the other rings as subrings.
  • Page 844: Protocols And Standards

    Figure 1-6 Schematic diagram for a single-ring load balancing network Device A Device B Domain 1 Ring 1 Domain 2 Device D Device C Intersecting-ring load balancing In an intersecting-ring network, you can also achieve load balancing by configuring multiple domains. As shown in Figure 1-7, Ring 1 is the primary ring and Ring 2 is the subring in both Domain 1 and...
  • Page 845: Creating An Rrpp Domain

    Complete the following tasks to configure RRPP: Task Remarks Required Creating an RRPP Domain Perform this task on all nodes in the RRPP domain. Required Configuring Control VLANs Perform this task on all nodes in the RRPP domain. Required Configuring Protected VLANs Perform this task on all nodes in the RRPP domain.
  • Page 846: Configuring Control Vlans

    Configuring Control VLANs Before configuring RRPP rings in an RRPP domain, configure the same control VLANs for all nodes in the RRPP domain first. Perform this configuration on all nodes in the RRPP domain to be configured. Follow these steps to configure control VLANs: To do…...
  • Page 847: Configuring Rrpp Rings

    Configuring RRPP Rings When configuring an RRPP ring, you must make some configurations on the ports connecting each node to the RRPP ring before configuring the nodes. RRPP ports, that is, ports connecting devices to an RRPP ring, must be Layer-2 GE ports, Layer-2 XGE ports, or Layer-2 aggregate interfaces and cannot be member ports of any aggregation group, service loopback group, or smart link group.
  • Page 848: Configuring Rrpp Nodes

    For detailed information about the port link-type trunk command and port trunk permit vlan { vlan-id-list | all } command, refer to VLAN Commands in the Access Volume. For detailed information about the undo stp enable command, refer to MSTP Commands in the Access Volume.
  • Page 849 To do… Use the command… Remarks Enter system view system-view — Enter RRPP domain view — rrpp domain domain-id ring ring-id node-mode transit Specify the current device as a [ primary-port interface-type transit node of the ring, and interface-number ] [ secondary-port Required specify the primary port and the interface-type interface-number ] level...
  • Page 850: Activating An Rrpp Domain

    Activating an RRPP Domain To activate an RRPP domain on the current device, enable the RRPP protocol and RRPP rings for the RRPP domain on the current device. Perform this operation on all nodes in the RRPP domain. Follow these steps to activate an RRPP domain: To do…...
  • Page 851: Configuring An Rrpp Ring Group

    The Fail timer value must be equal to or greater than three times the Hello timer value. To avoid temporary loops when the primary ring fails in a dual-homed-ring network, ensure that the difference between the Fail timer value on the master node of the subring and that on the master node of the primary ring is greater than twice the Hello timer value of the master node of the subring.
  • Page 852: Displaying And Maintaining Rrpp

    Displaying and Maintaining RRPP To do… Use the command… Remarks Display brief RRPP information display rrpp brief Display RRPP group display rrpp ring-group configuration information [ ring-group-id ] Available in any view Display detailed RRPP display rrpp verbose domain information domain-id [ ring ring-id ] display rrpp statistics domain Display RRPP statistics...
  • Page 853 <DeviceA> system-view [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] link-delay 0 [DeviceA-GigabitEthernet1/0/1] undo stp enable [DeviceA-GigabitEthernet1/0/1] port link-type trunk [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all [DeviceA-GigabitEthernet1/0/1] qos trust dot1p [DeviceA-GigabitEthernet1/0/1] quit [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] link-delay 0 [DeviceA-GigabitEthernet1/0/2] undo stp enable [DeviceA-GigabitEthernet1/0/2] port link-type trunk [DeviceA-GigabitEthernet1/0/2] port trunk permit vlan all [DeviceA-GigabitEthernet1/0/2] qos trust dot1p...
  • Page 854: Intersecting Ring Configuration Example

    [DeviceB-GigabitEthernet1/0/2] qos trust dot1p [DeviceB-GigabitEthernet1/0/2] quit # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure the VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1. [DeviceB] rrpp domain 1 [DeviceB-rrpp-domain1] control-vlan 4092 [DeviceB-rrpp-domain1] protected-vlan reference-instance 0 to 16...
  • Page 855 Figure 1-9 Network diagram for intersecting rings configuration Configuration procedure Configuration on Device A # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, and assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
  • Page 856 [DeviceA-rrpp-domain1] quit # Enable RRPP. [DeviceA] rrpp enable Configuration on Device B # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as zero, disable STP, configure the ports as trunk ports, and assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
  • Page 857 # Enable RRPP. [DeviceB] rrpp enable Configuration on Device C # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as zero, disable STP, configure the ports as trunk ports, and assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
  • Page 858 [DeviceC] rrpp enable Configuration on Device D # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, and assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets. <DeviceD>...
  • Page 859: Intersecting-Ring Load Balancing Configuration Example

    [DeviceE] interface gigabitethernet 1/0/2 [DeviceE-GigabitEthernet1/0/2] link-delay 0 [DeviceE-GigabitEthernet1/0/2] undo stp enable [DeviceE-GigabitEthernet1/0/2] port link-type trunk [DeviceE-GigabitEthernet1/0/2] port trunk permit vlan all [DeviceE-GigabitEthernet1/0/2] qos trust dot1p [DeviceE-GigabitEthernet1/0/2] quit # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1.
  • Page 860 Figure 1-10 Network diagram for intersecting-ring load balancing configuration Configuration procedure Configuration on Device A # Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration. <DeviceA> system-view [DeviceA] vlan 10 [DeviceA-vlan10] quit [DeviceA] vlan 20...
  • Page 861 [DeviceA-GigabitEthernet1/0/2] link-delay 0 [DeviceA-GigabitEthernet1/0/2] undo stp enable [DeviceA-GigabitEthernet1/0/2] port link-type trunk [DeviceA-GigabitEthernet1/0/2] undo port trunk permit vlan 1 [DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 10 20 [DeviceA-GigabitEthernet1/0/2] qos trust dot1p [DeviceA-GigabitEthernet1/0/2] quit # Create RRPP domain 1, configure VLAN 100 as the primary control VLAN of RRPP domain 1, and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1.
  • Page 862 # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, remove them from VLAN 1, and assign them to VLAN 10 and VLAN 20, and configure them to trust the 802.1p precedence of the received packets.
  • Page 863 [DeviceB-rrpp-domain1] protected-vlan reference-instance 1 # Configure Device B as a transit node of primary ring 1 in RRPP domain 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enable ring 1. [DeviceB-rrpp-domain1] ring node-mode transit primary-port...
  • Page 864 VLAN 1, and assign them to VLAN 10 and VLAN 20, and configure them to trust the 802.1p precedence of the received packets. [DeviceC] interface gigabitethernet 1/0/1 [DeviceC-GigabitEthernet1/0/1] link-delay 0 [DeviceC-GigabitEthernet1/0/1] undo stp enable [DeviceC-GigabitEthernet1/0/1] port link-type trunk [DeviceC-GigabitEthernet1/0/1] undo port trunk permit vlan 1 [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 10 20 [DeviceC-GigabitEthernet1/0/1] qos trust dot1p [DeviceC-GigabitEthernet1/0/1] quit...
  • Page 865 # Configure Device C as the transit node of primary ring 1 in RRPP domain 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enable ring 1. [DeviceC-rrpp-domain1] ring node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0 [DeviceC-rrpp-domain1] ring 1 enable...
  • Page 866 [DeviceD] interface gigabitethernet 1/0/1 [DeviceD-GigabitEthernet1/0/1] link-delay 0 [DeviceD-GigabitEthernet1/0/1] undo stp enable [DeviceD-GigabitEthernet1/0/1] port link-type trunk [DeviceD-GigabitEthernet1/0/1] undo port trunk permit vlan 1 [DeviceD-GigabitEthernet1/0/1] port trunk permit vlan 10 20 [DeviceD-GigabitEthernet1/0/1] qos trust dot1p [DeviceD-GigabitEthernet1/0/1] quit [DeviceD] interface gigabitethernet 1/0/2 [DeviceD-GigabitEthernet1/0/2] link-delay 0 [DeviceD-GigabitEthernet1/0/2] undo stp enable [DeviceD-GigabitEthernet1/0/2] port link-type trunk [DeviceD-GigabitEthernet1/0/2] undo port trunk permit vlan 1...
  • Page 867 [DeviceE-vlan20] quit [DeviceE] stp region-configuration [DeviceE-mst-region] instance 2 vlan 20 [DeviceE-mst-region] active region-configuration [DeviceE-mst-region] quit # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, remove them from VLAN 1, and assign them to VLAN 20, and configure them to trust the 802.1p precedence of the received packets.
  • Page 868 [DeviceF-mst-region] active region-configuration [DeviceF-mst-region] quit # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, remove them from VLAN 1, and assign them to VLAN 10, and configure them to trust the 802.1p precedence of the received packets.
  • Page 869: Troubleshooting

    Verification After the configuration, you can use the display command to view RRPP configuration and operational information on each device. Troubleshooting Symptom: When the link state is normal, the master node cannot receive Hello packets, and the master node unblocks the secondary port. Analysis: The reasons may be: RRPP is not enabled on some nodes in the RRPP ring.
  • Page 870 Table of Contents: 1 DLDP Configuration 1-1; Overview 1-1; DLDP Introduction 1-2; DLDP Fundamentals 1-2; DLDP Configuration Task List 1-8; Enabling DLDP 1-9; Setting DLDP Mode 1-9; Setting the Interval for Sending Advertisement Packets 1-10; Setting the DelayDown Timer 1-10; Setting the Port Shutdown Mode 1-10; Configuring DLDP Authentication 1-11; Resetting DLDP State 1-11; Resetting DLDP State in System View 1-12...
  • Page 871: Dldp Configuration

    DLDP Configuration When performing DLDP configuration, go to these sections for information you are interested in: Overview DLDP Configuration Task List Enabling DLDP Setting DLDP Mode Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication Resetting DLDP State Displaying and Maintaining DLDP...
  • Page 872: Dldp Introduction

    Figure 1-2 Unidirectional fiber link: a fiber not connected or disconnected (Device A and Device B, ports GE1/0/50 and GE1/0/51). DLDP Introduction. Device Link Detection Protocol (DLDP) can detect the link status of a fiber cable or twisted pair. On detecting a unidirectional link, DLDP can shut down the related port automatically or prompt users to take measures as configured to avoid network problems.
  • Page 873 State / Indicates… Disable: A port enters this state when a unidirectional link is detected, or when the contact with the neighbor in enhanced mode gets lost. In this state, the port does not receive or send packets other than DLDPDUs. DelayDown: A port in the Active, Advertisement, or Probe DLDP link state transits to this state, rather than removing the corresponding neighbor entry and transiting to the Inactive state, when it detects a port-down event.
  • Page 874 DLDP timer / Description. DelayDown timer: A device in the Active, Advertisement, or Probe DLDP link state transits to DelayDown state, rather than removing the corresponding neighbor entry and transiting to the Inactive state, when it detects a port-down event. When a device transits to this state, the DelayDown timer is triggered. A device in DelayDown state only responds to port-up events.
  • Page 875 Figure 1-3 A case for Enhanced DLDP mode In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1 ) can be detected. In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 1-1).
  • Page 876 Table 1-4 DLDP packet types and DLDP states (DLDP state: type of DLDP packets sent). Active: Advertisement packet with RSY tag. Advertisement: Normal Advertisement packet. Probe: Probe packet. Disable: Disable packet and RecoverProbe packet. When a device transits from a DLDP state other than Inactive state or Disable state to Initial state, it sends Flush packets.
  • Page 877 Packet type / Processing procedure. Echo packet: Retrieves the neighbor information it carries. If the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the Entry timer, and transits to Probe state. If the neighbor information it carries conflicts with the corresponding locally maintained neighbor entry, drops the packet.
  • Page 878: Dldp Configuration Task List

    The DLDP down port sends out a RecoverProbe packet, which carries only information about the local port, every two seconds. Upon receiving the RecoverProbe packet, the remote end returns a RecoverEcho packet. Upon receiving the RecoverEcho packet, the local port checks whether neighbor information in the RecoverEcho packet is the same as the local port information.
  • Page 879: Enabling Dldp

    To ensure unidirectional links can be detected, make sure these settings are the same on both sides: DLDP state (enabled/disabled), the interval for sending Advertisement packets, authentication mode, and password. Keep the interval for sending Advertisement packets short enough that unidirectional links are detected in time.
  • Page 880: Setting The Interval For Sending Advertisement Packets

    Setting the Interval for Sending Advertisement Packets You can set the interval for sending Advertisement packets to enable unidirectional links to be detected in time. Follow these steps to set the interval for sending Advertisement packets: To do… Use the command… Remarks Enter system view system-view...
  • Page 881: Configuring Dldp Authentication

    Manual mode. This mode applies to networks with low performance, where normal links may be treated as unidirectional links. It protects service packet transmission against false unidirectional links. In this mode, DLDP only detects unidirectional links and generates logs and traps. The operations to shut down unidirectional link ports are performed by the administrator.
  • Page 882: Resetting Dldp State In System View

    user-defined port shutdown mode. To enable the port to perform DLDP detection again, you can reset the DLDP state of the port in one of the following ways: If the port was shut down manually with the shutdown command, use the undo shutdown command on the port.
  • Page 883: Dldp Configuration Example

    To do… / Use the command… / Remarks: Clear the statistics on DLDP packets passing through a port: reset dldp statistics [ interface-type interface-number ] (available in user view). DLDP Configuration Example. Network requirements: Device A and Device B are connected through two fiber pairs, in which two fibers are cross-connected, as shown in Figure 1-4.
  • Page 884: Troubleshooting

    [DeviceA] dldp work-mode enhance # Set the port shutdown mode as auto mode. [DeviceA] dldp unidirectional-shutdown auto # Enable DLDP globally. [DeviceA] dldp enable # Check the information about DLDP. [DeviceA] display dldp DLDP global status : enable DLDP interval : 6s DLDP work-mode : enhance DLDP authentication-mode : none...
  • Page 885 Analysis: The problem can be caused by the following. The intervals for sending Advertisement packets on Device A and Device B are not the same. DLDP authentication modes/passwords on Device A and Device B are not the same. Solution: Make sure the interval for sending Advertisement packets, the authentication mode, and the password on Device A and Device B are the same.
  • Page 886 Table of Contents: 1 Ethernet OAM Configuration 1-1; Ethernet OAM Overview 1-1; Background 1-1; Major Functions of Ethernet OAM 1-1; Ethernet OAMPDUs 1-1; How Ethernet OAM Works 1-3; Standards and Protocols 1-5; Ethernet OAM Configuration Task List 1-5; Configuring Basic Ethernet OAM Functions 1-6; Configuring Link Monitoring 1-6; Configuring Errored Symbol Event Detection 1-7; Configuring Errored Frame Event Detection 1-7...
  • Page 887: Ethernet Oam Configuration

    Ethernet OAM Configuration When configuring the Ethernet OAM function, go to these sections for information you are interested in: Ethernet OAM Overview Ethernet OAM Configuration Task List Configuring Basic Ethernet OAM Functions Configuring Link Monitoring Enabling OAM Remote Loopback Displaying and Maintaining Ethernet OAM Configuration Ethernet OAM Configuration Example Ethernet OAM Overview Background...
  • Page 888 Figure 1-1 Formats of different types of Ethernet OAMPDUs. The fields in an OAMPDU are described as follows: Table 1-1 Description of the fields in an OAMPDU (Field / Description). Dest addr: Destination MAC address of the Ethernet OAMPDU. It is the slow protocol multicast address 0180c2000002. As slow protocol packets cannot be forwarded by bridges, Ethernet OAMPDUs cannot be forwarded.
  • Page 889: How Ethernet Oam Works

    Table 1-2 Functions of different types of OAMPDUs (OAMPDU type / Function). Information OAMPDU: Used for transmitting state information of an Ethernet OAM entity (including the information about the local device and remote devices, and customized information) to the remote Ethernet OAM entity and maintaining OAM connections. Event OAMPDU: Used by link monitoring to notify the remote OAM entity when it detects problems...
  • Page 890 OAM connections can be initiated only by OAM entities operating in active OAM mode, while those operating in passive mode wait and respond to the connection requests sent by their peers. No OAM connection can be established between OAM entities operating in passive OAM mode. After an Ethernet OAM connection is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs periodically to keep the Ethernet OAM connection valid.
  • Page 891: Standards And Protocols

    The system transforms the period of detecting errored frame period events into the maximum number of 64-byte frames that a port can send in the specific period, that is, the system takes the maximum number of frames sent as the period. The maximum number of frames sent is calculated using this formula: the maximum number of frames = interface bandwidth (bps) ×...
  • Page 892: Configuring Basic Ethernet Oam Functions

    Task / Remarks: Configuring Basic Ethernet OAM Functions (Required). Configuring Link Monitoring: Configuring Errored Symbol Event Detection (Optional), Configuring Errored Frame Event Detection (Optional), Configuring Errored Frame Period Event Detection (Optional), Configuring Errored Frame Seconds Event Detection (Optional). Enabling OAM Remote Loopback (Optional). Configuring Basic Ethernet OAM Functions: As for Ethernet OAM connection establishment, a device can operate in active mode or passive mode.
  • Page 893: Configuring Errored Symbol Event Detection

    Configuring Errored Symbol Event Detection An errored symbol event occurs when the number of detected symbol errors over a specific detection interval exceeds the predefined threshold. Follow these steps to configure errored symbol event detection: To do… Use the command… Remarks Enter system view system-view...
  • Page 894: Enabling Oam Remote Loopback

    Follow these steps to configure errored frame seconds event detection: To do… / Use the command… / Remarks: Enter system view: system-view. Configure the errored frame seconds event detection interval: oam errored-frame-seconds period period-value (Optional; 60 seconds by default). Configure the errored frame seconds event... : oam errored-frame-seconds...
  • Page 895: Displaying And Maintaining Ethernet Oam Configuration

    Ethernet OAM remote loopback is available only after the Ethernet OAM connection is established and can be performed only by the Ethernet OAM entities operating in active Ethernet OAM mode. Remote loopback is available only on full-duplex links that support remote loopback at both ends. Ethernet OAM remote loopback needs the support of the peer hardware.
  • Page 896 Figure 1-2 Network diagram for Ethernet OAM configuration. Configuration procedure. Configure Device A # Configure GigabitEthernet 1/0/1 to operate in passive Ethernet OAM mode and enable Ethernet OAM for it. <DeviceA> system-view [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] oam mode passive [DeviceA-GigabitEthernet1/0/1] oam enable [DeviceA-GigabitEthernet1/0/1] quit # Set the errored frame detection interval to 20 seconds and set the errored frame event triggering...
  • Page 897 You can use the display oam link-event command to display the statistics about Ethernet OAM link events and use the display oam critical-event command to display the Ethernet OAM configuration information. For example: # Display the statistics of Ethernet OAM critical link events on all the ports of Device A. [DeviceA] display oam critical-event Port : GigabitEthernet1/0/1...
  • Page 898 Table of Contents: 1 Connectivity Fault Detection Configuration 1-1; Overview 1-1; Basic Concepts in CFD 1-1; Basic Functions of CFD 1-4; Protocols and Standards 1-5; CFD Configuration Task List 1-5; Basic Configuration Tasks 1-5; Configuring Service Instance 1-6; Configuring MEP 1-6; Configuring MIP Generation Rules 1-7; Configuring CC on MEPs 1-7; Configuration Prerequisites 1-8; Configuring Procedure 1-8...
  • Page 899: Connectivity Fault Detection Configuration

    Connectivity Fault Detection Configuration When configuring CFD, go to these sections for information you are interested in: Overview CFD Configuration Task List Basic Configuration Tasks Configuring CC on MEPs Configuring LB on MEPs Configuring LT on MEPs Displaying and Maintaining CFD CFD Configuration Examples Overview Connectivity Fault Detection (CFD) is an end-to-end per-VLAN link layer Operations, Administration...
  • Page 900 Figure 1-1 Two nested MDs. CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can use CFD to locate failure points rapidly. Maintenance association: A maintenance association (MA) is a set of maintenance points (MPs) in an MD. An MA is identified by the "MD name + MA name".
  • Page 901 Figure 1-2 Outward-facing MEP Figure 1-3 Inward-facing MEP A MIP is internal to an MD. It cannot send CFD packets actively; however, it can handle and respond to CFD packets. The MA and MD that a MIP belongs to define the VLAN attribute and level of the packets received.
  • Page 902: Basic Functions Of Cfd

    Figure 1-4 Levels of MPs. Basic Functions of CFD. CFD works effectively only in properly configured networks. Its functions, which are implemented through the MPs, include: Continuity check (CC); Loopback (LB); Linktrace (LT). Continuity check: Continuity check is responsible for checking the connectivity between MEPs. Connectivity faults are usually caused by device faults or configuration errors.
  • Page 903: Protocols And Standards

    source MEP can identify the path to the destination MEP. Note that LTMs are multicast frames while LTRs are unicast frames. Protocols and Standards The CFD function is implemented in accordance with IEEE P802.1ag. CFD Configuration Task List For CFD to work effectively, you should first design the network by performing the following tasks: Grade the MDs in the entire network, and define the boundary of each MD.
  • Page 904: Configuring Service Instance

    Based on the network design, you should configure MEPs or the rules for generating MIPs on each device. However, before doing this you must first configure the service instance. Configuring Service Instance A service instance is indicated by an integer to represent an MA in an MD. The MD and MA define the level and VLAN attribute of the messages handled by the MPs in a service instance.
  • Page 905: Configuring Mip Generation Rules

    To do... / Use the command... / Remarks: Configure a remote MEP for a MEP in the same service instance: cfd remote-mep remote-mep-id service-instance instance-id mep mep-id (Required; no remote MEP is configured for a MEP by default). Enable the MEP: cfd mep service-instance instance-id mep mep-id... (Required; disabled by default)...
  • Page 906: Configuration Prerequisites

    Configuration Prerequisites. Before configuring this function, you should first complete the MEP configuration. Configuring Procedure. Follow these steps to configure CC on a MEP: To do... / Use the command... / Remarks: Enter system view: system-view. Configure the interval field value in the CCM messages: cfd cc interval interval-field-value (Optional)...
  • Page 907: Configuration Procedure

    Configuration Procedure. Follow these steps to configure LB on a MEP: To do... / Use the command... / Remarks: Enter system view: system-view. Enable LB: cfd loopback service-instance instance-id mep mep-id { target-mep target-mep-id | target-mac mac-address } [ number loopback-number ] (Required; disabled by default). Configuring LT on MEPs: LT can trace the path between the specified MEP and the target MEP, and can also locate link faults by sending LT messages automatically.
  • Page 908: Displaying And Maintaining Cfd

    Displaying and Maintaining CFD. To do... / Use the command... / Remarks: Display CFD status: display cfd status (available in any view). Display MD configuration information: display cfd md (available in any view). Display MA configuration information: display cfd ma [ [ ma-name ] md md-name ] (available in any view)...
  • Page 909: Configuring Mep And Enabling Cc On

    Figure 1-5 Network diagram for MD configuration Configuration procedure Configuration on Device A (configuration on Device E is the same as that on Device A) <DeviceA> system-view [DeviceA] cfd enable [DeviceA] cfd md MD_A level 5 [DeviceA] cfd ma MA_MD_A md MD_A vlan 100 [DeviceA] cfd service-instance 1 md MD_A ma MA_MD_A Configuration on Device C <DeviceC>...
  • Page 910 Decide the remote MEP for each MEP, and enable these MEPs. According to the network diagram as shown in Figure 1-6, perform the following configurations: In MD_A, there are three edge ports: GigabitEthernet 1/0/1 on Device A, GigabitEthernet 1/0/3 on Device D and GigabitEthernet 1/0/4 on Device E.
  • Page 911: Configuring The Rules For Generating Mips

    [DeviceD-GigabitEthernet1/0/3] cfd remote-mep 1001 service-instance 1 mep 4002 [DeviceD-GigabitEthernet1/0/3] cfd remote-mep 5001 service-instance 1 mep 4002 [DeviceD-GigabitEthernet1/0/3] cfd mep service-instance 1 mep 4002 enable [DeviceD-GigabitEthernet1/0/3] cfd cc service-instance 1 mep 4002 enable On Device E <DeviceE> system-view [DeviceE] interface gigabitethernet 1/0/4 [DeviceE-GigabitEthernet1/0/4] cfd mep 5001 service-instance 1 inbound [DeviceE-GigabitEthernet1/0/4] cfd remote-mep 1001 service-instance 1 mep 5001 [DeviceE-GigabitEthernet1/0/4] cfd remote-mep 4002 service-instance 1 mep 5001...
  • Page 912: Configuring Lb On Meps

    Configuration procedure Configure Device B <DeviceB> system-view [DeviceB] cfd mip-rule explicit service-instance 1 Configure Device C <DeviceC> system-view [DeviceC] cfd mip-rule default service-instance 2 After the above operation, you can use the display cfd mp command to verify your configuration. Configuring LB on MEPs Network requirements Use the LB function to trace the fault source after CC detects a link fault.
  • Page 913 Table of Contents: 1 Track Configuration 1-1; Track Overview 1-1; Collaboration Between the Track Module and the Detection Modules 1-1; Collaboration Between the Track Module and the Application Modules 1-2; Track Configuration Task List 1-2; Configuring Collaboration Between the Track Module and the Detection Modules 1-2; Configuring Track-NQA Collaboration 1-2; Configuring Collaboration Between the Track Module and the Application Modules 1-3; Configuring Track-Static Routing Collaboration 1-3...
  • Page 914: Track Configuration

    Track Configuration When configuring Track, go to these sections for information you are interested in: Track Overview Track Configuration Task List Configuring Collaboration Between the Track Module and the Detection Modules Configuring Collaboration Between the Track Module and the Application Modules Displaying and Maintaining Track Object(s) Track Configuration Examples Track Overview...
  • Page 915: Collaboration Between The Track Module And The Application Modules

    At present, the only detection module that can collaborate with the Track module is the Network Quality Analyzer (NQA). Refer to NQA Configuration in the System Volume for details of NQA. Collaboration Between the Track Module and the Application Modules: You can establish the collaboration between the Track module and the application modules through configuration.
  • Page 916: Configuring Collaboration Between The Track Module And The Application Modules

    Configuring Collaboration Between the Track Module and the Application Modules Configuring Track-Static Routing Collaboration You can check the validity of a static route in real time by establishing collaboration between Track and static routing. If you specify the next hop but not the egress interface when configuring a static route, you can associate the static route with a Track object and thus check the validity of the static route according to the status of the Track object.
  • Page 917: Displaying And Maintaining Track Object

    Displaying and Maintaining Track Object(s). To do… / Use the command… / Remarks: Display information about the specified Track object or all Track objects: display track { track-entry-number | all } (available in any view). Track Configuration Examples. Static Routing-Track-NQA Collaboration Configuration Example. Network requirements: The next hop of the static route from Switch A to Switch C is Switch B.
  • Page 918 # Configure Reaction entry 1, specifying that five consecutive probe failures trigger the Static Routing-Track-NQA collaboration. [SwitchA-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only [SwitchA-nqa-admin-test-icmp-echo] quit # Start NQA probes. [SwitchA] nqa schedule admin test start-time now lifetime forever Configure a Track object on Switch A.
  • Page 919 # Display the routing table of Switch A. [SwitchA] display ip routing-table Routing Tables: Public Destinations : 4 Routes : 4 Destination/Mask Proto Cost NextHop Interface 10.2.1.0/24 Direct 0 10.2.1.2 Vlan3 10.2.1.2/32 Direct 0 127.0.0.1 InLoop0 127.0.0.0/8 Direct 0 127.0.0.1 InLoop0 127.0.0.1/32 Direct 0...
  • Page 920 System Volume Organization Manual Version 20090930-C-1.01 Product Version Release 2202 Organization The System Volume is organized as follows: Features Description Upon logging into a device, you can configure user interface properties and manage the system conveniently. This document describes: How to log in to your Ethernet switch Introduction to the user interface and common configurations Logging In Through the Console Port Login...
  • Page 921 Features Description A major function of the file system is to manage storage devices, mainly including creating the file system, creating, deleting, modifying and renaming a file or a directory and opening a file. This document describes: File System File system management Management Configuration File Management FTP configuration...
  • Page 922 Features Description The Power over Ethernet (PoE) feature enables the power sourcing equipment (PSE) to feed powered devices (PDs) from Ethernet ports through twisted pair cables. This document describes: PoE overview Configuring the PoE Interface Configuring PoE power management Configuring the PoE monitoring function Online upgrading the PSE processing software Configuring a PD Disconnection Detection Mode Enabling the PSE to detect nonstandard PDs...
  • Page 923 Features Description A stack is a set of network devices. Administrators can group multiple network devices into a stack and manage them as a whole. Therefore, stack management can help reduce customer investments and simplify network management. This document describes: Stack Management Stack Configuration Overview Configuring the Master Device of a Stack...
  • Page 924 Table of Contents: 1 Logging In to an Ethernet Switch (1-1): Logging In to an Ethernet Switch (1-1); Introduction to User Interface (1-1); Supported User Interfaces (1-1); Users and User Interfaces (1-2); User Interface Number (1-2); Common User Interface Configuration (1-2). 2 Logging In Through the Console Port (2-1): Introduction (2-1); Setting Up the Connection to the Console Port (2-1); Console Port Login Configuration (2-3)...
  • Page 925: Introduction

    Specifying Source IP address/Interface for Telnet Packets (6-1); Displaying the source IP address/Interface Specified for Telnet Packets (6-2). 7 Controlling Login Users (7-1): Introduction (7-1); Controlling Telnet Users (7-1); Prerequisites (7-1); Controlling Telnet Users by Source IP Addresses (7-1); Controlling Telnet Users by Source and Destination IP Addresses (7-2); Controlling Telnet Users by Source MAC Addresses (7-2); Configuration Example (7-3); Controlling Network Management Users by Source IP Addresses (7-4)...
  • Page 926 Ethernet port users up to five VTY users. As the AUX port and the Console port of an H3C series switch are the same physical port, you will be in the AUX user interface if you log in through this port.
  • Page 927 Users and User Interfaces A device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces are supported. These user interfaces are not associated with specific users. When a user initiates a connection request, the system automatically assigns the idle user interface of the matching type with the smallest number to the user, based on the login type.
  • Page 928 To do… / Use the command… / Remarks: Display the information about the current user interface or all user interfaces: display users [ all ] (you can execute this command in any view). Display the physical attributes and configuration of the current or a specified user interface: display user-interface [ type number | number ] [ summary ] (you can execute this command in any view)...
  • Page 929: Logging In Through The Console Port

    Logging in through the Console port is the most common way to log in to a switch. It is also the prerequisite for configuring other login methods. By default, you can log in to an H3C S5500-SI series Ethernet switch through its Console port only.
  • Page 930 If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created.
  • Page 931: Common Configuration

    Figure 2-4 Set port parameters terminal window Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after the user presses the Enter key.
  • Page 932 Configuration / Description: Data bits: databits { 5 | 6 | 7 | 8 } (Optional; the default data bits of a Console port is 8). Define a shortcut key for terminating tasks: escape-key { default | character } (Optional; by default, you can use Ctrl+C).
  • Page 933: Configuration Procedure

    Authentication mode / Configuration / Description: Password: configure to authenticate users using the local password, and set the local password. Refer to Console Port Login Configuration with Authentication Mode Being Password for details. Scheme: configure to authenticate users locally or remotely, and configure the authentication mode. Refer to Console Port Login Configuration with Authentication...
  • Page 934 The timeout time of the AUX user interface is 6 minutes. Network diagram Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none) Configuration procedure # Enter system view. <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify not to authenticate the user logging in through the Console port.
  • Page 935: Configuration Procedure

    Console Port Login Configuration with Authentication Mode Being Password. Configuration Procedure: Follow these steps to perform Console port login configuration (with authentication mode being password): To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter AUX user interface view: user-interface aux 0 (—)...
  • Page 936 Network diagram Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password) Configuration procedure # Enter system view. <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate the user logging in through the Console port using the local password. [Sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text).
  • Page 937: Configuration Procedure

    Console Port Login Configuration with Authentication Mode Being Scheme. Configuration Procedure: Follow these steps to perform Console port login configuration (with authentication mode being scheme): To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter AUX user interface view: user-interface aux 0 (—)...
  • Page 938: Configuration Example

    Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command.
  • Page 939 # Create a local user named guest and enter local user view. [Sysname] local-user guest # Set the authentication password to 123456 (in plain text). [Sysname-luser-guest] password simple 123456 # Set the service type to Terminal. [Sysname-luser-guest] service-type terminal [Sysname-luser-guest] quit # Enter AUX user interface view.
  • Page 940: Logging In Through Telnet/SSH

    Logging In Through Telnet/SSH Logging In Through Telnet When logging in through Telnet, go to these sections for information you are interested in: Introduction Telnet Connection Establishment Telnet Login Configuration with Authentication Mode Being None Telnet Login Configuration with Authentication Mode Being Password Telnet Login Configuration with Authentication Mode Being Scheme Introduction You can telnet to a remote switch to manage and maintain the switch.
  • Page 941 Step 5: Enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <H3C>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 942: Common Configuration

    Step 4: Enter the password. If the password is correct, the CLI prompt (such as <H3C>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 943 Table 3-2 Common Telnet configuration. Configuration / Remarks: Enter system view: system-view (—). Make the switch operate as a Telnet server: telnet server enable (by default, a switch does not operate as a Telnet server). Enter one or more VTY user interface views: user-interface vty first-number (—)...
  • Page 944 Table 3-3 Telnet login configuration tasks when different authentication modes are adopted. Task / Description: Telnet Login Configuration with Authentication Mode Being None: configure not to authenticate users logging in to user interfaces. Telnet Login Configuration with Authentication Mode Being Password: configure to authenticate users logging in to user interfaces using a local password and configure the local password...
  • Page 945 Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none) Configuration procedure # Enter system view, and enable the Telnet service. <Sysname> system-view [Sysname] telnet server enable # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging in to VTY 0.
  • Page 946 Configuration Example Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: Authenticate users logging in to VTY 0 using the local password. Set the local password to 123456 (in plain text). Commands of level 2 are available to users logging in to VTY 0.
  • Page 947 Telnet Login Configuration with Authentication Mode Being Scheme. Configuration Procedure: Follow these steps to perform Telnet configuration (with authentication mode being scheme): To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter one or more VTY user interface views: user-interface vty (—)...
  • Page 948 For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security Volume. Configuration Example Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: Configure the name of the local user to be “guest”.
  • Page 949: Logging In Through SSH

    # Configure the user interface to support the Telnet protocol. [Sysname-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes.
  • Page 950: Introduction

    Logging in Through Web-based Network Management System Introduction An S5500-SI series switch has a built-in Web server. You can log in to an S5500-SI series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 951: Configuration Example

    To do… / Use the command… / Remarks: Configure the authorization attributes for the local user: authorization-attribute level level (Optional; by default, no authorization attribute is configured for a local user). Specify the service types for the local user: service-type telnet (Optional; by default, no service is authorized to a user).
  • Page 952 Step 4: Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.) Step 5: When the login interface (shown in Figure...
  • Page 953: Introduction

    Logging In Through NMS When logging in through NMS, go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
  • Page 954: Introduction

    Specifying Source for Telnet Packets When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in: Introduction Specifying Source IP address/Interface for Telnet Packets Displaying the source IP address/Interface Specified for Telnet Packets Introduction To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
  • Page 955 To do… / Use the command… / Remarks: Specify the source IP address/interface for Telnet packets: telnet client source { ip ip-address | interface interface-type interface-number } (Optional; by default, no source IP address/interface is specified). The IP address specified must be a local IP address. When specifying the source interface for Telnet packets, make sure the interface already exists.
  • Page 956: Controlling Telnet Users

    Controlling Login Users When controlling login users, go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Introduction Multiple ways are available for controlling different types of login users, as listed in Table 7-1.
  • Page 957 To do… / Use the command… / Remarks: Define rules for the ACL: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* (Required). Quit to system view: quit (—)...
  • Page 958 Follow these steps to control Telnet users by source MAC addresses: To do… / Use the command… / Remarks: Enter system view: system-view (—). Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ] (as for the acl number command, the config keyword...)
  • Page 959: Controlling Network Management Users By Source IP Addresses

    [Sysname-ui-vty0-4] acl 2000 inbound Controlling Network Management Users by Source IP Addresses You can manage an H3C S5500-SI series Ethernet switch through network management software. Network management users access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 960 # Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch. [Sysname] snmp-agent community read h3c acl 2000 [Sysname] snmp-agent group v2c h3cgroup acl 2000 [Sysname] snmp-agent usm-user v2c h3cuser h3cgroup acl 2000...
  • Page 961: Controlling Web Users By Source IP Addresses

    Controlling Web Users by Source IP Addresses The S5500-SI series Ethernet switches support Web-based remote management, which allows Web users to access the switches using the HTTP protocol. By referencing access control lists (ACLs), you can control the access of Web users to the switches.
  • Page 962 Figure 7-3 Configure an ACL to control the access of HTTP users to the switch (Host A at 10.110.100.46 and Host B at 10.110.100.52 reach the switch across an IP network). Configuration procedure # Create a basic ACL. <Sysname> system-view [Sysname] acl number 2030 match-order config [Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0 # Reference the ACL to allow only Web users using IP address 10.110.100.52 to access the switch.
  • Page 963 Table of Contents: 1 Basic Configurations (1-1): Configuration Display (1-1); Basic Configurations (1-1); Entering/Exiting System View (1-2); Configuring the Device Name (1-2); Configuring the System Clock (1-2); Enabling/Disabling the Display of Copyright Information (1-5); Configuring a Banner (1-6); Configuring CLI Hotkeys (1-7); Configuring Command Alias (1-8); Configuring User Privilege Levels and Command Levels (1-9); Displaying and Maintaining Basic Configurations (1-15); CLI Features (1-16)...
  • Page 964: Basic Configurations

    Basic Configurations While performing basic configurations of the system, go to these sections for information you are interested in: Configuration Display Basic Configurations CLI Features Configuration Display To avoid duplicate configuration, you can use the display commands to view the current configuration of the device before configuring the device.
  • Page 965: Entering/Exiting System View

    Configure the device name: sysname sysname (Optional; the device name is “H3C” by default). Configuring the System Clock. Configuring the system clock: The system clock, shown by the system time stamp, is determined by the configured relative time, time zone, and daylight saving time. You can view the system clock by using the display clock command.
  • Page 966 To do… / Use the command… / Remarks: Enter system view: system-view (—). Set the time zone: clock timezone zone-name { add | minus } zone-offset (Optional). Set a daylight saving time scheme: clock summer-time zone-name one-off start-time start-date end-time end-date add-time, or clock summer-time... (Optional; use either command).
  • Page 967 Configuration Example / System clock displayed by the display clock command: Configure: clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2. If the original system clock is not in the daylight saving time range, the original system clock is displayed. Display: 01:00:00 UTC Sat 01/01/2005. Configure: clock summer-time ss ... If the original system clock is in the daylight saving time range, the original...
  • Page 968: Enabling/Disabling The Display Of Copyright Information

    The display format of copyright information is as shown below: **************************************************************************** * Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.* * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed.
  • Page 969: Configuring A Banner

    To do… / Use the command… / Remarks: Disable the display of copyright information: undo copyright-info enable (Required; enabled by default). Configuring a Banner. Introduction to banners: Banners are prompt information displayed by the system when users are connected to the device, perform login authentication, and start interactive configuration.
  • Page 970: Configuring CLI Hotkeys

    Follow these steps to configure a banner: To do… / Use the command… / Remarks: Enter system view: system-view (—). Configure the banner to be displayed at login (available for Modem login users): header incoming text (Optional). Configure the banner to be displayed at login authentication: header login text (Optional)...
  • Page 971: Configuring Command Alias

    Hotkey / Function: Ctrl+F: Moves the cursor one character to the right. Ctrl+H: Deletes the character to the left of the cursor. Ctrl+K: Terminates an outgoing connection. Ctrl+N: Displays the next command in the history command buffer. Ctrl+P: Displays the previous command in the history command buffer. Ctrl+R: Redisplays the current line information.
  • Page 972: Configuring User Privilege Levels And Command Levels

    The command alias function lets users define their preferred forms of frequently used commands, which simplifies network configuration and respects users' usage habits. Follow these steps to configure command aliases: To do… / Use the command… / Remarks: Enter system view: system-view...
  • Page 973 Level / Privilege / Description: Monitor: Includes commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the device is restarted, the commands at this level will be restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
  • Page 974 To do… / Use the command… / Remarks: Using remote authentication (RADIUS, HWTACACS, and LDAP authentication): configure the user level on the authentication server. For remote authentication, if you do not configure the user level, the user level depends on the default configuration of the authentication server. For the description of user interface, refer to Login Configuration in the System Volume;...
  • Page 975 To do… / Use the command… / Remarks: Configure the authentication type for SSH users as publickey: Required if users adopt the SSH login mode and only a username, instead of a password, is needed at authentication. For the details, refer to SSH2.0 Configuration in the Security Volume. After the configuration, the...
  • Page 976 By default, when users telnet to the device, they can only use the following commands after passing the authentication: <Sysname> ? User view commands: cluster Run cluster command display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super...
  • Page 977 reauthentication, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configure system parameters; after switching the user privilege level to 0, the user can only execute some simple commands, like ping and tracert, and only a few display commands.
  • Page 978: Displaying And Maintaining Basic Configurations

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Configure the command level in a specified view: command-privilege level level view view command (Required; refer to Table 1-3 for the default settings). You are recommended to use the default command level or modify the command level under the guidance of professional staff;...
  • Page 979: CLI Features

    For the detailed description of the display users command, refer to Login Commands in the System Volume. Support for the display configure-user and display current-configuration commands depends on the device model. The display commands discussed above are for the global configuration. Refer to the corresponding section for the display commands for specific protocols and interfaces.
  • Page 980 To obtain the desired help information, you can: Enter ? in any view to access all the commands in this view and brief description about them as well. <Sysname> ? User view commands: backup Backup next startup-configuration file to TFTP server boot-loader Set boot loader bootrom...
  • Page 981: Synchronous Information Output

    first.). If you repeatedly press Tab, all the keywords starting with the letter that you enter are displayed in cycles. Synchronous Information Output Synchronous information output refers to the feature that if the user’s input is interrupted by system output, then after the completion of system output the system will display a command line prompt and your input so far, and you can continue your operations from where you were stopped.
  • Page 982: CLI Display

    When editing the command line, you can use other shortcut keys (For details, see Table 1-2) besides the shortcut keys defined in Table 1-4, or you can define shortcut keys by yourself. (For details, see Configuring CLI Hotkeys.) CLI Display By filtering the output information, you can find the wanted information effectively.
  • Page 983 Character / Meaning / Remarks: +: Addition, used to match the character or character group before it one or multiple times. For example, “zo+” can match “zo” and “zoo”, but not “z”. |: Vertical bar, used to match the whole string on the left or right. For example, “def|int” can only match a character string containing “def”...
  • Page 984 Character / Meaning / Remarks: \bcharacter2: Used to match character1character2, where character1 can be any character except a number, letter or underscore (the class that \b stands for). For example, \ba can match -a, with - representing character1 and a representing character2; while \ba cannot match “2a” or “ba”.
  • Page 985: Saving History Commands

    Table 1-6 Display functions. Action / Function: Press Space when information display pauses: continues to display information of the next screen page. Press Enter when information display pauses: continues to display information of the next line. Press Ctrl+C when information display pauses: stops the display and the command execution.
  • Page 986: Command Line Error Information

    Command Line Error Information The commands are executed only if they have no syntax error. Otherwise, error information is reported. Table 1-7 lists some common errors. Table 1-7 Common command line errors Error information Cause The command was not found. The keyword was not found.
  • Page 987 Table of Contents: 1 Device Management (1-1): Device Management Overview (1-1); Device Management Configuration Task List (1-1); Configuring the Exception Handling Method (1-1); Rebooting a Device (1-2); Configuring the Scheduled Automatic Execution Function (1-3); Upgrading Device Software (1-4); Device Software Overview (1-4); Upgrading the Boot ROM Program Through Command Lines (1-4); Upgrading the Boot File Through Command Lines (1-5); Disabling Boot ROM Access (1-5)...
  • Page 988: Device Management

    Device Management When configuring device management, go to these sections for information you are interested in: Device Management Overview Device Management Configuration Task List Configuring the Exception Handling Method Rebooting a Device Configuring the Scheduled Automatic Execution Function Upgrading Device Software Disabling Boot ROM Access Configuring a Detection Interval Clearing the 16-bit Interface Indexes Not Used in the Current System...
  • Page 989: Rebooting A Device

    maintain: The system maintains the current situation and does not take any measure to recover itself. Therefore, you need to recover the system manually, for example by rebooting the system. Sometimes it is difficult for the system to recover, or some prompts that are printed during the failure are lost after the reboot.
  • Page 990: Configuring The Scheduled Automatic Execution Function

    Device reboot may result in the interruption of the ongoing services. Use these commands with caution. Before device reboot, use the save command to save the current configurations. For details about the save command, refer to File System Configuration in the System Volume. Before device reboot, use the display startup and display boot-loader commands to check whether the configuration file and boot file for the next boot are configured.
  • Page 991: Upgrading Device Software

    characters need to be input, the system automatically inputs a default character string, or inputs an empty character string when there is no default character string. For the commands used to switch user interfaces, such as telnet, ftp, and ssh2, the commands used to switch views, such as system-view, quit, and the commands used to modify status of a user that is executing commands, such as super, the operation interface, command view and status of the current user are not changed after the automatic execution function is performed.
  • Page 992: Upgrading The Boot File Through Command Lines

    Upgrading the Boot ROM Program Through Command Lines. Reboot the device to make the specified Boot ROM program take effect. Follow these steps to upgrade the Boot ROM program:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the validity check | bootrom-update... | Optional
  • Page 993: Configuring A Detection Interval

    whether you press Ctrl+B or not, the system does not enter the Boot ROM menu, but enters the command line configuration interface directly. In addition, you need to set the Boot ROM access password when you enter the Boot ROM menu for the first time, to protect the Boot ROM against operations by unauthorized users.
  • Page 994: Identifying And Diagnosing Pluggable Transceivers

    To do… | Use the command… | Remarks
    Clear the 16-bit interface indexes saved but not used in the current system | reset unused porttag | Required. Available in user view. A confirmation is required when you execute this command. If you fail to make a confirmation within 30 seconds or enter N to cancel the operation, the command will not be executed.
  • Page 995: Diagnosing Pluggable Transceivers

    H3C You can use the Vendor Name field in the prompt information of the display transceiver command to identify an anti-spoofing pluggable transceiver customized by H3C. If the field is H3C, it is considered an H3C-customized pluggable transceiver.
  • Page 996: Device Management Configuration Examples

    To do… | Use the command… | Remarks
    Display electrical label information of the device | display device manuinfo | Available in any view
    Display the temperature information of devices | display environment | Available in any view
    Display the operating state of fans in a device | display fan fan-id | Available in any view
    Display the usage of the...
  • Page 997 Figure 1-2 Network diagram for remote scheduled automatic upgrade. Configuration procedure: Configuration on the FTP server (note that configurations may vary with different types of servers). Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and the password to hello, and giving the user access to the flash:/aaa directory).
  • Page 998
    [ftp] get auto-update.txt
    # Download file new-config.cfg on the FTP server.
    [ftp] get new-config.cfg
    # Download file soft-version2.bin on the FTP server.
    [ftp] binary
    [ftp] get soft-version2.bin
    [ftp] bye
    <Device>
    # Modify the extension of file auto-update.txt to .bat.
    <Device> rename auto-update.txt auto-update.bat
    To ensure the correctness of the file, you can use the more command to view its content.
  • Page 999 Table of Contents
    1 File System Management Configuration 1-1
      File System Management 1-1
        File System Overview 1-1
        Filename Formats 1-1
        Directory Operations 1-2
        File Operations 1-3
        Batch Operations 1-5
        Storage Medium Operations 1-5
        Setting File System Prompt Modes 1-6
        File System Operations Example 1-6
      Configuration File Management 1-7
        Configuration File Overview 1-7
        Saving the Current Configuration 1-8...
  • Page 1000: File System Management Configuration

    File System Management Configuration. When configuring file system management, go to these sections for information you are interested in: File System Management; Configuration File Management; Displaying and Maintaining Device Configuration. File System Management: this section covers these topics: File System Overview; Filename Formats; Directory Operations; File Operations...
  • Page 1001
    Format | Description | Length | Example
    drive:/[path]/file-name | Specifies a file in the specified storage medium on the device. drive represents the storage medium name. The S5500-SI series switches use flashes as... | 1 to 135 characters | flash:/test/a.cfg: Indicates that a file named a.cfg is in the test folder under the root directory of the flash memory.