SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
About This Manual
Organization
H3C S5120-EI Series Ethernet Switches Operation Manual is organized as follows:
Volume: 00-Product Overview. Features: Product Overview, Acronyms.
Volume: 01-Access Volume. Features: Ethernet Port, Link Aggregation, Port Isolation, MSTP, LLDP, VLAN, GVRP, QinQ, BPDU Tunneling, Mirroring, IP Addressing...
Conventions
The manual uses the following conventions:
Command conventions
Convention: Boldface. Description: The keywords of a command line are in Boldface.
Convention: italic. Description: Command arguments are in italic.
Convention: [ ]. Description: Items (keywords or arguments) in square brackets [ ] are optional.
Convention: { x | y | ... Description: Alternative items are grouped in braces and separated by vertical bars.
Related Documentation
In addition to this manual, each H3C S5120-EI Series Ethernet Switch documentation set includes the following:
Manual: H3C S5120-EI Series Ethernet Switches Installation Manual. Description: It introduces the installation procedure, commissioning, maintenance and monitoring of the S5120-EI Series Ethernet switches.
Troubleshoot Online You will find support tools posted on the web site at http://www.h3cnetworks.com/ under Support, Knowledgebase. The Knowledgebase helps you troubleshoot H3C products. This query-based interactive tool contains thousands of technical solutions. Access Software Downloads Software Updates are the bug fix / maintenance releases for the version of software initially purchased with the product.
H3C Website: You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com.
Software Release Notes: With software upgrade, new software features may be added. You can acquire the information about...
Software Version: H3C S5120-EI Series Ethernet Switches Operation Manual-Release 2202 and H3C S5120-EI Series Ethernet Switches Command Manual-Release 2202 are for the software version Release 2202P06 and Release 2202P19 of the S5120-EI series switches.
With IRF, multiple S5120-EI switches can be interconnected as a logical entity to form a new intelligent network featuring high availability, scalability, and manageability. Feature Lists The S5120-EI series support abundant features and the related documents are divided into the volumes as listed in Table 3-1.
Volume: 08-System Volume. Features: Basic System Configuration, Device Management, File System Management, Login, MAC Address Table, HTTP, SNMP, RMON, System Maintaining and Debugging, Information Center, Hotfix, Cluster Management, Automatic Configuration...
Features
The following sections provide an overview of the main features of each module supported by the S5120-EI series.
Access Volume
Table 4-1 Features in Access volume
Description: This document describes: Combo Port Configuration, Basic Ethernet Interface Configuration, Configuring Flow Control on an Ethernet Interface...
Feature: LLDP. Description: LLDP enables a device to maintain and manage its own and its immediate neighbor's device information, based on which the network management system detects and determines the conditions of the communications links. This document describes: Introduction to LLDP, Performing Basic LLDP Configuration, Configuring CDP Compatibility, Configuring LLDP Trapping...
IP Services Volume
Table 4-2 Features in the IP Services volume
Feature: IP Address. Description: An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: Introduction to IP addresses, IP address configuration.
Description: Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address.
Feature: Dual Stack. Description: A network node that supports both IPv4 and IPv6 is called a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can have both IPv4 and IPv6 packets transmitted. This document describes: Dual stack overview...
Feature: MLD Snooping. Description: Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups. This document describes: Configuring Basic Functions of MLD Snooping, Configuring MLD Snooping Port Functions, Configuring MLD Snooping Querier, Configuring MLD Snooping Policy.
Feature: IPv6 Multicast VLAN...
Feature: HABP. Description: On an HABP-capable switch, HABP packets can bypass 802.1X authentication and MAC authentication, allowing communication among switches in a cluster. This document describes: Introduction to HABP, HABP configuration.
Description: MAC authentication provides a way for authenticating users based on ports and MAC addresses;...
Feature: ARP Attack Protection. Description: Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This document describes: Configuring ARP Defense Against IP Packet Attacks, Configuring ARP Packet Rate Limit, Configuring Source MAC Address Based ARP Attack Detection, Configuring ARP Packet Source MAC Address Consistency Check, Configuring ARP Active Acknowledgement...
Feature: Ethernet OAM. Description: Ethernet OAM is a tool monitoring Layer-2 link status. It helps network administrators manage their networks effectively. This document describes: Ethernet OAM overview, Configuring Basic Ethernet OAM Functions, Configuring Link Monitoring, Enabling OAM Loopback Testing.
Description: CFD is an end-to-end, per-VLAN link-layer OAM mechanism for link connectivity detection, fault verification, and fault location.
Feature: Device Management. Description: Through the device management function, you can view the current condition of your device and configure running parameters. This document describes: Device management overview, Configuring the Exception Handling Method, Rebooting a device, Configuring the scheduled automatic execution function, Specifying a file for the next device boot, Disabling Boot ROM Access, Configuring a detection interval...
Feature: Information Center. Description: As the system information hub, Information Center classifies and manages all types of system information. This document describes: Information Center Overview, Setting to Output System Information to the Console, Setting to Output System Information to a Monitor Terminal, Setting to Output System Information to a Log Host, Setting to Output System Information to the Trap Buffer...
Feature: Cluster Management. Description: A cluster is a group of network devices. Cluster management is to implement management of large numbers of distributed network devices. This document describes: Cluster Management Overview, Configuring the Management Device, Configuring the Member Devices, Configuring Access Between the Management Device and Its Member Devices, Adding a Candidate Device to a Cluster, Configuring Advanced Cluster Functions...
Appendix A Acronyms
Acronyms / Full spelling
10GE Ten-GigabitEthernet; Authentication, Authorization and Accounting; Activity Based Costing; Area Border Router; Alternating Current; ACKnowledgement...
Border Gateway Protocol; BIMS Branch Intelligent Management System; BOOTP Bootstrap Protocol; BPDU Bridge Protocol Data Unit; Basic Rate Interface; Bootstrap Router; BitTorrent; Burst Tolerance; Call Appearance; Certificate Authority; Committed Access Rate; Committed Burst Size; Class Based Queuing; Constant Bit Rate; Core-Based Tree; International Telephone and Telegraph Consultative...
Connectivity Verification; Deeper Application Recognition; Data Circuit-terminal Equipment; Database Description; Digital Data Network; DHCP Dynamic Host Configuration Protocol; Designated IS; DLCI Data Link Connection Identifier; DLDP Device Link Detection Protocol; Domain Name System; Downstream on Demand; Denial of Service; Designated Router; DSCP...
Forward Defect Indication; Forwarding Equivalence Class; Fast Failure Detection; Forwarding Group; Forwarding information base; FIFO First In First Out; FQDN Full Qualified Domain Name; Frame Relay; Fast ReRoute; FRTT Fairness Round Trip Time; Functional Test; File Transfer Protocol; GARP Generic Attribute Registration Protocol...
International Business Machines; ICMP Internet Control Message Protocol; ICMPv6 Internet Control Message Protocol for IPv6; IDentification/IDentity; IEEE Institute of Electrical and Electronics Engineers; IETF Internet Engineering Task Force; IGMP Internet Group Management Protocol; IGMP-Snooping Internet Group Management Protocol Snooping; Interior Gateway Protocol; Incoming Label Map; Internet Locator Service...
LACP Link Aggregation Control Protocol; LACPDU Link Aggregation Control Protocol Data Unit; Local Area Network; Link Control Protocol; LDAP Lightweight Directory Access Protocol; Label Distribution Protocol; Label Edge Router; LFIB Label Forwarding Information Base; Label Information Base; Link Layer Control; LLDP Link Layer Discovery Protocol...
Multicast Listener Discovery Protocol; MLD-Snooping Multicast Listener Discovery Snooping; Meet-Me Conference; MODEM MOdulator-DEModulator; Multilink PPP; MP-BGP Multiprotocol extensions for BGP-4; Middle-level PE; MP-group Multilink Point to Point Protocol group; MPLS Multiprotocol Label Switching; MPLSFW Multi-protocol Label Switch Forward; Multicast Port Management; Mobile Switching Center; MSDP...
Network Management Station; NPDU Network Protocol Data Unit; Network Provider Edge; Network Quality Analyzer; NSAP Network Service Access Point; NetStream Collector; N-SEL NSAP Selector; NSSA Not-So-Stubby Area; NTDP Neighbor Topology Discovery Protocol; Network Time Protocol; Operation Administration and Maintenance; OAMPDU OAM Protocol Data Units; OC-3...
Power over Ethernet; Point Of Presence; Packet Over SDH; Point-to-Point Protocol; PPTP Point to Point Tunneling Protocol; PPVPN Provider-provisioned Virtual Private Network; Priority Queuing; Primary Reference Clock; Primary Rate Interface; Protection Switching; Power Sourcing Equipment; PSNP Partial SNP; Permanent Virtual Channel; Pseudo wires...
Resilient Packet Ring; Rendezvous Point Tree; RRPP Rapid Ring Protection Protocol; Reservation State Block; RSOH Regenerator Section Overhead; RSTP Rapid Spanning Tree Protocol; RSVP Resource ReserVation Protocol; RTCP Real-time Transport Control Protocol; Route Table Entry; Real-time Transport Protocol; Source Active...
Shortest Path First; Shortest Path Tree; Secure Shell; Synchronization Status Marker; Source-Specific Multicast; Shared Tree; STM-1 SDH Transport Module -1; STM-16 SDH Transport Module -16; STM-16c SDH Transport Module -16c; STM-4c SDH Transport Module -4c; Spanning Tree Protocol; Signalling Virtual Connection; Switch-MDT Switch-Multicast Distribution Tree...
Variable Bit Rate; Virtual Channel Identifier; Virtual Ethernet; Virtual File System; VLAN Virtual Local Area Network; Virtual Leased Lines; Video On Demand; VoIP Voice over IP; Virtual Operate System; VPDN Virtual Private Dial-up Network; VPDN Virtual Private Data Network; Virtual Path Identifier; VPLS Virtual Private Local Switch...
Access Volume Organization
Manual Version: 6W101-20100305
Product Version: Release 2202
Organization
The Access Volume is organized as follows:
Description: This document describes: Combo Port Configuration, Basic Ethernet Interface Configuration, Configuring Flow Control on an Ethernet Interface, Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface, Configuring Loopback Testing on an Ethernet Interface, Configuring a Port Group...
Feature: MSTP. Description: MSTP is used to eliminate loops in a LAN. It is compatible with STP and RSTP. This document describes: Introduction to STP/RSTP/MSTP, Configuring MSTP.
Description: LLDP enables a device to maintain and manage its own and its immediate neighbor's device information, based on which the network management system detects and determines the conditions of the communications links.
Description: Port mirroring copies packets passing through a port to another port connected with a monitoring device for packet analysis to help implement network monitoring and troubleshooting. Traffic mirroring is implemented by a QoS policy, which defines certain match criteria to match the packets to be mirrored and defines the action of mirroring such packets to the specified destination.
Table of Contents
1 Ethernet Port Configuration 1-1
    Ethernet Port Configuration 1-1
        Combo Port Configuration 1-1
        Basic Ethernet Port Configuration 1-2
        Configuring an Auto-negotiation Transmission Rate 1-3
        Configuring Flow Control on an Ethernet Port 1-4
        Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Port 1-4
        Configuring Loopback Testing on an Ethernet Port 1-5
        Configuring a Port Group 1-5
        Configuring Storm Suppression 1-6
        ...
Ethernet Port Configuration
GE and 10GE ports on the S5120-EI series Ethernet switches are numbered in the following format: interface-type A/B/C. A: Number of a member device in an IRF. If no IRF is formed, this value is 1.
In case of a Combo port, only one port (either the optical port or the electrical port) is active at a time. That is, once the optical port is active, the electrical port will be inactive automatically, and vice versa. Basic Ethernet Port Configuration Configuring an Ethernet port Three types of duplex modes are available to Ethernet ports:...
10-Gigabit Ethernet ports do not support the duplex command or the speed command. Configuring an Auto-negotiation Transmission Rate Usually, the transmission rate on an Ethernet port is determined through negotiation with the peer end, which can be any rate within the capacity range. With auto-negotiation rate configured, you can enable the Ethernet port to negotiate only part of the transmission rates within its capacity.
This function is available for auto-negotiation-capable Gigabit Layer-2 Ethernet electrical ports only. If you repeatedly use the speed and the speed auto commands to configure the transmission rate on a port, only the latest configuration takes effect. Configuring Flow Control on an Ethernet Port When flow control is enabled on both sides, if traffic congestion occurs at the ingress port, it will send a Pause frame notifying the egress port to temporarily suspend the sending of packets.
Configuring Loopback Testing on an Ethernet Port You can enable loopback testing to check whether the Ethernet port functions properly. Note that no data packets can be forwarded during the testing. Loopback testing falls into the following two categories: Internal loopback testing, which is performed within switching chips to test the functions related to the Ethernet ports.
To do: Add Ethernet ports to the manual port group. Use the command: group-member interface-list. Remarks: Required.
Configuring Storm Suppression
You can use the following commands to suppress the broadcast, multicast, and unknown unicast traffic. In port configuration mode, the suppression ratio indicates the maximum broadcast, multicast or unknown unicast traffic that is allowed to pass through a port.
If you set storm suppression ratios in Ethernet port view or port group view repeatedly for an Ethernet port that belongs to a port group, only the latest settings take effect. Setting the Interval for Collecting Ethernet Port Statistics You can use the reset counters interface command to clear port statistics. Follow these steps to configure the interval for collecting port statistics: To do…...
Enabling Loopback Detection on an Ethernet Port If a port receives a packet that it sent out, a loop occurs. Loops may cause broadcast storms. The purpose of loopback detection is to detect loops on a port. When loopback detection is enabled on an Ethernet port, the device periodically checks whether the ports have any external loopback.
10-Gigabit Ethernet ports and optical ports of SFP ports do not support this function. Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port on a device can operate in one of the following three Medium Dependent Interface (MDI) modes: Across mode Normal mode...
10-Gigabit Ethernet ports and optical ports of SFP ports do not support this feature. A link in the up state goes down and then up automatically if you perform the operation described in this section on one of the Ethernet ports forming the link. Follow these steps to test the current operating state of the cable connected to an Ethernet port: To do…...
To do: Set the interval for generating traffic statistics. Use the command: storm-constrain interval seconds. Remarks: Optional; 10 seconds by default.
To do: Enter Ethernet port view. Use the command: interface interface-type interface-number.
To do: Enable the storm constrain function and set the lower threshold and the upper threshold. Use the command: storm-constrain { broadcast | multicast } { pps | kbps | ratio } max-pps-values... Remarks: Required.
To do: Display the summary of a port. Use the command: display brief interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Display information about discarded packets on a port. Use the command: display packet-drop interface [ interface-type ... Remarks: Available in any view.
Table of Contents
1 Ethernet Link Aggregation Configuration 1-1
    Overview 1-1
        Basic Concepts 1-1
        Aggregating Links in Static Mode 1-5
        Aggregating Links in Dynamic Mode 1-6
        Load Sharing Criteria for Link Aggregation Groups 1-8
    Ethernet Link Aggregation Configuration Task List 1-8
    Configuring an Aggregation Group 1-8
        Configuration Guidelines 1-8
        Configuring a Static Aggregation Group 1-9
        Configuring a Dynamic Aggregation Group 1-9
        ...
Ethernet Link Aggregation Configuration
When configuring Ethernet link aggregation, go to these sections for information you are interested in: Overview; Ethernet Link Aggregation Configuration Task List; Configuring an Aggregation Group; Configuring an Aggregate Interface; Configuring Load Sharing for Link Aggregation Groups; Displaying and Maintaining Ethernet Link Aggregation; Ethernet Link Aggregation Configuration Examples. The extended LACP functions are added.
interfaces. When an aggregate interface is created, an aggregation group of the same type and numbered the same is created automatically. For example, when you create interface Bridge-aggregation 1, Layer 2 aggregation group 1 is created. To a Layer 2 aggregation group, you can assign only Layer 2 Ethernet interfaces. The current device supports only Layer 2 aggregation groups and Layer 2 aggregate interfaces.
This is how the LACP multi-active detection (MAD) mechanism of the Intelligent Resilient Framework (IRF) feature is implemented. Extended LACP functions: Switches of the S5120-EI series that support extended LACP functions can function as an IRF member device or an intermediate device in LACP MAD implementation.
Currently, the S5120-EI series Ethernet switches support returning Marker Response PDUs only after dynamic link aggregation member ports receive Marker PDUs. Link aggregation modes There are two link aggregation modes: dynamic and static.
aggregation group, while a link aggregation group operating in dynamic mode is called a dynamic link aggregation group. Table 1-4 compares the two aggregation modes.
Table 1-4 A comparison between static and dynamic aggregation modes (columns: Aggregation mode, LACP status on member ports, Pros, Cons)...
Figure 1-2 Set the aggregation state of a member port in a static aggregation group
Because any port attribute or class-two configuration change on a member port may cause the aggregation state of the port and other member ports to change and thus affect services, exercise caution when making such changes.
Selecting a reference port
The local system (the actor) negotiates with the remote system (the partner) to select a reference port as follows: Compare the system ID (comprising the system LACP priority and the system MAC address) of the actor with that of the partner. The system with the lower LACP priority value wins. If the priorities are the same, compare the system MAC addresses; the lower MAC address wins.
Because any port attribute or class-two configuration change on a member port may cause the aggregation state of the port and other member ports to change and thus affect services, exercise caution when making such changes. In a dynamic aggregation group, when the aggregation state of a local port changes, the aggregation state of the peer port also changes accordingly.
Port type: Stack ports. Reference: IRF Configuration in the System Volume.
Port type: MAC authentication-enabled ports. Reference: MAC Authentication Configuration in the Security Volume.
Port type: Port security-enabled ports. Reference: Port Security Configuration in the Security Volume.
Port type: IP source guard-enabled ports. Reference: IP Source Guard Configuration in the Security Volume.
Port type: 802.1X-enabled ports. Reference: 802.1X Configuration in the Security Volume.
Removing an aggregate interface also removes the corresponding aggregation group.
To guarantee a successful dynamic aggregation, ensure that the peer ports of the ports aggregated at one end are also aggregated. The two ends can automatically negotiate the aggregation state of each member port. Follow these steps to configure a dynamic aggregation group: To do...
Configuring the Description of an Aggregate Interface You can configure the description of an aggregate interface for administration purposes such as describing the purpose of the interface. Follow these steps to configure the description of an aggregate interface: To do... Use the command...
To do: Enter system view. Use the command: system-view.
To do: Enter aggregate interface view. Use the command: interface bridge-aggregation interface-number.
To do: Shut down the aggregate interface. Use the command: shutdown. Remarks: Required; by default, aggregate interfaces are up.
Configuring Load Sharing for Link Aggregation Groups
Configuring Load Sharing Criteria for Link Aggregation Groups
You can determine how traffic is load-shared in a link aggregation group by configuring load sharing criteria.
Currently, when you configure the global link-aggregation load sharing criterion or criteria, the switch supports the following criteria: Use a source IP address alone. Use a destination IP address alone. Use a source MAC address alone. Use a destination MAC address alone. Combine a source IP address and a destination IP address.
Displaying and Maintaining Ethernet Link Aggregation
To do: Display the local system ID. Use the command: display lacp system-id. Remarks: Available in any view.
To do: Display the global or group-specific link-aggregation load sharing criteria. Use the command: display link-aggregation load-sharing mode [ interface [ bridge-aggregation interface-number ] ]. Remarks: Available in any view.
...
Figure 1-4 Network diagram for static aggregation
Configuration procedure
Configure Device A
# Create VLAN 10, and assign port GigabitEthernet1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitEthernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign port GigabitEthernet1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitEthernet 1/0/5
[DeviceA-vlan20] quit
...
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
Please wait... Done.
Configuring GigabitEthernet1/0/1... Done.
Configuring GigabitEthernet1/0/2... Done.
Configuring GigabitEthernet1/0/3... Done.
[DeviceA-Bridge-Aggregation1] quit
# Configure to use the source and destination MAC addresses of packets as the global link-aggregation load sharing criteria.
Configure a Layer 2 dynamic link aggregation group on Device A and Device B respectively, enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and VLAN 20 at one end to communicate with VLAN 20 at the other end. Enable traffic to be load-shared across aggregation group member ports based on source and destination MAC addresses.
# Configure Layer 2 aggregate interface 1 as a trunk port and assign it to VLANs 10 and 20. This configuration automatically propagates to all the member ports in link aggregation group 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
Please wait...
Aggregation Load Sharing Configuration Example Network requirements As shown in Figure 1-6: Device A and Device B are connected by their Layer 2 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4. Configure two Layer 2 static link aggregation groups (1 and 2) on Device A and Device B respectively, enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and VLAN 20 at one end to communicate with VLAN 20 at the other end.
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitEthernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
# Configure Layer 2 aggregate interface 1 as a trunk port and assign it to VLANs 10 and 20. This configuration automatically propagates to all the member ports in link aggregation group 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
...
Configuring GigabitEthernet1/0/4... Done.
[DeviceA-Bridge-Aggregation2] quit
Configure Device B
Configure Device B as you configure Device A.
Verify the configurations
# Display the summary information about all aggregation groups on Device A.
[DeviceA] display link-aggregation summary
Aggregation Interface Type: BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001
...
Table of Contents
1 Port Isolation Configuration 1-1
    Introduction to Port Isolation 1-1
    Configuring the Isolation Group 1-1
        Assigning a Port to the Isolation Group 1-1
    Displaying and Maintaining Isolation Groups 1-2
    Port Isolation Configuration Example 1-2
    ...
VLAN, allowing for great flexibility and security. Currently, the S5120-EI series Ethernet switches support only one isolation group, which is created automatically by the system as isolation group 1. You can neither remove the isolation group nor create other isolation groups on such devices.
Displaying and Maintaining Isolation Groups
To do: Display the isolation group information. Use the command: display port-isolate group. Remarks: Available in any view.
Port Isolation Configuration Example
Network requirements
Users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device.
Uplink port support: NO
Group ID: 1
Group members:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3
...
Table of Contents
1 MSTP Configuration 1-1
    Overview 1-1
    Introduction to STP 1-1
        Why STP 1-1
        Protocol Packets of STP 1-1
        Basic Concepts in STP 1-2
        How STP works 1-3
    Introduction to RSTP 1-9
    Introduction to MSTP 1-10
        Why MSTP 1-10
        Basic Concepts in MSTP 1-11
        How MSTP Works 1-14
        Implementation of MSTP on Devices 1-15
    Protocols and Standards 1-15
    ...
MSTP Configuration
When configuring MSTP, go to these sections for information you are interested in: Overview; Introduction to STP; Introduction to RSTP; Introduction to MSTP; MSTP Configuration Task List; Configuring MSTP; Displaying and Maintaining MSTP; MSTP Configuration Example.
Overview
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, while at the same time retaining those links as backups so that link redundancy is preserved.
Topology change notification (TCN) BPDUs, used for notifying the concerned devices of network topology changes, if any. Basic Concepts in STP Root bridge A tree network must have a root; hence the concept of root bridge was introduced in STP. There is one and only one root bridge in the entire network, and the root bridge can change along with changes of the network topology.
Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. Path cost Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree.
For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs: Root bridge ID (represented by device priority) Root path cost (related to the rate of the link connecting the port) Designated bridge ID (represented by device priority) Designated port ID (represented by port name) Calculation process of the STP algorithm Initial state...
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selection of the root port and designated ports on a non-root device Table 1-3 describes the process of selecting the root port and designated ports.
Figure 1-2 Network diagram for the STP algorithm (Device A with priority 0, Device B with priority 1, Device C with priority 2)
Initial state of each device
Table 1-4 shows the initial state of each device.
Table 1-4 Initial state of each device (columns: Device, Port name, BPDU of port)...
Comparison process on each device and the BPDU of each port after comparison:
Device B: Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
Device C, after comparison: Because the root path cost of CP2 (9, that is, the root path cost carried in the BPDU received on CP2 (5) plus the path cost of CP2 (4)) is smaller than the root path cost of CP1 (10, that is, the root path cost carried in the BPDU received on CP1 (0) plus the path cost of CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected...
If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.
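The election walked through in Table 1-4 and the reconvergence after a path fault described above can be reproduced with a small model of the STP algorithm. The following Python is an added example, not code from the H3C manual: it uses the four BPDU fields the manual uses, {root bridge ID, root path cost, designated bridge ID, designated port ID}, with the priorities and the port path costs from the walkthrough (A = 0, B = 1, C = 2; BP1 = 5, CP1 = 10, CP2 = 4). The costs of AP1 and AP2 are assumptions, as are all function and variable names.

```python
"""Spanning tree election on the Figure 1-2 topology (added example)."""

# Device priority doubles as the bridge ID in the manual's notation.
PRIORITY = {"A": 0, "B": 1, "C": 2}

# Per-port path cost. BP1, CP1 and CP2 come from the manual's calculation;
# AP1 and AP2 are assumed to mirror the cost of the far end of their link.
PORT_COST = {"AP1": 5, "AP2": 10, "BP1": 5, "BP2": 4, "CP1": 10, "CP2": 4}
OWNER = {p: p[0] for p in PORT_COST}            # "AP1" -> "A", ...
LINKS = [("AP1", "BP1"), ("AP2", "CP1"), ("BP2", "CP2")]


def run_stp(priority, port_cost, owner, links, rounds=20):
    """Return {port: role} once the synchronous BPDU exchange converges.

    Roles are 'designated', 'root' or 'alternate' (blocked). A BPDU is the
    tuple (root_id, root_path_cost, designated_bridge, designated_port);
    Python tuple comparison implements the manual's "smaller is superior".
    """
    peer = {}
    for a, b in links:
        peer[a], peer[b] = b, a
    ports_of = {d: [p for p in port_cost if owner[p] == d] for d in priority}
    # Initial state (Table 1-4): every device claims to be the root and
    # every port is designated.
    role = {p: "designated" for p in port_cost}
    bpdu = {p: (priority[owner[p]], 0, priority[owner[p]], p) for p in port_cost}

    for _ in range(rounds):
        new_role, new_bpdu = {}, {}
        for dev, ports in ports_of.items():
            me = priority[dev]
            # Only designated ports send BPDUs; a root or blocked peer is
            # silent, which is how a failed path times out in this model.
            received = {p: bpdu[peer[p]] for p in ports
                        if p in peer and role[peer[p]] == "designated"}
            # Root election: received root path cost + own port cost.
            best, root_port = (me, 0, me, ""), None
            for p, (r, cost, d, dp) in received.items():
                cand = (r, cost + port_cost[p], d, dp)
                if cand < best:
                    best, root_port = cand, p
            root_id, root_cost = best[0], best[1]
            for p in ports:
                mine = (root_id, root_cost, me, p)
                if p == root_port:
                    new_role[p] = "root"
                elif p in received and received[p] < mine:
                    new_role[p] = "alternate"     # peer's BPDU wins: block
                else:
                    new_role[p] = "designated"
                new_bpdu[p] = mine
        if new_role == role and new_bpdu == bpdu:
            break                                  # stable topology
        role, bpdu = new_role, new_bpdu
    return role


def root_bridge(priority, port_cost, owner, links):
    """The elected root is the device whose ports are all designated."""
    role = run_stp(priority, port_cost, owner, links)
    for dev in priority:
        if all(role[p] == "designated" for p in port_cost if owner[p] == dev):
            return dev
    return None


if __name__ == "__main__":
    print(run_stp(PRIORITY, PORT_COST, OWNER, LINKS))
    # Path fault on the A-B link: B loses its root port and reconverges via C.
    print(run_stp(PRIORITY, PORT_COST, OWNER, LINKS[1:]))
```

Running the normal topology gives CP2 as the root port of Device C and CP1 as the blocked port, matching the manual's comparison; dropping the A-B link makes BP2 the new root port of Device B and CP2 a designated port, which is the recalculation the fault paragraph describes.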
Introduction to MSTP Why MSTP Weaknesses of STP and RSTP STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment.
Basic Concepts in MSTP
Figure 1-4 Basic concepts in MSTP (MST regions A0, B0 and D0 exchanging BPDUs; in region A0, VLAN 1 is mapped to instance 1, VLAN 2 to instance 2 and the other VLANs to the CIST; in region B0, VLAN 1 is mapped to instance 1 with B as the regional root bridge, and VLAN 2 to instance 2...)
VLAN-to-instance mapping table As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 1-4, for example, the VLAN-to-instance mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
During MSTP calculation, a boundary port’s role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. Roles of ports MSTP calculation involves these port roles: root port, designated port, master port, alternate port, backup port, and so on.
Port states In MSTP, port states fall into the following three: Forwarding: the port learns MAC addresses and forwards user traffic; Learning: the port learns MAC addresses but does not forward user traffic; Discarding: the port neither learns MAC addresses nor forwards user traffic. When in different MSTIs, a port can be in different states.
Within an MST region, the packet is forwarded along the corresponding MSTI. Between two MST regions, the packet is forwarded along the CST. Implementation of MSTP on Devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation.
Task list (task: remarks):
Enabling the MSTP Feature: Required
Configuring an MST Region: Required
Configuring the Work Mode of an MSTP Device: Optional
Configuring the Timeout Factor: Optional
Configuring the Maximum Port Rate: Optional
Configuring Ports as Edge Ports: Optional
Configuring the leaf nodes:
  Configuring Path Costs of Ports: Optional
  Configuring Port Priority...
Configuring MSTP
Configuring an MST Region
Make the following configurations on the root bridge and on the leaf nodes separately. Follow these steps to configure an MST region (step: command, remarks):
Enter system view: system-view
Enter MST region view: ...
Configuring the Root Bridge or a Secondary Root Bridge MSTP can determine the root bridge of a spanning tree through MSTP calculation. Alternatively, you can specify the current device as the root bridge or a secondary root bridge using the commands provided by the system.
After specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. Alternatively, you can also configure the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, refer to Configuring the Priority of a Device.
After configuring a device as the root bridge or a secondary root bridge, you cannot change the priority of the device. During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address will be selected as the root bridge of the spanning tree. Configuring the Maximum Hops of an MST Region By setting the maximum hops of an MST region, you can restrict the region size.
Based on the network diameter you configured, MSTP automatically sets an optimal hello time, forward delay, and max age for the device. The configured network diameter is effective for the CIST only, and not for MSTIs. Each MST region is considered as a device. The network diameter must be configured on the root bridge.
Configure the max age timer: stp timer max-age time (Optional; 2,000 centiseconds, that is, 20 seconds, by default)
The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, the longer the forward delay time should be. Note that if the forward delay setting is too small, temporary redundant paths may be introduced;...
Enter system view: system-view
Configure the timeout factor of the device: stp timer-factor factor (Required; 3 by default)
Configuring the Maximum Port Rate
The maximum rate of a port refers to the maximum number of BPDUs the port can send within each hello time.
Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number (Required; use either this command or the port group command)
Enter port group view: port-group manual port-group-name
Configure the current ports as edge ports: stp edged-port enable (Required; all ports are non-edge ports by default)
Table 1-7 Link speed vs. path cost (columns: link speed, duplex state, 802.1d-1998, 802.1t, private standard)
No link: 802.1d-1998 65535; 802.1t 200,000,000; private standard 200,000
10 Mbps, Single Port: 802.1t 2,000,000; private standard 2,000
10 Mbps, Aggregate Link 2 Ports: 802.1t 1,000,000; private standard 1,800
10 Mbps, Aggregate Link 3 Ports: 802.1t 666,666; private standard 1,600
10 Mbps, Aggregate Link 4 Ports: 802.1t 500,000; private standard 1,400
Single Port...
If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will be invalid. When the path cost of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition.
When the priority of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition. Generally, a lower priority value indicates a higher priority. If you configure the same priority value for all the ports on a device, the specific priority of a port depends on the index number of the port. Changing the priority of a port triggers a new spanning tree calculation process.
dot1s: 802.1s-compliant standard format, and legacy: Compatible format By default, the packet format recognition mode of a port is auto, namely the port automatically distinguishes the two MSTP packet formats, and determines the format of packets it will send based on the recognized format.
Enable output of port state transition information: stp port-log { all | instance instance-id } (Required; this function is enabled by default)
Enabling the MSTP Feature
You must enable MSTP for the device before any other MSTP-related configurations can take effect. Make this configuration on the root bridge and on the leaf nodes separately.
By then, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode. You can perform mCheck on a port through the following two approaches, which lead to the same result. Performing mCheck globally Follow these steps to perform global mCheck: To do...
Before enabling digest snooping, ensure that associated devices of different vendors are interconnected and run MSTP. Configuring the Digest Snooping feature You can enable Digest Snooping only on a device that is connected to a third-party device that uses its private key to calculate the configuration digest.
Digest Snooping configuration example Network requirements Device A and Device B connect to Device C, a third-party device, and all these devices are in the same region. Enable Digest Snooping on Device A and Device B so that the three devices can communicate with one another.
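The reason the VLAN-to-instance mapping table (see Basic Concepts in MSTP) must match on every device in a region, and the reason a third-party device using a private key ends up outside the region unless Digest Snooping is enabled, is the MST configuration digest. The following Python is an added example, not code from the H3C manual or from Comware: it builds the IEEE 802.1s configuration identifier (region name, revision level, HMAC-MD5 digest of the 4096-entry mapping table keyed with the signature key the standard fixes) for the mapping used in this chapter's MSTP configuration example. Function names and the private-key value used for contrast are assumptions.

```python
"""MST configuration identifier and configuration digest (added example)."""
import hashlib
import hmac

# Configuration digest signature key defined by IEEE 802.1s (802.1Q Table 13-1).
STANDARD_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_table(instance_vlans):
    """4096 x 2-octet VLAN-to-MSTI table; unlisted VLANs stay in the CIST (0)."""
    table = [0] * 4096
    for msti, vlans in instance_vlans.items():
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        for vid in vlans:
            if not 1 <= vid <= 4094:           # entries 0 and 4095 are always 0
                raise ValueError(f"VLAN {vid} is not a valid VLAN ID")
            table[vid] = msti
    return b"".join(m.to_bytes(2, "big") for m in table)


def config_digest(instance_vlans, key=STANDARD_KEY):
    """Hex HMAC-MD5 of the mapping table, as carried in the MSTP BPDU.

    The table itself (8192 bytes) never goes on the wire; only this digest
    does, so two switches can agree on the mapping without exchanging it.
    """
    return hmac.new(key, mst_table(instance_vlans), hashlib.md5).hexdigest()


def region_id(name, revision, instance_vlans, key=STANDARD_KEY):
    """The MST configuration identifier a switch advertises."""
    if len(name.encode()) > 32:
        raise ValueError("region name is at most 32 bytes")
    return (name, revision, config_digest(instance_vlans, key))


def same_region(id_a, id_b):
    """Two switches form one region only if the full identifier matches."""
    return id_a == id_b


# VLAN-to-instance mapping from the MSTP configuration example in this
# chapter: instance 1 vlan 10, instance 3 vlan 30, instance 4 vlan 40
# (VLAN 20 and all other VLANs stay in the CIST).
EXAMPLE_MAPPING = {1: [10], 3: [30], 4: [40]}

if __name__ == "__main__":
    print("default digest (all VLANs in CIST):", config_digest({}))
    print("region 'example':", region_id("example", 0, EXAMPLE_MAPPING))
    # A vendor digesting with its own key never matches, whatever its mapping.
    print("private key:", config_digest(EXAMPLE_MAPPING, key=b"vendor-private-key"))
```

The digest is not a secret and not an integrity check against an attacker; the key is public and anyone can compute it. Its only job is to detect a mapping mismatch, which is why a region name or revision-level typo on one device, or a vendor that substitutes a private key, silently splits the region into two.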
Figure 1-7 shows the rapid state transition mechanism on MSTP designated ports.
Figure 1-7 Rapid state transition of an MSTP designated port
Figure 1-8 shows rapid state transition of an RSTP designated port.
Figure 1-8 Rapid state transition of an RSTP designated port (the upstream device sends a proposal for rapid transition to the downstream device...)
Enter system view: system-view
Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number (Required; use either this command or the port group command)
Enter port group view: port-group manual port-group-name
Enable No Agreement Check...
ports and start a new spanning tree calculation process, which changes the network topology. Under normal conditions, these ports should not receive configuration BPDUs. If an attacker forges configuration BPDUs and sends them to such a port, however, the resulting recalculations make the network unstable. MSTP provides the BPDU guard function to protect the system against such attacks.
Enter port group view: port-group manual port-group-name (Required)
Enable the root guard function for the port(s): stp root-protection (Required; disabled by default)
Among loop guard, root guard and edge port settings, only one function (whichever is configured first) can take effect on a port at any one time.
Enabling TC-BPDU guard When receiving topology change (TC) BPDUs (the BPDUs used to notify topology changes), a switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the switch, the switch will receive a large number of TC-BPDUs within a short time and be busy with forwarding address entry flushing.
Enter port group view: port-group manual port-group-name (Required)
Enable BPDU dropping for the port(s): bpdu-drop any (Required; disabled by default)
Displaying and Maintaining MSTP
View information about abnormally blocked ports: display stp abnormal-port (available in any view)
View information about ports blocked...
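The three protection features described in this section (BPDU guard, root guard and TC-BPDU guard) are easiest to reason about as checks a port applies when a BPDU arrives. The following Python is an added example, not code from the H3C manual or from Comware: it models each guard's reaction to a forged BPDU, including what happens on an edge port that has no BPDU guard. The class and field names, the "error-down" state name, the threshold of six TC-BPDUs per interval and the log messages are assumptions made for the illustration; the manual does not give the switch's threshold.

```python
"""What BPDU guard, root guard and TC-BPDU guard do on a port (added example)."""
from dataclasses import dataclass, field


@dataclass
class Bpdu:
    kind: str                      # "config" or "tcn"
    root_id: int = 0
    root_path_cost: int = 0
    bridge_id: int = 0
    port_id: int = 0

    def vector(self):
        """Priority vector; tuple comparison, smaller is superior."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


@dataclass
class Port:
    name: str
    edge: bool = False             # configured as an edge port
    bpdu_guard: bool = False       # BPDU guard enabled
    root_guard: bool = False       # root guard (stp root-protection) enabled
    tc_guard: bool = False         # TC-BPDU guard enabled
    tc_threshold: int = 6          # assumed: TC-BPDUs honoured per interval
    state: str = "forwarding"
    tc_seen: int = 0
    log: list = field(default_factory=list)


class Bridge:
    def __init__(self, bridge_id, root_vector):
        self.bridge_id = bridge_id
        self.root_vector = root_vector   # best (root, cost, bridge, port) known
        self.flushes = 0                 # forwarding-table flushes performed

    def receive(self, port, bpdu):
        """Apply the guards to one received BPDU and return the action taken."""
        if port.state == "error-down":
            return "ignored"
        if port.edge:
            if port.bpdu_guard:
                # A forged BPDU on an access-facing port would otherwise force
                # a recalculation; BPDU guard shuts the port down instead.
                port.state = "error-down"
                port.log.append(f"{port.name}: BPDU on edge port, port shut down")
                return "shutdown"
            # Without BPDU guard the port merely loses its edge status and the
            # BPDU is processed like any other (the weakness the guard closes).
            port.edge = False
            port.log.append(f"{port.name}: BPDU on edge port, edge status lost")
        if bpdu.kind == "tcn":
            port.tc_seen += 1
            if port.tc_guard and port.tc_seen > port.tc_threshold:
                port.log.append(f"{port.name}: TC-BPDU {port.tc_seen} dropped")
                return "tc-dropped"
            self.flushes += 1            # the costly work a TC-BPDU flood exploits
            return "flushed"
        if port.root_guard and bpdu.vector() < self.root_vector:
            # A superior BPDU here would turn this port into a root port and
            # move the root bridge; root guard blocks the port instead.
            port.state = "discarding"
            port.log.append(f"{port.name}: superior BPDU {bpdu.vector()}, blocked")
            return "root-blocked"
        return "accepted"

    def new_interval(self, port):
        """Reset the per-interval TC-BPDU count (called once per guard interval)."""
        port.tc_seen = 0


if __name__ == "__main__":
    bridge = Bridge(bridge_id=32768, root_vector=(0, 10, 32768, 1))
    edge = Port("GE1/0/3", edge=True, bpdu_guard=True)
    print(bridge.receive(edge, Bpdu("config", root_id=0)), edge.state)
    uplink = Port("GE1/0/2", root_guard=True)
    print(bridge.receive(uplink, Bpdu("config", root_id=0, root_path_cost=5)))
    tc = Port("GE1/0/1", tc_guard=True)
    print([bridge.receive(tc, Bpdu("tcn")) for _ in range(8)], bridge.flushes)
```

Note the ordering: the BPDU-guard check runs first because an edge port should see no BPDU of any kind, whereas root guard only reacts to a configuration BPDU that is superior to the bridge's current root information; an inferior BPDU on a root-guarded port is accepted as usual.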
Figure 1-10 Network diagram for MSTP configuration Configuration procedure VLAN and VLAN member port configuration Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B respectively, create VLAN 10, VLAN 20, and VLAN 40 on Device C, and create VLAN 20, VLAN 30, and VLAN 40 on Device D; configure the ports on these devices as trunk ports and assign them to related VLANs.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Specify the current device as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable MSTP globally.
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable MSTP globally.
[DeviceD] stp enable
Verifying the configurations
You can use the display stp brief command to display brief spanning tree information on each device after the network is stable.
# Display brief spanning tree information on Device A.
GigabitEthernet1/0/2    ALTE   DISCARDING   NONE
GigabitEthernet1/0/3    ROOT   FORWARDING   NONE
Based on the above information, you can draw the MSTI corresponding to each VLAN, as shown in Figure 1-11.
Figure 1-11 MSTIs corresponding to different VLANs
Table of Contents
1 LLDP Configuration
  Overview
    Background
    Basic Concepts
    How LLDP Works
    Protocols and Standards
  LLDP Configuration Task List
  Performing Basic LLDP Configuration
    Enabling LLDP
    Setting LLDP Operating Mode
    Setting the LLDP Re-Initialization Delay
    Enabling LLDP Polling
    Configuring the TLVs to Be Advertised
    Configuring the Management Address and Its Encoding Format
  ...
LLDP Configuration
When configuring LLDP, go to these sections for information you are interested in: Overview; LLDP Configuration Task List; Performing Basic LLDP Configuration; Configuring CDP Compatibility; Configuring LLDP Trapping; Displaying and Maintaining LLDP; LLDP Configuration Examples.
Overview
Background
In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration information for the sake of interoperability and management.
Figure 1-1 Ethernet II-encapsulated LLDP frame format
The fields in the frame are described in Table 1-1:
Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame
Destination MAC address: the MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
Source MAC address: the MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
Type: the SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
VLAN Name: a specific VLAN name on the port.
Protocol Identity: protocols supported on the port. Currently, H3C devices support receiving but not sending protocol identity TLVs.
IEEE 802.3 organizationally specific TLVs
Table 1-5 IEEE 802.3 organizationally specific TLVs (columns: Type, Description)...
management. In addition, LLDP-MED TLVs make deploying voice devices in Ethernet easier. LLDP-MED TLVs are shown in Table 1-6:
Table 1-6 LLDP-MED TLVs (columns: Type, Description)
LLDP-MED Capabilities: allows a MED endpoint to advertise the supported LLDP-MED TLVs and its device type.
Network Policy: allows a network device or MED endpoint to advertise the LAN type and VLAN ID of the specific port, and the Layer 2 and Layer 3...
Transmitting LLDP frames An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change, an interval is introduced between two successive LLDP frames.
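The frame format in Figure 1-1 and Table 1-1 and the TLV structure described in the tables above can be exercised directly. The following Python is an added example, not code from the H3C manual: it builds an Ethernet II-encapsulated LLDP frame (destination 0180-C200-000E, EtherType 0x88CC, then TLVs with a 7-bit type and 9-bit length) and parses it back with the checks a receiver should make, in particular a bounds check on every TLV length and the IEEE 802.1AB rule that Chassis ID, Port ID and TTL come first. The MAC address, system name and port name in the sample are constructed for the example.

```python
"""Build, parse and validate an Ethernet II-encapsulated LLDP frame (added example)."""
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")
ETHERTYPE_LLDP = 0x88CC
END, CHASSIS_ID, PORT_ID, TTL, SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC = 4          # 802.1AB chassis ID subtype: MAC address
PORT_SUBTYPE_IFNAME = 5          # 802.1AB port ID subtype: interface name


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(src_mac, port_name, ttl, sysname):
    """Ethernet II LLDP frame with the three mandatory TLVs, a name and End."""
    lldpdu = (tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + src_mac)
              + tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
              + tlv(TTL, struct.pack("!H", ttl))
              + tlv(SYSTEM_NAME, sysname.encode())
              + tlv(END, b""))
    return LLDP_MULTICAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + lldpdu


def parse_frame(frame):
    """Return [(type, value), ...] or raise ValueError for a malformed frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, etype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dst != LLDP_MULTICAST:
        raise ValueError("destination is not the LLDP multicast address")
    if etype != ETHERTYPE_LLDP:
        raise ValueError("EtherType is not 0x88CC")
    tlvs, off = [], 14
    while True:
        if off + 2 > len(frame):
            raise ValueError("LLDPDU ends without an End TLV")
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, n = hdr >> 9, hdr & 0x1FF
        if off + 2 + n > len(frame):
            # Check before slicing: a length that points past the frame is the
            # usual way a crafted LLDPDU trips up a naive parser.
            raise ValueError("TLV length exceeds frame")
        tlvs.append((t, frame[off + 2:off + 2 + n]))
        off += 2 + n
        if t == END:
            break
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must come first, in order")
    return tlvs


def neighbor_summary(frame):
    """The fields a 'display lldp neighbor-information' view is built from."""
    by_type = {t: v for t, v in parse_frame(frame)}
    ttl = struct.unpack("!H", by_type[TTL])[0]
    return {
        "chassis_id": by_type[CHASSIS_ID][1:].hex(),
        "port_id": by_type[PORT_ID][1:].decode(),
        "ttl": ttl,
        "shutdown": ttl == 0,    # TTL 0 is a shutdown LLDPDU: age the entry now
        "system_name": by_type.get(SYSTEM_NAME, b"").decode(),
    }


# Constructed sample: what a neighbour might send from its GigabitEthernet1/0/1.
SAMPLE = build_frame(bytes.fromhex("001122334455"), "GigabitEthernet1/0/1", 120, "SwitchB")

if __name__ == "__main__":
    print(neighbor_summary(SAMPLE))
```

A receiver that keys its neighbour table on the Chassis ID and Port ID, as the summary does, will accept whatever a host on the port claims; LLDP carries no authentication, so the information is only as trustworthy as the port it arrived on, which is the reason the manual lets you set ports to Rx-only or disable LLDP where it is not needed.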
LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group.
Performing Basic LLDP Configuration
Enabling LLDP
To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports. Follow these steps to enable LLDP: To do…...
Setting the LLDP Re-Initialization Delay When LLDP operating mode changes on a port, the port initializes the protocol state machines after a certain delay. By adjusting the LLDP re-initialization delay, you can avoid frequent initializations caused by frequent LLDP operating mode changes on a port. Follow these steps to set the LLDP re-initialization delay for ports: To do…...
Configuring the Management Address and Its Encoding Format LLDP encodes management addresses in numeric or character string format in management address TLVs. By default, management addresses are encoded in numeric format. If a neighbor encoded its management address in character string format, you can configure the encoding format of the management address as string on the connecting port to guarantee normal communication with the neighbor.
Set the LLDPDU transmit interval: lldp timer tx-interval interval (Optional; 30 seconds by default)
Set the LLDPDU transmit delay: lldp timer tx-delay delay (Optional; 2 seconds by default)
Set the number of LLDP frames sent each time fast LLDPDU...: lldp fast-count count (Optional; 3 by default)...
LLDP-CDP (CDP is short for the Cisco Discovery Protocol) packets use only SNAP encapsulation.
Configuring CDP Compatibility
For detailed information about voice VLAN, refer to VLAN Configuration in the Access Volume.
You need to enable CDP compatibility for your device to work with Cisco IP phones. Because an LLDP-enabled device cannot by itself recognize CDP packets, it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device.
Enter Ethernet interface view: interface interface-type interface-number (Required; use either this command or the port group command)
Enter port group view: port-group manual port-group-name
Configure CDP-compatible LLDP to operate in TxRx mode: lldp compliance admin-status cdp txrx (Required; by default, CDP-compatible LLDP...
Displaying and Maintaining LLDP
Display the global LLDP information or the information contained in the LLDP TLVs to be sent through a port: display lldp local-information [ global | interface interface-type interface-number ] (available in any view)
Display the information...: display lldp neighbor-information [ brief | interface interface-type interface-number...
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lldp enable
[SwitchA-GigabitEthernet1/0/1] lldp admin-status rx
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lldp enable
[SwitchA-GigabitEthernet1/0/2] lldp admin-status rx
[SwitchA-GigabitEthernet1/0/2] quit
Configure Switch B.
# Enable LLDP globally.
<SwitchB> system-view
[SwitchB] lldp enable
# Enable LLDP on GigabitEthernet1/0/1 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Tx.
Admin status                   : Rx_Only
Trap flag                      : No
Roll time                      : 0s
Number of neighbors
Number of MED neighbors
Number of CDP neighbors
Number of sent optional TLV
Number of received unknown TLV
As the sample output shows, GigabitEthernet 1/0/1 of Switch A connects a MED device, and GigabitEthernet 1/0/2 of Switch A connects a non-MED device.
Number of sent optional TLV
Number of received unknown TLV
As the sample output shows, GigabitEthernet 1/0/2 of Switch A does not connect any neighboring devices.
CDP-Compatible LLDP Configuration Example
Network requirements
As shown in Figure 1-5: GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch A are each connected to a Cisco IP phone.
[SwitchA-GigabitEthernet1/0/1] lldp admin-status txrx
[SwitchA-GigabitEthernet1/0/1] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lldp enable
[SwitchA-GigabitEthernet1/0/2] lldp admin-status txrx
[SwitchA-GigabitEthernet1/0/2] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet1/0/2] quit
Verify the configuration
# Display the neighbor information on Switch A.
[SwitchA] display lldp neighbor-information
CDP neighbor-information of port 1[GigabitEthernet1/0/1]:
CDP neighbor index : 1...
Table of Contents
1 VLAN Configuration
  Introduction to VLAN
    VLAN Overview
    VLAN Fundamentals
    Types of VLAN
  Configuring Basic VLAN Settings
  Configuring Basic Settings of a VLAN Interface
  Port-Based VLAN Configuration
    Introduction to Port-Based VLAN
    Assigning an Access Port to a VLAN
    Assigning a Trunk Port to a VLAN
    Assigning a Hybrid Port to a VLAN
  ...
VLAN Configuration When configuring VLAN, go to these sections for information you are interested in: Introduction to VLAN Configuring Basic VLAN Settings Configuring Basic Settings of a VLAN Interface Port-Based VLAN Configuration MAC-Based VLAN Configuration Protocol-Based VLAN Configuration Displaying and Maintaining VLAN VLAN Configuration Example Introduction to VLAN VLAN Overview...
Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required. Flexible virtual workgroup creation.
The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
As the default VLAN, VLAN 1 cannot be created or removed. You cannot manually create or remove VLANs reserved for special purposes. Dynamic VLANs cannot be removed with the undo vlan command. A VLAN with a QoS policy applied cannot be removed. For isolate-user-VLANs or secondary VLANs, if you have used the isolate-user-vlan command to create mappings between them, you cannot remove them until you remove the mappings between them first.
Before creating a VLAN interface for a VLAN, create the VLAN first. Port-Based VLAN Configuration Introduction to Port-Based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid.
Figure 1-4 Network diagram for port link type configuration Default VLAN By default, VLAN 1 is the default VLAN for all ports. You can configure the default VLAN for a port as required. Use the following guidelines when configuring the default VLAN on a port: Because an access port can join only one VLAN, its default VLAN is the VLAN to which it belongs and cannot be configured.
Actions of each port type on frames in the inbound direction (untagged frame, tagged frame) and in the outbound direction:
Access port: an inbound untagged frame is tagged with the default VLAN; an inbound tagged frame is received if its VLAN ID is the same as the default VLAN ID, and dropped if its...; on output, the default VLAN tag is removed and...
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number (Required; use either this command or the aggregate interface command. In Ethernet interface view, the subsequent configurations apply to the current port.)
Enter Layer-2 aggregate interface view: interface bridge-aggregation interface-number
Enter port...
Follow these steps to assign a trunk port to one or multiple VLANs:
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number (Required; use either this command or the aggregate interface command. In Ethernet interface view, the subsequent configurations apply to the current port.)
Enter Layer-2...
Follow these steps to assign a hybrid port to one or multiple VLANs:
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number (Required; use either this command or the aggregate interface command. In Ethernet interface view, the subsequent configurations apply to the current port.)
Enter Layer-2 aggregate interface view: interface bridge-aggregation...
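The inbound and outbound actions of the three port link types, together with the default VLAN rules above, determine which frames can cross between VLANs and which are dropped at the port; the Layer 2 isolation claimed in the VLAN overview rests entirely on these per-port rules. The following Python is an added example, not code from the H3C manual or from Comware. The access-port behaviour is the one stated in the table above; the trunk and hybrid behaviour is the standard Comware behaviour and is stated here as an assumption: an untagged frame takes the port's default VLAN (PVID), a tagged frame is accepted only for a VLAN permitted on the port, a trunk port sends its PVID untagged and every other permitted VLAN tagged, and a hybrid port sends untagged the VLANs in its untagged list. Port names are invented.

```python
"""VLAN tag handling by access, trunk and hybrid ports (added example)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    link_type: str                      # "access", "trunk" or "hybrid"
    pvid: int = 1                       # default VLAN; for access, the VLAN it joins
    permitted: set = field(default_factory=lambda: {1})   # trunk/hybrid only
    untagged: set = field(default_factory=set)            # hybrid only

    def __post_init__(self):
        if self.link_type not in ("access", "trunk", "hybrid"):
            raise ValueError(f"unknown link type {self.link_type}")
        if self.link_type == "access":
            self.permitted = {self.pvid}    # an access port belongs to one VLAN

    def ingress(self, vlan, payload):
        """Frame as the switch will forward it, or None if the port drops it.

        vlan is None for an untagged frame, otherwise the 802.1Q VLAN ID.
        """
        if vlan is None:
            vlan = self.pvid                # untagged: tag with the default VLAN
        if vlan in self.permitted:          # access: only its own VLAN ID
            return (vlan, payload)
        return None                         # tagged with a VLAN not allowed here

    def egress(self, vlan, payload):
        """Frame as it leaves the port, or None if that VLAN may not leave here."""
        if vlan not in self.permitted:
            return None
        if self.link_type == "access":
            return (None, payload)          # remove the default VLAN tag
        if self.link_type == "trunk":
            return (None, payload) if vlan == self.pvid else (vlan, payload)
        return (None, payload) if vlan in self.untagged else (vlan, payload)


def forward(in_port, out_port, vlan, payload):
    """Ingress on one port, egress on another; None means the frame was dropped."""
    frame = in_port.ingress(vlan, payload)
    return None if frame is None else out_port.egress(*frame)


if __name__ == "__main__":
    host_vlan2 = Port("GigabitEthernet1/0/1", "access", pvid=2)
    host_vlan3 = Port("GigabitEthernet1/0/4", "access", pvid=3)
    uplink = Port("GigabitEthernet1/0/2", "trunk", pvid=1, permitted={1, 2, 3})
    phone = Port("GigabitEthernet1/0/3", "hybrid", pvid=3, permitted={2, 3}, untagged={3})
    print(forward(host_vlan2, uplink, None, "to the core"))     # leaves tagged 2
    print(forward(host_vlan2, host_vlan3, None, "cross-VLAN"))  # dropped
    print(forward(uplink, phone, 3, "voice"))                   # leaves untagged
```

The cross-VLAN case is the one worth checking on a real switch: a frame from the VLAN 2 access port can only reach another port that permits VLAN 2, so a host in VLAN 3 never sees it unless a router or Layer 3 switch interface forwards it between the two VLANs.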
MAC-Based VLAN Configuration Introduction to MAC-Based VLAN MAC-based VLANs group VLAN members by MAC address. They are mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices. MAC-based VLAN implementation With MAC-based VLAN configured, the device processes received packets as follows: When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings based on the source MAC address of the frame for a match.
MAC-based VLANs are available only on hybrid ports. Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user access devices, do not enable this function together with link aggregation. With MSTP enabled, if the MST instance for the corresponding VLAN is blocked, the packet with the unknown source MAC address will fail to be sent to the CPU.
Protocol-Based VLAN Configuration Introduction to Protocol-Based VLAN Protocol-based VLANs are only applicable on hybrid ports. In this approach, inbound packets are assigned to different VLANs based on their protocol types and encapsulation formats. The protocols that can be used for VLAN assignment include IP, IPX, and AppleTalk (AT).
Enter port group view (use either this command or the aggregate interface command)
Enter Layer-2 aggregate interface view: interface bridge-aggregation interface-number
In Ethernet interface view, the subsequent configurations apply to the current port. In port group view, the subsequent configurations apply to all ports in the port group.
IP Subnet-Based VLAN Configuration Introduction In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet. This feature is used to assign packets from the specified network segment or IP address to a specific VLAN.
After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
GigabitEthernet 1/0/1 allows packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
Figure 1-5 Network diagram for port-based VLAN configuration
Configuration procedure
Configure Device A
# Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100.
<DeviceA>...
Unknown-speed mode, unknown-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
The Maximum Frame Length is 9216
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 100
Mdi type: auto
Link delay is 0(sec)
Port link-type: trunk...
Isolate-User-VLAN Configuration When configuring an isolate-user VLAN, go to these sections for information you are interested in: Overview Configuring Isolate-User-VLAN Displaying and Maintaining Isolate-User-VLAN Isolate-User-VLAN Configuration Example Overview An isolate-user-VLAN adopts a two-tier VLAN structure. In this approach, two types of VLANs, isolate-user-VLAN and secondary VLAN, are configured on the same device.
Assign non-trunk ports to the isolate-user-VLAN and ensure that at least one port takes the isolate-user-VLAN as its default VLAN; Assign non-trunk ports to each secondary VLAN and ensure that at least one port in a secondary VLAN takes the secondary VLAN as its default VLAN; Associate the isolate-user-VLAN with the specified secondary VLANs.
Displaying and Maintaining Isolate-User-VLAN
To do... | Use the command... | Remarks
Display the mapping between an isolate-user-VLAN and its secondary VLAN(s) | display isolate-user-vlan [ isolate-user-vlan-id ] | Available in any view
Isolate-User-VLAN Configuration Example
Network requirements
Connect Device A to downstream devices Device B and Device C; Configure VLAN 5 on Device B as an isolate-user-VLAN, assign the uplink port GigabitEthernet 1/0/5 to VLAN 5, and associate VLAN 5 with secondary VLANs VLAN 2 and VLAN 3.
[DeviceB] vlan 2 [DeviceB-vlan2] port gigabitethernet 1/0/2 [DeviceB-vlan2] quit # Associate the isolate-user-VLAN with the secondary VLANs. [DeviceB] isolate-user-vlan 5 secondary 2 to 3 Configure Device C # Configure the isolate-user-VLAN. <DeviceC> system-view [DeviceC] vlan 6 [DeviceC-vlan6] isolate-user-vlan enable [DeviceC-vlan6] port gigabitethernet 1/0/5 [DeviceC-vlan6] quit # Configure the secondary VLANs.
Voice VLAN Configuration
When configuring a voice VLAN, go to these sections for information you are interested in:
Overview
Configuring a Voice VLAN
Displaying and Maintaining Voice VLAN
Voice VLAN Configuration
Overview
As voice communication technologies grow more mature, voice devices are more and more widely deployed, especially on broadband networks, where voice traffic and data traffic often co-exist.
Number | OUI address | Vendor
 | 00e0-bb00-0000 | 3Com phone
In general, an OUI address is the first 24 bits of a MAC address (in binary format), a globally unique identifier assigned to a vendor by the IEEE. The OUI addresses mentioned in this document, however, differ from OUI addresses in that usual sense.
Figure 3-2 Only IP phones access the network Both modes forward tagged packets according to their tags. The following tables list the required configurations on ports of different link types in order for these ports to support tagged or untagged voice traffic sent from IP phones when different voice VLAN assignment modes are configured.
Table 3-3 Required configurations on ports of different link types in order for the ports to support tagged voice traffic
Port link type | Voice VLAN assignment mode | Support for untagged voice traffic | Configuration requirements
Access | Automatic: —; Manual: Configure the default VLAN of the port as the voice VLAN.
Table 3-4 How a voice VLAN-enabled port processes packets in security/normal mode
Voice VLAN working mode | Packet type | Packet processing mode
 | Untagged packets | If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN;...
 | Packets carrying the...
To do... | Use the command... | Remarks
Add a recognizable OUI address | voice vlan mac-address oui mask oui-mask [ description text ] | Optional. By default, each voice VLAN has default OUI addresses configured. Refer to Table 3-1 for the default OUI addresses of different vendors.
To do... | Use the command... | Remarks
Assign the port in manual voice VLAN assignment... | Access port: Refer to Assigning an Access Port to a VLAN. Trunk port: Refer to Assigning a Trunk Port to a... | Use one of the three approaches. After you assign an access port...
Device A uses voice VLAN 2 to transmit voice packets for IP phone A and voice VLAN 3 to transmit voice packets for IP phone B. Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to work in automatic voice VLAN assignment mode. In addition, if one of them has not received any voice packet in 30 minutes, the port is removed from the corresponding voice VLAN automatically.
GVRP Configuration
The GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network.
When configuring GVRP, go to these sections for information you are interested in:
Introduction to GVRP
GVRP Configuration Task List
Configuring GVRP Functions...
Hold timer –– When a GARP application entity receives the first registration request, it starts a Hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps you save bandwidth. Join timer ––...
GARP message format
Figure 1-1 GARP message format
Figure 1-1 illustrates the GARP message format. Table 1-1 describes the GARP message fields.
Table 1-1 Description of the GARP message fields
Field | Description | Value
Protocol ID | Protocol identifier for GARP | ...
Message | One or multiple messages, each containing ... | ...
about active VLAN members and through which port they can be reached. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries from other devices.
To do… | Use the command… | Remarks
Enter Ethernet interface view, Layer 2 aggregate interface view, or port-group view | Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number. Enter port-group view: port-group manual port-group-name... | Required. Perform either of the commands.
To do… | Use the command… | Remarks
Enter Ethernet interface view, Layer 2 aggregate interface view, or port-group view | Enter Ethernet or Layer 2 aggregate interface view: interface interface-type interface-number. Enter port-group view: port-group manual... | Required. Perform either of the commands. Depending on the view you accessed, the subsequent configuration takes effect on a...
To do… | Use the command… | Remarks
Display the current GVRP state | display gvrp state interface interface-type interface-number vlan vlan-id | Available in any view
Display statistics about GVRP | display gvrp statistics [ interface interface-list ] | Available in any view
Display the global GVRP state | display gvrp status | Available in any view
Display the information about...
[DeviceB] gvrp # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on trunk port GigabitEthernet 1/0/1. [DeviceB-GigabitEthernet1/0/1] gvrp [DeviceB-GigabitEthernet1/0/1] quit # Create VLAN 3 (a static VLAN).
[DeviceA-GigabitEthernet1/0/1] quit # Create VLAN 2 (a static VLAN). [DeviceA] vlan 2 Configure Device B # Enable GVRP globally. <DeviceB> system-view [DeviceB] gvrp # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/1.
[DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port link-type trunk [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/1 and set the GVRP registration type to forbidden on the port. [DeviceA-GigabitEthernet1/0/1] gvrp [DeviceA-GigabitEthernet1/0/1] gvrp registration forbidden [DeviceA-GigabitEthernet1/0/1] quit # Create VLAN 2 (a static VLAN). [DeviceA] vlan 2 Configure Device B # Enable GVRP globally.
Table of Contents
1 QinQ Configuration 1-1
  Introduction to QinQ 1-1
    Background and Benefits 1-1
    How QinQ Works 1-2
    QinQ Frame Structure 1-2
    Implementations of QinQ 1-3
    Modifying the TPID in a VLAN Tag 1-3
    Protocols and Standards 1-4
  QinQ Configuration Task List 1-5
  Configuring Basic QinQ 1-5
    Enabling Basic QinQ 1-5
  Configuring Selective QinQ 1-5...
QinQ Configuration
When configuring QinQ, go to these sections for information you are interested in:
Introduction to QinQ
QinQ Configuration Task List
Configuring Basic QinQ
Configuring Selective QinQ
Configuring the TPID Value in VLAN Tags
QinQ Configuration Examples
Throughout this document, customer network VLANs (CVLANs), also called inner VLANs, refer to the VLANs that a customer uses on the private network;...
How QinQ Works The devices in the public network forward a frame only according to its outer VLAN tag and learn its source MAC address into the MAC address table of the outer VLAN. The inner VLAN tag of the frame is transmitted as the payload.
Figure 1-2 Single-tagged frame structure vs. double-tagged Ethernet frame structure
The default maximum transmission unit (MTU) of an interface is 1500 bytes. The size of an outer VLAN tag is 4 bytes. Therefore, it is recommended that you increase the MTU of each interface on the service provider network.
Figure 1-3 VLAN tag structure of an Ethernet frame The device determines whether a received frame carries a SVLAN tag or a CVLAN tag by checking the corresponding TPID value. Upon receiving a frame, the device compares the configured TPID value with the value of the TPID field in the frame.
QinQ allows adding different outer VLAN tags based on different inner VLAN tags. H3C S5120-EI series switches support enabling basic QinQ and selective QinQ on the same port at the same time. When both are enabled on a port, frames that meet a selective QinQ condition are handled by selective QinQ first, and the remaining frames are handled by basic QinQ.
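The TPID check and the selective-before-basic tagging order described above, as an added Python model that is not code from the H3C manual: a tag is recognised only when its TPID matches a configured value, selective QinQ mappings (qinq vid / raw-vlan-id inbound) are tried before basic QinQ (qinq enable) tags with the port PVID, and frames already carrying an SVLAN tag pass through. The port configuration dictionary layout and the sample frames are constructed for this example; 0x8200 reuses the third-party TPID value from the manual's example.

```python
import struct

# Constructed values: 0x8100 is the IEEE 802.1Q TPID, 0x8200 is the
# third-party TPID used in the manual's comprehensive QinQ example.
TPID_DOT1Q = 0x8100
TPID_THIRD_PARTY = 0x8200


def parse_tags(frame, tpids=(TPID_DOT1Q,)):
    """Split an Ethernet frame into (dst, src, tags, ethertype, payload).

    tags is a list of (tpid, pcp, dei, vid), outermost first. A 4-byte tag is
    recognised only when its TPID is in `tpids`, mirroring the switch comparing
    the configured TPID with the TPID field of a received frame.
    """
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] in tpids:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, tags, ethertype, frame[off + 2:]


def build_frame(dst, src, tags, ethertype, payload):
    """Inverse of parse_tags: tags are (tpid, pcp, dei, vid), outermost first."""
    out = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def choose_svlan(cvlan, port):
    """Pick the outer VLAN for a customer-facing port (assumed config layout).

    port = {"selective": {svlan: iterable of cvlans}, "basic": bool, "pvid": int}
    Selective QinQ wins; basic QinQ then tags everything else with the PVID;
    with neither matching, no outer tag is added.
    """
    for svlan, cvlans in port.get("selective", {}).items():
        if cvlan in cvlans:
            return svlan
    if port.get("basic"):
        return port["pvid"]
    return None


def ingress(frame, port, svlan_tpid=TPID_DOT1Q):
    """Apply the port's outer tagging policy to a received customer frame.

    Returns (new_frame, svlan). A frame whose outermost tag already carries
    the SVLAN TPID is passed through unchanged; an untagged frame has no
    CVLAN and can only be tagged by basic QinQ.
    """
    dst, src, tags, ethertype, payload = parse_tags(frame, (TPID_DOT1Q, svlan_tpid))
    if tags and tags[0][0] == svlan_tpid and svlan_tpid != TPID_DOT1Q:
        return frame, tags[0][3]  # already double-tagged for the provider network
    cvlan = tags[0][3] if tags else None
    svlan = choose_svlan(cvlan, port)
    if svlan is None:
        return frame, None
    outer = (svlan_tpid, 0, 0, svlan)
    return build_frame(dst, src, [outer] + tags, ethertype, payload), svlan


def provider_mtu(customer_mtu=1500):
    """MTU a provider interface needs so a 4-byte outer tag does not exceed it."""
    return customer_mtu + 4
```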
Follow these steps to configure an outer VLAN tagging policy:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet or Layer-2 aggregate interface view or port group view | Enter interface view: interface interface-type interface-number. Enter port group view: port-group manual... | Required. Use either command
Configure the devices to achieve the following: Frames of VLAN 200 through VLAN 299 can be exchanged between Customer A1 and Customer A2 through VLAN 10 of the service provider network. Frames of VLAN 250 through VLAN 350 can be exchanged between Customer B1 and Customer B2 through VLAN 50 of the service provider network.
[ProviderA-GigabitEthernet1/0/2] port hybrid vlan 50 untagged # Enable basic QinQ on GigabitEthernet 1/0/2. [ProviderA-GigabitEthernet1/0/2] qinq enable [ProviderA-GigabitEthernet1/0/2] quit Configure GigabitEthernet 1/0/3 # Configure GigabitEthernet 1/0/3 as a trunk port to permit frames of VLAN 10 and 50 to pass through. [ProviderA] interface gigabitethernet 1/0/3 [ProviderA-GigabitEthernet1/0/3] port link-type trunk [ProviderA-GigabitEthernet1/0/3] port trunk permit vlan 10 50...
Comprehensive Selective QinQ Configuration Example
Network requirements
Provider A and Provider B are edge devices on the service provider network and are interconnected through trunk ports. They belong to SVLAN 1000 and SVLAN 2000 respectively. Customer A, Customer B and Customer C are edge devices on the customer network. Third-party devices with a TPID value of 0x8200 are deployed between Provider A and Provider B.
# Tag CVLAN 10 frames with SVLAN 1000. [ProviderA-GigabitEthernet1/0/1] qinq vid 1000 [ProviderA-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10 [ProviderA-GigabitEthernet1/0/1-vid-1000] quit # Tag CVLAN 20 frames with SVLAN 2000. [ProviderA-GigabitEthernet1/0/1] qinq vid 2000 [ProviderA-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20 [ProviderA-GigabitEthernet1/0/1-vid-2000] quit [ProviderA-GigabitEthernet1/0/1] quit Configure GigabitEthernet 1/0/2 # Configure GigabitEthernet 1/0/2 as a hybrid port to permit frames of VLAN 1000 to pass through, and configure GigabitEthernet 1/0/2 to send packets of VLAN 1000 with tag removed.
[ProviderB-GigabitEthernet1/0/2] qinq vid 2000 [ProviderB-GigabitEthernet1/0/2-vid-2000] raw-vlan-id inbound 20 # Set the TPID value in the outer tag to 0x8200. [ProviderA-GigabitEthernet1/0/3] quit [ProviderA] qinq ethernet-type 8200 Configuration on third-party devices Configure the third-party devices between Provider A and Provider B as follows: configure the port connecting GigabitEthernet 1/0/3 of Provider A and that connecting GigabitEthernet 1/0/1 of Provider B to allow tagged frames of VLAN 1000 and VLAN 2000 to pass through.
Table of Contents
1 BPDU Tunneling Configuration 1-1
  Introduction to BPDU Tunneling 1-1
    Background 1-1
    BPDU Tunneling Implementation 1-2
  Configuring BPDU Tunneling 1-4
    Configuration Prerequisites 1-4
    Enabling BPDU Tunneling 1-4
    Configuring Destination Multicast MAC Address for BPDUs 1-5
  BPDU Tunneling Configuration Examples 1-5
    BPDU Tunneling for STP Configuration Example 1-5
    BPDU Tunneling for PVST Configuration Example 1-7...
BPDU Tunneling Configuration
When configuring BPDU tunneling, go to these sections for information you are interested in:
Introduction to BPDU Tunneling
Configuring BPDU Tunneling
BPDU Tunneling Configuration Examples
Introduction to BPDU Tunneling
As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific channels across a service provider network.
The encapsulated Layer 2 protocol packet (called bridge protocol data unit, BPDU) is forwarded to PE 2 at the other end of the service provider network, which decapsulates the packet, restores the original destination MAC address of the packet, and then sends the packet to User A network 2. Depending on the device models, BPDU tunneling may support the transparent transmission of these types of Layer 2 protocol packets: Cisco Discovery Protocol (CDP)
To allow each network to calculate an independent spanning tree with STP, BPDU tunneling was introduced. BPDU tunneling delivers the following benefits: BPDUs can be transparently transmitted. BPDUs of the same customer network can be broadcast in a specific VLAN across the service provider network, so that the geographically dispersed networks of the same customer can implement consistent spanning tree calculation across the service provider network.
Configuring BPDU Tunneling Configuration Prerequisites Before configuring BPDU tunneling for a protocol, enable the protocol in the customer network first. Assign the port on which you want to enable BPDU tunneling on the PE device and the connected port on the CE device to the same VLAN. Configure ports connecting network devices in the service provider network as trunk ports allowing packets of any VLAN to pass through.
Enabling BPDU tunneling for a protocol in Layer 2 aggregate interface view
Follow these steps to enable BPDU tunneling for a protocol in Layer 2 aggregate interface view:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Layer 2 aggregate interface view | interface ... | —...
It is required that, after the configuration, CE 1 and CE 2 implement consistent spanning tree calculation across the service provider network, and that the destination multicast MAC address carried in BPDUs be 0x0100-0CCD-CDD0. Figure 1-3 Network diagram for configuring BPDU tunneling for STP Configuration procedure Configuration on PE 1 # Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
BPDU Tunneling for PVST Configuration Example
Network requirements
As shown in Figure 1-4: CE 1 and CE 2 are edge devices on the geographically dispersed network of User A; PE 1 and PE 2 are edge devices on the service provider network. All ports that connect service provider devices and customer devices and those that interconnect service provider devices are trunk ports and allow packets of any VLAN to pass through.
[PE2] interface gigabitethernet 1/0/2 [PE2-GigabitEthernet1/0/2] port link-type trunk [PE2-GigabitEthernet1/0/2] port trunk permit vlan all # Disable STP on GigabitEthernet 1/0/2, and then enable BPDU tunneling for STP and PVST on it. [PE2-GigabitEthernet1/0/2] undo stp enable [PE2-GigabitEthernet1/0/2] bpdu-tunnel dot1q stp [PE2-GigabitEthernet1/0/2] bpdu-tunnel dot1q pvst...
Table of Contents
1 Port Mirroring Configuration 1-1
  Introduction to Port Mirroring 1-1
    Classification of Port Mirroring 1-1
    Implementing Port Mirroring 1-1
  Configuring Local Port Mirroring 1-3
  Configuring Remote Port Mirroring 1-4
    Configuration Prerequisites 1-4
    Configuring a Remote Source Mirroring Group (on the Source Device) 1-4
    Configuring a Remote Destination Mirroring Group (on the Destination Device) 1-6
  Displaying and Maintaining Port Mirroring 1-7
  Port Mirroring Configuration Examples 1-7...
Port Mirroring Configuration
When configuring port mirroring, go to these sections for information you are interested in:
Introduction to Port Mirroring
Configuring Local Port Mirroring
Configuring Remote Port Mirroring
Displaying and Maintaining Port Mirroring
Port Mirroring Configuration Examples
Introduction to Port Mirroring
Port mirroring is to copy the packets passing through a port (called a mirroring port) to another port (called the monitor port) connected with a monitoring device for packet analysis.
Figure 1-1 Local port mirroring implementation
Remote port mirroring
Remote port mirroring can mirror all packets except protocol packets. Remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group, as shown in Figure 1-2.
Destination device The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group. When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote destination mirroring group.
A local port mirroring group takes effect only after its mirroring and monitor ports are configured. To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. A port mirroring group can have multiple mirroring ports, but only one monitor port. A mirroring or monitor port to be configured cannot belong to an existing port mirroring group.
To do…: Configure mirroring ports
Use the command…: In system view: mirroring-group groupid mirroring-port mirroring-port-list { both | inbound | outbound }. In interface view: interface interface-type interface-number, then [ mirroring-group groupid ] ...
Remarks: Required. You can configure multiple mirroring ports in a mirroring group. In system view, you can assign a list of mirroring ports to the mirroring...
To remove a VLAN that is configured as a remote probe VLAN, you must first remove the remote probe VLAN with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group. It is recommended that you use a remote probe VLAN exclusively for mirroring. A port can belong to only one mirroring group.
When configuring the monitor port, use the following guidelines: The port can belong to only the current mirroring group. Disable these functions on the port: STP, MSTP, and RSTP. It is recommended that you use a monitor port only for port mirroring, so that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
Figure 1-3 Network diagram for local port mirroring configuration (Switch A, R&D department; Switch B, Marketing department; Switch C with the data monitoring device; ports GE1/0/1, GE1/0/2, GE1/0/3)
Configuration procedure
Configure Switch C.
# Create a local port mirroring group.
<SwitchC> system-view
[SwitchC] mirroring-group 1 local
# Add port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the port mirroring group as source ports.
As shown in Figure 1-4, the administrator wants to monitor the packets sent from Department 1 and 2 through the data monitoring device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: Use Switch A as the source device, Switch B as the intermediate device, and Switch C as the destination device.
[SwitchA-GigabitEthernet1/0/3] port link-type trunk [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 2 Configure Switch B (the intermediate device). # Configure port GigabitEthernet 1/0/1 as a trunk port and configure the port to permit the packets of VLAN 2. <SwitchB> system-view [SwitchB] interface GigabitEthernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port link-type trunk [SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 2 [SwitchB-GigabitEthernet1/0/1] quit...
Traffic Mirroring Configuration
When configuring traffic mirroring, go to these sections for information you are interested in:
Traffic Mirroring Overview
Configuring Traffic Mirroring
Displaying and Maintaining Traffic Mirroring
Traffic Mirroring Configuration Examples
Traffic Mirroring Overview
Traffic mirroring is the action of copying the specified packets to the specified destination for packet analyzing and monitoring.
To do… | Use the command… | Remarks
Create a behavior and enter behavior view | traffic behavior behavior-name | Required. By default, no traffic behavior exists.
Specify the destination interface for traffic mirroring | mirror-to interface interface-type interface-number | Required. By default, traffic mirroring is not configured in a traffic behavior.
To do… | Use the command… | Remarks
Exit policy view | quit | —
Apply the QoS policy | See Applying a QoS Policy | Required
Applying a QoS Policy
For details about applying a QoS policy, see QoS Configuration in the QoS Volume.
Apply a QoS policy to an interface
By applying a QoS policy to an interface, you can regulate the traffic sent or received on the interface.
For details about the qos vlan-policy command, see QoS Commands in the QoS Volume. Apply a QoS policy globally You can apply a QoS policy globally to the inbound direction of all ports. Follow these steps to apply a QoS policy globally: To do…...
Figure 2-1 Network diagram for configuring traffic mirroring to a port Configuration Procedure Configure Switch: # Enter system view. <Sysname> system-view # Configure basic IPv4 ACL 2000 to match packets with the source IP address 192.168.0.1. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 192.168.0.1 0 [Sysname-acl-basic-2000] quit # Create class 1 and configure the class to use ACL 2000 for traffic classification.
IP Services Volume Organization
Manual Version: 6W101-20100305
Product Version: Release 2202
Organization
The IP Services Volume is organized as follows:
Features | Description
IP Address | An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: Introduction to IP addresses; IP address configuration...
Features | Description
UDP Helper | UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server. This document describes: UDP Helper overview; UDP Helper configuration
Internet protocol version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet protocol version 4 (IPv4).
Table of Contents
1 IP Addressing Configuration 1-1
  IP Addressing Overview 1-1
    IP Address Classes 1-1
    Special IP Addresses 1-2
    Subnetting and Masking 1-2
  Configuring IP Addresses 1-3
    Assigning an IP Address to an Interface 1-3
    IP Addressing Configuration Example 1-4
  Displaying and Maintaining IP Addressing 1-5
IP Addressing Configuration
When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in:
IP Addressing Overview
Configuring IP Addresses
Displaying and Maintaining IP Addressing
IP Addressing Overview
This section covers these topics:
IP Address Classes
Special IP Addresses
IP Address Classes...
Table 1-1 IP address classes and ranges
Class | Address range | Remarks
A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback tests. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
In the absence of subnetting, some special addresses such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones, are not assignable to hosts. The same is true for subnetting. When designing your network, you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts.
The primary IP address you assign to an interface overwrites the existing primary address, if any. You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured. The primary and secondary IP addresses you assign to the interface can be located on the same network segment.
<Switch> ping 172.16.1.2 PING 172.16.1.2: 56 data bytes, press CTRL_C to break Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms --- 172.16.1.2 ping statistics --- 5 packet(s) transmitted...
Table of Contents
1 ARP Configuration 1-1
  ARP Overview 1-1
    ARP Function 1-1
    ARP Message Format 1-2
    ARP Address Resolution Process 1-2
    ARP Table 1-3
  Configuring ARP 1-4
    Configuring a Static ARP Entry 1-4
    Configuring the Maximum Number of ARP Entries for an Interface 1-4
    Setting the Aging Time for Dynamic ARP Entries 1-5
    Enabling the ARP Entry Check 1-5
    Configuring ARP Quick Notify 1-5...
When configuring ARP, go to these sections for information you are interested in:
ARP Overview
Configuring ARP
Configuring Gratuitous ARP
Displaying and Maintaining ARP
Support for configuring ARP Quick Notify is newly added in Release 2202P19 of S5120-EI series Ethernet switches. For details, refer to Configuring ARP Quick Notify.
ARP Overview...
ARP Message Format Figure 1-1 ARP message format The following explains the fields in Figure 1-1. Hardware type: This field specifies the hardware address type. The value “1” represents Ethernet. Protocol type: This field specifies the type of the protocol address to be mapped. The hexadecimal value “0x0800”...
After receiving the ARP reply, Host A adds the MAC address of Host B to its ARP table. Meanwhile, Host A encapsulates the IP packet and sends it out. Figure 1-2 ARP address resolution process If Host A is not on the same subnet with Host B, Host A first sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway.
in the non-permanent static ARP entry, the device adds the interface receiving the ARP reply to the non-permanent static ARP entry. Then the entry can be used for forwarding IP packets. Usually ARP dynamically resolves IP addresses to MAC addresses, without manual intervention. To allow communication with a device using a fixed IP-to-MAC mapping, configure a short static ARP entry for it.
To do… | Use the command… | Remarks
Set the maximum number of dynamic ARP entries that an interface can learn | arp max-learning-num number | Optional. 256 by default.

Setting the Aging Time for Dynamic ARP Entries
To keep pace with network changes, the ARP table is refreshed. Each dynamic ARP entry in the ARP table has a limited lifetime rather than being valid forever.
Figure 1-3 ARP quick notify application scenario With ARP quick notify enabled, the device updates the corresponding ARP entry immediately after the change of the mapping between a MAC address and an outbound interface to ensure nonstop data forwarding. Follow these steps to enable ARP quick notify: To do…...
[Sysname-GigabitEthernet1/0/1] port access vlan 10
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface vlan-interface 10
[Sysname-vlan-interface10] arp max-learning-num 100
[Sysname-vlan-interface10] quit
[Sysname] arp static 192.168.1.1 000f-e201-0000 10 gigabitethernet 1/0/1

Configuring Gratuitous ARP
Introduction to Gratuitous ARP
A gratuitous ARP packet is a special ARP packet, in which the sender IP address and the target IP address are both the IP address of the sender, the sender MAC address is the MAC address of the sender, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
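As an added example (not the manual's or H3C's own code), the following Python parses and builds ARP messages with the fields described in the ARP message format section (hardware type 1, protocol type 0x0800) and classifies a packet as gratuitous by the definition just given; the address-conflict check is what a DHCP client relies on when it probes a newly assigned address with a gratuitous ARP, as the DHCP chapter describes. The MAC and IP values used are constructed from the static entry in the configuration above.

```python
"""ARP message parsing, construction and gratuitous-ARP classification (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Field values from the ARP message format described in the manual.
HTYPE_ETHERNET = 1        # Hardware type 1 = Ethernet
PTYPE_IPV4 = 0x0800       # Protocol type 0x0800 = IPv4
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_LEN = 28              # 8-byte fixed header + 6+4+6+4 address bytes


@dataclass(frozen=True)
class ArpMessage:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def _ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialize an Ethernet/IPv4 ARP message (hardware size 6, protocol size 4)."""
    header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    return (header + _mac_to_bytes(sender_mac) + _ip_to_bytes(sender_ip)
            + _mac_to_bytes(target_mac) + _ip_to_bytes(target_ip))


def parse_arp(payload: bytes) -> ArpMessage:
    """Parse the ARP payload of an Ethernet frame, rejecting anything that is not Ethernet/IPv4."""
    if len(payload) < ARP_LEN:
        raise ValueError(f"ARP payload too short: {len(payload)} bytes")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if opcode not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unsupported ARP opcode {opcode}")
    return ArpMessage(
        opcode=opcode,
        sender_mac=_mac_to_str(payload[8:14]),
        sender_ip=_ip_to_str(payload[14:18]),
        target_mac=_mac_to_str(payload[18:24]),
        target_ip=_ip_to_str(payload[24:28]),
    )


def is_gratuitous(msg: ArpMessage) -> bool:
    """Gratuitous ARP as the manual defines it: sender IP == target IP, target MAC is broadcast."""
    return msg.sender_ip == msg.target_ip and msg.target_mac == BROADCAST_MAC


def detect_address_conflict(msg: ArpMessage, my_ip: str, my_mac: str) -> Optional[str]:
    """Return a description if another MAC claims our own IP address, else None.

    A DHCP client that probes its newly assigned address with a gratuitous ARP
    treats such a claim as "address in use" and sends DHCP-DECLINE.
    """
    if msg.sender_ip == my_ip and msg.sender_mac.lower() != my_mac.lower():
        return f"{msg.sender_mac} claims our address {my_ip}"
    return None


if __name__ == "__main__":
    # Constructed sample: the host from the static entry above announces itself.
    probe = build_arp(OP_REQUEST, "00:0f:e2:01:00:00", "192.168.1.1",
                      BROADCAST_MAC, "192.168.1.1")
    msg = parse_arp(probe)
    print("gratuitous:", is_gratuitous(msg))
    print("conflict:", detect_address_conflict(msg, "192.168.1.1", "00:0f:e2:09:99:99"))
```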
To do… | Use the command… | Remarks
Clear ARP entries from the ARP table | reset arp { all | dynamic | static | slot slot-number | interface interface-type interface-number } | Available in user view. (slot slot-number: for distributed devices)
Clearing ARP entries from the ARP table may cause communication failures.
Proxy ARP Configuration
When configuring proxy ARP, go to these sections for information you are interested in:
Proxy ARP Overview
Enabling Proxy ARP
Displaying and Maintaining Proxy ARP
Proxy ARP Overview
If a host sends an ARP request for the MAC address of another host that actually resides on another network (but the sending host considers the requested host to be on the same network) or that is isolated from the sending host at Layer 2, the device in between must be able to respond to the request with the MAC address of the receiving interface to allow Layer 3 communication between the two hosts.
You can solve the problem by enabling proxy ARP on Switch. After that, Switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, Switch seems to be a proxy of Host B. A main advantage of proxy ARP is that it is added on a single router without disturbing routing tables of other routers in the network.
To do… | Use the command… | Remarks
Enable local proxy ARP | local-proxy-arp enable | Required. Disabled by default.

Displaying and Maintaining Proxy ARP
To do… | Use the command… | Remarks
Display whether proxy ARP is enabled | display proxy-arp [ interface vlan-interface vlan-id ] | Available in any view
Display whether local proxy...
[Switch-Vlan-interface1] quit
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0
[Switch-Vlan-interface2] proxy-arp enable
[Switch-Vlan-interface2] quit

Local Proxy ARP Configuration Example in Case of Port Isolation
Network requirements
Host A and Host B belong to the same VLAN, and connect to Switch B via GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, respectively.
# Configure an IP address of VLAN-interface 2.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] port gigabitethernet 1/0/2
[SwitchA-vlan2] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0
The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2.
# Configure local proxy ARP to let Host A and Host B communicate at Layer 3.
[SwitchB-vlan2] port gigabitethernet 1/0/2
[SwitchB-vlan2] quit
[SwitchB] vlan 3
[SwitchB-vlan3] port gigabitethernet 1/0/3
[SwitchB-vlan3] quit
[SwitchB] vlan 5
[SwitchB-vlan5] port gigabitethernet 1/0/1
[SwitchB-vlan5] isolate-user-vlan enable
[SwitchB-vlan5] quit
[SwitchB] isolate-user-vlan 5 secondary 2 3
Configure Switch A
# Create VLAN 5 and add GigabitEthernet 1/0/1 to it.
<SwitchA>...
Table of Contents
1 DHCP Overview 1-1
  Introduction to DHCP 1-1
  DHCP Address Allocation 1-2
    Allocation Mechanisms 1-2
    Dynamic IP Address Allocation Process 1-2
    IP Address Lease Extension 1-3
  DHCP Message Format 1-3
  DHCP Options 1-4
    DHCP Options Overview 1-4
    Introduction to DHCP Options 1-4
    Self-Defined Options 1-5
  Protocols and Standards 1-8
2 DHCP Relay Agent Configuration 2-1
…
    Prerequisites 4-5
    Configuring DHCP Snooping to Support Option 82 4-5
  Displaying and Maintaining DHCP Snooping 4-7
  DHCP Snooping Configuration Examples 4-7
    DHCP Snooping Configuration Example 4-7
    DHCP Snooping Option 82 Support Configuration Example 4-8
5 BOOTP Client Configuration 5-1
  Introduction to BOOTP Client 5-1
    BOOTP Application 5-1
    Obtaining an IP Address Dynamically 5-2
    Protocols and Standards 5-2
DHCP Snooping Configuration
BOOTP Client Configuration
DHCP Overview
Support for enabling the DHCP relay agent to periodically refresh dynamic client entries is newly added in Release 2202P19 of S5120-EI series Ethernet switches. For details, refer to Configuring dynamic binding update interval.
A DHCP client can get an IP address and other configuration parameters from a DHCP server on another subnet via a DHCP relay agent. For information about the DHCP relay agent, refer to Introduction to DHCP Relay Agent. DHCP Address Allocation Allocation Mechanisms DHCP supports three mechanisms for IP address allocation.
After receiving the DHCP-ACK message, the client probes whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE message to the server and requests an IP address again.
secs: Filled in by the client, the number of seconds elapsed since the client began address acquisition or renewal process. Currently this field is reserved and set to 0. flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast;...
Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. Option 33: Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add to its routing table.
Figure 1-6 Format of the value field of the ACS parameter sub-option The value field of the service provider identifier sub-option contains the service provider identifier. Figure 1-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE server type can only be 0.
Figure 1-8 Sub-option 1 in normal padding format Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client’s request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is 0. Figure 1-9 Sub-option 2 in normal padding format Verbose padding format The padding contents for sub-options in the verbose padding format are as follows:...
Sub-option 1: IP address of the primary network calling processor, which is a server serving as the network calling control source and providing program downloads. Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreachable.
DHCP Relay Agent Configuration
When configuring the DHCP relay agent, go to these sections for information you are interested in:
Introduction to DHCP Relay Agent
DHCP Relay Agent Configuration Task List
Configuring the DHCP Relay Agent
Displaying and Maintaining DHCP Relay Agent Configuration
DHCP Relay Agent Configuration Examples
Troubleshooting DHCP Relay Agent Configuration
The DHCP relay agent configuration is supported only on VLAN interfaces.
Figure 2-1 DHCP relay agent application (DHCP clients, IP network, DHCP relay agent, DHCP server)
No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section Dynamic IP Address Allocation Process).
If a client's requesting message has… | Handling strategy | Padding format | The DHCP relay agent will…
Option 82 | Drop | Random | Drop the message.
Option 82 | Keep | Random | Forward the message without changing Option 82.
Option 82 | Replace | normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
Follow these steps to enable DHCP:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable DHCP | dhcp enable | Required. Disabled by default.

Enabling the DHCP Relay Agent on an Interface
With this task completed, upon receiving a DHCP request from the enabled interface, the relay agent will forward the request to a DHCP server for address allocation.
To do… | Use the command… | Remarks
Correlate the DHCP server group with the current interface | dhcp relay server-select group-id | Required. By default, no interface is correlated with any DHCP server group.
You can specify up to twenty DHCP server groups on the relay agent and eight DHCP server addresses for each DHCP server group.
Before enabling IP address check on an interface, you need to enable the DHCP service, and enable the DHCP relay agent on the interface; otherwise, the IP address check configuration is ineffective. The dhcp relay address-check enable command only checks IP and MAC addresses of clients. When using the dhcp relay security static command to bind an interface to a static binding entry, make sure that the interface is configured as a DHCP relay agent;...
Follow these steps to enable unauthorized DHCP server detection:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable unauthorized DHCP server detection | dhcp relay server-detect | Required. Disabled by default.
With unauthorized DHCP server detection enabled, the device records each DHCP server once.
Configuring the DHCP relay agent to support Option 82
Follow these steps to configure the DHCP relay agent to support Option 82:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Enable the relay agent to … | dhcp relay information... | Required
Displaying and Maintaining DHCP Relay Agent Configuration
To do… | Use the command… | Remarks
Display information about DHCP server groups correlated to a specified interface or all interfaces | display dhcp relay { all | interface interface-type interface-number } |
Display Option 82 configuration information on the DHCP relay agent | display dhcp relay information { all | interface interface-type ...
Configuration procedure
# Specify IP addresses for the interfaces (omitted).
# Enable DHCP.
<SwitchA> system-view
[SwitchA] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[SwitchA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] dhcp select relay
# Correlate VLAN-interface 1 to DHCP server group 1.
# Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations.
[SwitchA-Vlan-interface1] dhcp relay information enable
[SwitchA-Vlan-interface1] dhcp relay information strategy replace
[SwitchA-Vlan-interface1] dhcp relay information circuit-id string company001
[SwitchA-Vlan-interface1] dhcp relay information remote-id string device001
You need to perform corresponding configurations on the DHCP server to make the Option 82 configurations function normally.
DHCP Client Configuration
When configuring the DHCP client, go to these sections for information you are interested in:
Introduction to DHCP Client
Enabling the DHCP Client on an Interface
Displaying and Maintaining the DHCP Client
DHCP Client Configuration Example
The DHCP client configuration is supported only on VLAN interfaces. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.
An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface.
DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
DHCP Snooping Overview
Configuring DHCP Snooping Basic Functions
Configuring DHCP Snooping to Support Option 82
Displaying and Maintaining DHCP Snooping
DHCP Snooping Configuration Examples
The DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP server, and it can work when it is between the DHCP client and relay agent or between the DHCP client and server.
Recording IP-to-MAC mappings of DHCP clients DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping entries, DHCP snooping can implement the following: ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries.
Figure 4-2 Configure trusted ports in a cascaded network
Table 4-1 describes the roles of the ports shown in Figure 4-2.
Table 4-1 Roles of ports
Device | Untrusted port | Trusted port disabled from recording binding entries | Trusted port enabled to record binding entries
Switch A | GE1/0/1 | GE1/0/3 | ...
If a client's requesting message has… | Handling strategy | Padding format | The DHCP snooping device will…
Option 82 | Drop | Random | Drop the message.
Option 82 | Keep | Random | Forward the message without changing Option 82.
Option 82 | Replace | normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports.
To do… | Use the command… | Remarks
Configure the padding format for Option 82 | dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } | Optional. normal by default.
… | … | Optional. By default, the code type depends on the padding format of Option 82.
Displaying and Maintaining DHCP Snooping
To do… | Use the command… | Remarks
Display DHCP snooping entries | display dhcp-snooping [ ip ip-address ] | Available in any view
Display Option 82 configuration information on the DHCP snooping device | display dhcp-snooping information { all | interface interface-type interface-number } | Available in any view
Display DHCP packet statistics on the...
[SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/1] quit

DHCP Snooping Option 82 Support Configuration Example
Network requirements
As shown in Figure 4-3, enable DHCP snooping and Option 82 support on Switch B. Configure the handling strategy for DHCP requests containing Option 82 as replace. On GigabitEthernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
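The following Python, added here as an illustration and not the switch's own implementation, applies the drop/keep/replace handling strategies from the relay agent and DHCP snooping Option 82 tables to the options field of a client request, using the user-defined circuit ID and remote ID strings company001 and device001 from the configuration examples. The TLV encoding of those strings as sub-options 1 and 2, and appending Option 82 when a request carries none (standard RFC 3046 relay behaviour), are assumptions; the sample message bytes are constructed.

```python
"""DHCP Option 82 handling strategies (drop / keep / replace) on a client request (added example)."""
from __future__ import annotations

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # starts the DHCP options field
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2   # RFC 3046 sub-option codes


def parse_options(options: bytes) -> list[tuple[int, bytes]]:
    """Parse a DHCP options field into (code, value) pairs, rejecting truncated TLVs."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    result, i = [], len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            return result
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        result.append((code, value))
        i += 2 + length
    raise ValueError("options field has no End option")


def serialize_options(opts: list[tuple[int, bytes]]) -> bytes:
    """Serialize (code, value) pairs back into an options field ending with End."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:
        if len(value) > 255:
            raise ValueError(f"option {code} too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id: str, remote_id: str) -> bytes:
    """Option 82 value carrying user-defined strings (assumed encoding for
    'dhcp relay information circuit-id string ...' / 'remote-id string ...')."""
    cid, rid = circuit_id.encode("ascii"), remote_id.encode("ascii")
    value = (bytes([SUBOPT_CIRCUIT_ID, len(cid)]) + cid
             + bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid)
    if len(value) > 255:
        raise ValueError("Option 82 value exceeds 255 bytes")
    return value


def parse_option82(value: bytes) -> dict[int, bytes]:
    """Split an Option 82 value into its sub-options."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        sub = value[i + 2:i + 2 + length]
        if len(sub) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[code] = sub
        i += 2 + length
    return subs


def handle_client_request(options: bytes, strategy: str,
                          circuit_id: str, remote_id: str) -> bytes | None:
    """Apply the configured handling strategy to a client request's options field.

    Returns the options field to forward, or None when the request must be dropped.
    A request without Option 82 gets the device's own Option 82 appended (RFC 3046).
    """
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError(f"unknown strategy {strategy!r}")
    opts = parse_options(options)
    if any(code == OPT_RELAY_AGENT_INFO for code, _ in opts):
        if strategy == "drop":
            return None                       # Drop: discard the message
        if strategy == "keep":
            return options                    # Keep: forward unchanged
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT_INFO]   # Replace
    opts.append((OPT_RELAY_AGENT_INFO, build_option82(circuit_id, remote_id)))
    return serialize_options(opts)


if __name__ == "__main__":
    # Constructed DHCP-DISCOVER options carrying an Option 82 inserted upstream.
    tagged = serialize_options([(OPT_MESSAGE_TYPE, b"\x01"),
                                (OPT_RELAY_AGENT_INFO, build_option82("old-cid", "old-rid"))])
    for strategy in ("drop", "keep", "replace"):
        out = handle_client_request(tagged, strategy, "company001", "device001")
        print(strategy, None if out is None else parse_option82(dict(parse_options(out))[82]))
```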
BOOTP Client Configuration
While configuring a BOOTP client, go to these sections for information you are interested in:
Introduction to BOOTP Client
Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP
Displaying and Maintaining BOOTP Client Configuration
BOOTP client configuration only applies to VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.
Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server. Obtaining an IP Address Dynamically A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.
Displaying and Maintaining BOOTP Client Configuration
To do… | Use the command… | Remarks
Display related information on a BOOTP client | display bootp client [ interface interface-type interface-number ] | Available in any view

BOOTP Client Configuration Example
Network requirement
As shown in Figure 5-1, Switch B's port belonging to VLAN 1 is connected to the LAN.
Table of Contents
1 DNS Configuration 1-1
  DNS Overview 1-1
    Static Domain Name Resolution 1-1
    Dynamic Domain Name Resolution 1-1
    DNS Proxy 1-3
  Configuring the DNS Client 1-4
    Configuring Static Domain Name Resolution 1-4
    Configuring Dynamic Domain Name Resolution 1-4
  Configuring the DNS Proxy 1-5
  Displaying and Maintaining DNS 1-5
  DNS Configuration Examples 1-5
    Static Domain Name Resolution Configuration Example 1-5
    Dynamic Domain Name Resolution Configuration Example 1-6
…
DNS Configuration
When configuring DNS, go to these sections for information you are interested in:
DNS Overview
Configuring the DNS Client
Configuring the DNS Proxy
Displaying and Maintaining DNS
DNS Configuration Examples
Troubleshooting DNS Configuration
This document only covers IPv4 DNS configuration. For information about IPv6 DNS configuration, refer to IPv6 Basics Configuration in the IP Services Volume.
The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, it sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned. The DNS client returns the resolution result to the application after receiving a response from the DNS server.
If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host. DNS Proxy Introduction to DNS proxy A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 1-2, a DNS client sends a DNS request to the DNS proxy, which forwards the...
Configuring the DNS Client
Configuring Static Domain Name Resolution
Follow these steps to configure static domain name resolution:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure a mapping between a host name and IP address in the static … | ip host hostname ip-address | Required. Not configured by default.
Configuring the DNS Proxy
Follow these steps to configure the DNS proxy:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable DNS proxy | dns proxy enable | Required. Disabled by default.

Displaying and Maintaining DNS
To do… | Use the command… | Remarks
Display the static domain name … | display ip host...
data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received...
Figure 1-5, right click Forward Lookup Zones, select New zone, and then follow the instructions to create a new zone named com. Figure 1-5 Create a zone # Create a mapping between the host name and IP address. Figure 1-6 Add a host Figure 1-6, right click zone com, and then select New Host to bring up a dialog box as shown in Figure...
Figure 1-7 Add a mapping between domain name and IP address
Configure the DNS client
# Enable dynamic domain name resolution.
<Sysname> system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
Configuration verification
# Execute the ping host command on the Switch to verify that the communication between the Switch...
DNS Proxy Configuration Example Network requirements Specify Switch A as the DNS server of Switch B (the DNS client). Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. Switch B implements domain name resolution through Switch A. Figure 1-8 Network diagram for DNS proxy Configuration procedure Before performing the following configuration, assume that Switch A, the DNS server, and the host are...
# Specify the DNS server 2.1.1.2.
[SwitchB] dns server 2.1.1.2
Configuration verification
# Execute the ping host.com command on Switch B to verify that the communication between the Switch and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[SwitchB] ping host.com
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
Table of Contents
1 IP Performance Optimization Configuration 1-1
  IP Performance Overview 1-1
  Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 1-1
    Enabling Reception of Directed Broadcasts to a Directly Connected Network 1-1
    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1-2
    Configuration Example 1-2
  Configuring TCP Optional Parameters 1-3
  Configuring ICMP to Send Error Packets 1-4
…
IP Performance Optimization Configuration
When optimizing IP performance, go to these sections for information you are interested in:
IP Performance Overview
Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network
Configuring TCP Optional Parameters
Configuring ICMP to Send Error Packets
Displaying and Maintaining IP Performance Optimization
IP Performance Overview
In some network environments, you can adjust the IP parameters to achieve the best network performance.
Enabling Forwarding of Directed Broadcasts to a Directly Connected Network
Follow these steps to enable the device to forward directed broadcasts:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Enable the interface to forward … | ip forward-broadcast [ acl ... | Required. By default, the device is...
[SwitchA-Vlan-interface3] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 2.2.2.2 24
# Enable VLAN-interface 2 to forward directed broadcasts.
[SwitchA-Vlan-interface2] ip forward-broadcast
Configure Switch B
# Enable Switch B to receive directed broadcasts.
<SwitchB> system-view
[SwitchB] ip forward-broadcast
# Configure a static route to the host.
[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2
# Configure an IP address for VLAN-interface 2.
Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer Configuring ICMP to Send Error Packets Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management.
If the source uses “strict source routing” to send packets, but an intermediate device finds that the next hop specified by the source is not directly connected, the device sends the source a “source routing failure” ICMP error packet. When forwarding a packet whose “Don't Fragment” bit is set, if the MTU of the sending interface is smaller than the packet, the device sends the source a “fragmentation needed and Don't Fragment (DF)-set”...
Displaying and Maintaining IP Performance Optimization
To do… | Use the command… | Remarks
Display current TCP connection state | display tcp status |
Display TCP connection statistics | display tcp statistics |
Display UDP statistics | display udp statistics |
Display statistics of IP packets | display ip statistics [ slot slot-number ] |
Display statistics of ICMP flows | display icmp statistics [ slot ...
UDP Helper Configuration
When configuring UDP Helper, go to these sections for information you are interested in:
Introduction to UDP Helper
Configuring UDP Helper
Displaying and Maintaining UDP Helper
UDP Helper Configuration Examples
UDP Helper can currently be configured on VLAN interfaces only.
Introduction to UDP Helper
Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
To do… | Use the command… | Remarks
Enter interface view | interface interface-type interface-number | —
Specify the destination server to which UDP packets are to be forwarded | udp-helper server ip-address | Required. No destination server is specified by default.
The UDP Helper enabled device cannot forward DHCP broadcast packets. That is, the UDP port number cannot be set to 67 or 68.
Figure 1-1 Network diagram for UDP Helper configuration
Configuration procedure
The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available.
# Enable UDP Helper.
<SwitchA> system-view
[SwitchA] udp-helper enable
# Enable forwarding of broadcast packets with UDP destination port 55.
[SwitchA] udp-helper port 55
# Specify the destination server 10.2.1.1 on VLAN-interface 1.
Table of Contents
1 IPv6 Basics Configuration 1-1
  IPv6 Overview 1-1
    IPv6 Features 1-1
    Introduction to IPv6 Address 1-3
    Introduction to IPv6 Neighbor Discovery Protocol 1-5
    IPv6 PMTU Discovery 1-8
    Introduction to IPv6 DNS 1-9
    Protocols and Standards 1-9
  IPv6 Basics Configuration Task List 1-9
  Configuring Basic IPv6 Functions 1-10
    Enabling IPv6 1-10
    Configuring an IPv6 Unicast Address 1-10
…
IPv6 Basics Configuration
When configuring IPv6 basics, go to these sections for information you are interested in:
IPv6 Overview
IPv6 Basics Configuration Task List
Configuring Basic IPv6 Functions
Configuring IPv6 NDP
Configuring PMTU Discovery
Configuring IPv6 TCP Properties
Configuring ICMPv6 Packet Sending
Configuring IPv6 DNS Client
Displaying and Maintaining IPv6 Basics Configuration
IPv6 Configuration Example
...
the IPv4 address size, the basic IPv6 header size is 40 bytes and is only twice the IPv4 header size (excluding the Options field).
Figure 1-1 Comparison between IPv4 packet header format and basic IPv6 packet header format
Adequate address space
The source and destination IPv6 addresses are both 128 bits (16 bytes) long.
Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol Version 6 (ICMPv6) messages that manage the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP) messages, Internet Control Message Protocol version 4 (ICMPv4) router discovery messages, and ICMPv4 redirection messages and provides a series of other functions.
Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the target interface is nearest to the source, according to a routing protocol’s measure of distance).
Multicast address
The IPv6 multicast addresses listed in Table 1-2 are reserved for special purposes.
Table 1-2 Reserved IPv6 multicast addresses
Address   Application
FF01::1   Node-local scope all-nodes multicast address
FF02::1   Link-local scope all-nodes multicast address
FF01::2   Node-local scope all-routers multicast address
FF02::2   Link-local scope all-routers multicast address
FF05::2   ...
Duplicate address detection
Router/prefix discovery and address autoconfiguration
Redirection
Table 1-3 lists the types and functions of ICMPv6 messages used by the NDP.
Table 1-3 Types and functions of ICMPv6 messages
ICMPv6 message | Number | Function
Neighbor solicitation (NS) message | | Used to acquire the link-layer address of a neighbor; used to verify whether the neighbor is reachable; ...
After receiving the NS message, node B checks whether the destination address of the packet is its own solicited-node multicast address. If it is, node B learns the link-layer address of node A and unicasts an NA message containing its own link-layer address back to node A. Node A acquires the link-layer address of node B from the NA message.
The router returns an RA message containing information such as the prefix information option. (Routers also send RA messages periodically, not only in response to an RS.) The node automatically generates an IPv6 address and other configuration for its interface from the address prefix and the other parameters carried in the RA message. In addition to the address prefix itself, the prefix information option carries the preferred lifetime and the valid lifetime of the prefix.
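The address autoconfiguration and neighbor solicitation steps above, worked through in code as an added example (this is not part of the H3C manual and does not run on the switch): it derives the modified EUI-64 interface identifier from a MAC address, forms the link-local address and the prefix-based address a host generates from an RA prefix, and computes the solicited-node multicast group that duplicate address detection and address-resolution NS messages for each address are sent to. The MAC 000f-e200-01c0 is a constructed value, chosen because it yields the link-local address FE80::20F:E2FF:FE00:1C0 that appears in this chapter's display output; the 2001::/64 prefix is the one used in the configuration example.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Return the 64-bit modified EUI-64 interface ID derived from a 48-bit MAC:
    the OUI and NIC halves are separated by FF:FE and the universal/local bit
    (bit 1 of the first octet) is inverted."""
    hexdigits = "".join(ch for ch in mac if ch not in ":-.")
    octets = bytes.fromhex(hexdigits)
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits long")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix, as carried in the prefix information option of an
    RA message, with the EUI-64 interface ID of the receiving interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address an interface forms when IPv6 is enabled on it."""
    return slaac_address("fe80::/64", mac)


# FF02::1:FF00:0 with the last 24 bits left open for the unicast address.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """Group FF02::1:FFxx:xxxx that NS messages for `addr` are sent to; xx:xxxx
    are the low-order 24 bits of the unicast address. A node joins this group
    for every unicast address it owns, so DAD and address resolution reach it."""
    packed = ipaddress.IPv6Address(str(addr)).packed
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + packed[13:])


def dad_targets(addresses):
    """For each configured address: the NS target and the multicast group the
    duplicate address detection NS is sent to."""
    return [(str(a), str(solicited_node_multicast(a))) for a in addresses]


if __name__ == "__main__":
    # Constructed MAC; reproduces the link-local address shown in the chapter.
    mac = "000f-e200-01c0"
    ll = link_local_address(mac)
    gua = slaac_address("2001::/64", mac)  # prefix from the chapter's example
    print("link-local :", ll)
    print("global     :", gua)
    for target, group in dad_targets([ll, gua]):
        print(f"DAD NS for {target} is sent to {group}")
```

A practical consequence visible in the output: every address derived from the same MAC shares the last 24 bits, so one host joins a single solicited-node group for all of its EUI-64 addresses, while two hosts whose MACs differ only in the OUI would collide on the same group and both have to answer the NS.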
The source host initially sends packets sized to its own MTU. If the MTU of a forwarding interface along the path is smaller than the packet size, the forwarding device discards the packet and returns an ICMPv6 Packet Too Big error message carrying that interface's MTU to the source host.
Task | Remarks
Configuring ICMPv6 Packet Sending | Optional
Configuring IPv6 DNS Client | Optional
Configuring Basic IPv6 Functions
Enabling IPv6
Before performing any IPv6-related configuration, you must enable IPv6. Otherwise, an interface cannot forward IPv6 packets even if it has an IPv6 address configured.
Follow these steps to enable IPv6:
To do...
To do... | Use the command... | Remarks
Configure an IPv6 link-local address for the interface, either automatically generated: ipv6 address auto ..., or manually assigned: ipv6 address ... | Optional. By default, after a site-local address or an aggregatable global unicast address is configured for an interface, a link-local address is generated for the interface automatically.
Follow these steps to configure a static neighbor entry:
Enter system view: system-view
Configure a static neighbor entry (Required): ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }
You can adopt either of the two methods above to configure a static neighbor entry. After a static neighbor entry is configured by using the first method, the device needs to resolve the corresponding Layer 2 port information of the VLAN interface.
Table 1-4 Parameters in an RA message and their descriptions
Parameter | Description
Cur Hop Limit | When sending an IPv6 packet, a host uses this value to fill the Hop Limit field of the IPv6 header. The value is also filled into the Cur Hop Limit field of response messages sent by a device.
To do... | Use the command... | Remarks
Disable RA message suppression | undo ipv6 nd ra halt | Required. By default, RA messages are suppressed.
Configure the maximum and minimum intervals for sending RA messages | ipv6 nd ra interval ... | Optional. By default, the maximum interval for sending RA messages is 600 seconds and the minimum interval is 200 seconds.
Configuring the Maximum Number of Attempts to Send an NS Message for DAD An interface sends a neighbor solicitation (NS) message for duplicate address detection after acquiring an IPv6 address. If the interface does not receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it continues to send an NS message.
Follow these steps to configure the aging time for dynamic PMTUs:
Enter system view: system-view
Configure the aging time for dynamic PMTUs (Optional): ipv6 pathmtu age age-time. 10 minutes by default.
Configuring IPv6 TCP Properties
The IPv6 TCP properties you can configure include:
synwait timer: When a SYN packet is sent, the synwait timer is triggered.
To do... | Use the command... | Remarks
Enter system view | system-view |
Configure the capacity and update interval of the token bucket | ipv6 icmp-error { bucket bucket-size | ratelimit interval } * | Optional. By default, the capacity of the token bucket is 10 and the update interval is 100 milliseconds, that is, at most 10 ICMPv6 error packets can be sent per 100 milliseconds.
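A model of the token-bucket limiter described above, as an added example that is not part of the manual and not the switch's implementation: the bucket holds bucket-size tokens, is refilled to capacity every interval milliseconds, and each ICMPv6 error packet consumes one token. The refill-to-capacity behaviour is taken from the manual's wording ("at most 10 ... in 100 milliseconds"); the arrival pattern fed to it is constructed. Running it shows why the default caps the error responses to a burst of undeliverable packets at 10 per 100 ms, and what raising the bucket size or shortening the interval changes.

```python
class IcmpErrorRateLimiter:
    """Token bucket as described for ipv6 icmp-error: the bucket holds at most
    `bucket_size` tokens and is refilled to capacity every `interval_ms`
    milliseconds. Sending one ICMPv6 error packet costs one token; when the
    bucket is empty the error packet is not generated."""

    def __init__(self, bucket_size=10, interval_ms=100):
        if bucket_size < 1 or interval_ms < 1:
            raise ValueError("bucket size and interval must be positive")
        self.bucket_size = bucket_size
        self.interval_ms = interval_ms
        self.tokens = bucket_size
        self.last_refill_ms = 0
        self.sent = 0
        self.dropped = 0

    def _refill(self, now_ms):
        elapsed = now_ms - self.last_refill_ms
        if elapsed >= self.interval_ms:
            self.tokens = self.bucket_size
            # Keep refill boundaries aligned to whole multiples of the interval.
            self.last_refill_ms = now_ms - (elapsed % self.interval_ms)

    def try_send(self, now_ms):
        """Return True if an ICMPv6 error packet may be sent at time now_ms."""
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.dropped += 1
        return False


def run(arrivals_ms, bucket_size=10, interval_ms=100):
    """Feed a non-decreasing sequence of error-triggering timestamps (ms)
    through a fresh limiter and return (sent, dropped)."""
    limiter = IcmpErrorRateLimiter(bucket_size, interval_ms)
    for t in arrivals_ms:
        limiter.try_send(t)
    return limiter.sent, limiter.dropped


# Constructed arrival pattern: 50 packets needing an ICMPv6 error reply arrive
# 1 ms apart (for example probes to unreachable destinations), then 5 more
# arrive 100 ms after the start of the burst.
BURST = list(range(0, 50)) + list(range(100, 105))

if __name__ == "__main__":
    print("defaults, 10 tokens per 100 ms:", run(BURST))
    print("bucket 20, interval 50 ms     :", run(BURST, 20, 50))
```

With the defaults the first 10 probes are answered and the remaining 40 of the burst are silently dropped; the 5 later probes are answered because the bucket was refilled at the 100 ms boundary. That is the intended trade-off: the limiter bounds the rate at which the switch can be made to generate error traffic, at the cost of delaying legitimate error feedback during a burst.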
Configuring IPv6 DNS Client Configuring Static IPv6 Domain Name Resolution Configuring static IPv6 domain name resolution is to establish the mapping between a host name and an IPv6 address. When using such applications as Telnet, you can directly input a host name and the system will resolve the host name into an IPv6 address.
Displaying and Maintaining IPv6 Basics Configuration
Display DNS suffix information: display dns domain [ dynamic ]
Display IPv6 dynamic domain name cache information: display dns ipv6 dynamic-host
Display IPv6 DNS server information: display dns ipv6 server [ dynamic ]
Display the IPv6 FIB entries: display ipv6 fib [ slot-number ] [ ipv6-address ]
...
The display dns domain command is the same as the one of IPv4 DNS. For details about the commands, refer to DNS Commands in the IP Services Volume. IPv6 Configuration Example Network requirements Host, Switch A and Switch B are directly connected through Ethernet ports. Add the Ethernet ports into corresponding VLANs, configure IPv6 addresses for the VLAN interfaces and verify the connectivity between them.
[SwitchA-Vlan-interface1] undo ipv6 nd ra halt
Configure Switch B
# Enable IPv6.
<SwitchB> system-view
[SwitchB] ipv6
# Configure an aggregatable global unicast address for VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ipv6 address 3001::2/64
# Configure an IPv6 static route to destination 2001::/64 with next hop 3001::1.
[SwitchB-Vlan-interface2] ipv6 route-static 2001:: 64 3001::1
Configure Host
Enable IPv6 on Host so that it automatically obtains an IPv6 address through IPv6 NDP.
(IPv6 statistics counter values omitted; the only value preserved is InMcastNotMembers: 25747)
[SwitchA-Vlan-interface1] display ipv6 interface vlan-interface 1 verbose
Vlan-interface1 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
...
(IPv6 statistics counter values omitted; the only value preserved is OutRequests: 1012)
# Display the IPv6 interface settings on Switch B.
[SwitchB-Vlan-interface2] display ipv6 interface vlan-interface 2 verbose
Vlan-interface2 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234
  Global unicast address(es):
...
(IPv6 statistics counter values omitted)
# Ping Switch A and Switch B from Host, and ping Switch A and Host from Switch B, to verify the connectivity between them. When you ping a link-local address, you should use the "-i" ...
Troubleshooting IPv6 Basics Configuration Symptom The peer IPv6 address cannot be pinged. Solution Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled. Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up.
Dual Stack Configuration When configuring dual stack, go to these sections for information you are interested in: Dual Stack Overview Configuring Dual Stack Dual Stack Overview Dual stack is the most direct approach to making IPv6 nodes compatible with IPv4 nodes. The best way for an IPv6 node to be compatible with an IPv4 node is to maintain a complete IPv4 stack.
To do... | Use the command... | Remarks
Configure an IPv4 address for the interface | ip address ip-address { mask | mask-length } [ sub ] | Required. By default, no IP address is configured.
Manually specify an IPv6 address | ipv6 address { ipv6-address prefix-length ... | Use either command.
Table of Contents
1 sFlow Configuration 1-1
  sFlow Overview 1-1
    Introduction to sFlow 1-1
    Operation of sFlow 1-1
  Configuring sFlow 1-2
  Displaying and Maintaining sFlow 1-2
  sFlow Configuration Example 1-3
  Troubleshooting sFlow Configuration 1-4
    The Remote sFlow Collector Cannot Receive sFlow Packets 1-4
  ...
sFlow Configuration
When configuring sFlow, go to these sections for information you are interested in:
sFlow Overview
Configuring sFlow
Displaying and Maintaining sFlow
sFlow Configuration Example
Troubleshooting sFlow Configuration
sFlow Overview
Introduction to sFlow
Sampled Flow (sFlow) is a traffic monitoring technology mainly used to collect and analyze traffic statistics.
When the sFlow packet buffer overflows or the one-second timer expires, the sFlow agent sends sFlow packets to the specified sFlow collector. Configuring sFlow The sFlow feature enables the remote sFlow collector to monitor the network and analyze sFlow packet statistics.
sFlow Configuration Example Network requirements Host A and Server are connected to Switch through GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. Host B works as an sFlow collector with IP address 3.3.3.2 and port number 6343, and is connected to Switch through GigabitEthernet 1/0/3. GigabitEthernet 1/0/3 belongs to VLAN 1, having an IP address of 3.3.3.1.
Collector IP:3.3.3.2 Port:6343 Interval(s): 30
sFlow Port Information:
Interface  Direction  Rate    Mode    Status
GE1/0/1    In/Out     100000  Random  Active
Troubleshooting sFlow Configuration
The Remote sFlow Collector Cannot Receive sFlow Packets
Symptom
The remote sFlow collector cannot receive sFlow packets.
Analysis
sFlow is not enabled globally because the sFlow agent, the sFlow collector, or both have not been specified.
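To see what the collector at 3.3.3.2 port 6343 actually receives, here is an added example (not H3C code and not taken from the manual) that builds and parses an sFlow version 5 datagram according to the public sFlow v5 specification: version, agent address type and address, sub-agent ID, sequence number, agent uptime and a count of sample records, each record carrying a format word (enterprise and format) and a length. The agent address 3.3.3.1 (assumed to be the switch's VLAN-interface 1 address) and the sample payloads are constructed. Because sFlow rides on plain UDP with no authentication, accept() only admits datagrams whose agent address is one the collector has been told to expect, and every length field is checked against the bytes received before it is trusted.

```python
import struct
import ipaddress

SFLOW_UDP_PORT = 6343
SAMPLE_FORMATS = {1: "flow_sample", 2: "counters_sample",
                  3: "expanded_flow_sample", 4: "expanded_counters_sample"}


def build_datagram(agent_ip, sub_agent_id, sequence, uptime_ms, samples):
    """Construct an sFlow v5 datagram with an IPv4 agent address for testing
    (not a real capture). `samples` is a list of (format, payload) tuples with
    enterprise 0, i.e. the standard sFlow sample formats."""
    header = struct.pack("!II4sIIII", 5, 1, ipaddress.IPv4Address(agent_ip).packed,
                         sub_agent_id, sequence, uptime_ms, len(samples))
    body = b"".join(struct.pack("!II", fmt, len(payload)) + payload
                    for fmt, payload in samples)
    return header + body


def parse_datagram(data):
    """Parse the datagram header and split out the sample records, checking
    every length field against the bytes actually received."""
    def need(offset, n):
        if offset + n > len(data):
            raise ValueError(f"truncated datagram at offset {offset}")

    need(0, 8)
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    off = 8
    if addr_type == 1:
        need(off, 4)
        agent, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif addr_type == 2:
        need(off, 16)
        agent, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    need(off, 16)
    sub_agent_id, sequence, uptime_ms, count = struct.unpack_from("!IIII", data, off)
    off += 16
    samples = []
    for _ in range(count):
        need(off, 8)
        fmt_word, length = struct.unpack_from("!II", data, off)
        off += 8
        need(off, length)            # never trust a length field blindly
        fmt = fmt_word & 0xFFF
        samples.append({"enterprise": fmt_word >> 12,
                        "format": SAMPLE_FORMATS.get(fmt, f"unknown({fmt})"),
                        "data": data[off:off + length]})
        off += length
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after last sample")
    return {"agent": agent, "sub_agent_id": sub_agent_id, "sequence": sequence,
            "uptime_ms": uptime_ms, "samples": samples}


def accept(data, expected_agents):
    """Collector-side check: only datagrams from a configured agent address
    are accepted, since the UDP transport offers no authentication."""
    parsed = parse_datagram(data)
    if parsed["agent"] not in expected_agents:
        raise ValueError(f"datagram from unexpected agent {parsed['agent']}")
    return parsed


def is_valid(data, expected_agents):
    """True if the datagram parses cleanly and comes from an expected agent."""
    try:
        accept(data, expected_agents)
        return True
    except ValueError:
        return False


# Constructed datagram from agent 3.3.3.1: one flow sample and one counters
# sample with zero-filled placeholder payloads.
SAMPLE_DATAGRAM = build_datagram("3.3.3.1", 0, 7, 123456,
                                 [(1, bytes(16)), (2, bytes(8))])

if __name__ == "__main__":
    p = accept(SAMPLE_DATAGRAM, {"3.3.3.1"})
    print(p["agent"], p["sequence"], [s["format"] for s in p["samples"]])
```

Gaps in the sequence number field are a cheap way to detect lost datagrams between the switch and the collector, which is the usual first diagnostic when the collector shows fewer samples than the configured rate suggests.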
IP Routing Volume Organization
Manual Version 6W101-20100305
Product Version Release 2202
Organization
The IP Routing Volume is organized as follows:
Features | Description
IP Routing Overview | This document describes: introduction to IP routing and the routing table; routing protocol overview.
Static Routing | A static route is manually configured by the administrator. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications.
Table of Contents
1 IP Routing Overview 1-1
  Routing 1-1
    Routing Table and FIB Table 1-1
  Routing Protocol Overview 1-3
    Static Routing and Dynamic Routing 1-3
    Routing Protocols and Routing Priority 1-3
  Displaying and Maintaining a Routing Table 1-4
  ...
Static routes: Routes that are manually configured.
Dynamic routes: Routes that are discovered dynamically by routing protocols. Dynamic routing protocols are not supported on the S5120-EI Series Ethernet Switches.
Each entry in the FIB table specifies which physical interface a packet destined for a certain destination...
Introduction to routing table Each router maintains a local routing table. Each routing protocol also maintains a protocol routing table. Routing table of a protocol A protocol routing table stores routes discovered by the routing protocol. A routing protocol can redistribute and advertise routes generated by other protocols. For example, OSPF can redistribute direct routes, static routes and IS-IS routes to the OSPF routing table and then advertise those routes.
Routing approach | Priority
DIRECT | 0
STATIC |
UNKNOWN |
The smaller the priority value, the higher the priority. The priority of a direct route is always 0 and cannot be changed. Any other type of route can have its priority configured manually, and each static route can be given a different priority. IPv4 and IPv6 routes have their own respective routing tables.
To do... | Use the command... | Remarks
Display IPv6 routing information for an IPv6 address range | display ipv6 routing-table ipv6-address1 prefix-length1 ipv6-address2 prefix-length2 [ verbose ] | Available in any view
Clear specified IPv6 routing table statistics | reset ipv6 routing-table statistics protocol { all | protocol } | Available in user view
Table of Contents
1 Static Routing Configuration 1-1
  Introduction 1-1
    Static Route 1-1
    Default Route 1-1
    Application Environment of Static Routing 1-2
  Configuring a Static Route 1-2
    Configuration Prerequisites 1-2
    Configuration Procedure 1-2
  Detecting Reachability of the Static Route's Nexthop 1-3
    Detecting Nexthop Reachability Through Track 1-3
  Displaying and Maintaining Static Routes 1-4
  Static Route Configuration Example 1-4
    Basic Static Route Configuration Example 1-4
  ...
Static Routing Configuration
When configuring a static route, go to these sections for information you are interested in:
Introduction
Configuring a Static Route
Detecting Reachability of the Static Route's Nexthop
Displaying and Maintaining Static Routes
Static Route Configuration Example
The term "router" in this document refers to a router in a generic sense or a Layer 3 switch.
Introduction
Static Route
A static route is manually configured.
Application Environment of Static Routing Before configuring a static route, you need to know the following concepts: Destination address and mask In the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of mask length (the digits of consecutive 1s in the mask).
When configuring a static route, the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface. If you do not specify the preference when configuring a static route, the default preference will be used.
To configure this feature for an existing static route, simply associate the static route with a track entry. For a non-existent static route, configure it and associate it with a Track entry. If a static route needs route recursion, the associated track entry must monitor the nexthop of the recursive route instead of that of the static route;...
Configuration procedure
Configuring IP addresses for interfaces (omitted)
Configuring static routes
# Configure a default route on Switch A.
<SwitchA> system-view
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
# Configure two static routes on Switch B.
<SwitchB> system-view
[SwitchB] ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
[SwitchB] ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
# Configure a default route on Switch C.
<SwitchC> ...
127.0.0.0/8    Direct 0   127.0.0.1   InLoop0
127.0.0.1/32   Direct 0   127.0.0.1   InLoop0
1.1.6.0/24     Direct 0   1.1.6.1     Vlan100
1.1.6.1/32     Direct 0   127.0.0.1   InLoop0
# Use the ping command on Host B to check reachability to Host A, assuming Windows XP runs on the two hosts.
Table of Contents
1 IPv6 Static Routing Configuration 1-1
  Introduction to IPv6 Static Routing 1-1
    Features of IPv6 Static Routes 1-1
    Default IPv6 Route 1-1
  Configuring an IPv6 Static Route 1-1
    Configuration prerequisites 1-1
    Configuring an IPv6 Static Route 1-2
  Displaying and Maintaining IPv6 Static Routes 1-2
  IPv6 Static Routing Configuration Example 1-2
  ...
IPv6 Static Routing Configuration
When configuring IPv6 static routing, go to these sections for information you are interested in:
Introduction to IPv6 Static Routing
Configuring an IPv6 Static Route
Displaying and Maintaining IPv6 Static Routes
IPv6 Static Routing Configuration Example
The term "router" ...
Enabling IPv6 packet forwarding
Ensuring that the neighboring nodes are IPv6 reachable
Configuring an IPv6 Static Route
Follow these steps to configure an IPv6 static route:
Enter system view: system-view
Configure an IPv6 static route (Required): ipv6 route-static ipv6-address prefix-length [ interface-type ... The default ...
Figure 1-1 Network diagram for static routes
Configuration procedure
Configure the IPv6 addresses of all VLAN interfaces (omitted)
Configure IPv6 static routes.
# Configure the default IPv6 static route on Switch A.
<SwitchA> system-view
[SwitchA] ipv6 route-static :: 0 4::2
# Configure two IPv6 static routes on Switch B.
<SwitchB> ...
NextHop     : 1::1                 Preference :
Interface   : Vlan-interface100    Cost       :

Destination : 1::1/128             Protocol   : Direct
NextHop     : ::1                  Preference :
Interface   : InLoop0              Cost       :

Destination : FE80::/10            Protocol   : Direct
NextHop     : ::                   Preference :
Interface   : NULL0                Cost       :
# Verify the connectivity with the ping command.
[SwitchA] ping ipv6 3::1
PING 3::1 : 56 data bytes, press CTRL_C to break
...
IP Multicast Volume Organization
Manual Version 6W101-20100305
Product Version Release 2202
Organization
The IP Multicast Volume is organized as follows:
Features | Description
Multicast Overview | This document describes the main concepts in multicast: introduction to multicast, multicast models, multicast architecture, multicast packet forwarding mechanism.
IGMP Snooping | Running at the data link layer, IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and is used for multicast group management and control.
Table of Contents
1 Multicast Overview 1-1
  Introduction to Multicast 1-1
    Comparison of Information Transmission Techniques 1-1
    Features of Multicast 1-4
    Common Notations in Multicast 1-5
    Advantages and Applications of Multicast 1-5
  Multicast Models 1-5
  Multicast Architecture 1-6
    Multicast Addresses 1-7
    Multicast Protocols 1-11
  Multicast Packet Forwarding Mechanism 1-13
  ...
Multicast Overview This manual chiefly focuses on the IP multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to IP multicast. Introduction to Multicast As a technique coexisting with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission.
Figure 1-1 Unicast transmission (Source sends a separate stream of packets across the IP network to each receiver: Host B, Host D and Host E; Host A and Host C are not receivers)
Assume that Host B, Host D and Host E need the information. A separate transmission channel needs to be established from the information source to each of these hosts.
Figure 1-2 Broadcast transmission Assume that only Host B, Host D, and Host E need the information. If the information is broadcast to the subnet, Host A and Host C also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet.
Figure 1-3 Multicast transmission The multicast source (Source in the figure) sends only one copy of the information to a multicast group. Host B, Host D and Host E, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the information based on the distribution of the group members.
For a better understanding of the multicast concept, you can compare multicast transmission to the transmission of TV programs, as shown in Table 1-1.
Table 1-1 An analogy between TV transmission and multicast transmission
TV transmission | Multicast transmission
A TV station transmits a TV program through a channel. | A multicast source sends multicast data to a ...
ASM model
In the ASM model, any sender can act as a multicast source and send information to a multicast group, and any number of receivers can join the multicast group, identified by its group address, to obtain the multicast information addressed to it. In this model, receivers do not know the location of the multicast sources in advance.
Multicast Addresses To allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely, multicast IP addresses must be provided. In addition, a technique must be available to map multicast IP addresses to link-layer multicast MAC addresses. IP multicast addresses IPv4 multicast addresses Internet Assigned Numbers Authority (IANA) assigned the Class D address space (224.0.0.0 to 239.255.255.255) for IPv4 multicast.
Address      Description
224.0.0.7    Shared Tree (ST) routers
224.0.0.8    ST hosts
224.0.0.9    Routing Information Protocol version 2 (RIPv2) routers
224.0.0.11   Mobile agents
224.0.0.12   Dynamic Host Configuration Protocol (DHCP) server/relay agent
224.0.0.13   All Protocol Independent Multicast (PIM) routers
224.0.0.14   Resource Reservation Protocol (RSVP) encapsulation
224.0.0.15   All Core-Based Tree (CBT) routers
224.0.0.16   ...
When set to 0, it indicates that this address is an IPv6 multicast address permanently assigned by IANA.
When set to 1, it indicates that this address is a transient, or dynamically assigned, IPv6 multicast address.
Scope: 4 bits, indicating the scope of the IPv6 internetwork for which the multicast traffic is intended. Possible values of this field are given in Table 1-5.
Figure 1-6 IPv4-to-MAC address mapping The high-order four bits of a multicast IPv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a MAC address, so five bits of the multicast IPv4 address are lost.
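The address mapping just described, together with the flags and scope fields of the IPv6 multicast address format above, as one added example (not from the manual and not H3C code). The IPv4 side implements Figure 1-6: the high four bits 1110 are dropped, only the low 23 of the remaining 28 bits are copied behind 01-00-5E, so 2^5 = 32 IPv4 groups share each MAC address, and the inverse function lists them. The IPv6 side follows RFC 2464, which the excerpt above does not quote: 33:33 followed by the low-order 32 bits of the group address. Scope names other than the node-local, link-local and site-local ones shown in Table 1-2 are taken from RFC 4291.

```python
import ipaddress

# Scope nibble values per RFC 4291; the manual's Table 1-5 is not reproduced here.
IPV6_MULTICAST_SCOPES = {0x1: "interface-local (node-local)", 0x2: "link-local",
                         0x4: "admin-local", 0x5: "site-local",
                         0x8: "organization-local", 0xE: "global"}


def ipv4_multicast_mac(ip):
    """Map a Class D address to its 01:00:5E MAC address. The high four bits
    are always 1110; only the low 23 of the remaining 28 bits are copied, so
    5 bits of the IPv4 address are lost in the mapping."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ipv4_addresses_for_mac(mac):
    """Inverse mapping: the 32 IPv4 multicast addresses that share one MAC.
    A Layer 2 switch that filters only on MAC cannot tell them apart."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6 or octets[:3] != b"\x01\x00\x5e" or octets[3] & 0x80:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC address")
    low23 = int.from_bytes(octets[3:], "big")
    return [str(ipaddress.IPv4Address(0xE0000000 | (high5 << 23) | low23))
            for high5 in range(32)]


def ipv6_multicast_mac(ip):
    """33:33 followed by the low-order 32 bits of the IPv6 multicast address."""
    addr = ipaddress.IPv6Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv6 multicast address")
    return "33:33:" + ":".join("%02x" % b for b in addr.packed[12:])


def ipv6_multicast_info(ip):
    """Decode the flags and scope nibbles that follow the FF prefix. The
    low-order flag bit (T) is 0 for an IANA-assigned group and 1 for a
    transient, dynamically assigned one."""
    addr = ipaddress.IPv6Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv6 multicast address")
    flags = addr.packed[1] >> 4
    scope = addr.packed[1] & 0x0F
    return {"flags": flags,
            "permanent": not (flags & 0x1),
            "scope": IPV6_MULTICAST_SCOPES.get(scope, f"reserved/unassigned({scope:#x})"),
            "mac": ipv6_multicast_mac(addr)}


if __name__ == "__main__":
    for ip in ("224.0.0.9", "224.1.1.1", "225.1.1.1", "239.129.1.1"):
        print(ip, "->", ipv4_multicast_mac(ip))
    print("groups sharing 01:00:5e:01:01:01:", ipv4_addresses_for_mac("01:00:5e:01:01:01"))
    for ip in ("ff02::1", "ff02::2", "ff15::1234"):
        print(ip, "->", ipv6_multicast_info(ip))
```

The collision list is the practical point of the 23-bit mapping: 224.1.1.1, 225.1.1.1 and 239.129.1.1 all arrive with the same destination MAC, so a receiver that filters only at the MAC layer, or a switch that forwards multicast by MAC alone, delivers all of them to a host that joined just one.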
Multicast Protocols
IP multicast operating at the network layer is generally called Layer 3 multicast, and the corresponding protocols are called Layer 3 multicast protocols: IGMP/MLD, PIM/IPv6 PIM, MSDP, and MBGP/IPv6 MBGP. IP multicast operating at the data link layer is called Layer 2 multicast, and the corresponding protocols are called Layer 2 multicast protocols: IGMP Snooping/MLD Snooping and multicast VLAN/IPv6 multicast VLAN.
In the ASM model, multicast routes come in intra-domain routes and inter-domain routes. An intra-domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an AS so as to deliver multicast data to receivers. Among a variety of mature intra-domain multicast routing protocols, protocol independent multicast (PIM) is a popular one.
Multicast Packet Forwarding Mechanism In a multicast model, a multicast source sends information to the host group identified by the multicast group address in the destination address field of IP multicast packets. Therefore, to deliver multicast packets to receivers located in different parts of the network, multicast routers on the forwarding path usually need to forward multicast packets received on one incoming interface to multiple outgoing interfaces.
Table of Contents
1 IGMP Snooping Configuration 1-1
  IGMP Snooping Overview 1-1
    Principle of IGMP Snooping 1-1
    Basic Concepts in IGMP Snooping 1-2
    How IGMP Snooping Works 1-3
    Protocols and Standards 1-5
  IGMP Snooping Configuration Task List 1-5
  Configuring Basic Functions of IGMP Snooping 1-6
    Configuration Prerequisites 1-6
    Enabling IGMP Snooping 1-6
    Configuring the Version of IGMP Snooping 1-7
  ...
IGMP Snooping Configuration
When configuring IGMP Snooping, go to the following sections for information you are interested in:
IGMP Snooping Overview
IGMP Snooping Configuration Task List
Displaying and Maintaining IGMP Snooping
IGMP Snooping Configuration Examples
Troubleshooting IGMP Snooping Configuration
IGMP Snooping Overview
Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
  Reducing Layer 2 broadcast packets, thus saving network bandwidth.
  Enhancing the security of multicast traffic.
  Facilitating the implementation of per-host accounting.
Basic Concepts in IGMP Snooping
IGMP Snooping related ports
As shown in Figure 1-2, Router A connects to the multicast source, IGMP Snooping runs on Switch A and Switch B, and Host A and Host C are receiver hosts (namely, multicast group members).
Aging timers for dynamic ports in IGMP Snooping and related messages and actions
Table 1-1 Aging timers for dynamic ports in IGMP Snooping and related messages and actions
Timer | Description | Message before expiry | Action after expiry
Dynamic router port ... | For each dynamic router port, the switch ... | IGMP general query of ... | The switch removes ...
When receiving a membership report
A host sends an IGMP report to the IGMP querier in the following circumstances:
  Upon receiving an IGMP query, a multicast group member host responds with an IGMP report.
  When intending to join a multicast group, a host sends an IGMP report to the IGMP querier to announce that it is interested in the multicast information addressed to that group.
Upon receiving the IGMP leave message from a host, the IGMP querier resolves the multicast group address in the message and sends an IGMP group-specific query to that multicast group through the port that received the leave message. Upon receiving the IGMP group-specific query, the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group, and performs the following to the port on which it received the IGMP leave message: If any IGMP report in response to the group-specific query is received on the port (suppose it is a...
Configurations made in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. For a given VLAN, a configuration made in IGMP Snooping view is effective only if the same configuration is not made in VLAN view.
IGMP Snooping must be enabled globally before it can be enabled in a VLAN. When you enable IGMP Snooping in a specified VLAN, this function takes effect for the ports in this VLAN only.
Configuring the Version of IGMP Snooping
By configuring an IGMP Snooping version, you actually configure the version of IGMP messages that IGMP Snooping can process.
Configuring Aging Timers for Dynamic Ports If the switch receives no IGMP general queries or PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no IGMP reports for a multicast group on a dynamic member port, the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer of the port for that group expires.
Follow these steps to configure static ports:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
Configure the port(s) as static ... | igmp-snooping static-group group-address [ source-ip ... | Required
Follow these steps to configure simulated joining:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
Configure simulated (*, G) or ... | igmp-snooping host-join group-address [ source-ip ... | Required
Configuring fast leave processing on a port or a group of ports
Follow these steps to configure fast leave processing on a port or a group of ports:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port/Layer 2 aggregate port view or port ... | interface interface-type interface-number | Required
It is meaningless to configure an IGMP Snooping querier in a multicast network running IGMP. Although an IGMP Snooping querier does not take part in IGMP querier elections, it may affect IGMP querier elections because it sends IGMP general queries with a low source IP address (0.0.0.0 by default, which is lower than any router's address; IGMP routers elect the router with the lowest IP address as the querier).
Configuring IGMP Queries and Responses
You can tune the IGMP general query interval based on the actual condition of the network.
To do... | Use the command... | Remarks
Configure the maximum response time to IGMP general queries | igmp-snooping max-response-time interval | Optional; 10 seconds by default
Configure the IGMP last-member query interval | igmp-snooping last-member-query-interval interval | Optional; 1 second by default
In the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general queries.
Before configuring an IGMP Snooping policy, prepare the following data:
  ACL rule for multicast group filtering
  The maximum number of multicast groups that can pass the ports
Configuring a Multicast Group Filter
On an IGMP Snooping–enabled switch, the configuration of a multicast group filter allows the service provider to define restrictions on the multicast programs available to different users.
Disabled by default
S5120-EI series switches, when enabled to filter IPv4 multicast data based on the source ports, are automatically enabled to filter IPv6 multicast data based on the source ports.
Configuring the Function of Dropping Unknown Multicast Data
Unknown multicast data refers to multicast data for which no entries exist in the IGMP Snooping forwarding table.
To do... | Use the command... | Remarks
Enable the function of dropping unknown multicast data | igmp-snooping drop-unknown | Required; disabled by default
Configuring IGMP Report Suppression
When a Layer 2 device receives an IGMP report from a multicast group member, the device forwards the message to the Layer 3 device directly connected with it.
When the number of multicast groups a port has joined reaches the maximum number configured, the system deletes all the forwarding entries for that port from the IGMP Snooping forwarding table, and the hosts on this port need to join the multicast groups again. If you have configured static or simulated joins on a port, however, when the number of multicast groups on the port exceeds the configured threshold, the system deletes all the forwarding entries for that port from the IGMP Snooping forwarding table and applies the static or simulated...
Configuring multicast group replacement on a port or a group of ports
Follow these steps to configure multicast group replacement on a port or a group of ports:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port/Layer 2 ... | interface interface-type interface-number... | Required
IGMP Snooping Configuration Examples Configuring Group Policy and Simulated Joining Network requirements As shown in Figure 1-3, Router A connects to the multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. IGMPv2 is required on Router A, IGMP Snooping version 2 is required on Switch A, and Router A will act as the IGMP querier on the subnet.
[RouterA-GigabitEthernet1/0/2] pim dm
[RouterA-GigabitEthernet1/0/2] quit
Configure Switch A
# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
# Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable IGMP Snooping and the function of dropping unknown multicast traffic in the VLAN.
[SwitchA] vlan 100
[SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
[SwitchA-vlan100] igmp-snooping enable
...
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Attribute:    Host Port
          Host port(s):total 2 port.
            GE1/0/3                (D) ( 00:03:23 )
            GE1/0/4                (D) ( 00:04:10 )
    MAC group(s):
      MAC group address:0100-5e01-0101
        Host port(s):total 2 port.
          GE1/0/3
          GE1/0/4
As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined multicast...
Network diagram
Figure 1-4 Network diagram for static port configuration (Source; Router A, the IGMP querier; Switch A, Switch B and Switch C; Host A, Host B and Host C, two of which are receivers; interface addresses 1.1.1.1/24, 1.1.1.2/24 and 10.1.1.1/24 as labelled in the figure)
Configuration procedure
Configure IP addresses
Configure an IP address and subnet mask for each interface as per Figure...
[SwitchA-vlan100] quit
# Configure GigabitEthernet 1/0/3 to be a static router port.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] igmp-snooping static-router-port vlan 100
[SwitchA-GigabitEthernet1/0/3] quit
Configure Switch B
# Enable IGMP Snooping globally.
<SwitchB> system-view
[SwitchB] igmp-snooping
[SwitchB-igmp-snooping] quit
# Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable IGMP Snooping in the VLAN.
  Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
      GE1/0/1                (D) ( 00:01:30 )
      GE1/0/3
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Attribute:    Host Port
          Host port(s):total 1 port.
IGMP Snooping Querier Configuration Network requirements As shown in Figure 1-5, in a Layer 2–only network environment, two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224.1.1.1 and 225.1.1.1 respectively, Host A and Host C are receivers of multicast group 224.1.1.1, while Host B and Host D are receivers of multicast group 225.1.1.1.
# Enable the IGMP Snooping querier function in VLAN 100.
[SwitchA-vlan100] igmp-snooping querier
# Set the source IP address of IGMP general queries and group-specific queries to 192.168.1.1 in VLAN 100.
[SwitchA-vlan100] igmp-snooping general-query source-ip 192.168.1.1
[SwitchA-vlan100] igmp-snooping special-query source-ip 192.168.1.1
[SwitchA-vlan100] quit
Configure Switch B
# Enable IGMP Snooping globally.
Troubleshooting IGMP Snooping Configuration
Switch Fails in Layer 2 Multicast Forwarding
Symptom
A switch fails to implement Layer 2 multicast forwarding.
Analysis
IGMP Snooping is not enabled.
Solution
Enter the display current-configuration command to view the running status of IGMP Snooping. If IGMP Snooping is not enabled, use the igmp-snooping command to enable IGMP Snooping globally, and then use the igmp-snooping enable command to enable IGMP Snooping in VLAN view.
Multicast VLAN Configuration
When configuring multicast VLAN, go to these sections for information you are interested in:
  Introduction to Multicast VLAN
  Multicast VLAN Configuration Task List
  Configuring Sub-VLAN-Based Multicast VLAN
  Configuring Port-Based Multicast VLAN
  Displaying and Maintaining Multicast VLAN
  Multicast VLAN Configuration Examples
Introduction to Multicast VLAN
As shown in Figure...
Figure 1-2 Sub-VLAN-based multicast VLAN (Source; Router A, the IGMP querier; Switch A; multicast packets carried in VLAN 10, the multicast VLAN; receivers Host A, Host B and Host C in VLAN 2, VLAN 3 and VLAN 4)
After the configuration, IGMP Snooping manages router ports in the multicast VLAN and member ports in the sub-VLANs.
For information about IGMP Snooping, router ports, and member ports, refer to IGMP Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume. Multicast VLAN Configuration Task List Complete the following tasks to configure multicast VLAN: Task Remarks Configuring Sub-VLAN-Based Multicast VLAN...
The VLAN to be configured as a multicast VLAN must exist. The VLANs to be configured as sub-VLANs of the multicast VLAN must exist and must not be sub-VLANs of another multicast VLAN. The total number of sub-VLANs of a multicast VLAN must not exceed 63.
Configuring Port-Based Multicast VLAN
When configuring port-based multicast VLAN, you need to configure the attributes of each user port and then assign the ports to the multicast VLAN.
Follow these steps to configure user port attributes:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter port view or port group view | interface interface-type interface-number, or port-group { manual port-group-name | aggregation agg-id } | Required; use either command
Configure the user port link ... | port link-type hybrid... | Required
Configuring multicast VLAN ports in port view or port group view
Follow these steps to configure multicast VLAN ports in port view or port group view:
To do… | Use this command… | Remarks
Enter system view | system-view | —
Configure the specified VLAN as a multicast VLAN and enter ... | multicast-vlan vlan-id... | Required; not a multicast VLAN by ...
Configure the sub-VLAN-based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs.
Network diagram
Figure 1-4 Network diagram for sub-VLAN-based multicast VLAN configuration (Source; Router A, the IGMP querier; ...)
[SwitchA-vlan2] port gigabitethernet 1/0/2
[SwitchA-vlan2] quit
The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
# Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable IGMP Snooping in the VLAN.
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] igmp-snooping enable
[SwitchA-vlan10] quit
...
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 0 port.
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Host port(s):total 1 port.
            GE1/0/3
    MAC group(s):
      MAC group address:0100-5e01-0101
        Host port(s):total 1 port.
Port-Based Multicast VLAN Configuration
Network requirements
As shown in Figure 1-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/1, and to Switch A through GigabitEthernet 1/0/2. IGMPv2 is required on Router A, IGMP Snooping version 2 is required on Switch A, and Router A acts as the IGMP querier.
[RouterA-GigabitEthernet1/0/1] quit
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] pim dm
[RouterA-GigabitEthernet1/0/2] igmp enable
Configure Switch A
# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping
[SwitchA-igmp-snooping] quit
# Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable IGMP Snooping in this VLAN.
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] igmp-snooping enable
...
Total 1 multicast-vlan(s)
Multicast vlan 10
  subvlan list:
    no subvlan
  port list:
    GE1/0/2                GE1/0/3                GE1/0/4
# View the IGMP Snooping multicast group information on Switch A.
[SwitchA] display igmp-snooping group
  Total 1 IP Group(s).
  Total 1 IP Source(s).
  Total 1 MAC Group(s).
  Port flags: D-Dynamic port, S-Static port, C-Copy port
  Subvlan flags: R-Real VLAN, C-Copy VLAN
  Vlan(id):10.
Table of Contents
1 MLD Snooping Configuration (1-1)
  MLD Snooping Overview (1-1)
    Introduction to MLD Snooping (1-1)
    Basic Concepts in MLD Snooping (1-2)
    How MLD Snooping Works (1-3)
    Protocols and Standards (1-5)
  MLD Snooping Configuration Task List (1-5)
  Configuring Basic Functions of MLD Snooping (1-6)
    Configuration Prerequisites (1-6)
    Enabling MLD Snooping (1-6)
    Configuring the Version of MLD Snooping (1-7)
...
MLD Snooping Configuration
When configuring MLD Snooping, go to these sections for information you are interested in:
  MLD Snooping Overview
  MLD Snooping Configuration Task List
  Displaying and Maintaining MLD Snooping
  MLD Snooping Configuration Examples
  Troubleshooting MLD Snooping
MLD Snooping Overview
Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups.
  Reducing Layer 2 broadcast packets, thus saving network bandwidth.
  Enhancing the security of multicast traffic.
  Facilitating the implementation of per-host accounting.
Basic Concepts in MLD Snooping
MLD Snooping related ports
As shown in Figure 1-2, Router A connects to the multicast source, MLD Snooping runs on Switch A and Switch B, and Host A and Host C are receiver hosts (namely, IPv6 multicast group members).
Whenever mentioned in this document, a router port is a router-connecting port on the switch, rather than a port on a router. Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports. On an MLD Snooping-enabled switch, the ports that received MLD general queries with the source address other than 0::0 or IPv6 PIM hello messages are dynamic router ports.
General queries
The MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet. Upon receiving an MLD general query, the switch forwards it through all ports in the VLAN except the port on which it received the MLD query and performs the following: If the port on which the switch received the MLD query is a dynamic router port in its router port list, the switch resets the aging timer for this dynamic router port.
If the forwarding table entry does not exist or if the outgoing port list does not contain the port, the switch discards the MLD done message instead of forwarding it to any port. If the forwarding table entry exists and the outgoing port list contains the port, the switch forwards the MLD done message to all router ports in the native VLAN.
Task | Remarks
Configuring an MLD Snooping Policy:
  Configuring an IPv6 Multicast Group Filter | Optional
  Configuring IPv6 Multicast Source Port Filtering | Optional
  Configuring MLD Report Suppression | Optional
  Configuring Maximum Multicast Groups that Can Be Joined on a Port | Optional
  Configuring IPv6 Multicast Group Replacement | Optional
Configurations made in MLD Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN.
To do... | Use the command... | Remarks
Enter VLAN view | vlan vlan-id | —
Enable MLD Snooping in the VLAN | mld-snooping enable | Required; disabled by default
MLD Snooping must be enabled globally before it can be enabled in a VLAN. When you enable MLD Snooping in a specified VLAN, this function takes effect for ports in this VLAN only.
Configure the corresponding port groups
Before configuring MLD Snooping port functions, prepare the following data:
  Aging time of dynamic router ports
  Aging time of dynamic member ports
  IPv6 multicast group and IPv6 multicast source addresses
Configuring Aging Timers for Dynamic Ports
If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires.
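The behaviour described above for dynamic router and member ports, general queries, membership reports, leave/done messages with the group-specific query wait, fast leave and report suppression is the same state machine for IGMP Snooping (see How IGMP Snooping Works and Configuring Aging Timers for Dynamic Ports in the IGMP Snooping chapter) and for MLD Snooping (General queries and the done-message handling above). The following Python model is an added example, not H3C code, and serves both chapters: timer values are assumptions chosen to mirror the manual, group and port names are plain strings, and the handling of an unknown group with drop-unknown enabled is assumed to be a plain drop.

```python
"""Snooping forwarding-table model: router ports, member ports, aging, report,
leave/done and fast leave, as the IGMP and MLD Snooping chapters describe them.
Added example, not H3C code.  Timer values are assumptions chosen to mirror the
manual; groups and ports are plain strings, so the same model serves IGMP
(224.1.1.1) and MLD (FF1E::101)."""
from dataclasses import dataclass, field

ROUTER_PORT_AGING = 105         # seconds, assumed default for a dynamic router port
MEMBER_PORT_AGING = 260         # seconds, assumed default for a dynamic member port
LAST_MEMBER_QUERY_INTERVAL = 1  # seconds, the manual's default


@dataclass
class SnoopingVlan:
    """Snooping state of one VLAN.  Static ports carry expiry None, dynamic ports a deadline."""
    ports: set
    fast_leave_ports: set = field(default_factory=set)
    drop_unknown: bool = False
    report_suppression: bool = True
    router_ports: dict = field(default_factory=dict)   # port -> expiry (None = static)
    groups: dict = field(default_factory=dict)         # group -> {port: expiry}
    pending_leave: dict = field(default_factory=dict)  # (group, port) -> deadline or None
    relay_next_report: set = field(default_factory=set)

    # configuration (static-router-port / static-group)
    def add_static_router_port(self, port):
        self.router_ports[port] = None

    def add_static_member(self, group, port):
        self.groups.setdefault(group, {})[port] = None

    # control-plane events
    def general_query(self, in_port, now, from_unspecified_source=False):
        """General query from the querier.  Returns the ports it is flooded to."""
        if not from_unspecified_source and self.router_ports.get(in_port, 0) is not None:
            # a query from 0.0.0.0 / :: (a snooping querier) creates no router port
            self.router_ports[in_port] = now + ROUTER_PORT_AGING
        self.relay_next_report.update(self.groups)  # first report per group gets relayed
        return self.ports - {in_port}

    def report(self, group, in_port, now):
        """Membership report from a host.  Returns the router ports it is relayed to."""
        first_member = group not in self.groups
        members = self.groups.setdefault(group, {})
        if members.get(in_port, 0) is not None:        # a static member port keeps None
            members[in_port] = now + MEMBER_PORT_AGING  # (re)start the member port timer
        self.pending_leave.pop((group, in_port), None)  # host answered the group-specific query
        relay = not self.report_suppression or first_member or group in self.relay_next_report
        self.relay_next_report.discard(group)
        return self._router_ports() - {in_port} if relay else set()

    def leave(self, group, in_port):
        """Leave (IGMP) / done (MLD) message.  Returns (action, ports it is sent to)."""
        members = self.groups.get(group)
        if members is None or in_port not in members:
            return "dropped", set()            # no entry for this group on this port
        router_ports = self._router_ports() - {in_port}
        if members[in_port] is None:
            return "forwarded", router_ports   # a static member port is never removed by leave
        if in_port in self.fast_leave_ports:
            self._remove_member(group, in_port)
            return "removed", router_ports     # fast leave: no group-specific query wait
        self.pending_leave[(group, in_port)] = None  # wait for the querier's group-specific query
        return "forwarded", router_ports

    def group_specific_query(self, group, in_port, now):
        """Group-specific query from the querier: start the last-member wait on pending ports."""
        for key in list(self.pending_leave):
            if key[0] == group and self.pending_leave[key] is None:
                self.pending_leave[key] = now + LAST_MEMBER_QUERY_INTERVAL
        return (set(self.groups.get(group, {})) | self._router_ports()) - {in_port}

    def tick(self, now):
        """Expire aging timers and last-member waits.  Returns the (group, port) pairs removed."""
        for port, expiry in list(self.router_ports.items()):
            if expiry is not None and expiry <= now:
                del self.router_ports[port]
        removed = []
        for (group, port), deadline in list(self.pending_leave.items()):
            if deadline is not None and deadline <= now and self._remove_member(group, port):
                removed.append((group, port))
        for group, members in list(self.groups.items()):
            for port, expiry in list(members.items()):
                if expiry is not None and expiry <= now and self._remove_member(group, port):
                    removed.append((group, port))
        return removed

    # data plane
    def forward(self, group, in_port):
        """Outgoing ports for multicast data to group arriving on in_port."""
        members = self.groups.get(group)
        if members is None:  # unknown multicast: dropped, or flooded in the VLAN
            return set() if self.drop_unknown else self.ports - {in_port}
        return (set(members) | self._router_ports()) - {in_port}

    def _router_ports(self):
        return set(self.router_ports)

    def _remove_member(self, group, port):
        self.pending_leave.pop((group, port), None)
        members = self.groups.get(group)
        if members is None or port not in members:
            return False
        del members[port]
        if not members:
            del self.groups[group]
        return True
```

Driving the model with a general query on GE1/0/1, reports on GE1/0/3 and GE1/0/4, and a leave on each shows the two leave paths side by side: the fast-leave port is removed at once, the other port survives until one last-member query interval after the querier's group-specific query passes without a report, and the router port itself ages out after ROUTER_PORT_AGING seconds with no further query.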
Follow these steps to configure static ports:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
Configure the port(s) as static ... | mld-snooping static-group ipv6-group-address [ source-ip ... | Required
Follow these steps to configure simulated joining:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
Configure simulated joining | mld-snooping host-join ipv6-group-address [ source-ip ... | Required
Configuring fast leave processing on a port or a group of ports
Follow these steps to configure fast leave processing on a port or a group of ports:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port/Layer 2 ... | interface interface-type interface-number... | Required
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter VLAN view | vlan vlan-id | —
Enable the MLD Snooping querier | mld-snooping querier | Required; disabled by default
It is meaningless to configure an MLD Snooping querier in an IPv6 multicast network running MLD. Although an MLD Snooping querier does not take part in MLD querier elections, it may affect MLD querier elections because it sends MLD general queries with a low source IPv6 address (0::0 by default, which is lower than any router's address; MLD routers elect the router with the lowest IPv6 address as the querier).
Configuring MLD queries and responses in a VLAN
Follow these steps to configure MLD queries and responses in a VLAN:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter VLAN view | vlan vlan-id | —
Configure the MLD query interval | mld-snooping query-interval interval | Optional; 125 seconds by default
...
Configuring an MLD Snooping Policy
Configuration Prerequisites
Before configuring an MLD Snooping policy, complete the following task:
  Enable MLD Snooping in the VLAN
Before configuring an MLD Snooping policy, prepare the following data:
  IPv6 ACL rule for IPv6 multicast group filtering
  The maximum number of IPv6 multicast groups that can pass the ports
Configuring an IPv6 Multicast Group Filter
On an MLD Snooping–enabled switch, the configuration of an IPv6 multicast group filter allows the...
To do... | Use the command... | Remarks
Configure an IPv6 multicast group filter | mld-snooping group-policy acl6-number [ vlan vlan-list ] | Required; by default, no group filter is configured on the current port, that is, hosts on this port can join any valid IPv6 multicast group.
Configuring MLD Report Suppression When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 device, the Layer 3 device directly connected with it will receive duplicate MLD reports from these members.
When the number of IPv6 multicast groups that can be joined on a port reaches the maximum number configured, the system deletes all the forwarding entries persistent to that port from the MLD Snooping forwarding table, and the hosts on this port need to join IPv6 multicast groups again.
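The three per-port controls described above, the group filter, the maximum number of groups and what happens when that maximum is reached, are the same for IGMP Snooping (Configuring a Multicast Group Filter, Configuring Maximum Multicast Groups that Can Be Joined on a Port and Configuring Multicast Group Replacement in the IGMP Snooping chapter) and for the IPv6 counterparts here. The following Python model is an added example, not H3C code, and serves both chapters. It assumes an ACL expressed as an ordered list of permit/deny prefixes with first match wins and an implicit deny, that a join which would exceed the limit either flushes the port's dynamic entries or, with replacement enabled, evicts the longest-joined dynamic group, and that static and simulated joins are protected entries that survive a flush; which existing group a real switch replaces is not stated on this page.

```python
"""Per-port admission policy for snooping: ACL group filter, maximum number of
groups and overflow behaviour (flush or replace).  Added example, not H3C code.
Assumptions: ordered (permit|deny, prefix) rules, first match wins, implicit
deny; an over-limit join flushes dynamic entries or, with replacement enabled,
evicts the longest-joined dynamic group; static/simulated joins are protected."""
import ipaddress


class GroupPolicyPort:
    def __init__(self, acl=(), max_groups=None, overflow_replace=False, protected=()):
        self.acl = [(action, ipaddress.ip_network(net)) for action, net in acl]
        self.max_groups = max_groups
        self.overflow_replace = overflow_replace
        self.protected = {ipaddress.ip_address(g) for g in protected}  # static/simulated joins
        self.dynamic = []  # dynamic groups in join order, oldest first

    def permitted(self, group):
        """Apply the group filter; no ACL means any valid group may be joined."""
        addr = ipaddress.ip_address(group)
        for action, net in self.acl:
            if addr.version == net.version and addr in net:
                return action == "permit"
        return not self.acl  # an ACL that matches nothing denies (assumption)

    def groups(self):
        """Current groups on the port (IPv6 addresses rendered in compressed lowercase form)."""
        return {str(g) for g in self.protected} | {str(g) for g in self.dynamic}

    def join(self, group):
        """Process a report for group; returns (outcome, groups now on the port)."""
        addr = ipaddress.ip_address(group)
        if not self.permitted(group):
            return "filtered", self.groups()
        if addr in self.protected or addr in self.dynamic:
            return "already", self.groups()
        total = len(self.protected) + len(self.dynamic)
        if self.max_groups is not None and total >= self.max_groups:
            if self.overflow_replace and self.dynamic:
                self.dynamic.pop(0)        # evict the longest-joined dynamic group (assumption)
                self.dynamic.append(addr)
                return "replaced", self.groups()
            self.dynamic.clear()           # limit hit: dynamic entries dropped, hosts must rejoin
            return "flushed", self.groups()
        self.dynamic.append(addr)
        return "joined", self.groups()
```

With a filter permitting 224.1.1.0/24 and a limit of two groups, the third join flushes the port and the hosts must rejoin, which is the service impact the text warns about; with replacement enabled and a protected simulated join, the new group replaces only a dynamic entry and the protected one stays, matching the note on static and simulated joins.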
Configuring IPv6 multicast group replacement on a port or a group of ports
Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port/Layer 2 ... | interface interface-type interface-number... | Required
MLD Snooping Configuration Examples
Configuring IPv6 Group Policy and Simulated Joining
Network requirements
As shown in Figure 1-3, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. MLDv1 is required on Router A, MLD Snooping version 1 is required on Switch A, and Router A will act as the MLD querier on the subnet.
[RouterA-GigabitEthernet1/0/2] pim ipv6 dm
[RouterA-GigabitEthernet1/0/2] quit
Configure Switch A
# Enable MLD Snooping globally.
<SwitchA> system-view
[SwitchA] mld-snooping
[SwitchA-mld-snooping] quit
# Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable MLD Snooping in the VLAN.
[SwitchA] vlan 100
[SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
[SwitchA-vlan100] mld-snooping enable
...
      IP group address:FF1E::101
        (::, FF1E::101):
          Attribute:    Host Port
          Host port(s):total 2 port.
            GE1/0/3                (D) ( 00:03:23 )
            GE1/0/4                (D) ( 00:04:10 )
    MAC group(s):
      MAC group address:3333-0000-0101
        Host port(s):total 2 port.
          GE1/0/3
          GE1/0/4
As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined IPv6 multicast group FF1E::101.
Network diagram
Figure 1-4 Network diagram for static port configuration (Source; Router A, the MLD querier; Switch A, Switch B and Switch C; Host A, Host B and Host C, two of which are receivers; interface addresses 1::1/64, 1::2/64 and 2001::1/64 as labelled in the figure)
Configuration procedure
Enable IPv6 forwarding and configure IPv6 addresses
Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure...
[SwitchA-vlan100] quit
# Configure GigabitEthernet 1/0/3 to be a static router port.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] mld-snooping static-router-port vlan 100
[SwitchA-GigabitEthernet1/0/3] quit
Configure Switch B
# Enable MLD Snooping globally.
<SwitchB> system-view
[SwitchB] mld-snooping
[SwitchB-mld-snooping] quit
# Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable MLD Snooping in the VLAN.
  Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
      GE1/0/1                (D) ( 00:01:30 )
      GE1/0/3
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:FF1E::101
        (::, FF1E::101):
          Attribute:    Host Port
          Host port(s):total 1 port.
MLD Snooping Querier Configuration Network requirements As shown in Figure 1-5, in a Layer-2-only network environment, two multicast sources Source 1 and Source 2 send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively, Host A and Host C are receivers of multicast group FF1E::101, while Host B and Host D are receivers of multicast group FF1E::102.
[SwitchB] ipv6
[SwitchB] mld-snooping
[SwitchB-mld-snooping] quit
# Create VLAN 100 and add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to VLAN 100.
[SwitchB] vlan 100
[SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
# Enable the MLD Snooping feature in VLAN 100.
[SwitchB-vlan100] mld-snooping enable
[SwitchB-vlan100] quit
Configurations of Switch C and Switch D are similar to the configuration of Switch B.
Configured IPv6 Multicast Group Policy Fails to Take Effect
Symptom
Although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups.
Analysis
The IPv6 ACL rule is incorrectly configured.
IPv6 Multicast VLAN Configuration
When configuring IPv6 multicast VLAN, go to these sections for information you are interested in:
  Introduction to IPv6 Multicast VLAN
  IPv6 Multicast VLAN Configuration Task List
  Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN
  Configuring Port-Based IPv6 Multicast VLAN
  Displaying and Maintaining IPv6 Multicast VLAN
  IPv6 Multicast VLAN Configuration Examples
Introduction to IPv6 Multicast VLAN
...
Figure 1-2 Sub-VLAN-based IPv6 multicast VLAN (Source; Router A, the MLD querier; Switch A; IPv6 multicast packets carried in VLAN 10, the IPv6 multicast VLAN; receivers Host A, Host B and Host C in VLAN 2, VLAN 3 and VLAN 4)
After the configuration, MLD Snooping manages router ports in the IPv6 multicast VLAN and member ports in the sub-VLANs.
For information about MLD Snooping, router ports, and member ports, refer to MLD Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume. IPv6 Multicast VLAN Configuration Task List Complete the following tasks to configure IPv6 multicast VLAN: Configuration task Remarks Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN...
To do… | Use the command… | Remarks
Configure the specified VLAN(s) as sub-VLAN(s) of the IPv6 multicast VLAN | subvlan vlan-list | Required; by default, an IPv6 multicast VLAN has no sub-VLANs
The VLAN to be configured as an IPv6 multicast VLAN must exist. The VLANs to be configured as the sub-VLANs of the IPv6 multicast VLAN must exist and must not be sub-VLANs of another IPv6 multicast VLAN.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
Configure the user port link type as hybrid | port link-type hybrid | Required; access by default
Specify the user VLAN that ... | ... | Required
Configuring IPv6 multicast VLAN ports in port view or port group view
Follow these steps to configure IPv6 multicast VLAN ports in port view or port group view:
To do… | Use this command… | Remarks
Enter system view | system-view | —
Configure the specified VLAN as an IPv6 multicast VLAN and enter ... | ... | Required; not an IPv6 multicast ...
Configure the sub-VLAN-based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs.
Figure 1-4 Network diagram for sub-VLAN-based IPv6 multicast VLAN configuration (Source; Router A, the MLD querier; ...)
The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
# Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable MLD Snooping in the VLAN.
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] mld-snooping enable
[SwitchA-vlan10] quit
# Configure VLAN 10 as an IPv6 multicast VLAN and configure VLAN 2 through VLAN 4 as its...
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:FF1E::101
        (::, FF1E::101):
          Host port(s):total 1 port.
            GE1/0/3
    MAC group(s):
      MAC group address:3333-0000-0101
        Host port(s):total 1 port.
          GE1/0/3
  Vlan(id):4.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 0 port.
Switch A’s GigabitEthernet 1/0/1 belongs to VLAN 10, GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 belong to VLAN 2 through VLAN 4 respectively, and Host A through Host C are attached to GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 of Switch A. The IPv6 multicast source sends IPv6 multicast data to IPv6 multicast group FF1E::101. Host A, Host B, and Host C are receivers of the IPv6 multicast group.
# Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable MLD Snooping in this VLAN.
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] mld-snooping enable
[SwitchA-vlan10] quit
# Create VLAN 2 and enable MLD Snooping in the VLAN.
[SwitchA] vlan 2
[SwitchA-vlan2] mld-snooping enable
[SwitchA-vlan2] quit
...
  Total 1 MAC Group(s).
  Port flags: D-Dynamic port, S-Static port, C-Copy port
  Subvlan flags: R-Real VLAN, C-Copy VLAN
  Vlan(id):10.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 1 port.
      GE1/0/1
    IP group(s):the following ip group(s) match to one mac group.
      IP group address:FF1E::101
        (::, FF1E::101):
          Host port(s):total 3 port.
QoS Volume Organization
Manual Version 6W101-20100305
Product Version Release 2202
Organization
The QoS Volume is organized as follows:
Features | Description
... | For network traffic, Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a network, you can improve QoS by guaranteeing bandwidth and reducing delay, jitter, and packet loss rate.
Table of Contents
1 QoS Overview ... 1-1
  Introduction to QoS ... 1-1
  Introduction to QoS Service Models ... 1-1
    Best-Effort Service Model ... 1-1
    IntServ Service Model ... 1-1
    DiffServ Service Model ... 1-2
  QoS Techniques Overview ... 1-2
    Positions of the QoS Techniques in a Network ... 1-2
2 QoS Configuration Approaches ... 2-1
  QoS Configuration Approach Overview ... 2-1
    Non Policy-Based Configuration ... 2-1...
    Configuration Procedure ... 4-6
    Configuration Example ... 4-6
  Configuring the Line Rate ... 4-6
    Configuration Procedure ... 4-6
    Configuration Example ... 4-7
  Displaying and Maintaining Traffic Policing, GTS, and Line Rate ... 4-7
5 Congestion Management Configuration ... 5-1
  Congestion Management Overview ... 5-1
    Causes, Impacts, and Countermeasures of Congestion ... 5-1
    Congestion Management Policies ... 5-1
  Congestion Management Configuration Approaches ... 5-4
  Configuring Congestion Management ... 5-5
    Configuring SP Queuing ... 5-5...
QoS Overview
This chapter covers the following topics: Introduction to QoS; Introduction to QoS Service Models; QoS Techniques Overview.
Introduction to QoS
For network traffic, the Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a network, you can improve the QoS by guaranteeing the bandwidth and reducing the delay, jitter, and packet loss rate.
However, the IntServ model imposes extremely high requirements on devices. In a network with heavy data traffic, the IntServ model puts great pressure on the storage and processing capabilities of devices. In addition, the IntServ model scales poorly, so it is difficult to deploy in the core of the Internet.
Congestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port. As congestion becomes worse, it actively reduces the amount of traffic by dropping packets.
QoS Configuration Approaches This chapter covers the following topics: QoS Configuration Approach Overview Configuring a QoS Policy QoS Configuration Approach Overview Two approaches are available for you to configure QoS: policy-based and non policy-based. Some QoS features can be configured in either approach while some can be configured only in one approach.
Configuring a QoS Policy Figure 2-1 shows how to configure a QoS policy. Figure 2-1 QoS policy configuration procedure Defining a Class To define a class, you need to specify a name for it and then configure match criteria in class view. Follow these steps to define a class: To do…...
Form: acl ipv6 { access-list-number | name acl-name }
Description: Specifies to match an IPv6 ACL specified by its number or name. The access-list-number argument specifies an ACL by its number, which ranges from 2000 to 3999; the name acl-name keyword-argument combination specifies an ACL by its name.
If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the actual logical relationship between these rules is OR when the policy is applied. If multiple matching rules with the customer-vlan-id or service-vlan-id keyword specified are defined in a class, the actual logical relationship between these rules is also OR.
To do…                                            Use the command…                                  Remarks
Enter system view                                 system-view                                       —
Create a policy and enter policy view             qos policy policy-name                            Required
Associate a class with a behavior in the policy   classifier tcl-name behavior behavior-name        Required

If an ACL is referenced by a QoS policy for defining traffic match criteria, packets matching the ACL are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the match mode of the if-match clause is deny or permit.
Follow these steps to apply the QoS policy to an interface:
To do…                        Use the command…                              Remarks
Enter system view             system-view                                   —
Enter interface view          interface interface-type interface-number     Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port group.
Enter port group view         port-group manual ...
If a user profile is active, the QoS policy, except ACLs referenced in the QoS policy, applied to it cannot be configured or removed. If the user profile is being used by online users, the referenced ACLs cannot be modified either. The QoS policies applied in user profile view support only the remark, car, and filter actions.
Displaying and Maintaining QoS Policies
To do…                                                                                          Use the command…                                                       Remarks
Display information about a user-defined class and the corresponding actions associated by a policy   display qos policy [ policy-name [ classifier classifier-name ] ]   Available in any view
Display information about the ...                                                               display qos policy interface [ interface-type ...                      Available in any view...
Priority Mapping Configuration When configuring priority mapping, go to these sections for information you are interested in: Priority Mapping Overview Priority Mapping Configuration Tasks Configuring Priority Mapping Displaying and Maintaining Priority Mapping Priority Mapping Configuration Examples Priority Mapping Overview Introduction to Priority Mapping The priorities of a packet determine its transmission priority.
The priority trust mode on a port decides which priority is used for priority mapping table lookup. For the priority mapping purpose, port priority was introduced so that you can use it for priority mapping in addition to priority fields carried in packets. There are three priority trust modes on H3C S5120-EI series switches: dot1p: Uses the 802.1p priority carried in packets for priority mapping.
Figure 3-1 Priority mapping procedure for an Ethernet packet (flowchart: a packet is received on a port; depending on which priority is trusted on the port, the 802.1p priority carried in the packet, the port priority used as the 802.1p priority, or the DSCP value in the packet is selected for priority mapping)
Task                                               Remarks
Configuring a Priority Mapping Table               Optional
Configuring the Priority Trust Mode on a Port      Optional
Configuring the Port Priority of a Port            Optional

Configuring Priority Mapping
Configuring a Priority Mapping Table
Follow these steps to configure an uncolored priority mapping table:
To do…...
To do…                                                       Use the command…                                                  Remarks
Trust the port priority                                      undo qos trust
Display the priority trust mode configuration on the port    display qos trust interface [ interface-type interface-number ]   Optional. Available in any view

Configuring the Port Priority of a Port
You can change the port priority of a port used for priority mapping.
For information about priority marking, refer to Priority Marking Configuration. Network requirements As shown in Figure 3-2, the enterprise network of a company interconnects all departments through Device. The network is described as follows: The marketing department connects to GigabitEthernet 1/0/1 of Device, which sets the 802.1p priority of traffic from the marketing department to 3.
Figure 3-2 Network diagram for priority mapping table and priority marking configuration
Configuration procedure
Configure trusting port priority
# Set the port priority of GigabitEthernet 1/0/1 to 3.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] qos priority 3
[Device-GigabitEthernet1/0/1] quit
# Set the port priority of GigabitEthernet 1/0/2 to 4.
Configure priority marking # Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured above to map the 802.1p priorities to local precedence values 6, 4, and 2 respectively for differentiated traffic treatment.
Traffic Policing, Traffic Shaping, and Line Rate Configuration When configuring traffic policing and line rate, go to these sections for information you are interested in: Traffic Policing and Line Rate Overview Configuring Traffic Policing Configuring GTS Configuring the Line Rate Displaying and Maintaining Traffic Policing, GTS, and Line Rate Traffic Policing and Line Rate Overview Without limits on user traffic, a network can be overwhelmed very easily.
Evaluation is performed for each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the tokens for forwarding the packet are taken away; if the number of tokens in the bucket is not enough, the traffic is excessive. Complicated evaluation You can set two token buckets, the C bucket and the E bucket, to evaluate traffic in a more complicated environment and achieve more policing flexibility.
Forwarding the traffic if the evaluation result is “conforming.”
Dropping the traffic if the evaluation result is “excess.”
Marking a conforming packet or a non-conforming packet with a new DSCP precedence value and forwarding the packet.
Traffic Shaping
Traffic shaping provides measures to adjust the rate of outbound traffic actively. A typical traffic shaping application is to limit the local traffic output rate according to the downstream traffic policing parameters.
Line Rate The line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Line rate also uses token buckets for traffic control. With line rate configured on an interface, all packets to be sent through the interface are firstly handled by the token bucket at line rate. If there are enough tokens in the token bucket, packets can be forwarded;...
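The token bucket evaluation described above (simple evaluation with one bucket, the C/E two-bucket form, and the line-rate case where packets wait for tokens instead of being dropped), worked through in Python as an added example. This is not the switch software or any H3C code: the two-bucket meter follows the single-rate three-color marker of RFC 2697, which is assumed to be the behaviour the manual's C and E buckets describe, and all rates, bucket sizes and sample packets are constructed.

```python
"""Token-bucket traffic evaluation, as the manual describes it for traffic
policing (CAR), GTS and line rate: a bucket is refilled at the committed rate
and a packet conforms only if the bucket holds enough tokens for it.

Added example, not the switch's implementation.  Rates are in bit/s, bucket
sizes and packet sizes in bytes, time in seconds."""


class TokenBucket:
    """One bucket: refilled at rate_bps, capped at size_bytes, starts full."""

    def __init__(self, rate_bps, size_bytes):
        self.rate_bps = float(rate_bps)
        self.size_bytes = float(size_bytes)
        self.tokens = float(size_bytes)
        self.last = 0.0

    def refill(self, now):
        """Add tokens for the time elapsed since the last visit."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.size_bytes, self.tokens + elapsed * self.rate_bps / 8.0)
        self.last = now

    def take(self, nbytes, now):
        """Consume nbytes tokens if available; True means the packet conforms."""
        self.refill(now)
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


def evaluate_single(bucket, packets):
    """Simple evaluation: each (arrival_time, size) packet is 'conform' or 'excess'.
    Excess packets consume no tokens (a policer would drop or re-mark them)."""
    return ["conform" if bucket.take(size, t) else "excess" for t, size in packets]


class TwoBucketMeter:
    """C bucket (CBS) plus E bucket (EBS), both fed from one CIR token stream
    in the style of RFC 2697 (assumed): tokens fill C first and overflow into
    E.  A packet is green if C can pay for it, yellow if only E can, red
    otherwise; those colours are what the car command's green/yellow/red
    actions act on."""

    def __init__(self, cir_bps, cbs_bytes, ebs_bytes):
        self.rate = float(cir_bps) / 8.0   # bytes per second
        self.cbs, self.ebs = float(cbs_bytes), float(ebs_bytes)
        self.tc, self.te = self.cbs, self.ebs  # both buckets start full
        self.last = 0.0

    def refill(self, now):
        self.tc += max(0.0, now - self.last) * self.rate
        if self.tc > self.cbs:                 # overflow from C into E
            self.te = min(self.ebs, self.te + (self.tc - self.cbs))
            self.tc = self.cbs
        self.last = now

    def color(self, nbytes, now):
        self.refill(now)
        if self.tc >= nbytes:
            self.tc -= nbytes
            return "green"
        if self.te >= nbytes:
            self.te -= nbytes
            return "yellow"
        return "red"


def evaluate_two_bucket(meter, packets):
    """Colour each (arrival_time, size) packet with the two-bucket meter."""
    return [meter.color(size, t) for t, size in packets]


def shape(bucket, packets):
    """Line rate / GTS behaviour: a packet that finds too few tokens is held
    until the bucket has refilled enough, instead of being dropped.  Returns
    the time at which each packet is actually sent (packets leave in order)."""
    send_times = []
    clock = 0.0
    for arrival, size in packets:
        clock = max(clock, arrival)
        bucket.refill(clock)
        if bucket.tokens < size:
            clock += (size - bucket.tokens) * 8.0 / bucket.rate_bps
            bucket.refill(clock)
        bucket.tokens -= size
        send_times.append(round(clock, 6))
    return send_times


if __name__ == "__main__":
    # Constructed sample traffic: (arrival time in s, packet size in bytes).
    print(evaluate_single(TokenBucket(8000, 1500), [(0.0, 1000), (0.0, 1000), (1.0, 1000)]))
    print(evaluate_two_bucket(TwoBucketMeter(8000, 1000, 1000), [(0.0, 600)] * 3 + [(0.5, 600)]))
    print(shape(TokenBucket(8000, 1000), [(0.0, 500)] * 4))
```

With an 8 kbit/s rate (1000 bytes/s) the policer marks the second of two back-to-back 1000-byte packets as excess, while the shaper with the same bucket delays later packets by 0.5 s each rather than discarding them; that difference is the whole distinction the manual draws between policing and shaping or line rate.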
To do…                                Use the command…                                                                                                                                                      Remarks
Configure a traffic policing action   car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [ yellow action ]   Required
Exit behavior view                    —...
Configuring GTS Configuration Procedure On the S5120-EI series, traffic shaping is implemented as queue-based GTS, that is, configuring GTS parameters for packets of a certain queue. Follow these steps to configure queue-based GTS: To do… Use the command… Remarks Enter system view —...
[Sysname-GigabitEthernet1/0/1] qos lr outbound cir 512
Displaying and Maintaining Traffic Policing, GTS, and Line Rate
On the S5120-EI series switches, you can configure traffic policing in policy-based approach. For related displaying and maintaining commands, refer to Displaying and Maintaining QoS Policies.
Congestion Management Configuration
When configuring hardware congestion management, go to these sections for information you are interested in: Congestion Management Overview; Congestion Management Configuration Approaches; Configuring Congestion Management; Displaying and Maintaining Congestion Management.
Congestion Management Overview
Causes, Impacts, and Countermeasures of Congestion
Network congestion is a major factor contributing to service quality degradation on a traditional network.
The S5120-EI series support the following four queue scheduling methods: Scheduling all queues with the strict priority (SP) algorithm.
Figure 5-3 Schematic diagram for WRR queuing Assume there are eight output queues on a port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can configure the weight values of WRR queuing to 5, 3, 1, 1, 5, 3, 1, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 respectively).
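The WRR weight arithmetic from the paragraph above, with a small scheduler simulation and strict priority (SP) beside it for contrast, as an added Python example; it is not the switch's scheduler or any H3C code. The weight values come from the manual's example; the polling order (highest-numbered queue first) and the sample queue contents are assumptions made for the illustration.

```python
"""WRR and SP queue scheduling as described for the S5120-EI: eight output
queues per port, each WRR queue given a weight that fixes its share of the
port bandwidth.  Added example, not the switch's scheduler; the polling order
(queue 7 first) and the per-round accounting are assumptions."""

from collections import deque


def wrr_bandwidth_share(weights, port_mbps=100.0):
    """Share of the port bandwidth per queue: weight / sum(weights) * port rate.
    `weights` is indexed by queue number (weights[0] is w0 for queue 0)."""
    total = sum(weights)
    return [round(port_mbps * w / total, 2) for w in weights]


def wrr_schedule(queues, weights, rounds=1):
    """Weighted round robin: in each round every non-empty queue may send up to
    `weights[q]` packets; an empty queue is skipped so others use its turn.
    `queues` is a list of deques of packet labels, indexed by queue number."""
    sent = []
    for _ in range(rounds):
        for q in range(len(queues) - 1, -1, -1):      # assumed: queue 7 polled first
            for _ in range(weights[q]):
                if not queues[q]:
                    break
                sent.append(queues[q].popleft())
    return sent


def sp_schedule(queues):
    """Strict priority: always serve the highest-numbered non-empty queue, so a
    busy high-priority queue starves the lower ones until it drains."""
    sent = []
    while any(queues):
        q = max(i for i, d in enumerate(queues) if d)
        sent.append(queues[q].popleft())
    return sent


def make_queues(*packet_lists):
    """Build queues 0..n-1 from lists of packet labels (constructed test data)."""
    return [deque(p) for p in packet_lists]


if __name__ == "__main__":
    # The manual's example: w7..w0 = 5, 3, 1, 1, 5, 3, 1, 10 on a 100 Mbps port,
    # stored here queue-0-first: w0 = 10, w1 = 1, ..., w7 = 5.
    weights = [10, 1, 3, 5, 1, 1, 3, 5]
    print(wrr_bandwidth_share(weights))
    # Two-queue sample: queue 1 (weight 3) holds a-d, queue 0 (weight 1) holds x, y.
    print(wrr_schedule(make_queues(["x", "y"], ["a", "b", "c", "d"]), [1, 3], rounds=2))
    print(sp_schedule(make_queues(["x", "y"], ["a", "b", "c", "d"])))
```

With the manual's weights the shares come out at about 34.48 Mbps for queue 0 (weight 10 of 29), 17.24 Mbps for the weight-5 queues, 10.34 Mbps for weight 3 and 3.45 Mbps for weight 1; the two-queue simulation shows why WRR is preferred where SP would let the low-weight queue wait until the higher queue is empty.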
Short packets and long packets are fairly scheduled: if there are both long packets and short packets in queues, statistically the short packets should be scheduled preferentially to reduce the jitter between packets as a whole. Compared with FQ, WFQ takes weights into account when determining the queue scheduling order. Statistically, WFQ gives high priority traffic more scheduling opportunities than low priority traffic.
Task                            Remarks
Configuring WFQ Queuing         Optional
Configuring SP+WRR Queues       Optional

Configuring Congestion Management
Configuring SP Queuing
Configuration procedure
Follow these steps to configure SP queuing:
To do…                  Use the command…                 Remarks
Enter system view       system-view                      —
Enter interface view    interface interface-type ...     Use either command...
To do…                     Use the command…                               Remarks
Enter interface view       interface interface-type interface-number      Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port group.
Enter port group view      port-group manual port-group-name...
To do…                     Use the command…                         Remarks
Enter port group view      port-group manual port-group-name        Settings in port group view take effect on all ports in the port group.
Enable WFQ queuing         qos wfq...                               Required. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight...
To do…                     Use the command…                               Remarks
Enter interface view       interface interface-type interface-number      Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port group.
Enter port group view      port-group manual port-group-name...
Traffic Filtering Configuration When configuring traffic filtering, go to these sections for information you are interested in: Traffic Filtering Overview Configuring Traffic Filtering Traffic Filtering Configuration Example Traffic Filtering Overview You can filter in or filter out a class of traffic by associating the class with a traffic filtering action. For example, you can filter packets sourced from a specific IP address according to network status.
To do…                                                              Use the command…                                  Remarks
Associate the class with the traffic behavior in the QoS policy     classifier tcl-name behavior behavior-name        —
Exit policy view                                                    quit                                              —
Apply the QoS policy to an interface                                Applying the QoS policy to an interface           —
Apply the QoS policy to online users                                Applying the QoS policy to online users           —...
# Create a behavior named behavior_1, and configure the traffic filtering action for the behavior to drop packets.
[DeviceA] traffic behavior behavior_1
[DeviceA-behavior-behavior_1] filter deny
[DeviceA-behavior-behavior_1] quit
# Create a policy named policy, and associate class classifier_1 with behavior behavior_1 in the policy.
Priority Marking Configuration When configuring priority marking, go to these sections for information you are interested in: Priority Marking Overview Configuring Priority Marking Priority Marking Configuration Example Priority Marking Overview Priority marking can be used together with priority mapping. For details, refer to Priority Mapping Table and Priority Marking Configuration Example.
To do…                                    Use the command…                              Remarks
Set the IP precedence for packets         remark ip-precedence ip-precedence-value      Optional
Set the local precedence for packets      remark local-precedence local-precedence      Optional
Exit behavior view                        quit                                          —
Create a policy and enter policy view     qos policy policy-name                        —
Associate the class with ...              classifier tcl-name behavior...
Figure 7-1 Network diagram for priority marking configuration (labels: Internet; Host A; Host B; Device with GE1/0/1 and GE1/0/2; Data server 192.168.0.1/24; Mail server 192.168.0.2/24; File server 192.168.0.3/24)
Configuration procedure
# Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.
[Device] traffic behavior behavior_dbserver
[Device-behavior-behavior_dbserver] remark local-precedence 4
[Device-behavior-behavior_dbserver] quit
# Create a behavior named behavior_mserver, and configure the action of setting the local precedence value to 3 for the behavior.
[Device] traffic behavior behavior_mserver
[Device-behavior-behavior_mserver] remark local-precedence 3
[Device-behavior-behavior_mserver] quit
# Create a behavior named behavior_fserver, and configure the action of setting the local precedence value to 2 for the behavior.
Traffic Redirecting Configuration When configuring traffic redirecting, go to these sections for information you are interested in: Traffic Redirecting Overview Configuring Traffic Redirecting Traffic Redirecting Overview Traffic Redirecting Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a certain location for processing.
To do…                               Use the command…                        Remarks
Apply the QoS policy globally        Applying the QoS policy globally        —

Generally, the action of redirecting traffic to the CPU and the action of redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior. You can use the display traffic behavior command to view the traffic redirecting configuration.
Create a behavior and enter behavior view     traffic behavior behavior-name     Required
Configure the accounting action               accounting                         Optional. The class-based accounting function on S5120-EI series switches counts traffic in the number of packets.
Exit behavior view                            quit                               —
Create a policy and enter ...                 —...
Displaying and Maintaining Traffic Accounting
After completing the configuration above, you can verify the configuration with the display qos policy interface or display qos vlan-policy command, depending on where the QoS policy is applied.
Class-Based Accounting Configuration Example
Network requirements
As shown in...
Appendix
This chapter covers the following appendixes: Appendix A Acronym; Appendix B Default Priority Mapping Tables; Appendix C Introduction to Packet Precedences.
Appendix A Acronym
Table 10-1 Appendix A Acronym
Acronym     Full spelling
            Assured Forwarding
            Best Effort
            Committed Access Rate
            Committed Burst Size
CBWFQ       Class Based Weighted Fair Queuing...
Acronym     Full spelling
            Provider Edge
            Per-hop Behavior
            Peak Information Rate
            Priority Queuing
            Quality of Service
            Random Early Detection
RSVP        Resource Reservation Protocol
            Real Time Protocol
            Service Level Agreement
            Traffic Engineering
            Type of Service
            Traffic Policing
            Traffic Shaping
VoIP        Voice over IP
            Virtual Private Network
            Weighted Fair Queuing
WRED...
Input priority value     dot1p-lp mapping     dot1p-dp mapping
Table 10-3 The default dscp-lp, dscp-dp, dscp-dot1p, and dscp-exp priority mapping tables
Input priority value     dscp-dp mapping          dscp-dot1p mapping
DSCP                     Drop precedence (dp)     802.1p priority (dot1p)
0 to 7
8 to 15
16 to 23
24 to 31
32 to 39
40 to 47...
Table 10-4 Description on IP precedence
IP precedence (decimal)     IP precedence (binary)     Description
                                                       Routine
                                                       priority
                                                       immediate
                                                       flash
                                                       flash-override
                                                       critical
                                                       internet
                                                       network
Table 10-5 Description on DSCP values
DSCP value (decimal)     DSCP value (binary)     Description
46                       101110
10                       001010                  af11
12                       001100                  af12
14                       001110                  af13
18                       010010                  af21...
802.1p Priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2. Figure 10-2 An Ethernet frame with an 802.1Q tag header As shown in Figure 10-2, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two...
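Parsing the 802.1Q tag header just described and selecting the priority a port would feed into the priority mapping table under the three trust modes from the Priority Mapping Overview (802.1p priority in the packet, port priority, or DSCP), as an added Python example. It is not the switch's implementation or any H3C code: the frame bytes are constructed, the mode name "port" is a label chosen here for the port-priority trust mode, and where the trusted field is absent from a frame (an untagged frame under dot1p, a non-IP frame under dscp) the function returns None instead of reproducing the switch's fallback, which this excerpt does not describe.

```python
"""Parsing the 4-byte 802.1Q tag header (TPID, then a TCI holding the 3-bit
802.1p priority, the 1-bit CFI and the 12-bit VLAN ID) and picking the
priority a port would use for priority mapping under its trust mode.

Added example, not the switch's implementation; frame contents are constructed."""

import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame):
    """Return dst, src, the 802.1Q tag (or None), the inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tag, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        tag = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": frame[off:]}


def build_tagged_frame(dst, src, pcp, vid, ethertype, payload, cfi=0):
    """Insert an 802.1Q tag: TPID 0x8100 followed by the 16-bit TCI."""
    if not (0 <= pcp <= 7 and 0 <= vid <= 0x0FFF):
        raise ValueError("pcp is 3 bits, vid is 12 bits")
    tci = (pcp << 13) | (cfi << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def dscp_of(info):
    """DSCP is the top 6 bits of the IPv4 TOS byte (second byte of the header)."""
    if info["ethertype"] != ETHERTYPE_IPV4 or len(info["payload"]) < 20:
        return None
    return info["payload"][1] >> 2


def trusted_priority(info, trust_mode, port_priority):
    """Priority used for the mapping-table lookup under the port's trust mode.
    'dot1p' and 'dscp' are the manual's mode names; 'port' is a label used
    here for trusting the port priority (undo qos trust)."""
    if trust_mode == "port":
        return port_priority
    if trust_mode == "dot1p":
        return info["tag"]["pcp"] if info["tag"] else None
    if trust_mode == "dscp":
        return dscp_of(info)
    raise ValueError("unknown trust mode: %r" % trust_mode)


# Constructed sample frame: tagged VLAN 100, 802.1p 5, carrying an IPv4 header with DSCP 46.
SAMPLE_DST = bytes.fromhex("010203040506")
SAMPLE_SRC = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_IPV4 = bytes([0x45, 46 << 2]) + b"\x00" * 18
SAMPLE_TAGGED = build_tagged_frame(SAMPLE_DST, SAMPLE_SRC, 5, 100, ETHERTYPE_IPV4, SAMPLE_IPV4)
SAMPLE_UNTAGGED = SAMPLE_DST + SAMPLE_SRC + struct.pack("!H", ETHERTYPE_IPV4) + SAMPLE_IPV4

if __name__ == "__main__":
    info = parse_frame(SAMPLE_TAGGED)
    print(info["tag"], hex(info["ethertype"]))
    for mode in ("dot1p", "port", "dscp"):
        print(mode, trusted_priority(info, mode, port_priority=3))
```

The same sample frame yields 5 under dot1p trust, 3 under port priority trust (with the port priority set to 3) and 46 under DSCP trust, which is exactly why the manual stresses that the trust mode, not the packet alone, decides which value enters the mapping table.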
Table of Contents
1 User Profile Configuration ... 1-1
  User Profile Overview ... 1-1
  User Profile Configuration ... 1-1
    User Profile Configuration Task List ... 1-1
    Creating a User Profile ... 1-2
    Applying a QoS Policy to User Profile ... 1-2
    Enabling a User Profile ... 1-3
  Displaying and Maintaining User Profile ... 1-3...
User Profile Configuration When configuring user profile, go to these sections for information you are interested in: User Profile Overview User Profile Configuration Displaying and Maintaining User Profile User Profile Overview User profile provides a configuration template to save predefined configurations. Based on different application scenarios, you can configure different items for a user profile, such as Committed Access Rate (CAR), Quality of Service (QoS), and so on.
Creating a User Profile
Configuration Prerequisites
Before creating a user profile, you need to configure authentication parameters. User profile supports 802.1X authentication. You need to perform the related configurations (for example, username, password, authentication scheme, domain, and binding between a user profile and a user) on the client, the device, and the authentication server.
When a user profile is active, you cannot configure or remove the QoS policy applied to it. The QoS policies applied in user profile view support only the remark, car, and filter actions. Do not apply an empty QoS policy in user profile view, because even if you can do that, the user profile cannot be activated.
Security Volume Organization Manual Version 6W101-20100305 Product Version Release 2202 Organization The Security Volume is organized as follows: Features Description Authentication, Authorization and Accounting (AAA) provide a uniform framework used for configuring these three security functions to implement the network security management. This document describes: Introduction to AAA, RADIUS and HWTACACS AAA configuration RADIUS configuration...
Features   Description
Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1X authentication and MAC authentication. This document describes: Enabling Port Security; Setting the Maximum Number of Secure MAC Addresses; Setting the Port Security Mode; Configuring Port Security Features...
Table of Contents
1 AAA Configuration ... 1-1
  Introduction to AAA ... 1-1
  Introduction to RADIUS ... 1-2
    Client/Server Model ... 1-2
    Security and Authentication Mechanisms ... 1-3
    Basic Message Exchange Process of RADIUS ... 1-3
    RADIUS Packet Format ... 1-4
    Extended RADIUS Attributes ... 1-7
  Introduction to HWTACACS ... 1-7
    Differences Between HWTACACS and RADIUS ... 1-8
    Basic Message Exchange Process of HWTACACS ... 1-8
  Protocols and Standards ... 1-10
  AAA Configuration Task List ... 1-10...
    Specifying the HWTACACS Authorization Servers ... 1-32
    Specifying the HWTACACS Accounting Servers ... 1-32
    Setting the Shared Key for HWTACACS Packets ... 1-33
    Configuring Attributes Related to the Data Sent to HWTACACS Server ... 1-33
    Setting Timers Regarding HWTACACS Servers ... 1-34
    Displaying and Maintaining HWTACACS ... 1-35
  AAA Configuration Examples ... 1-35
    AAA for Telnet Users by a HWTACACS Server ... 1-35
    AAA for Telnet Users by Separate Servers ... 1-37
    AAA for SSH Users by a RADIUS Server ... 1-38...
AAA Configuration When configuring AAA, go to these sections for information you are interested in: Introduction to AAA Introduction to RADIUS Introduction to HWTACACS Protocols and Standards AAA Configuration Task List Configuring AAA Configuring RADIUS Configuring HWTACACS AAA Configuration Examples Troubleshooting AAA Introduction to AAA Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring...
requirements. For example, you can use the HWTACACS server for authentication and authorization, and the RADIUS server for accounting. The three security functions are described as follows: Authentication: Identifies remote users and determines whether a user is legitimate. Authorization: Grants different users different rights. For example, a user logging into the server can be granted the permission to access and print the files on the server.
Figure 1-2 RADIUS server components Users: Stores user information such as the usernames, passwords, applied protocols, and IP addresses. Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses. Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values. Security and Authentication Mechanisms Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network.
The host initiates a connection request carrying the username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
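How the Access-Request hides the user password with MD5 and the shared key, and how the client later checks that a reply was produced by a server holding the same key, worked through in Python as an added example. This is the RFC 2865 procedure, not H3C's code or any part of the manual; the username, shared key and authenticator bytes are constructed for the illustration.

```python
"""RFC 2865 User-Password hiding and Response Authenticator check: the RADIUS
client XORs the (zero-padded) password with MD5(shared key + Request
Authenticator), chaining each 16-byte block on the previous ciphertext block,
and accepts a reply only if MD5(Code + ID + Length + RequestAuth + Attributes
+ Secret) matches the reply's authenticator.

Added example, not H3C's implementation; all sample values are constructed."""

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5(data):
    return hashlib.md5(data).digest()


def hide_password(password, secret, request_authenticator):
    """Pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password length must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _md5(secret + prev)
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side: inverse of hide_password; strips the zero padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, _md5(secret + prev)))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, ident, authenticator, attributes):
    """20-byte header (Code, Identifier, Length, Authenticator) plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def access_request(ident, username, password, secret, request_authenticator=None):
    """Client side: Access-Request with the password hidden under a fresh
    random Request Authenticator.  Returns (packet, request_authenticator)."""
    ra = request_authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def response_authenticator(code, ident, request_authenticator, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return _md5(header + request_authenticator + attributes + secret)


def verify_response(packet, request_authenticator, secret):
    """Client side: accept a reply only if its authenticator was computed with
    our shared key over our Request Authenticator, so a reply from a party
    without the key (or a replayed reply to another request) is rejected."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_authenticator, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-key"
    req, ra = access_request(7, b"alice", b"hunter2", secret)
    print(len(req), "byte Access-Request, authenticator", ra.hex())
    reply = build_packet(ACCESS_ACCEPT, 7, response_authenticator(ACCESS_ACCEPT, 7, ra, b"", secret), b"")
    print(verify_response(reply, ra, secret), verify_response(reply, ra, b"wrong-key"))
```

Two points the code makes concrete: the shared key itself never appears on the wire (only MD5 outputs keyed by it do), and the Request Authenticator must be fresh per request, because the same key and authenticator would produce the same keystream for two different passwords.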
Code     Packet type       Description
         Access-Accept     From the server to the client. If all the attribute values carried in the Access-Request are acceptable, that is, the authentication succeeds, the server sends an Access-Accept response.
         Access-Reject     From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends an...
Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC 1700. The vendor ID of H3C is 2011. Vendor-Type: Indicates the type of the sub-attribute.
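The Vendor-Specific attribute layout described above (type 26, a 4-byte Vendor-ID whose most significant byte is 0, then Vendor-Type, Vendor-Length and value sub-attributes), encoded and parsed in Python as an added example. It is not H3C's code: only the Vendor-ID 2011 comes from the manual; the vendor-type numbers and values used are constructed, and the parser's length checks are the kind a client should apply to attributes received from a server.

```python
"""Encoding and parsing of the RADIUS Vendor-Specific attribute (type 26):
Type, Length, 4-byte Vendor-ID (high byte 0), then one or more
Vendor-Type / Vendor-Length / value sub-attributes.

Added example, not H3C's implementation; sub-attribute numbers are constructed."""

import struct

VENDOR_SPECIFIC = 26
H3C_VENDOR_ID = 2011          # from the manual


def encode_vsa(vendor_id, sub_attributes):
    """Build one Vendor-Specific attribute carrying (vendor_type, value) pairs."""
    if not 0 <= vendor_id <= 0x00FFFFFF:
        raise ValueError("Vendor-ID must fit in 3 bytes (most significant byte is 0)")
    body = struct.pack("!I", vendor_id)
    for vendor_type, value in sub_attributes:
        if not 0 <= vendor_type <= 255 or len(value) > 253:
            raise ValueError("bad sub-attribute")
        body += struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a one-byte Length")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr):
    """Parse one Vendor-Specific attribute into (vendor_id, [(vendor_type, value), ...]).
    Every length field is checked against the bytes actually present, so a
    truncated or overlong sub-attribute raises ValueError instead of reading
    past the buffer or looping forever on a zero length."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr):
        raise ValueError("attribute Length does not match data")
    if attr[2] != 0:
        raise ValueError("Vendor-ID high byte must be 0")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, off = [], 6
    while off < length:
        if length - off < 2:
            raise ValueError("truncated sub-attribute header")
        vendor_type, vendor_len = attr[off], attr[off + 1]
        if vendor_len < 2 or off + vendor_len > length:
            raise ValueError("sub-attribute length out of range")
        subs.append((vendor_type, attr[off + 2:off + vendor_len]))
        off += vendor_len
    return vendor_id, subs


def is_well_formed_vsa(attr):
    """True if decode_vsa accepts the bytes (handy when filtering server replies)."""
    try:
        decode_vsa(attr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: vendor-type 1 with a text value, vendor-type 2 with a 4-byte value.
    vsa = encode_vsa(H3C_VENDOR_ID, [(1, b"sample"), (2, b"\x00\x00\x00\x05")])
    print(vsa.hex())
    print(decode_vsa(vsa))
```

The encoded attribute begins with the bytes 1a 14 00 00 07 db: type 26, total length 20, and 2011 (0x07DB) in the Vendor-ID field with its high byte clear, as the manual requires.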
Differences Between HWTACACS and RADIUS HWTACACS and RADIUS have many common features, like implementing AAA, using a client/server model, using shared keys for user information security and having good flexibility and extensibility. Meanwhile, they also have differences, as listed in Table 1-3.
Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user (participants: Host, HWTACACS client, HWTACACS server)
1) The user logs in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user inputs the username
6) Authentication continuance packet with the username
7) Authentication response requesting the login...
11) The HWTACACS server sends back an authentication response indicating that the user has passed authentication. 12) The HWTACACS client sends the user authorization request packet to the HWTACACS server. 13) The HWTACACS server sends back the authorization response, indicating that the user is authorized now.
For login users, it is necessary to configure the authentication mode for logging into the user interface as scheme. For detailed information, refer to Login Configuration of the System Volume.
AAA Configuration Task List
Task                                   Remarks
Creating an ISP Domain                 Required
Configuring ISP Domain Attributes      Optional...
HWTACACS Configuration Task List
Task                                                                    Remarks
Creating a HWTACACS scheme                                              Required
Specifying the HWTACACS Authentication Servers                          Required
Specifying the HWTACACS Authorization Servers                           Optional
Specifying the HWTACACS Accounting Servers                              Optional
Setting the Shared Key for HWTACACS Packets                             Required
Configuring Attributes Related to the Data Sent to HWTACACS Server      Optional
Setting Timers Regarding HWTACACS Servers                               Optional...
Follow these steps to create an ISP domain:
To do…                                             Use the command…                Remarks
Enter system view                                  system-view                     —
Create an ISP domain and enter ISP domain view     domain isp-name                 Required
Return to system view                              quit                            —
Specify the default ISP domain                     domain default enable ...       Optional. By default, the system has a default ISP domain named...
A self-service RADIUS server, for example, iMC, is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server. Configuring AAA Authentication Methods for an ISP Domain In AAA, authentication, authorization, and accounting are separate processes.
- Specify the authentication method for LAN users
  Command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
  Remarks: Optional. The default authentication method is used by default.
- Specify the authentication method for login users
  Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ...
  Remarks: Optional. The default authentication method...
of these types is called an EXEC user). The default right for FTP users is to use the root directory of the device.

Before configuring authorization methods, complete these three tasks:
- For HWTACACS authorization, configure the HWTACACS scheme to be referenced first.
- For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme;...
The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme.
Follow these steps to configure AAA accounting methods for an ISP domain:
- Enter system view
  Command: system-view
- Create an ISP domain and enter ISP domain view
  Command: domain isp-name
  Remarks: Required
- Enable the accounting optional feature
  Command: accounting optional
  Remarks: Optional. Disabled by default.
...
A local user represents a set of user attributes configured on a device and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry for it in the local user database of the device as follows: create a local user and configure attributes in local user view.
- Place the local user in the active or blocked state
  Command: state { active | block }
  Remarks: Optional. When created, a local user is in the active state by default, and the user can request network services.
user interface. For details regarding authentication method and commands accessible to user interface, refer to Login Configuration in the System Volume. Binding attributes are checked upon authentication of a local user. If the checking fails, the user fails the authentication. Therefore, be cautious when deciding which binding attributes should be configured for a local user.
Displaying and Maintaining AAA
- Display the configuration information of a specified ISP domain or all ISP domains
  Command: display domain [ isp-name ]
  Remarks: Available in any view
- Display information about...
  Command: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface ...
- Enter system view
  Command: system-view
- Create a RADIUS scheme and enter RADIUS scheme view
  Command: radius scheme radius-scheme-name
  Remarks: Required. Not defined by default.
A RADIUS scheme can be referenced by more than one ISP domain at the same time.

Specifying the RADIUS Authentication/Authorization Servers
Follow these steps to specify the RADIUS authentication/authorization servers:
...

- Specify the primary RADIUS accounting server
  Command: primary accounting ip-address [ port-number ]
  Remarks: Required. Configure at least one of the two commands. No accounting server by default.
- Specify the secondary RADIUS accounting server
  Command: secondary accounting ip-address [ port-number ]
  Remarks: Required. Configure at least one of the two commands. No accounting server by default.
- Enable the device to buffer stop-accounting requests...
  Command: stop-accounting-buffer...
  Remarks: Optional

- Create a RADIUS scheme and enter RADIUS scheme view
  Command: radius scheme radius-scheme-name
  Remarks: Required. Not defined by default.
- Set the shared key for RADIUS authentication/authorization or accounting packets
  Command: key { accounting | authentication } string
  Remarks: Required. No key by default.
The shared key configured on the device must be the same as that configured on the RADIUS server.

- Specify the RADIUS server type supported by the device
  Command: server-type { extended | standard }
  Remarks: Optional. By default, the supported RADIUS server type is standard.
If you change the RADIUS server type, the unit of the data flows destined for the original RADIUS server is restored to the default.

- Set the status of the primary RADIUS authentication/authorization server
  Command: state primary authentication { active | block }
  Remarks: Optional. active for every server configured with an IP address in...
- Set the status of the primary RADIUS accounting server
  Command: state primary accounting { active | block }
  Remarks: Optional
- Set the status of the secondary...
Some earlier RADIUS servers cannot recognize usernames that carry an ISP domain name. In this case, the device must strip the domain name before sending a username that includes one. You can configure the user-name-format without-domain command on the device for this purpose.
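How the device picks an ISP domain from a login name, and what user-name-format with-domain or without-domain then sends to the server, is easier to see as code. The following Python is an added example, not H3C code and not from this manual. The default domain name "system", the domain table, and the rule that a login with more than one "@" is rejected are all assumptions for illustration; the manual page only shows that a default domain exists and that the part after "@" names the domain (as in userid@bbb later on this page).

```python
# Assumed default ISP domain name: the page says a default domain exists but
# its name is cut off in this extract, so "system" is a placeholder.
DEFAULT_DOMAIN = "system"

# Constructed ISP domain table, domain name -> login authentication method,
# mirroring the "authentication login ..." settings in the page's examples.
DOMAINS = {
    "system": "local",
    "bbb": "radius-scheme rad",
}


def split_login_name(login: str, default_domain: str = DEFAULT_DOMAIN):
    """Return (userid, domain) for a login name.

    The part after '@' selects the ISP domain; a name without '@' falls into
    the default domain.  Names with more than one '@' or with an empty
    userid or domain are rejected here; that is a conservative choice of this
    example, the page does not say how the device treats them.
    """
    if login.count("@") > 1:
        raise ValueError("login name has more than one '@'")
    userid, sep, domain = login.partition("@")
    if not userid or (sep and not domain):
        raise ValueError("empty userid or domain")
    return userid, (domain if sep else default_domain)


def server_username(login: str, user_name_format: str,
                    default_domain: str = DEFAULT_DOMAIN) -> str:
    """Username as sent to the RADIUS/HWTACACS server.

    without-domain: bare userid (for servers that cannot parse userid@domain).
    with-domain: userid@domain; when the user typed no domain this example
    ASSUMES the device appends the default domain.
    """
    userid, domain = split_login_name(login, default_domain)
    if user_name_format == "without-domain":
        return userid
    if user_name_format == "with-domain":
        return f"{userid}@{domain}"
    raise ValueError(f"unknown user-name-format {user_name_format!r}")


def resolve_login(login: str, user_name_format: str, domains=DOMAINS,
                  default_domain: str = DEFAULT_DOMAIN) -> dict:
    """Pick the ISP domain, its login authentication method, and the username
    the server will see.  An unconfigured domain is a hard failure: the user
    must not silently fall into another domain's authentication method."""
    userid, domain = split_login_name(login, default_domain)
    if domain not in domains:
        raise LookupError(f"ISP domain {domain!r} is not configured")
    return {
        "userid": userid,
        "domain": domain,
        "method": domains[domain],
        "server_user": server_username(login, user_name_format, default_domain),
    }


if __name__ == "__main__":
    print(resolve_login("hello@bbb", "without-domain"))
    print(resolve_login("hello", "with-domain"))
```

One practical consequence of without-domain: two users "alice@bbb" and "alice@ccc" both reach the server as "alice", so the server can no longer tell the domains apart; keep that in mind before enabling it for a scheme shared by several domains.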
- Set the real-time accounting timer
  Command: timer realtime-accounting minutes
  Remarks: Optional. 12 minutes by default.
The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75, and the upper limit of this product is determined by the upper limit of the timeout time of the different access modules.

You can specify up to eight security policy servers for a RADIUS scheme.

Enabling the Listening Port of the RADIUS Client
Follow these steps to enable the listening port of the RADIUS client:
- Enter system view
  Command: system-view
...

Creating a HWTACACS scheme
The HWTACACS protocol is configured on a per-scheme basis. Before performing other HWTACACS configurations, follow these steps to create a HWTACACS scheme and enter HWTACACS scheme view:
- Enter system view
  Command: system-view
...

Specifying the HWTACACS Authorization Servers
Follow these steps to specify the HWTACACS authorization servers:
- Enter system view
  Command: system-view
- Create a HWTACACS scheme and enter HWTACACS scheme view
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: Required. Not defined by default.
- Specify the primary...
It is recommended to specify only the primary HWTACACS accounting server if backup is not required. If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
- Specify the unit for data flows or packets to be sent to a HWTACACS server
  Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | ...
  Remarks: Optional. The defaults are as follows: byte for data flows, and ...

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. Note that if the device receives no response to this information, it does not forcibly disconnect the online users. The real-time accounting interval must be a multiple of 3.
Figure 1-7 Configure AAA for Telnet users by a HWTACACS server (Telnet user, Internet, Switch, Authentication/Accounting server 10.1.1.1/24)

Configuration procedure
# Configure the IP addresses of the interfaces (omitted).
# Enable the Telnet server on the switch.
<Switch> system-view
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
AAA for Telnet Users by Separate Servers Network requirements As shown in Figure 1-8, configure the switch to provide local authentication, HWTACACS authorization, and RADIUS accounting services to Telnet users. The user name and the password for Telnet users are both hello.
[Switch-radius-rd] primary accounting 10.1.1.1 1813
[Switch-radius-rd] key accounting expert
[Switch-radius-rd] server-type extended
[Switch-radius-rd] user-name-format without-domain
[Switch-radius-rd] quit
# Create a local user named hello.
[Switch] local-user hello
[Switch-luser-hello] service-type telnet
[Switch-luser-hello] password simple hello
[Switch-luser-hello] quit
# Configure the AAA methods for the ISP domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac...

- Specify the ports for authentication and accounting as 1812 and 1813 respectively.
- Select Device Management Service as the service type.
- Select H3C as the access device type.
- Select the access device from the device list or manually add the device with the IP address of 10.1.1.2...
Figure 1-11 Add an account for device management

Configure the switch
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch accesses the server.

[Switch-radius-rad] user-name-format with-domain
[Switch-radius-rad] quit
# Configure the AAA methods for the domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad
[Switch-isp-bbb] authorization login radius-scheme rad
[Switch-isp-bbb] accounting login radius-scheme rad
[Switch-isp-bbb] quit
When logging in through SSH, a user enters a username in the form userid@bbb so that domain bbb is used for authentication.

- The communication links between the NAS and the RADIUS server work well at both the physical and link layers.
- The IP address of the RADIUS server is correctly configured on the NAS.
- The UDP ports for authentication/authorization/accounting configured on the NAS are the same as those configured on the RADIUS server.
Table of Contents
1 802.1X Configuration (1-1)
  802.1X Overview (1-1)
    Architecture of 802.1X (1-2)
    Authentication Modes of 802.1X (1-2)
    Basic Concepts of 802.1X (1-2)
    EAP over LANs (1-3)
    EAP over RADIUS (1-5)
    802.1X Authentication Triggering (1-5)
    Authentication Process of 802.1X (1-6)
    802.1X Timers (1-8)
    Extensions to 802.1X (1-9)
    Features Working Together with 802.1X (1-9)
  Configuring 802.1X (1-11)
...

802.1X Configuration

Support for the online user handshake security function is added in Release 2202P19 of the S5120-EI series Ethernet switches. For details, refer to Online User Handshake Function.

When configuring 802.1X, go to these sections for information you are interested in:
- 802.1X Overview
...
- Authentication Process of 802.1X
- 802.1X Timers
- Features Working Together with 802.1X

Architecture of 802.1X
802.1X operates in the typical client/server model and defines three entities: client, device, and server, as shown in Figure 1-1.
Figure 1-1 Architecture of 802.1X
Client: An entity to be authenticated by the device residing on the same LAN. A client is usually a user-end device and initiates 802.1X authentication through 802.1X client software supporting the EAP over LANs (EAPOL) protocol.
The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them. Authorized state and unauthorized state The device uses the authentication server to authenticate a client trying to access the LAN and controls the status of the controlled port depending on the authentication result, putting the controlled port in the authorized state or unauthorized state, as shown in Figure...
Figure 1-3 EAPOL frame format
- PAE Ethernet type: Protocol type. It takes the value 0x888E.
- Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.
- Type: Type of the EAPOL frame. Table 1-1 lists the types that the device currently supports.
Table 1-1 Types of EAPOL frames
Type | Description
...
To solve the problem, the device also supports EAPOL-Start frames whose destination address is a broadcast MAC address. In this case, the H3C iNode 802.1X client is required. Unsolicited triggering of the device The device can trigger authentication by sending EAP-Request/Identity packets to unauthenticated clients periodically (every 30 seconds by default).
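The EAPOL frame layout of Figure 1-3 and the two trigger frames just described (a multicast EAP-Request/Identity from the device, an EAPOL-Start from the client sent to the broadcast address) can be exercised with the following Python, which is an added example, not H3C code and not from this manual. The EAPOL type values and the PAE group address 01-80-C2-00-00-03 come from IEEE 802.1X and the EAP header from RFC 3748, since Table 1-1 is truncated on this page; the MAC addresses and the identity "hello" are constructed.

```python
import struct

ETH_P_EAPOL = 0x888E                                # PAE Ethernet type (Figure 1-3)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # IEEE 802.1X PAE group address
BROADCAST_ADDR = bytes.fromhex("ffffffffffff")

# EAPOL packet types from IEEE 802.1X; the page's Table 1-1 is cut off, so
# this list is taken from the standard rather than from the manual.
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAPOL_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# EAP codes and the Identity type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"",
                version: int = 1) -> bytes:
    """Ethernet frame: dst(6) src(6) 0x888E, then EAPOL version(1) type(1) length(2) body."""
    return (dst + src + struct.pack("!H", ETH_P_EAPOL)
            + struct.pack("!BBH", version, eapol_type, len(body)) + body)


def parse_eap(body: bytes) -> dict:
    """Parse the EAP header; Request/Response must carry a Type octet."""
    if len(body) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    out = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without Type")
        out["eap_type"] = body[4]
        out["data"] = body[5:length]
    return out


def parse_eapol(frame: bytes) -> dict:
    """Parse and validate an EAPOL frame; raises ValueError on anything malformed,
    including a length field that claims more bytes than the frame carries."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type not in EAPOL_NAMES:
        raise ValueError(f"unsupported EAPOL type {eapol_type}")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length exceeds frame")
    out = {"dst": dst, "src": src, "version": version,
           "type": EAPOL_NAMES[eapol_type], "body": body}
    if eapol_type == EAPOL_EAP_PACKET:
        out["eap"] = parse_eap(body)
    return out


if __name__ == "__main__":
    device = bytes.fromhex("000fe2000001")   # constructed device MAC
    host = bytes.fromhex("00e0fc123456")     # constructed client MAC
    # Device-side trigger: EAP-Request/Identity to the PAE group address.
    trigger = build_eapol(PAE_GROUP_ADDR, device, EAPOL_EAP_PACKET,
                          build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    # Client-side trigger: EAPOL-Start to the broadcast address.
    start = build_eapol(BROADCAST_ADDR, host, EAPOL_START)
    print(parse_eapol(trigger)["eap"], parse_eapol(start)["type"])
```

The length checks matter in practice: an authenticator that trusts the EAPOL or EAP length field without comparing it to the received frame is exactly the kind of code that reads past the end of a buffer on a crafted frame.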
Authentication Process of 802.1X An 802.1X device communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description takes the EAP relay as an example to show the 802.1X authentication process. EAP relay EAP relay is an IEEE 802.1X standard mode.
Upon receiving the EAP-Response/Identity packet, the device relays it to the authentication server in a RADIUS Access-Request packet. On receiving the Access-Request, the RADIUS server compares the identity information against its user information table to obtain the corresponding password information. It then generates a random challenge for protecting the password information, and sends the challenge to the device in a RADIUS Access-Challenge packet.
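The Access-Request and Access-Challenge exchange above, and the shared key from "Set the shared key for RADIUS ... packets" earlier on the page, are shown concretely in the following Python. It is an added example, not H3C code and not from this manual: it builds the Access-Request carrying the relayed EAP-Response/Identity with a Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 3579), builds the server's Access-Challenge with its Response Authenticator (RFC 2865), verifies both on the receiving side, and computes the EAP-MD5 response the client derives from the challenge (RFC 3748). The secret "expert", the identifiers, the request authenticator and the challenge bytes are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 24, 79, 80


def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1) Value, value at most 253 octets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long; EAP-Message must be fragmented")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def message_authenticator(code, ident, auth, attrs, secret) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    (RFC 3579 section 3.2).  For responses, auth is the Request Authenticator."""
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    hdr = struct.pack("!BBH", code, ident, 20 + len(zeroed)) + auth
    return hmac.new(secret, hdr + zeroed, hashlib.md5).digest()


def build_access_request(ident, req_auth, secret, attrs) -> bytes:
    """NAS side: the relayed EAP-Message plus a Message-Authenticator."""
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, ident, req_auth, secret, attrs) -> bytes:
    """Server side: Message-Authenticator first, then Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(hdr + req_auth + body + secret).digest()
    return hdr + resp_auth + body


def verify_message_authenticator(packet, req_auth, secret) -> bool:
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = parse_attrs(packet[20:])
    found = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False                        # EAP over RADIUS requires exactly one
    return hmac.compare_digest(found[0], message_authenticator(code, ident, req_auth, attrs, secret))


def verify_access_request(packet, secret) -> bool:
    """Server side: the Request Authenticator travels in the packet itself."""
    return verify_message_authenticator(packet, packet[4:20], secret)


def verify_response(packet, req_auth, secret) -> bool:
    """NAS side: both the Response Authenticator and the Message-Authenticator must match."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False
    return verify_message_authenticator(packet, req_auth, secret)


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5-Challenge response the client computes (RFC 3748 section 5.4):
    MD5(Identifier + password + challenge).  The password itself never crosses the wire."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()
```

Two things to notice when reading the checks: a wrong shared key on either side makes both verifications fail, which is the usual cause of an "Access-Request rejected" symptom, and the Message-Authenticator is what stops an attacker who can spoof the server's IP from forging an Access-Accept, since the Response Authenticator alone does not cover the attributes with a key the attacker lacks only when the Message-Authenticator is present and checked.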
Handshake timer (handshake-period): After a client passes authentication, the device sends to the client handshake requests at this interval to check whether the client is online. If the device receives no response after sending the allowed maximum number of handshake requests, it considers that the client is offline.
The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port. For details about VLAN configuration, refer to VLAN Configuration in the Access Volume.
The online user handshake security function helps prevent online users from using illegal client software to exchange handshake messages with the device. Using illegal client software for handshake message exchange may result in escape from some security inspection functions, such as proxy detection and dual network interface card (NIC) detection.
...specified or all ports
- Set the maximum number of users for specified or all ports
  Command: dot1x max-user user-number [ interface interface-list ]
  Remarks: Optional. 256 by default.
- Set the maximum number of attempts to send an authentication request to a client
  Command: dot1x retry max-retry-value
  Remarks: Optional. 2 by default.
...

- Enable 802.1X for one or more Ethernet ports
  In system view: dot1x interface interface-list
  In Ethernet interface view: interface interface-type interface-number, then dot1x
  Remarks: Required. Use either approach. Disabled by default.

Configuring 802.1X parameters for a port
Follow these steps to configure 802.1X parameters for a port:
...
Once enabled with the 802.1X multicast trigger function, a port sends multicast trigger messages to the client periodically to initiate authentication. For a user-side device sending untagged traffic, the voice VLAN function and 802.1X are mutually exclusive and cannot be configured together on the same port. For details about voice VLAN, refer to VLAN Configuration in the Access Volume.
- Clear 802.1X statistics
  Command: reset dot1x statistics [ interface interface-list ]
  Remarks: Available in user view

802.1X Configuration Example
Network requirements
The access control method of macbased is required on the port GigabitEthernet 1/0/1 to control clients.

The following configuration procedure covers most AAA/RADIUS configuration commands for the device; configuration of the 802.1X client and the RADIUS server is omitted. For information about AAA/RADIUS configuration commands, refer to AAA Configuration in the Security Volume.
# Configure the IP addresses for each interface. (Omitted)
# Add local access user localuser, enable the idle cut function, and set the idle cut interval.

[Device-isp-aabbcc.net] quit
# Configure aabbcc.net as the default domain.
[Device] domain default enable aabbcc.net
# Enable 802.1X globally.
[Device] dot1x
# Enable 802.1X for port GigabitEthernet 1/0/1.
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Set the port access control method. (Optional. The default settings meet the requirement.)
[Device] dot1x port-method macbased interface GigabitEthernet 1/0/1

Guest VLAN and VLAN Assignment Configuration Example
Network requirements...
Figure 1-11 Network diagram with the port in the guest VLAN
Figure 1-12 Network diagram when the client passes authentication

Configuration procedure
The following configuration procedure uses many AAA/RADIUS commands. For detailed configuration of these commands, refer to AAA Configuration in the Security Volume. Configurations on the 802.1X client and RADIUS server are omitted.

802.1X-based EAD Fast Deployment Configuration
When configuring EAD fast deployment, go to these sections for information you are interested in:
- EAD Fast Deployment Overview
- Configuring EAD Fast Deployment
- Displaying and Maintaining EAD Fast Deployment
- EAD Fast Deployment Configuration Example
- Troubleshooting EAD Fast Deployment

EAD Fast Deployment Overview
Overview
Endpoint Admission Defense (EAD) is an integrated endpoint access control solution.

Configuring EAD Fast Deployment
Currently, MAC authentication and port security cannot work together with EAD fast deployment. Once MAC authentication or port security is enabled globally, EAD fast deployment is disabled automatically.

Configuration Prerequisites
- Enable 802.1X globally.
- Enable 802.1X on the specified port, and set the access control mode to auto.

Configuration Procedure
Configuring a freely accessible network segment
A freely accessible network segment, also called a free IP, is a network segment that users can access...

Configuring the IE redirect URL
Follow these steps to configure the IE redirect URL:
- Enter system view
  Command: system-view
- Configure the IE redirect URL
  Command: dot1x url url-string
  Remarks: Required. No redirect URL is configured by default.
The redirect URL and the freely accessible network segment must belong to the same network segment.
After successful 802.1X authentication, the host can access the outside network.

Figure 2-1 Network diagram for EAD fast deployment (Host 192.168.1.10/24; Device, GE1/0/1, 192.168.1.1/24; free IP segment 192.168.2.0/24 with the WEB server at 192.168.2.3/24; Internet)

Configuration procedure
Configure the WEB server
Before using the EAD fast deployment function, you need to configure the WEB server to provide the download service of the 802.1X client software.

Troubleshooting EAD Fast Deployment
Users Cannot be Redirected Correctly
Symptom
When a user enters an external website address in the IE browser, the user is not redirected to the specified URL.
Analysis
The address is in string format. In this case, the operating system of the host regards the string as a website name and tries to have it resolved.
Table of Contents
1 HABP Configuration (1-1)
  Introduction to HABP (1-1)
  Configuring HABP (1-2)
    Configuring the HABP Server (1-2)
    Configuring an HABP Client (1-2)
  Displaying and Maintaining HABP (1-3)
  HABP Configuration Example (1-3)
...

HABP Configuration
When configuring HABP, go to these sections for the information you are interested in:
- Introduction to HABP
- Configuring HABP
- Displaying and Maintaining HABP
- HABP Configuration Example

Introduction to HABP
The HW Authentication Bypass Protocol (HABP) is used to enable the downstream network devices of an 802.1X or MAC authentication enabled access device to bypass 802.1X authentication and MAC authentication.
server learns the MAC addresses of all the clients, it registers the MAC addresses as HABP entries. Then, link layer frames exchanged between the clients can bypass the 802.1X authentication on ports of the server without affecting the normal operation of the whole network. All HABP packets must travel in a specified VLAN.
As HABP is enabled and works in client mode by default, this configuration task is optional. Follow these steps to configure an HABP client:
- Enter system view
  Command: system-view
- Enable HABP
  Command: habp enable
  Remarks: Optional. Enabled by default.
- Configure HABP to work in client...
  Remarks: Optional
...

Figure 1-2 Network diagram for HABP configuration

Configuration procedure
Configure Switch A
# Perform 802.1X related configurations on Switch A. For detailed configurations, refer to 802.1X Configuration in the Security Volume.
# Enable HABP.
<SwitchA> system-view
[SwitchA] habp enable
# Configure HABP to work in server mode, allowing HABP packets to be transmitted in the management VLAN.
Table of Contents
1 MAC Authentication Configuration (1-1)
  MAC Authentication Overview (1-1)
    RADIUS-Based MAC Authentication (1-1)
    Local MAC Authentication (1-1)
  Related Concepts (1-2)
    MAC Authentication Timers (1-2)
    Quiet MAC Address (1-2)
    VLAN Assigning (1-2)
    Guest VLAN of MAC Authentication (1-2)
    ACL Assigning (1-3)
  Configuring MAC Authentication (1-3)
    Configuration Prerequisites (1-3)
    Configuration Procedure (1-3)
  Configuring a Guest VLAN (1-4)
    Configuration Prerequisites (1-4)
...

MAC Authentication Configuration
When configuring MAC authentication, go to these sections for information you are interested in:
- MAC Authentication Overview
- Related Concepts
- Configuring MAC Authentication
- Displaying and Maintaining MAC Authentication
- MAC Authentication Configuration Examples

MAC Authentication Overview
MAC authentication provides a way of authenticating users based on ports and MAC addresses. Once it detects a new MAC address, the device initiates the authentication process.
Related Concepts MAC Authentication Timers The following timers function in the process of MAC authentication: Offline detect timer: At this interval, the device checks to see whether there is traffic from a user. Once detecting that there is no traffic from a user within this interval, the device logs the user out and sends to the RADIUS server a stop accounting request.
ACL Assigning ACLs assigned by an authorization server are referred to as authorization ACLs, which are designed to control access to network resources. If the RADIUS server is configured with authorization ACLs, the device will permit or deny data flows traversing through the port through which a user accesses the device according to the authorization ACLs.
- Set the server timeout timer
  Command: mac-authentication timer server-timeout server-timeout-value
  Remarks: Optional. 100 seconds by default.
- Configure the username and password for MAC authentication
  Command: mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } ...
  Remarks: Optional. By default, the user's source MAC address serves as the username...
Different ports can be configured with different guest VLANs, but a port can be configured with only one guest VLAN. If you configure both the 802.1X authentication MGV and the MAC authentication MGV on a port, only the 802.1X authentication MGV will take effect. For description on 802.1X authentication MGV, refer to 802.1X Configuration in the Security Volume.
Configuration procedure
Configure MAC authentication on the device
# Add a local user, setting the username and password to 00-e0-fc-12-34-56, the MAC address of the user.
<Device> system-view
[Device] local-user 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
[Device-luser-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-00-e0-fc-12-34-56] quit
# Configure ISP domain aabbcc.net, and specify that the users in the domain use local authentication.

RADIUS-Based MAC Authentication Configuration Example
Network requirements
As illustrated in Figure 1-2, a host is connected to the device through port GigabitEthernet 1/0/1. The device authenticates and authorizes the host and performs accounting for it through the RADIUS server. MAC authentication is required on every port to control user access to the Internet. Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.

# Enable MAC authentication for port GigabitEthernet 1/0/1.
[Device] mac-authentication interface GigabitEthernet 1/0/1
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain 2000
# Set the MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Specify to use the username aaa and password 123456 for MAC authentication of all users.
Figure 1-3 Network diagram for ACL assignment Configuration procedure Make sure that there is a route available between the RADIUS server and the switch. In this example, the switch uses the default username type (user MAC address) for MAC authentication. Therefore, you need to add the username and password of each user on the RADIUS server correctly.
[Sysname] mac-authentication user-name-format mac-address
# Enable MAC authentication for port GigabitEthernet 1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication
After completing the above configurations, you can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions.
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Table of Contents
1 Port Security Configuration (1-1)
  Introduction to Port Security (1-1)
    Port Security Overview (1-1)
    Port Security Features (1-1)
    Port Security Modes (1-2)
    Support for Guest VLAN (1-5)
  Port Security Configuration Task List (1-5)
  Enabling Port Security (1-5)
    Configuration Prerequisites (1-5)
    Configuration Procedure (1-5)
  Setting the Maximum Number of Secure MAC Addresses (1-6)
  Setting the Port Security Mode (1-7)
    Configuration Prerequisites (1-7)
    Configuring Procedure (1-7)
...

Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
- Introduction to Port Security
- Port Security Configuration Task List
- Displaying and Maintaining Port Security
- Port Security Configuration Examples
- Troubleshooting Port Security

Introduction to Port Security
Port Security Overview
Port security is a MAC address-based security mechanism for network access control.
Intrusion protection The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action accordingly upon detecting illegal frames. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the MAC address for three minutes (unmodifiable).
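The interplay between the secure-MAC limit and the three intrusion protection actions is easiest to follow as a small state machine. The following Python is an added example, not H3C code and not from this manual: it models a port that learns source MACs up to a limit, treats any further unknown source as an intrusion, and applies one of the three actions the page lists (temporary disable, permanent disable, or blocking the MAC for three minutes). The action names follow the Comware intrusion-mode keywords and the temporary-disable duration is a constructed parameter; both are assumptions, since the page shows neither.

```python
BLOCK_MAC_SECONDS = 180          # "three minutes (unmodifiable)" per the page
PERMANENT = float("inf")         # a permanently disabled port stays down until an admin acts

# Action names are ASSUMED to follow the Comware intrusion-mode keywords;
# the manual page only describes the three behaviours.
ACTIONS = ("blockmac", "disableport", "disableport-temporarily")


class SecurePort:
    """Toy model of a port-security port with intrusion protection."""

    def __init__(self, max_secure: int, action: str, disable_seconds: int = 30):
        if action not in ACTIONS:
            raise ValueError(f"unknown intrusion action {action!r}")
        self.max_secure = max_secure
        self.action = action
        self.disable_seconds = disable_seconds      # constructed; the real timer is configurable
        self.secure = set()          # learned secure MAC addresses
        self.blocked = {}            # MAC -> time until which its frames are dropped
        self.disabled_until = None   # None = port up; PERMANENT = shut down
        self.log = []                # (time, MAC, action) for each intrusion

    def receive(self, src_mac: str, now: float) -> str:
        """Decide what happens to one inbound frame at time `now` (seconds)."""
        src_mac = src_mac.lower()
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "dropped: port disabled"
            self.disabled_until = None              # temporary disable has expired
        until = self.blocked.get(src_mac)
        if until is not None:
            if now < until:
                return "dropped: MAC blocked"
            del self.blocked[src_mac]               # block expired; evaluate the frame afresh
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.max_secure:
            self.secure.add(src_mac)                # dynamic secure MAC learning
            return "forwarded (learned)"
        return self._intrusion(src_mac, now)

    def _intrusion(self, src_mac: str, now: float) -> str:
        self.log.append((now, src_mac, self.action))
        if self.action == "blockmac":
            self.blocked[src_mac] = now + BLOCK_MAC_SECONDS
        elif self.action == "disableport":
            self.disabled_until = PERMANENT
        else:
            self.disabled_until = now + self.disable_seconds
        return f"dropped: intrusion ({self.action})"


if __name__ == "__main__":
    # Constructed scenario: two secure MACs allowed, a third one keeps knocking.
    port = SecurePort(max_secure=2, action="blockmac")
    for t, mac in [(0, "00-e0-fc-00-00-01"), (1, "00-e0-fc-00-00-02"),
                   (2, "00-e0-fc-00-00-03"), (100, "00-e0-fc-00-00-03"),
                   (182, "00-e0-fc-00-00-03")]:
        print(t, mac, port.receive(mac, t))
```

Note the difference in blast radius: blockmac only affects the offending address, while either disableport action also cuts off the legitimate secure MACs already learned on the port, which is the trade-off to weigh before choosing it on a shared segment.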
On the port, if you want to… / Use the security mode… / Feature that can be triggered
These security mode naming rules may help you remember the modes: userLogin specifies 802.1X authentication and port-based access control. macAddress specifies MAC address authentication. Else specifies that the authentication method before Else is applied first.
wireless users, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication.
Perform MAC authentication: macAddressWithRadius. A port in this mode performs MAC authentication for users and services multiple users.
Perform a combination of MAC authentication and 802.1X authentication: macAddressOrUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes.
userLogin specifies port-based 802.1X authentication. macAddress specifies MAC address authentication. Else specifies that the authentication method before Else is applied first. If the authentication fails, the protocol type of the authentication request determines whether to turn to the authentication method following the Else. In a security mode with Or, the protocol type of the authentication request determines which authentication method is to be used.
To do…: Enable port security
Use the command…: port-security enable
Remarks: Required. Disabled by default.
Note that: Enabling port security resets the following configurations on a port to the bracketed defaults. After that, the values of these configurations cannot be changed manually; the system adjusts them automatically based on the port security mode:
802.1X (disabled), port access control method (macbased), and port access control mode (auto)
MAC authentication (disabled)
Setting the Port Security Mode
Configuration Prerequisites
Before setting the port security mode, ensure that:
802.1X is disabled, the port access control method is macbased, and the port access control mode is auto.
MAC authentication is disabled.
The port does not belong to any aggregation group.
All of the above requirements must be met.
You cannot change the maximum number of secure MAC addresses allowed on a port that operates in autoLearn mode. OUI, defined by IEEE, is the first 24 bits of the MAC address and uniquely identifies a device vendor. You can configure multiple OUI values. However, a port in userLoginWithOUI mode allows only one 802.1X user and one user whose MAC address contains a specified OUI.
Configuring Intrusion Protection The intrusion protection enables a device to perform either of the following security policies when it detects illegal frames: blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards frames with blocked source MAC addresses. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed.
Configuring Secure MAC Addresses
Secure MAC addresses are special MAC addresses. They never age out, and they are not lost across a device restart if they were saved beforehand. One secure MAC address can be added to only one port in the same VLAN. Thus, you can bind a MAC address to one port in the same VLAN.
To do… / Use the command… / Remarks
… interface-number

To do…: Ignore the authorization information from the RADIUS server
Use the command…: port-security authorization ignore
Remarks: Required. By default, a port uses the authorization information from the RADIUS server.
Displaying and Maintaining Port Security
To do… / Use the command… / Remarks
Display port security configuration information, operation information,...
[Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
[Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Switch-GigabitEthernet1/0/1] quit
[Switch] port-security timer disableport 30
Verify the configuration
After completing the above configurations, you can use the following command to view the port security configuration information:...
MAC Addr: 0.2.0.0.0.21 VLAN ID: 1 IfAdminStatus: 1
In addition, you will see that the port security feature has disabled the port if you issue the following command:
[Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state: Port Security Disabled
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet1/0/1 Interface ..
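The autoLearn example above (a 64-address limit, disableport-temporarily with a 30-second timer) and the intrusion-protection actions described under Configuring Intrusion Protection can be modelled as a small state machine. The following Python is an added example, not H3C code or switch behaviour copied from the manual: the class and method names (SecurePort, receive, advance), the simulated clock and the sample MAC addresses are assumptions made for illustration. It learns source MACs until the limit is reached, then treats every further unknown source as an illegal frame and applies the configured action: blockmac (a fixed three-minute block, as the text states), disableport-temporarily (the port comes back after the disableport timer), disableport (permanent) or noaction.

```python
# Added example, not from the H3C manual: one port in autoLearn mode with the
# intrusion-protection actions the text describes. Names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BLOCK_SECONDS = 180        # blockmac: a blocked MAC recovers after a fixed three minutes
PERMANENT = float("inf")   # disableport: the port stays down until an operator acts


@dataclass
class SecurePort:
    max_mac_count: int              # port-security max-mac-count
    intrusion_mode: str             # blockmac | disableport-temporarily | disableport | noaction
    disableport_timeout: int = 20   # port-security timer disableport (20 s appears in the manual's output)
    now: int = 0                    # simulated clock, in seconds
    secure_macs: Set[str] = field(default_factory=set)
    blocked_until: Dict[str, float] = field(default_factory=dict)
    disabled_until: Optional[float] = None

    def advance(self, seconds: int) -> None:
        """Move the simulated clock forward; timers are evaluated lazily in receive()."""
        self.now += seconds

    def is_disabled(self) -> bool:
        """True while a disableport action is in effect; clears an expired temporary disable."""
        if self.disabled_until is None:
            return False
        if self.now >= self.disabled_until:
            self.disabled_until = None
            return False
        return True

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame and report what happened to it."""
        src_mac = src_mac.lower()
        if self.is_disabled():
            return "dropped:port-disabled"
        until = self.blocked_until.get(src_mac)
        if until is not None:
            if self.now < until:
                return "dropped:blocked"
            del self.blocked_until[src_mac]       # the three-minute block has expired
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_mac_count:
            self.secure_macs.add(src_mac)          # autoLearn: learn until the limit is reached
            return "learned"
        return self._intrusion(src_mac)

    def _intrusion(self, src_mac: str) -> str:
        """The frame is illegal: apply the configured intrusion-protection action."""
        if self.intrusion_mode == "blockmac":
            self.blocked_until[src_mac] = self.now + BLOCK_SECONDS
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = self.now + self.disableport_timeout
        elif self.intrusion_mode == "disableport":
            self.disabled_until = PERMANENT
        # noaction: the frame is simply discarded
        return "dropped:intrusion"


if __name__ == "__main__":
    # Constructed walk-through of the manual's example: limit 64 is reduced to 2 here
    # so that the third address triggers intrusion protection quickly.
    port = SecurePort(max_mac_count=2, intrusion_mode="disableport-temporarily",
                      disableport_timeout=30)
    for mac in ("0001-0203-0405", "0001-0203-0406", "0001-0203-0405", "0001-0203-0407"):
        print(mac, "->", port.receive(mac))
    print("after intrusion:", port.receive("0001-0203-0405"))
    port.advance(30)
    print("30 s later:", port.receive("0001-0203-0405"))
```

The model makes the operational trade-off visible: disableport-temporarily silences every legitimate host on the port for the timer period, while blockmac only affects the offending source address, which is why the choice of action belongs in the design of the access layer rather than being left at a default.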
Figure 1-2 Network diagram for configuring the userLoginWithOUI mode Configuration procedure The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Configuration in the Security Volume. Configurations on the host and RADIUS servers are omitted. Configure the RADIUS protocol # Configure a RADIUS scheme named radsun.
# Add five OUI values.
[Switch] port-security oui 1234-0100-1111 index 1
[Switch] port-security oui 1234-0200-1111 index 2
[Switch] port-security oui 1234-0300-1111 index 3
[Switch] port-security oui 1234-0400-1111 index 4
[Switch] port-security oui 1234-0500-1111 index 5
[Switch] interface gigabitethernet 1/0/1
# Set the port security mode to userLoginWithOUI.
[Switch-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui
Verify the configuration
After completing the above configurations, you can use the following command to view the...
Index is 5, OUI value is 123405
GigabitEthernet1/0/1 is link-up
Port mode is userLoginWithOUI
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1X users:
<Switch>...
MAC ADDR        VLAN ID  STATE    PORT INDEX            AGING TIME(s)
1234-0300-0011           Learned  GigabitEthernet1/0/1  AGING
1 mac address(es) found
Configuring the macAddressElseUserLoginSecure Mode
Network requirements
The client is connected to the switch through GigabitEthernet 1/0/1. The switch authenticates the client by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 1/0/1 of the switch as follows:
Allow more than one MAC authenticated user to log on.
Verify the configuration
After completing the above configurations, you can use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 1/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction...
The maximal retransmitting times
EAD quick deploy configuration:
EAD timeout:
Total maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Handshake is enabled
Handshake secure is disabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto...
Cannot Configure Secure MAC Addresses
Symptom
Cannot configure secure MAC addresses.
[Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
Error: Security MAC address configuration failed.
Analysis
No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
Table of Contents
1 IP Source Guard Configuration 1-1
  IP Source Guard Overview 1-1
  Configuring a Static Binding Entry 1-2
  Configuring Dynamic Binding Function 1-2
  Displaying and Maintaining IP Source Guard 1-3
  IP Source Guard Configuration Examples 1-3
    Static Binding Entry Configuration Example 1-3
    Dynamic Binding Function Configuration Example 1-4
  Troubleshooting IP Source Guard 1-6
    Failed to Configure Static Binding Entries and Dynamic Binding Function 1-6...
IP Source Guard Configuration When configuring IP Source Guard, go to these sections for information you are interested in: IP Source Guard Overview Configuring a Static Binding Entry Configuring Dynamic Binding Function Displaying and Maintaining IP Source Guard IP Source Guard Configuration Examples Troubleshooting IP Source Guard IP Source Guard Overview By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through...
Configuring a Static Binding Entry
Follow these steps to configure a static binding entry:
To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Enter Ethernet port view
Use the command…: interface interface-type interface-number
Remarks: —

To do…: Configure a static binding entry
Use the command…: user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address }
Remarks: Required. No static binding entry...
To implement dynamic binding in IP source guard, make sure that DHCP snooping or DHCP Relay is configured and works normally. For DHCP configuration information, refer to DHCP Configuration in the System Volume. The dynamic binding function can be configured on Ethernet ports and VLAN interfaces. A port takes only the latest dynamic binding entries configured on it.
Configuration procedure Configure Switch A # Configure the IP addresses of various interfaces (omitted). # Configure port GigabitEthernet 1/0/2 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-05 and the source IP address of 192.168.0.3 to pass. <SwitchA>...
On port GigabitEthernet 1/0/1 of Switch A, enable dynamic binding function to prevent attackers from using forged IP addresses to attack the server. For detailed configuration of a DHCP server, refer to DHCP Configuration in the IP Service Volume. Network diagram Figure 1-2 Network diagram for configuring dynamic binding function Configuration procedure Configure Switch A...
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type  IP Address       MAC Address     Lease   VLAN  Interface
====  ===============  ==============  ======  ====  =================
      192.168.0.1      0001-0203-0406  86335         GigabitEthernet1/0/1
As you see, port GigabitEthernet 1/0/1 has obtained the dynamic entries generated by DHCP snooping after it is configured with dynamic binding function.
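The static binding on GigabitEthernet 1/0/2 (one IP-plus-MAC entry) and the dynamic entry that DHCP snooping produced on GigabitEthernet 1/0/1 both end up in the same kind of per-port binding table, and the filtering decision is the same for both types. The following Python is an added example, not H3C code: the names IpSourceGuard, user_bind and allow, the MAC normalization, and the sample packets are assumptions. It models the three user-bind forms (IP only, IP plus MAC, MAC only) as wildcard bindings, and takes the assumption, stated in the code, that a port with no binding at all has the feature off and forwards everything.

```python
# Added example, not from the H3C manual: a per-port binding table in the style of
# the user-bind forms above and the S/D display output. Names are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def normalize_mac(mac: str) -> str:
    """Accept 00-01-02-03-04-05, 0001-0203-0405 or 00:01:02:03:04:05; return 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    kind: str                   # "S" static (user-bind) or "D" dynamic (from DHCP snooping)
    interface: str
    ip: Optional[str] = None    # None = any IP, as with user-bind mac-address only
    mac: Optional[str] = None   # None = any MAC, as with user-bind ip-address only

    def matches(self, src_ip: str, src_mac: str) -> bool:
        return (self.ip is None or self.ip == src_ip) and (self.mac is None or self.mac == src_mac)


class IpSourceGuard:
    def __init__(self) -> None:
        self.table: Dict[str, List[Binding]] = {}

    def user_bind(self, interface: str, ip: Optional[str] = None,
                  mac: Optional[str] = None, kind: str = "S") -> None:
        """Add a binding to a port; at least one of ip / mac must be given."""
        if ip is None and mac is None:
            raise ValueError("a binding needs an IP address, a MAC address or both")
        norm = normalize_mac(mac) if mac else None
        self.table.setdefault(interface, []).append(Binding(kind, interface, ip, norm))

    def allow(self, interface: str, src_ip: str, src_mac: str) -> bool:
        """Forward the packet only if some binding on the ingress port matches it.
        Assumption for this model: a port without bindings has IP source guard off."""
        entries = self.table.get(interface)
        if not entries:
            return True
        mac = normalize_mac(src_mac)
        return any(b.matches(src_ip, mac) for b in entries)

    def display(self) -> List[str]:
        """Rows in the spirit of the manual's binding-table output (constructed layout)."""
        rows = []
        for interface, entries in sorted(self.table.items()):
            for b in entries:
                rows.append(f"{b.kind} {b.ip or '-':<15} {b.mac or '-':<12} {interface}")
        return rows


if __name__ == "__main__":
    g = IpSourceGuard()
    g.user_bind("GigabitEthernet1/0/2", ip="192.168.0.3", mac="00-01-02-03-04-05")   # static, as in the example
    g.user_bind("GigabitEthernet1/0/1", ip="192.168.0.1", mac="0001-0203-0406", kind="D")  # learned via DHCP snooping
    print("\n".join(g.display()))
    print(g.allow("GigabitEthernet1/0/2", "192.168.0.3", "0001-0203-0405"))   # True
    print(g.allow("GigabitEthernet1/0/2", "192.168.0.9", "0001-0203-0405"))   # False: source IP not bound
```

The check is deliberately on the ingress port, not on the whole switch: a binding for GigabitEthernet 1/0/2 says nothing about what may arrive on 1/0/1, which is why the text asks you to configure the dynamic binding function on each untrusted port that faces clients.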
Table of Contents
1 SSH2.0 Configuration 1-1
  SSH2.0 Overview 1-1
    Introduction to SSH2.0 1-1
    Operation of SSH 1-1
  Configuring the Device as an SSH Server 1-4
    SSH Server Configuration Task List 1-4
    Generating a DSA or RSA Key Pair 1-4
    Enabling SSH Server 1-5
    Configuring the User Interfaces for SSH Clients 1-5
    Configuring a Client Public Key 1-6
    Configuring an SSH User 1-7
    Setting the SSH Management Parameters 1-8...
SSH2.0 Configuration When configuring SSH2.0, go to these sections for information you are interested in: SSH2.0 Overview Configuring the Device as an SSH Server Configuring the Device as an SSH Client Displaying and Maintaining SSH SSH Server Configuration Examples SSH Client Configuration Examples SSH2.0 Overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to securely logging into a remote device.
Stages / Description
… communicate with each other.
Version negotiation: The server opens port 22 to listen to connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary protocol...
Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about DSA and RSA key pairs, refer to Public Key Configuration in the Security Volume.
back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that the processing fails or it cannot resolve the request.
Interaction: In this stage, the server and the client exchange data in the following way: The client encrypts and sends the command to be executed to the server.
For details about the public-key local create command, refer to Public Key Commands in the Security Volume. To ensure that all SSH clients can log into the SSH server successfully, it is recommended that you generate both DSA and RSA key pairs on the SSH server. This is because different SSH clients may use different public-key algorithms, though a single client usually uses only one type of public-key algorithm.
… mode is password.

To do…: Configure the user interface(s) to support SSH login
Use the command…: protocol inbound { all | ssh }
Remarks: Optional. All protocols are supported by default.
For detailed information about the authentication-mode and protocol inbound commands, refer to User Interface Commands of the System Volume.
To do…: Enter public key view
Use the command…: public-key peer keyname
Remarks: —

To do…: Enter public key code view
Use the command…: public-key-code begin
Remarks: —

To do…: Configure a client public key
Use the command…: Enter the content of the public key
Remarks: Required. Spaces and carriage returns are allowed between characters.
A user without an SSH account can still pass password authentication and log into the server through Stelnet or SFTP, as long as the user can pass AAA authentication and the service type is SSH. An SSH server supports up to 1024 SSH users. The service type of an SSH user can be Stelnet (Secure Telnet) or SFTP (Secure FTP).
To do…: Enable the SSH server to work with SSH1 clients
Use the command…: ssh server compatible-ssh1x enable
Remarks: Optional. By default, the SSH server can work with SSH1 clients.

To do…: Set the RSA server key pair update interval
Use the command…: ssh server rekey-interval hours
Remarks: Optional. 0 by default, that is, the RSA server key pair is not updated.
Configuring Whether First-time Authentication is Supported When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server, and save the host public key on the client.
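The decision the client makes in first-time authentication is the same one the Stelnet client example later shows interactively ("The Server is not authenticated. Continue?" and "Do you want to save the server public key?"), and the alternative is pre-configuring the server's host public key with ssh client authentication server … assign publickey. The following Python is an added example, not H3C's client implementation: HostKeyStore, its method names, the constructed key bytes and the use of a SHA-256 fingerprint are assumptions made to show the three outcomes a client can reach (known and matching, known but different, unknown).

```python
# Added example, not from the H3C manual: the client-side host-key decision
# behind first-time authentication. Names and sample keys are constructed.
import base64
import hashlib
from typing import Dict


def fingerprint(host_key: bytes) -> str:
    """SHA-256 fingerprint of a host public key, in the base64 form OpenSSH prints.
    This is what an operator compares against the value obtained out of band."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    def __init__(self, first_time_auth: bool = True) -> None:
        self.first_time_auth = first_time_auth   # assumed to mirror "ssh client first-time enable"
        self.known: Dict[str, bytes] = {}        # server address -> saved host public key

    def assign_publickey(self, server: str, host_key: bytes) -> None:
        """Pre-configure the server's host key, as 'assign publickey' does in the manual."""
        self.known[server] = host_key

    def check(self, server: str, presented_key: bytes, save: bool = False) -> str:
        """Decide whether to continue the connection to `server` given the key it presented."""
        saved = self.known.get(server)
        if saved is not None:
            if saved == presented_key:
                return "authenticated"
            # A different key for a known server is never silently accepted or replaced.
            return "rejected:host-key-mismatch"
        if not self.first_time_auth:
            return "rejected:unknown-server"      # first-time authentication disabled
        if save:
            self.known[server] = presented_key   # "Do you want to save the server public key? y"
        return "accepted:unverified"             # "The Server is not authenticated. Continue? y"


if __name__ == "__main__":
    switch_b = b"constructed host key of Switch B (sample bytes, not a real key)"
    store = HostKeyStore()
    print(fingerprint(switch_b))
    print(store.check("10.165.87.136", switch_b, save=True))   # accepted:unverified
    print(store.check("10.165.87.136", switch_b))              # authenticated
    print(store.check("10.165.87.136", b"another key"))        # rejected:host-key-mismatch
```

The first outcome is the one to design around: with first-time authentication enabled, the very first session has no basis for trusting the server, so the saved key is only as good as the fingerprint comparison the operator performed at that moment. Pre-loading the key with assign publickey, or disabling first-time authentication on clients that manage many switches, removes that window.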
To do…: Establish a connection to an IPv6 SSH server, specifying the preferred HMAC algorithms and the preferred key exchange algorithm
Use the command…: ssh2 ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 |...
Remarks: For an IPv4 …
Figure 1-1 Switch acts as server for password authentication
Configuration procedure
Configure the SSH server
# Generate RSA and DSA key pairs and enable the SSH server.
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable
# Configure an IP address for VLAN interface 1.
Figure 1-2 SSH client configuration interface In the window shown in Figure 1-2, click Open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. When Switch Acts as Server for Publickey Authentication Network requirements As shown in...
Configure the SSH client
# Generate an RSA key pair.
Run PuTTYGen.exe, select SSH-2 RSA and click Generate.
Figure 1-4 Generate a key pair on the client (1)
While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-5.
Figure 1-5 Generate a key pair on the client (2)
After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
Figure 1-6 Generate a key pair on the client (3)
Likewise, to save the private key, click Save private key.
Figure 1-7 Save a key pair on the client (4)
Then, you need to transmit the public key file to the server through FTP or TFTP.
Configure the SSH server
# Generate RSA and DSA key pairs and enable SSH server.
<Switch>...
Figure 1-8 SSH client configuration interface (1)
Select Connection/SSH/Auth from the navigation tree. The following window appears. Click Browse… to bring up the file selection window, navigate to the private key file and click OK.
Figure 1-9 SSH client configuration interface (2)
In the window shown in Figure 1-9, click Open. If the connection is normal, you will be prompted to enter the username. After entering the correct username (client002), you can enter the configuration interface.
# Create an IP address for VLAN interface 1, which the SSH client will use as the destination for SSH connection.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Set the authentication mode for the user interfaces to AAA.
[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
0D757262C4584C44C211F18BD96E5F0
[SwitchA-pkey-key-code]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE 65BE6C265854889DC1EDBD13EC8B274
[SwitchA-pkey-key-code]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B0 6FD60FE01941DDD77FE6B12893DA76E
[SwitchA-pkey-key-code]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B3 68950387811C7DA33021500C773218C
[SwitchA-pkey-key-code]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E 14EC474BAF2932E69D3B1F18517AD95
[SwitchA-pkey-key-code]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5
[SwitchA-pkey-key-code]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9
[SwitchA-pkey-key-code]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC 9B09EEF0381840002818000AF995917
[SwitchA-pkey-key-code]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5D F257523777D033BEE77FC378145F2AD
[SwitchA-pkey-key-code]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71 01F7C62621216D5A572C379A32AC290
[SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D
[SwitchA-pkey-key-code]485348
[SwitchA-pkey-key-code] public-key-code end
[SwitchA-pkey-public-key] peer-public-key end
# Specify the host public key for the SSH server (10.165.87.136) as key1.
[SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
[SwitchA] quit
# Establish an SSH connection to server 10.165.87.136.
Configuration procedure
During SSH server configuration, the client public key is required. Therefore, it is recommended that you use the client software to generate a DSA key pair on the client before configuring the SSH server.
Configure the SSH client
# Create VLAN interface 1 and assign an IP address to it.
<SwitchA>...
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Later, you will find that you have logged into Switch B successfully.
SFTP Service When configuring SFTP, go to these sections for information you are interested in: SFTP Overview Configuring an SFTP Server Configuring an SFTP Client SFTP Client Configuration Example SFTP Server Configuration Example SFTP Overview The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer.
When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server.
Configuring the SFTP Connection Idle Timeout Period
Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that a user cannot hold a connection idle and keep it from other users.
Working with SFTP Files
SFTP file operations include:
Changing the name of a file
Downloading a file
Uploading a file
Displaying a list of the files
Deleting a file
Follow these steps to work with SFTP files:
To do… / Use the command… / Remarks
Use the command…: sftp [ ipv6 ] server [ port-number ] [ identity-key { dsa | rsa } |...
Terminating the Connection to the Remote SFTP Server
Follow these steps to terminate the connection to the remote SFTP server:
To do… / Use the command… / Remarks
Use the command…: sftp [ ipv6 ] server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 |...
Remarks: Required
[SwitchA] quit
Then, you need to transmit the public key file to the server through FTP or TFTP.
Configure the SFTP server
# Generate RSA and DSA key pairs and enable the SSH server.
<SwitchB> system-view
[SwitchB] public-key local create rsa
[SwitchB] public-key local create dsa
[SwitchB] ssh server enable
# Enable the SFTP server.
Are you sure to delete it? [Y/N]:y
This operation may take a long time.Please wait...
File successfully Removed
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
drwxrwxrwx...
<SwitchA> SFTP Server Configuration Example Network requirements As shown in Figure 2-2, an SSH connection is established between the host and the switch. The host, an SFTP client, logs into the switch for file management and file transfer. An SSH user uses password authentication with the username being client002 and the password being aabbcc.
There are many kinds of SSH client software. The following takes the PSFTP of PuTTY Version 0.58 as an example. PSFTP supports only password authentication.
# Establish a connection with the remote SFTP server.
Run psftp.exe to launch the client interface as shown in Figure 2-3, and enter the following command:...
Table of Contents
1 PKI Configuration 1-1
  Introduction to PKI 1-1
    PKI Overview 1-1
    PKI Terms 1-1
    Architecture of PKI 1-2
    Applications of PKI 1-3
    Operation of PKI 1-3
  PKI Configuration Task List 1-3
  Configuring an Entity DN 1-4
  Configuring a PKI Domain 1-5
  Submitting a PKI Certificate Request 1-7
    Submitting a Certificate Request in Auto Mode 1-7
    Submitting a Certificate Request in Manual Mode 1-7...
PKI Configuration When configuring PKI, go to these sections for information you are interested in: Introduction to PKI PKI Configuration Task List Displaying and Maintaining PKI PKI Configuration Examples Troubleshooting PKI Introduction to PKI This section covers these topics: PKI Overview PKI Terms Architecture of PKI Applications of PKI...
An existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user ceases operations. Revoking a certificate removes the binding of the public key with the user identity information. In PKI, the revocation is made through certificate revocation lists (CRLs).
PKI repository A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database. It stores and manages information like certificate requests, certificates, keys, CRLs and logs while providing a simple query function. LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service.
Task / Remarks
Configuring an Entity DN: Required
Configuring a PKI Domain: Required
Submitting a PKI Certificate Request, by Submitting a Certificate Request in Auto Mode or Submitting a Certificate Request in Manual Mode: Required, use either approach
Retrieving a Certificate Manually: Optional
Configuring PKI Certificate: Optional
Destroying a Local RSA Key Pair...
To do…: Configure the common name for the entity
Use the command…: common-name name
Remarks: Optional. No common name is specified by default.

To do…: Configure the country code for the entity
Use the command…: country country-code-str
Remarks: Optional. No country code is specified by default.

To do…: Configure the FQDN for the entity
Use the command…: fqdn name-str...
any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. It is recommended that you deploy an independent RA.
URL of the registration server
An entity sends a certificate request to the registration server through Simple Certification Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA.
Currently, up to two PKI domains can be created on a device. The CA name is required only when you retrieve a CA certificate; it is not used in a local certificate request. Currently, the URL of the server for certificate request does not support domain name resolution.
Submitting a PKI Certificate Request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.
To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Enter PKI domain view
Use the command…: pki domain domain-name
Remarks: —

To do…: Set the certificate request mode to manual
Use the command…: certificate request mode manual
Remarks: Optional. Manual by default.

To do…: Return to system view
Use the command…: quit
Remarks: —

To do…: Retrieve a CA certificate manually
Remarks: Refer to Retrieving a Certificate...
Prepare for certificate verification. Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
Follow these steps to retrieve a certificate manually:
To do…: Enter system view
Use the command…: system-view

To do…: Retrieve a...
Use the command… (Online): pki retrieval-certificate { ca | local } domain domain-name
To do…: Retrieve CRLs
Use the command… (Manually): pki retrieval-crl domain domain-name
Remarks: Required

To do…: Verify the validity of a certificate
Use the command…: pki validate-certificate { ca | local } domain domain-name
Remarks: Required
Configuring CRL-checking-disabled PKI certificate verification
Follow these steps to configure CRL-checking-disabled PKI certificate verification:
To do…...
Deleting a Certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate. Follow these steps to delete a certificate:
To do…: Enter system view
Use the command…: —...
To do…: Display information about one or all certificate attribute groups
Use the command…: display pki certificate attribute-group { group-name | all }
Remarks: Available in any view

To do…: Display information about one or all certificate attribute-based access control policies
Use the command…: display pki certificate access-control-policy...
Remarks: Available in any view
Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C). The other attributes may be left using the default values. # Configure extended attributes. After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server.
Apply for certificates
# Retrieve the CA certificate and save it locally.
[Switch] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while..
The trusted CA's finger print is:
    fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment..
plug-in installation completes, a URL is displayed, which you need to configure on the switch as the URL of the server for certificate registration. Modify the certificate service attributes From the start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server and SCEP plug-in have been installed successfully, there should be two certificates issued by the CA to the RA.
Apply for certificates
# Retrieve the CA certificate and save it locally.
[Switch] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while..
The trusted CA's finger print is:
    fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
    SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment..
X509v3 Subject Key Identifier: B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier: keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points: URI:http://l00192b/CertEnroll/CA%20server.crl URI:file://\\l00192b\CertEnroll\CA server.crl Authority Information Access: CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B (Omitted) You can also use some other display commands to view detailed information about the CA certificate.
For detailed information about SSL configuration, refer to SSL Configuration in the Security Volume. For detailed information about HTTPS configuration, refer to HTTP Configuration in the System Volume. The PKI domain to be referenced by the SSL policy must be created in advance. For detailed configuration of the PKI domain, refer to Configure the PKI domain.
Troubleshooting PKI
Failed to Retrieve a CA Certificate
Symptom: Failed to retrieve a CA certificate.
Analysis: Possible reasons include the following:
- The network connection is faulty. For example, the network cable may be damaged or loose.
- No trusted CA is specified.
- The URL of the registration server for certificate request is incorrect or not configured.
Failed to Retrieve CRLs
Symptom: Failed to retrieve CRLs.
Analysis: Possible reasons include the following:
- The network connection is faulty. For example, the network cable may be damaged or loose.
- No CA certificate has been retrieved before you try to retrieve CRLs.
- The IP address of the LDAP server is not configured.
Table of Contents
1 SSL Configuration  1-1
  SSL Overview  1-1
    SSL Security Mechanism  1-1
    SSL Protocol Stack  1-2
  SSL Configuration Task List  1-2
  Configuring an SSL Server Policy  1-3
    Configuration Prerequisites  1-3
    Configuration Procedure  1-3
    SSL Server Policy Configuration Example  1-4
  Configuring an SSL Client Policy  1-6
    Configuration Prerequisites  1-6
    Configuration Procedure  1-6
  Displaying and Maintaining SSL  1-6
  …
SSL Configuration
When configuring SSL, go to these sections for information you are interested in: SSL Overview, SSL Configuration Task List, Displaying and Maintaining SSL, Troubleshooting SSL.
SSL Overview
Secure Sockets Layer (SSL) is a security protocol that provides a secure connection service for TCP-based application layer protocols, for example HTTP.
For details about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, refer to Public Key Configuration in the Security Volume. For details about PKI, certificate, and CA, refer to PKI Configuration in the Security Volume. SSL Protocol Stack As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at...
Configuring an SSL Server Policy
An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, such as HTTP.
If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0.
# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as ssl.security.com. <Device> system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit # Create a PKI domain named 1, specify the trusted CA as ca server, the authority for certificate request as RA, the URL of the RA server as http://10.1.2.2/certsrv/mscep/mscep.dll, and the entity for certificate request as en.
For details about PKI configuration commands, refer to PKI Commands in the Security Volume. For details about the public-key local create rsa command, refer to Public Key Commands in the Security Volume. For details about HTTPS, refer to HTTP Configuration in the System Volume. Configuring an SSL Client Policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server.
To do… | Use the command… | Remarks
… | … information { policy-name | all } |
Display SSL client policy information | display ssl client-policy { policy-name | all } |
Troubleshooting SSL
SSL Handshake Failure
Symptom: As the SSL server, the device fails to handshake with the SSL client.
Analysis: SSL handshake failure may result from the following causes: The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or…
Table of Contents
1 Public Key Configuration  1-1
  Asymmetric Key Algorithm Overview  1-1
    Basic Concepts  1-1
    Key Algorithm Types  1-1
    Asymmetric Key Algorithm Applications  1-1
  Configuring the Local Asymmetric Key Pair  1-2
    Creating an Asymmetric Key Pair  1-2
    Displaying or Exporting the Local RSA or DSA Host Public Key  1-3
    Destroying an Asymmetric Key Pair  1-3
  Configuring the Public Key of a Peer  1-3
  Displaying and Maintaining Public Keys  1-4
  …
Public Key Configuration When configuring public keys, go to these sections for information you are interested in: Asymmetric Key Algorithm Overview Configuring the Local Asymmetric Key Pair Configuring the Public Key of a Peer Displaying and Maintaining Public Keys Public Key Configuration Examples Asymmetric Key Algorithm Overview Basic Concepts Algorithm: A set of transformation rules for encryption and decryption.
Encryption/decryption: The information encrypted with a receiver's public key can be decrypted by the receiver possessing the corresponding private key. This is used to ensure confidentiality. Digital signature: The information encrypted with a sender's private key can be decrypted by anyone who has access to the sender's public key, thereby proving that the information is from the sender and has not been tampered with.
The configuration made with the public-key local create command survives a reboot. The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. The length of an RSA key modulus is in the range of 512 to 2048 bits.
Import it from the public key file: The system automatically converts the public key to a string encoded according to the Public Key Cryptography Standards (PKCS). Before importing the public key, you must upload the peer's public key file (in binary mode) to the local host through FTP or TFTP. If you choose to input the public key manually, the public key must be in the correct format.
Public Key Configuration Examples Configuring the Public Key of a Peer Manually Network requirements Device A is authenticated by Device B when accessing Device B, so the public key of Device A should be configured on Device B in advance. In this example: RSA is used.
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E 35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8 4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 Configure Device B # Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A. The host public key is the content of HOST_KEY displayed on Device A using the display public-key local dsa public command.
NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++ ++++++ ++++++++ ++++++++ # Display the public keys of the created RSA key pairs. [DeviceA] display public-key local rsa public ===================================================== Time of Key pair created: 09:50:06...
Password: 230 User logged in. [ftp] binary 200 Type set to I. [ftp] put devicea.pub 227 Entering Passive Mode (10,1,1,2,5,148). 125 BINARY mode data connection already open, transfer starting for /devicea.pub. 226 Transfer complete. FTP: 299 byte(s) sent in 0.189 second(s), 1.00Kbyte(s)/sec. Import the host public key of Device A to Device B # Import the host public key of Device A from the key file devicea.pub to Device B.
Table of Contents
1 ACL Overview  1-1
  Introduction to ACL  1-1
    Introduction  1-1
    Application of ACLs on the Switch  1-1
  Introduction to IPv4 ACL  1-2
    IPv4 ACL Classification  1-2
    IPv4 ACL Naming  1-2
    IPv4 ACL Match Order  1-3
    IPv4 ACL Step  1-4
    Effective Period of an IPv4 ACL  1-4
    IP Fragments Filtering with IPv4 ACL  1-4
  Introduction to IPv6 ACL  1-5
  …
  Configuring a Basic IPv6 ACL  3-1
    Configuration Prerequisites  3-1
    Configuration Procedure  3-1
    Configuration Example  3-2
  Configuring an Advanced IPv6 ACL  3-2
    Configuration Prerequisites  3-3
    Configuration Procedure  3-3
    Configuration Example  3-4
  Copying an IPv6 ACL  3-4
    Configuration Prerequisites  3-4
    Configuration Procedure  3-4
  Displaying and Maintaining IPv6 ACLs  3-5
  IPv6 ACL Configuration Example  3-5
    Network Requirements  3-5
    Configuration Procedure  3-5
  …
ACL Overview In order to filter traffic, network devices use sets of rules, called access control lists (ACLs), to identify and handle packets. When configuring ACLs, go to these chapters for information you are interested in: ACL Overview IPv4 ACL Configuration IPv6 ACL Configuration ACL Application for Packet Filtering Unless otherwise stated, ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document.
When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic classification, the switch does not take action according to the traffic behavior definition on a packet that does not match the ACL. When an ACL is referenced by a piece of software to control Telnet, SNMP, and Web login users, the switch denies all packets that do not match the ACL.
The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name. IPv4 ACL Match Order An ACL may consist of multiple rules, which specify different matching criteria. These criteria may have overlapping or conflicting parts.
Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask. If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks.
Introduction to IPv6 ACL This section covers these topics: IPv6 ACL Classification IPv6 ACL Naming IPv6 ACL Match Order IPv6 ACL Step Effective Period of an IPv6 ACL IPv6 ACL Classification IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-2.
Depth-first match for a basic IPv6 ACL The following shows how your device performs depth-first match in a basic IPv6 ACL: Sort rules by source IPv6 address prefix first and compare packets against the rule configured with a longer prefix for the source IPv6 address. In case of a tie, compare packets against the rule configured first.
IPv4 ACL Configuration When configuring an IPv4 ACL, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv4 ACL Configuring an Advanced IPv4 ACL Configuring an Ethernet Frame Header ACL Copying an IPv4 ACL Displaying and Maintaining IPv4 ACLs IPv4 ACL Configuration Example Creating a Time Range...
on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
Configuration Procedure
Follow these steps to configure a basic IPv4 ACL:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a basic IPv4 ACL and enter its view | acl number acl-number [ name acl-name ] [ match-order { auto | … | Required. The default match order is config. If you specify a name for an IPv4 ACL …
<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 1.1.1.1 0 # Verify the configuration. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, named -none-, 1 rule, ACL's step is 5 rule 0 deny source 1.1.1.1 0 (5 times matched) Configuring an Advanced IPv4 ACL Advanced IPv4 ACLs match packets based on source IP address, destination IP address, protocol carried over IP, and other protocol header fields, such as the TCP/UDP source port number, TCP/UDP...
Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
The source IPv4 ACL and the destination IPv4 ACL must be of the same type. The destination ACL does not take the name of the source IPv4 ACL.
Displaying and Maintaining IPv4 ACLs
To do… | Use the command… | Remarks
Display information about one or all IPv4 ACLs | display acl { acl-number | all | … | Available in any …
Configuration Procedure Create a time range for office hours # Create a periodic time range spanning 8:00 to 18:00 in working days. <Switch> system-view [Switch] time-range trname 8:00 to 18:00 working-day Define an ACL to control access to the salary query server # Configure a rule to control access of the R&D Department to the salary query server.
IPv6 ACL Configuration When configuring IPv6 ACLs, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv6 ACL Configuring an Advanced IPv6 ACL Copying an IPv6 ACL Displaying and Maintaining IPv6 ACLs IPv6 ACL Configuration Example Creating a Time Range Refer to...
To do… | Use the command… | Remarks
Configure a description for the basic IPv6 ACL | description text | Optional. By default, a basic IPv6 ACL has no ACL description.
Configure a rule description | rule rule-id comment text | Optional. By default, an IPv6 ACL rule has no rule description.
Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they allow more flexible and accurate filtering.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command first.
Configuration Procedure
Follow these steps to configure an advanced IPv6 ACL:
To do…
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
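The depth-first ordering described under IPv4/IPv6 ACL Match Order (longer source IPv6 prefix first; more ones in the source MAC mask first, then the destination MAC mask; ties keep configuration order) and the auto-insertion behaviour above, as an added example in Python. This is not H3C code; all rules, masks and sample packets are constructed for illustration, and rule IDs are kept fixed while only the evaluation order changes.

```python
# Added example (not H3C code): depth-first ("match-order auto") rule ordering for a
# basic IPv6 ACL and an Ethernet frame header ACL, with a first-match lookup.
# All rules and packets below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


def mac_int(mac: str) -> int:
    """H3C notation hhhh-hhhh-hhhh -> integer."""
    return int(mac.replace("-", ""), 16)


def mask_ones(mask: str) -> int:
    """Number of one bits in a MAC mask (more ones = more specific rule)."""
    return bin(mac_int(mask)).count("1")


@dataclass
class Ipv6Rule:
    rule_id: int                       # fixed ID; reordering never renumbers rules
    action: str                        # "permit" or "deny"
    seq: int                           # configuration order, used as the tie-breaker
    source: Optional[ipaddress.IPv6Network] = None   # None means "source any"

    def prefix_len(self) -> int:
        return self.source.prefixlen if self.source else 0

    def matches(self, src: ipaddress.IPv6Address) -> bool:
        return self.source is None or src in self.source


@dataclass
class MacRule:
    rule_id: int
    action: str
    seq: int
    smac: str = "0000-0000-0000"
    smask: str = "0000-0000-0000"      # all-zero mask means "any"
    dmac: str = "0000-0000-0000"
    dmask: str = "0000-0000-0000"

    def matches(self, smac: str, dmac: str) -> bool:
        # A one bit in the mask means "this bit must match"
        sm, dm = mac_int(self.smask), mac_int(self.dmask)
        return (mac_int(smac) & sm == mac_int(self.smac) & sm
                and mac_int(dmac) & dm == mac_int(self.dmac) & dm)


def depth_first_ipv6(rules: List[Ipv6Rule]) -> List[Ipv6Rule]:
    """Longer source prefix first; sorted() is stable, so equal prefixes keep config order."""
    return sorted(rules, key=lambda r: (-r.prefix_len(), r.seq))


def depth_first_mac(rules: List[MacRule]) -> List[MacRule]:
    """More ones in the source MAC mask first, then in the destination MAC mask."""
    return sorted(rules, key=lambda r: (-mask_ones(r.smask), -mask_ones(r.dmask), r.seq))


def first_match(rules, *fields):
    """First rule that matches, or None (the caller then applies the default action)."""
    for r in rules:
        if r.matches(*fields):
            return r
    return None


def ipv6_demo(order: str = "auto") -> List[int]:
    """Rule IDs hit by three sample packets under 'config' or 'auto' match order."""
    rules = [
        Ipv6Rule(0, "permit", 0, ipaddress.IPv6Network("2001:db8::/32")),
        Ipv6Rule(5, "deny", 1, ipaddress.IPv6Network("2001:db8:1::/48")),
        Ipv6Rule(10, "deny", 2),                                       # source any
        Ipv6Rule(15, "permit", 3, ipaddress.IPv6Network("2001:db8:2::/48")),
    ]
    ordered = depth_first_ipv6(rules) if order == "auto" else rules
    packets = ("2001:db8:1::5", "2001:db8:9::1", "fe80::1")
    return [first_match(ordered, ipaddress.IPv6Address(p)).rule_id for p in packets]


def mac_demo() -> List[int]:
    """Rule IDs hit by three sample frames under depth-first order."""
    rules = [
        MacRule(0, "permit", 0, "0001-0203-0405", "ffff-ffff-ffff"),
        MacRule(5, "deny", 1, "0001-0203-0000", "ffff-ffff-0000"),
        MacRule(10, "deny", 2, "0001-0203-0000", "ffff-ffff-0000",
                "00aa-bbcc-ddee", "ffff-ffff-ffff"),
    ]
    ordered = depth_first_mac(rules)
    frames = [("0001-0203-0405", "00aa-bbcc-ddee"),
              ("0001-0203-9999", "00aa-bbcc-ddee"),
              ("0001-0203-9999", "0011-2233-4455")]
    return [first_match(ordered, s, d).rule_id for s, d in frames]


if __name__ == "__main__":
    print("config order:", ipv6_demo("config"))   # [0, 0, 10]
    print("auto order:  ", ipv6_demo("auto"))     # [5, 0, 10]
    print("mac auto:    ", mac_demo())            # [0, 10, 5]
```

With config order the /32 permit rule shadows the more specific /48 deny; with auto order the /48 rule is evaluated first while its rule ID stays 5.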
The source IPv6 ACL and the destination IPv6 ACL must be of the same type. The destination ACL does not take the name of the source IPv6 ACL.
Displaying and Maintaining IPv6 ACLs
To do… | Use the command… | Remarks
Display information about one or all IPv6 ACLs | display acl ipv6 { acl6-number | all | … | Available in any …
ACL Application for Packet Filtering When applying an ACL for packet filtering, go to these sections for information you are interested in: Filtering IPv4 Packets Filtering IPv6 Packets ACL Application Example You can apply an ACL to the inbound or direction of an Ethernet interface or VLAN interface to filter packets: Applied to an Ethernet interface, an ACL can filter all IPv4 packets and IPv6 packets that are received on the interface.
To do… | Use the command… | Remarks
Exit to system view | quit | —
Configure the interval for collecting and outputting IPv4 packet filtering logs | acl logging frequence frequence | Required. By default, the interval is 0, that is, no IPv4 packet filtering logs are output.
The packet filtering statistics are managed and output as device log information by the information center. The packet filtering statistics have severity level 6, that is, informational. Informational messages are not output to the console by default; therefore, you need to modify the log output rule so that informational messages are sent to the console or other destinations.
[DeviceA-acl-basic-2009] quit # Apply ACL 2009 to the inbound direction of interface GigabitEthernet 1/0/1. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] packet-filter 2009 inbound # Configure the device to collect and output IPv4 packet filtering logs at an interval of 10 minutes. [DeviceA] acl logging frequence 10 # Configure the device to output informational log messages to the console.
Table of Contents
1 ARP Attack Protection Configuration  1-1
  ARP Attack Protection Overview  1-1
  ARP Attack Protection Configuration Task List  1-1
  Configuring ARP Defense Against IP Packet Attacks  1-2
    Introduction  1-2
    Configuring ARP Source Suppression  1-2
    Enabling ARP Black Hole Routing  1-3
    Displaying and Maintaining ARP Source Suppression  1-3
  Configuring ARP Packet Rate Limit  1-3
    Introduction  1-3
  …
ARP Attack Protection Configuration
When configuring ARP attack protection, go to these sections for information you are interested in: Configuring ARP Defense Against IP Packet Attacks, Configuring ARP Packet Rate Limit, Configuring Source MAC Address Based ARP Attack Detection, Configuring ARP Packet Source MAC Address Consistency Check, Configuring ARP Active Acknowledgement, Configuring ARP Detection.
ARP Attack Protection Overview…
Task | Remarks
User and gateway spoofing prevention: Configuring ARP Packet Source MAC Address Consistency Check | Optional. Configure this function on gateways (recommended).
User and gateway spoofing prevention: Configuring ARP Active Acknowledgement | Optional. Configure this function on gateways (recommended).
User and gateway spoofing prevention: Configuring ARP Detection | Optional. Configure this function on access devices (recommended).
Enabling ARP Black Hole Routing
Follow these steps to configure ARP black hole routing:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable ARP black hole routing | arp resolving-route enable | Optional. Enabled by default.
Displaying and Maintaining ARP Source Suppression
To do…
detection entry is aged out, the device generates an alarm and filters out ARP packets sourced from that MAC address (in filter mode), or only generates an alarm (in monitor mode). A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from being discarded, you can specify the MAC address of the gateway or server as a protected MAC address.
Configuration Procedure
Follow these steps to enable ARP packet source MAC address consistency check:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable ARP packet source MAC address consistency check | arp anti-attack valid-check enable | Required. Disabled by default.
Configuring ARP Active Acknowledgement
Introduction…
For information about DHCP snooping, refer to DHCP Configuration in the IP Services Volume. For information about 802.1X, refer to 802.1X Configuration in the Security Volume. Introduction to ARP Detection The ARP detection feature allows only the ARP packets of legal clients to be forwarded. Enabling ARP Detection Based on DHCP Snooping Entries/802.1x Security Entries/Static IP-to-MAC Bindings With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet...
After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP packet against the static IP-to-MAC bindings. If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded.
To do… | Use the command… | Remarks
Configure a static IP-to-MAC binding for ARP detection | arp detection static-bind ip-address mac-address | Optional. Not configured by default. If the ARP attack detection mode is static-bind, you need to configure static IP-to-MAC bindings for ARP detection.
ip: Checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this object specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.
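The ip check object described above, as an added example in Python (not H3C code): it parses raw Ethernet/IPv4 ARP packet bodies with the standard library and applies the stated rule, treating the all-zero, all-one and multicast addresses as invalid, checking both sender and target IP for replies and only the sender IP for requests. The sample packets are constructed for illustration.

```python
# Added example (not H3C code): ARP detection validity check for the "ip" object,
# run over constructed ARP packet bodies.
import ipaddress
import struct
from typing import Dict, Tuple

ARP_REQUEST = 1
ARP_REPLY = 2
# hw type, proto type, hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"


def parse_arp(payload: bytes) -> dict:
    """Decode the 28-byte Ethernet/IPv4 ARP packet body (hex MACs, dotted-quad IPs)."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha.hex(), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": tha.hex(), "tpa": str(ipaddress.IPv4Address(tpa))}


def invalid_ip(addr: str) -> bool:
    """All-zero, all-one and multicast IPv4 addresses are invalid in an ARP packet."""
    ip = ipaddress.IPv4Address(addr)
    return int(ip) == 0 or int(ip) == 0xFFFFFFFF or ip.is_multicast


def arp_ip_check(pkt: dict) -> Tuple[bool, str]:
    """(valid, reason): replies are checked on sender and target IP, requests on sender IP only."""
    if invalid_ip(pkt["spa"]):
        return False, "invalid sender IP " + pkt["spa"]
    if pkt["op"] == ARP_REPLY and invalid_ip(pkt["tpa"]):
        return False, "invalid target IP " + pkt["tpa"]
    return True, "ok"


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Helper to construct sample packet bodies (MACs as 12 hex digits)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha), ipaddress.IPv4Address(spa).packed,
                       bytes.fromhex(tha), ipaddress.IPv4Address(tpa).packed)


# Constructed samples: a normal request, and packets that should be discarded or passed
SAMPLES = {
    "normal_request": build_arp(ARP_REQUEST, "000102030405", "10.1.1.10", "000000000000", "10.1.1.1"),
    "reply_to_bcast_ip": build_arp(ARP_REPLY, "000102030405", "10.1.1.10", "00aabbccddee", "255.255.255.255"),
    "request_zero_src": build_arp(ARP_REQUEST, "000102030405", "0.0.0.0", "000000000000", "10.1.1.1"),
    "reply_mcast_src": build_arp(ARP_REPLY, "000102030405", "224.0.0.5", "00aabbccddee", "10.1.1.1"),
    "request_zero_target": build_arp(ARP_REQUEST, "000102030405", "10.1.1.10", "000000000000", "0.0.0.0"),
}


def check_samples() -> Dict[str, bool]:
    """Map each sample name to whether the ip check would let it through."""
    return {name: arp_ip_check(parse_arp(raw))[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:22s} {'forward' if ok else 'discard'}")
```

Note that the last sample passes: the target IP of a request is not an object of the check, only the target IP of a reply is.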
Configuration procedure Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted). Configure a DHCP server (the configuration procedure is omitted). Configure Host A and Host B as DHCP clients (the configuration procedure is omitted). Configure Switch B # Enable DHCP snooping.
Configure Host A and Host B as local 802.1X access users. Figure 1-2 Network diagram for ARP detection configuration Configuration procedure Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted).
# Enable ARP detection based on 802.1X security entries.
[SwitchB] arp detection mode dot1x
High Availability Volume Organization Manual Version 6W101-20100305 Product Version Release 2202 Organization The High Availability Volume is organized as follows: Features Description Smart Link is a solution for active-standby link redundancy backup and rapid transition in dual-uplink networking. This document describes: Smart Link Smart Link Overview Configuring a Smart Link Device...
Features | Description
DLDP | On fiber links, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes: DLDP Introduction, Enabling DLDP, Setting DLDP Mode, Setting the Interval for Sending Advertisement Packets, Setting the DelayDown Timer, Setting the Port Shutdown Mode, Configuring DLDP Authentication…
Table of Contents
1 Smart Link Configuration  1-2
  Smart Link Overview  1-2
    Terminology  1-3
    How Smart Link Works  1-4
  Smart Link Configuration Task List  1-5
  Configuring a Smart Link Device  1-5
    Configuration Prerequisites  1-5
    Configuring Protected VLANs for a Smart Link Group  1-6
    Configuring Member Ports for a Smart Link Group  1-6
    Configuring Role Preemption for a Smart Link Group  1-7
    Enabling the Sending of Flush Messages  1-7
  …
Smart Link Configuration When configuring Smart Link, go to these sections for information that you are interested in: Smart Link Overview Configuring a Smart Link Device Configuring an Associated Device Displaying and Maintaining Smart Link Smart Link Configuration Examples Smart Link Overview To avoid single-point failures and guarantee network reliability, downstream devices are usually dual uplinked to upstream devices.
For more information about STP and RRPP, refer to MSTP Configuration in the Access Volume and RRPP Configuration in the High Availability Volume. Smart Link is a feature developed to address the slow convergence issue with STP. It provides link redundancy as well as fast convergence in a dual uplink network, allowing the backup link to take over quickly when the primary link fails.
Receive control VLAN The receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Device A, Device B, and Device E in Figure 1-1) receive and process flush messages in the receive control VLAN and refresh their MAC address forwarding entries and ARP/ND entries.
configured with role preemption, GE1/0/1 takes over to forward traffic as soon as the former master link recovers, while GE1/0/2 is automatically blocked and placed in the standby state. Load sharing mechanism A ring network may carry traffic of multiple VLANs. Smart link can forward traffic of different VLANs in different smart link groups, thus implementing load sharing.
A loop may occur on the network during the time when STP is disabled but Smart Link has not yet taken effect on a port. Configuring Protected VLANs for a Smart Link Group Follow these steps to configure the protected VLANs for a smart link group: To do…...
To do… / Use the command… / Remarks
Enter system view: system-view
Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
Configure member ports for a smart link group: port smart-link group group-id { master | slave }. Remarks: Required

Configuring Role Preemption for a Smart Link Group

Follow these steps to configure role preemption for a smart link group:
To do…...
The control VLAN configured for a smart link group must be different from that configured for any other smart link group. Make sure that the configured control VLAN already exists, and assign the smart link group member ports to the control VLAN. The control VLAN of a smart link group should also be one of its protected VLANs.
Configuring an Associated Device

Enabling the Receiving of Flush Messages

You do not need to enable all ports on the associated devices to receive flush messages sent from the transmit control VLAN, only those on the master and slave links between the smart link device and the destination device.
Displaying and Maintaining Smart Link

To do… / Use the command… / Remarks
Display smart link group information: display smart-link group { group-id | all }. Remarks: Available in any view
Display information about the received flush messages: display smart-link flush. Remarks: Available in any view
Clear the statistics about flush...: reset smart-link statistics... Remarks: Available in user view
[DeviceC-mst-region] instance 1 vlan 11 to 20
[DeviceC-mst-region] instance 2 vlan 21 to 30
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately, and configure them as trunk ports that permit VLANs 1 through 30.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] undo stp enable
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
...
[DeviceD-GigabitEthernet1/0/1] quit
[DeviceD] interface gigabitethernet 1/0/2
[DeviceD-GigabitEthernet1/0/2] undo stp enable
[DeviceD-GigabitEthernet1/0/2] port link-type trunk
[DeviceD-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30
[DeviceD-GigabitEthernet1/0/2] quit
# Create smart link group 1 and configure all VLANs mapped to MSTIs 0 through 2 as the protected VLANs.
[DeviceE] interface gigabitethernet 1/0/1
[DeviceE-GigabitEthernet1/0/1] port link-type trunk
[DeviceE-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30
[DeviceE-GigabitEthernet1/0/1] smart-link flush enable
[DeviceE-GigabitEthernet1/0/1] quit
[DeviceE] interface gigabitethernet 1/0/2
[DeviceE-GigabitEthernet1/0/2] port link-type trunk
[DeviceE-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30
[DeviceE-GigabitEthernet1/0/2] smart-link flush enable
[DeviceE-GigabitEthernet1/0/2] quit
[DeviceE] interface gigabitethernet 1/0/3
[DeviceE-GigabitEthernet1/0/3] port link-type trunk
...
You can use the display smart-link flush command to display the flush messages received on each device. For example:
# Display the flush messages received on Device B.
[DeviceB] display smart-link flush
Received flush packets
Receiving interface of the last flush packet : GigabitEthernet1/0/3
Receiving time of the last flush packet : 16:25:21 2009/02/21
...
[DeviceC-mst-region] quit
# Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately, configure the ports as trunk ports, and assign them to VLAN 1 through VLAN 200.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] undo stp enable
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200
[DeviceC-GigabitEthernet1/0/1] quit
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] undo stp enable
...
# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports and assign them to VLANs 1 through 200; enable flush message receiving on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 and configure VLAN 10 and VLAN 101 as the receive control VLANs.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200
...
[DeviceA-GigabitEthernet1/0/2] smart-link flush enable control-vlan 10 101
[DeviceA-GigabitEthernet1/0/2] quit

Verifying the configurations

You can use the display smart-link group command to display the smart link group configuration on each device. For example:
# Display the smart link group configuration on Device C.
[DeviceC] display smart-link group all
Smart link group 1 information:
Device ID: 000f-e23d-5af0
...
Table of Contents
1 Monitor Link Configuration 1-1
  Overview 1-1
    Terminology 1-1
    How Monitor Link Works 1-2
  Configuring Monitor Link 1-2
    Configuration Prerequisites 1-2
    Creating a Monitor Link Group 1-2
    Configuring Monitor Link Group Member Ports 1-3
  Displaying and Maintaining Monitor Link 1-3
  Monitor Link Configuration Example 1-4
...
Monitor Link Configuration

When configuring monitor link, go to these sections for information you are interested in:
Overview
Configuring Monitor Link
Displaying and Maintaining Monitor Link
Monitor Link Configuration Example

Overview

Monitor link is a port collaboration function. Monitor link is usually used in conjunction with Layer 2 topology protocols.
Uplink/Downlink ports

Uplink port and downlink port are two port roles in monitor link groups:
Uplink ports refer to the monitored ports. The state of a monitor link group adapts to that of its member uplink ports. When a monitor link group contains no uplink port or all the uplink ports are down, the monitor link group becomes down;
...
Configuring Monitor Link Group Member Ports

You can configure member ports for a monitor link group either in monitor link group view or interface view. The configurations made in these two views lead to the same result.

In monitor link group view

Follow these steps to configure member ports for a monitor link group in monitor link group view:
To do…...
Monitor Link Configuration Example

Network requirements

As shown in Figure 1-2:
VLANs 1 through 10, 11 through 20, and 21 through 30 are mapped to MSTIs 0, 1, and 2 respectively.
Traffic of VLANs 1 through 30 on Device C is dual-uplinked to Device A through a smart link group.
[DeviceC-GigabitEthernet1/0/1] undo stp enable
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30
[DeviceC-GigabitEthernet1/0/1] quit
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] undo stp enable
[DeviceC-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30
[DeviceC-GigabitEthernet1/0/2] quit
# Create smart link group 1, and configure all the VLANs mapped to MSTIs 0 through 2 as the protected VLANs for smart link group 1.
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30
[DeviceB-GigabitEthernet1/0/1] smart-link flush enable
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30
[DeviceB-GigabitEthernet1/0/2] smart-link flush enable
[DeviceB-GigabitEthernet1/0/2] quit
# Create monitor link group 1, and then configure GigabitEthernet 1/0/1 as an uplink port and GigabitEthernet 1/0/2 as a downlink port for monitor link group 1.
Member                Role       Status
------------------------------------------
GigabitEthernet1/0/1  UPLINK
GigabitEthernet1/0/2  DOWNLINK   UP
# Check information about monitor link group 1 on Device D.
[DeviceD] display monitor-link group 1
Monitor link group 1 information:
Group status: DOWN
Last-up-time: 16:35:27 2009/4/21
Last-down-time: 16:37:19 2009/4/21
Member                Role       Status
------------------------------------------
...
Table of Contents
1 RRPP Configuration 1-1
  RRPP Overview 1-1
    Background 1-1
    Basic Concepts in RRPP 1-2
    RRPPDUs 1-4
    RRPP Timers 1-5
    How RRPP Works 1-5
    Typical RRPP Networking 1-7
    Protocols and Standards 1-9
  RRPP Configuration Task List 1-9
  Creating an RRPP Domain 1-10
  Configuring Control VLANs 1-11
  Configuring Protected VLANs 1-11
  Configuring RRPP Rings 1-12
...
RRPP Configuration

When configuring RRPP, go to these sections for information you are interested in:
RRPP Overview
RRPP Configuration Task List
Creating an RRPP Domain
Configuring Control VLANs
Configuring Protected VLANs
Configuring RRPP Rings
Activating an RRPP Domain
Configuring RRPP Timers
Configuring an RRPP Ring Group
Displaying and Maintaining RRPP
RRPP Configuration Examples
...
Basic Concepts in RRPP

Figure 1-1 RRPP networking diagram

RRPP domain

The interconnected devices with the same domain ID and control VLANs constitute an RRPP domain. An RRPP domain contains the following elements: primary ring, subring, control VLAN, master node, transit node, primary port, secondary port, common port, and edge port.
IP address configuration is prohibited on the control VLAN interfaces.

Data VLAN

A data VLAN is a VLAN dedicated to transferring data packets. Both RRPP ports and non-RRPP ports can be assigned to a data VLAN.

Node

Each device on an RRPP ring is referred to as a node. The role of a node is configurable. There are the following node roles:
Master node: Each ring has one and only one master node.
Common port and edge port

The ports connecting the edge node and assistant-edge node to the primary ring are common ports. The ports connecting the edge node and assistant-edge node only to the subrings are edge ports. As shown in Figure 1-1, Device B and Device C lie on Ring 1 and Ring 2.
RRPPDUs of subrings are transmitted as data packets in the primary ring, while RRPPDUs of the primary ring can only be transmitted within the primary ring.

RRPP Timers

When RRPP checks the link state of an Ethernet ring, the master node sends Hello packets out the primary port according to the Hello timer and determines whether its secondary port receives the Hello packets based on the Fail timer.
while sending Common-Flush-FDB packets to instruct all the transit nodes, the edge nodes and the assistant-edge nodes to update their own MAC entries and ARP/ND entries. After each node updates its own entries, traffic is switched to the normal link.

Ring recovery

The master node may find the ring is restored after a period of time after the ports belonging to the RRPP domain on the transit nodes, the edge nodes, or the assistant-edge nodes are brought up again.
Typical RRPP Networking

Here are several typical networking applications.

Single ring

As shown in Figure 1-2, there is only a single ring in the network topology. In this case, you only need to define an RRPP domain.

Figure 1-2 Schematic diagram for a single-ring network

Tangent rings

As shown in Figure...
Figure 1-4 Schematic diagram for an intersecting-ring network

Dual homed rings

As shown in Figure 1-5, there are two or more rings in the network topology and two similar common nodes between rings. In this case, you only need to define an RRPP domain, and configure one ring as the primary ring and the other rings as subrings.
Figure 1-6 Schematic diagram for a single-ring load balancing network (Device A, Device B, Device C and Device D on Ring 1; Domain 1 and Domain 2)

Intersecting-ring load balancing

In an intersecting-ring network, you can also achieve load balancing by configuring multiple domains. As shown in Figure 1-7, Ring 1 is the primary ring and Ring 2 is the subring in both Domain 1 and...
Complete the following tasks to configure RRPP:
Task / Remarks
Creating an RRPP Domain: Required. Perform this task on all nodes in the RRPP domain.
Configuring Control VLANs: Required. Perform this task on all nodes in the RRPP domain.
Configuring Protected VLANs: Required. Perform this task on all nodes in the RRPP domain.
Configuring Control VLANs

Before configuring RRPP rings in an RRPP domain, configure the same control VLANs for all nodes in the RRPP domain first. Perform this configuration on all nodes in the RRPP domain to be configured.
Follow these steps to configure control VLANs:
To do…...
Configuring RRPP Rings

When configuring an RRPP ring, you must make some configurations on the ports connecting each node to the RRPP ring before configuring the nodes. RRPP ports, that is, ports connecting devices to an RRPP ring, must be Layer-2 GE ports, Layer-2 XGE ports, or Layer-2 aggregate interfaces and cannot be member ports of any aggregation group, service loopback group, or smart link group.
For detailed information about the port link-type trunk command and port trunk permit vlan { vlan-id-list | all } command, refer to VLAN Commands in the Access Volume. For detailed information about the undo stp enable command, refer to MSTP Commands in the Access Volume.
To do… / Use the command… / Remarks
Enter system view: system-view
Enter RRPP domain view: rrpp domain domain-id
Specify the current device as a transit node of the ring, and specify the primary port and the ...: ring ring-id node-mode transit [ primary-port interface-type interface-number ] [ secondary-port interface-type interface-number ] level... Remarks: Required
Activating an RRPP Domain

To activate an RRPP domain on the current device, enable the RRPP protocol and RRPP rings for the RRPP domain on the current device. Perform this operation on all nodes in the RRPP domain.
Follow these steps to activate an RRPP domain:
To do…...
The Fail timer value must be equal to or greater than three times the Hello timer value. To avoid temporary loops when the primary ring fails in a dual-homed-ring network, ensure that the difference between the Fail timer value on the master node of the subring and that on the master node of the primary ring is greater than twice the Hello timer value of the master node of the subring.
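The two timer constraints above, as an added checker that is not part of the H3C manual; timer values are in seconds, and the sample values (Hello 1 s, Fail 3 s) are constructed for illustration rather than taken from this page:

```python
# Added example (not from the H3C manual): validates RRPP Hello/Fail timer
# settings against the two rules stated in the text. Values are in seconds.
# Sample values below are constructed for illustration, not taken from the page.


def check_ring_timers(hello, fail, label="ring"):
    """Return the list of violations for one master node's timers (empty = OK).

    Rule 1 from the text: Fail >= 3 x Hello.
    """
    problems = []
    if hello <= 0 or fail <= 0:
        problems.append(f"{label}: timers must be positive (hello={hello}, fail={fail})")
        return problems
    if fail < 3 * hello:
        problems.append(
            f"{label}: Fail timer {fail}s is below 3 x Hello timer ({3 * hello}s)"
        )
    return problems


def check_dual_homed_timers(primary, subring):
    """primary / subring are (hello, fail) tuples for the two master nodes.

    Rule 2 from the text (dual-homed rings): the subring master's Fail timer
    minus the primary ring master's Fail timer must exceed twice the subring
    master's Hello timer, otherwise a temporary loop can form while the
    primary ring is failing. Interpreting "difference" as subring minus
    primary is an assumption made here.
    """
    p_hello, p_fail = primary
    s_hello, s_fail = subring
    problems = check_ring_timers(p_hello, p_fail, "primary ring master")
    problems += check_ring_timers(s_hello, s_fail, "subring master")
    if s_fail - p_fail <= 2 * s_hello:
        problems.append(
            f"dual-homed: subring Fail ({s_fail}s) minus primary Fail ({p_fail}s) "
            f"must exceed 2 x subring Hello ({2 * s_hello}s)"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample: primary ring master Hello 1 s / Fail 3 s,
    # subring master Hello 1 s / Fail 5 s -> difference 2 s is not > 2 s.
    for p in check_dual_homed_timers((1, 3), (1, 5)):
        print("violation:", p)
```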
Displaying and Maintaining RRPP

To do… / Use the command… / Remarks (all available in any view)
Display brief RRPP information: display rrpp brief
Display RRPP group configuration information: display rrpp ring-group [ ring-group-id ]
Display detailed RRPP information: display rrpp verbose domain domain-id [ ring ring-id ]
Display RRPP statistics: display rrpp statistics domain...
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] undo stp enable
[DeviceA-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
[DeviceA-GigabitEthernet1/0/1] qos trust dot1p
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] undo stp enable
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan all
[DeviceA-GigabitEthernet1/0/2] qos trust dot1p
[DeviceA-GigabitEthernet1/0/2] quit
# Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and...
[DeviceB] rrpp domain 1
[DeviceB-rrpp-domain1] control-vlan 4092
[DeviceB-rrpp-domain1] protected-vlan reference-instance 0 to 16
# Configure Device B as the transit node of primary ring 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enable ring 1.
[DeviceB-rrpp-domain1] ring node-mode...
Figure 1-9 Network diagram for intersecting rings configuration

Configuration procedure

Configuration on Device A
# Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk ports, assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
[DeviceA] rrpp enable

Configuration on Device B
# Disable STP on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3, configure the ports as trunk ports, assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
<DeviceB>...
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] undo stp enable
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan all
[DeviceC-GigabitEthernet1/0/1] qos trust dot1p
[DeviceC-GigabitEthernet1/0/1] quit
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] undo stp enable
[DeviceC-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-GigabitEthernet1/0/2] port trunk permit vlan all
[DeviceC-GigabitEthernet1/0/2] qos trust dot1p
[DeviceC-GigabitEthernet1/0/2] quit
[DeviceC] interface gigabitethernet 1/0/3
...
[DeviceD-GigabitEthernet1/0/1] qos trust dot1p
[DeviceD-GigabitEthernet1/0/1] quit
[DeviceD] interface gigabitethernet 1/0/2
[DeviceD-GigabitEthernet1/0/2] undo stp enable
[DeviceD-GigabitEthernet1/0/2] port link-type trunk
[DeviceD-GigabitEthernet1/0/2] port trunk permit vlan all
[DeviceD-GigabitEthernet1/0/2] qos trust dot1p
[DeviceD-GigabitEthernet1/0/2] quit
# Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1.
[DeviceE-rrpp-domain1] ring node-mode master primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 1
[DeviceE-rrpp-domain1] ring 2 enable
[DeviceE-rrpp-domain1] quit
# Enable RRPP.
[DeviceE] rrpp enable

Verification

After the configuration, you can use the display command to view RRPP configuration and operational information on each device.
Configuration procedure

Configuration on Device A
# Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] quit
[DeviceA] stp region-configuration
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 2 vlan 20
...
[DeviceA] rrpp domain 2
[DeviceA-rrpp-domain2] control-vlan 105
[DeviceA-rrpp-domain2] protected-vlan reference-instance 2
# Configure Device A as the master node of primary ring 1, with GigabitEthernet 1/0/2 as the master port and GigabitEthernet 1/0/1 as the secondary port, and enable ring 1.
[DeviceA-rrpp-domain2] ring node-mode...
[DeviceB-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-GigabitEthernet1/0/3] undo port trunk permit vlan 1
[DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 20
[DeviceB-GigabitEthernet1/0/3] qos trust dot1p
[DeviceB-GigabitEthernet1/0/3] quit
# Disable STP on GigabitEthernet 1/0/4, configure the port as a trunk port, remove it from VLAN 1, assign it to VLAN 10, and configure it to trust the 802.1p precedence of the received packets.
# Enable RRPP.
[DeviceB] rrpp enable

Configuration on Device C
# Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration.
<DeviceC> system-view
[DeviceC] vlan 10
[DeviceC-vlan10] quit
[DeviceC] vlan 20
[DeviceC-vlan20] quit
[DeviceC] stp region-configuration
...
[DeviceC-GigabitEthernet1/0/4] port link-type trunk
[DeviceC-GigabitEthernet1/0/4] undo port trunk permit vlan 1
[DeviceC-GigabitEthernet1/0/4] port trunk permit vlan 10
[DeviceC-GigabitEthernet1/0/4] qos trust dot1p
[DeviceC-GigabitEthernet1/0/4] quit
# Create RRPP domain 1, configure VLAN 10 as the primary control VLAN of RRPP domain 1, and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1.
[DeviceD] vlan 20
[DeviceD-vlan20] quit
[DeviceD] stp region-configuration
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 2 vlan 20
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk ports, remove them from VLAN 1, assign them to VLAN 10 and VLAN 20, and configure them to trust the 802.1p precedence of the received packets.
[DeviceD-rrpp-domain2] quit
# Enable RRPP.
[DeviceD] rrpp enable

Configuration on Device E
# Create VLAN 20, map VLAN 20 to MSTI 2, and activate MST region configuration.
<DeviceE> system-view
[DeviceE] vlan 20
[DeviceE-vlan20] quit
[DeviceE] stp region-configuration
[DeviceE-mst-region] instance 2 vlan 20
[DeviceE-mst-region] active region-configuration
[DeviceE-mst-region] quit
# Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk...
<DeviceF> system-view
[DeviceF] vlan 10
[DeviceF-vlan10] quit
[DeviceF] stp region-configuration
[DeviceF-mst-region] instance 1 vlan 10
[DeviceF-mst-region] active region-configuration
[DeviceF-mst-region] quit
# Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk ports, remove them from VLAN 1, assign them to VLAN 10, and configure them to trust the 802.1p precedence of the received packets.
[DeviceC-rrpp-ring-group1] domain 2 ring 2
[DeviceC-rrpp-ring-group1] domain 1 ring 3

Verification

After the configuration, you can use the display command to view RRPP configuration and operational information on each device.

Troubleshooting

Symptom: When the link state is normal, the master node cannot receive Hello packets, and the master node unblocks the secondary port.
Table of Contents
1 DLDP Configuration 1-1
  Overview 1-1
    Background 1-1
    How DLDP Works 1-2
  DLDP Configuration Task List 1-8
  Enabling DLDP 1-9
  Setting DLDP Mode 1-9
  Setting the Interval for Sending Advertisement Packets 1-10
  Setting the DelayDown Timer 1-10
  Setting the Port Shutdown Mode 1-11
  Configuring DLDP Authentication 1-12
  Resetting DLDP State 1-12
  Displaying and Maintaining DLDP 1-13
...
DLDP Configuration

When performing DLDP configuration, go to these sections for information you are interested in:
Overview
DLDP Configuration Task List
Enabling DLDP
Setting DLDP Mode
Setting the Interval for Sending Advertisement Packets
Setting the DelayDown Timer
Setting the Port Shutdown Mode
Configuring DLDP Authentication
Resetting DLDP State
Displaying and Maintaining DLDP
...
The Device link detection protocol (DLDP) is an H3C technology for dealing with unidirectional links that may occur in a network. On detecting a unidirectional link, DLDP, as configured, can shut down the related port automatically or prompt users to take actions to avoid network problems.
State / Indicates…
Advertisement: All neighbors are bi-directionally reachable or DLDP has been in Active state for more than five seconds. This is a relatively stable state where no unidirectional link has been detected.
DLDP enters this state if it receives a packet from an unknown neighbor.
DLDP timer / Description
Enhanced timer: In the enhanced mode, this timer is triggered if no packet is received from a neighbor when the entry aging timer expires. The Enhanced timer is set to 1 second. After the Enhanced timer is triggered, the device sends up to eight probe packets to the neighbor at a frequency of one packet per second.
Figure 1-2 A scenario for the Enhanced DLDP mode (Device A GE1/0/50 up, Device B GE1/0/50 down; Tx end and Rx end of the Ethernet optical port; fiber link unconnected or broken)

In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1) can be detected.
Table 1-4 DLDP packet types and DLDP states
DLDP state / Type of DLDP packets sent
Active: Advertisement packet with RSY tag
Advertisement: Normal Advertisement packet
Probe: Probe packet
Disable: Disable packet and RecoverProbe packet
When a device transits from a DLDP state other than Inactive state or Disable state to Initial state, it sends Flush packets.
Packet type / Processing procedure
Echo packet: Retrieves the neighbor information. If the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the Entry timer, and transits to Probe state. If the neighbor information it carries conflicts with the corresponding locally maintained neighbor entry, drops the packet.
The DLDP down port sends out a RecoverProbe packet, which carries only information about the local port, every two seconds. Upon receiving the RecoverProbe packet, the remote end returns a RecoverEcho packet. Upon receiving the RecoverEcho packet, the local port checks whether neighbor information in the RecoverEcho packet is the same as the local port information.
For DLDP to work properly, enable DLDP on both sides and make sure these settings are consistent: the interval for sending Advertisement packets, DLDP authentication mode, and password. DLDP does not process any link aggregation control protocol (LACP) events. The links in an aggregation are treated as individual links in DLDP.
Enhanced mode: In this mode, DLDP actively detects neighbors when the corresponding neighbor entries age out. The system can thus identify two types of unidirectional links: cross-connected fibers and disconnected fibers.
Follow these steps to set DLDP mode:
To do… Use the command…...
To do… / Use the command… / Remarks
Enter system view: system-view
Set the DelayDown timer: dldp delaydown-timer time. Remarks: Optional. 1 second by default.
The DelayDown timer setting applies to all DLDP-enabled ports.

Setting the Port Shutdown Mode

On detecting a unidirectional link, the ports can be shut down in one of the following two modes.
Manual mode.
Configuring DLDP Authentication You can guard your network against attacks and vicious probes by configuring an appropriate DLDP authentication mode, which can be clear text authentication or MD5 authentication. If your network is safe, you can choose not to authenticate. Follow these steps to configure DLDP authentication: To do…...
Resetting DLDP State in Port View/Port Group View

Resetting DLDP state in port view or port group view applies to the current port or all the ports in the port group shut down by DLDP.
Follow these steps to reset DLDP state in port view/port group view:
To do…...
Configuration procedure

Configuration on Device A
# Enable DLDP globally and then on GigabitEthernet 1/0/50 and GigabitEthernet 1/0/51 respectively.
<DeviceA> system-view
[DeviceA] dldp enable
[DeviceA] interface gigabitethernet 1/0/50
[DeviceA-GigabitEthernet1/0/50] dldp enable
[DeviceA-GigabitEthernet1/0/50] quit
[DeviceA] interface gigabitethernet 1/0/51
[DeviceA-GigabitEthernet1/0/51] dldp enable
[DeviceA-GigabitEthernet1/0/51] quit
# Set the interval for sending Advertisement packets to 6 seconds.
DLDP global status : enable
DLDP interval : 6s
DLDP work-mode : enhance
DLDP authentication-mode : none
DLDP unidirectional-shutdown : auto
DLDP delaydown-timer : 2s
The number of enabled ports is 2.
Interface GigabitEthernet1/0/50
DLDP port state : disable
DLDP link state : down
The neighbor number of the port is 0.
Neighbor port index : 59
Neighbor state : two way
Neighbor aged time : 11
The output information indicates that both GigabitEthernet 1/0/50 and GigabitEthernet 1/0/51 are in Advertisement state and the links are up, which means unidirectional links are not detected and the two ports are restored.
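Reading the output above by eye is fine for two ports; across many switches a parser is more reliable. The following is an added example, not code from the H3C manual: it parses text in the shape of the display dldp output shown in this chapter (the sample below is constructed, not captured from a device) and flags the conditions a defender cares about: ports shut down by DLDP, neighbors that are not two-way, and the authentication-mode none setting that the Configuring DLDP Authentication section advises against on untrusted links.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the manual's "display dldp" output format.
# It is not real device output; the values are chosen for illustration.
SAMPLE_DISPLAY_DLDP = """\
DLDP global status : enable
DLDP interval : 6s
DLDP work-mode : enhance
DLDP authentication-mode : none
DLDP unidirectional-shutdown : auto
DLDP delaydown-timer : 2s
The number of enabled ports is 2.

Interface GigabitEthernet1/0/50
DLDP port state : disable
DLDP link state : down
The neighbor number of the port is 0.

Interface GigabitEthernet1/0/51
DLDP port state : advertisement
DLDP link state : up
The neighbor number of the port is 1.
Neighbor port index : 59
Neighbor state : two way
Neighbor aged time : 11
"""


@dataclass
class DldpPort:
    name: str
    port_state: str = ""
    link_state: str = ""
    neighbor_count: int = 0
    neighbor_states: list = field(default_factory=list)


def parse_display_dldp(text):
    """Split the output into global settings (dict, lower-cased keys) and ports."""
    glob, ports, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Interface\s+(\S+)$", line)
        if m:                                   # start of a per-port section
            current = DldpPort(m.group(1))
            ports.append(current)
            continue
        m = re.match(r"^The number of enabled ports is (\d+)\.$", line)
        if m:
            glob["enabled_ports"] = int(m.group(1))
            continue
        m = re.match(r"^The neighbor number of the port is (\d+)\.$", line)
        if m and current is not None:
            current.neighbor_count = int(m.group(1))
            continue
        m = re.match(r"^(.+?)\s*:\s*(.+)$", line)  # generic "key : value" rows
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if current is None:
            glob[key] = value
        elif key == "dldp port state":
            current.port_state = value
        elif key == "dldp link state":
            current.link_state = value
        elif key == "neighbor state":
            current.neighbor_states.append(value)
    return glob, ports


def audit_dldp(glob, ports):
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    if glob.get("dldp global status") != "enable":
        findings.append("global: DLDP is not enabled")
    if glob.get("dldp authentication-mode", "none") == "none":
        findings.append("global: authentication-mode is none; DLDP packets are unauthenticated")
    if glob.get("dldp unidirectional-shutdown") == "manual":
        findings.append("global: shutdown mode is manual; a detected unidirectional link needs operator action")
    for p in ports:
        if p.port_state == "disable":
            findings.append(f"{p.name}: shut down by DLDP (unidirectional link), link state {p.link_state}")
        elif p.port_state == "advertisement" and p.neighbor_count == 0:
            findings.append(f"{p.name}: Advertisement state but no neighbor learned")
        for s in p.neighbor_states:
            if s != "two way":
                findings.append(f"{p.name}: neighbor state is '{s}', not two way")
    return findings


if __name__ == "__main__":
    for f in audit_dldp(*parse_display_dldp(SAMPLE_DISPLAY_DLDP)):
        print(f)
```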
Table of Contents
1 Ethernet OAM Configuration 1-1
  Ethernet OAM Overview 1-1
    Background 1-1
    Major Functions of Ethernet OAM 1-1
    Ethernet OAMPDUs 1-1
    How Ethernet OAM Works 1-3
    Standards and Protocols 1-6
  Ethernet OAM Configuration Task List 1-6
  Configuring Basic Ethernet OAM Functions 1-6
  Configuring Link Monitoring 1-7
    Configuring Errored Symbol Event Detection 1-7
    Configuring Errored Frame Event Detection 1-7
...
Ethernet OAM Configuration
When configuring the Ethernet OAM function, go to these sections for information you are interested in:
  Ethernet OAM Overview
  Ethernet OAM Configuration Task List
  Configuring Basic Ethernet OAM Functions
  Configuring Link Monitoring
  Enabling OAM Remote Loopback
  Displaying and Maintaining Ethernet OAM Configuration
  Ethernet OAM Configuration Example
Ethernet OAM Overview
Background...
Figure 1-1 Formats of different types of Ethernet OAMPDUs
The fields in an OAMPDU are described as follows:
Table 1-1 Description of the fields in an OAMPDU
Field / Description
Dest addr: Destination MAC address of the Ethernet OAMPDU. It is the slow protocol multicast address 0180c2000002. As slow protocol packets cannot be forwarded by bridges, Ethernet OAMPDUs cannot be forwarded.
Table 1-2 Functions of different types of OAMPDUs
OAMPDU type / Function
Information OAMPDU: Used for transmitting state information of an Ethernet OAM entity (including information about the local device and remote devices, and customized information) to the remote Ethernet OAM entity and maintaining OAM connections.
Event OAMPDU: Used by link monitoring to notify the remote OAM entity when it detects problems...
OAM connections can be initiated only by OAM entities operating in active OAM mode, while those operating in passive mode wait and respond to the connection requests sent by their peers. No OAM connection can be established between OAM entities operating in passive OAM mode. After an Ethernet OAM connection is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs periodically to keep the Ethernet OAM connection valid.
An unexpected fault, such as power failure, occurred.
Critical event: An undetermined critical event happened.
The support of S5120-EI series Ethernet switches for information OAMPDUs carrying critical link events is as follows: S5120-EI series Ethernet switches are able to receive information OAMPDUs carrying the critical...
non-OAMPDUs to its peer. After receiving these PDUs, the peer does not forward them according to their destination addresses. Instead, it returns them to the sender along the original path. Remote loopback enables you to check the link status and locate link failures. Performing remote loopback periodically helps to detect network faults in time.
To change the Ethernet OAM operating mode on an Ethernet OAM-enabled port, you need to first disable Ethernet OAM on the port.
Configuring Link Monitoring
After Ethernet OAM connections are established, the link monitoring periods and thresholds configured in this section take effect on all Ethernet ports automatically.
Configuring Errored Symbol Event Detection
An errored symbol event occurs when the number of detected symbol errors over a specific detection interval exceeds the predefined threshold.
Configuring Errored Frame Period Event Detection
An errored frame period event occurs if the number of frame errors in a specific number of received frames exceeds the predefined threshold. Follow these steps to configure errored frame period event detection:
To do… Use the command…...
To do… / Use the command… / Remarks
Enter Ethernet port view: interface interface-type interface-number
Enable Ethernet OAM remote loopback: oam loopback (Required; disabled by default)
Because enabling Ethernet OAM remote loopback impacts other services, use this function with caution. Ethernet OAM remote loopback is available only after the Ethernet OAM connection is established and can be performed only by the Ethernet OAM entities operating in active Ethernet OAM mode.
To do… / Use the command… / Remarks
Clear statistics on Ethernet OAM packets and Ethernet OAM link error events: reset oam [ interface interface-type interface-number ] (Available in user view only)
Ethernet OAM Configuration Example
Network requirements
Enable Ethernet OAM on Device A and Device B to auto-detect link errors between the two devices.
[DeviceA] display oam configuration
Configuration of the link event window/threshold :
--------------------------------------------------------------------------
Errored-symbol Event period(in seconds)
Errored-symbol Event threshold
Errored-frame Event period(in seconds)
Errored-frame Event threshold
Errored-frame-period Event period(in ms) 1000
Errored-frame-period Event threshold
Errored-frame-seconds Event period(in seconds)
Errored-frame-seconds Event threshold
According to the above output information, the detection period of errored frame events is 20 seconds, the detection threshold is 10 seconds, and all the other parameters use the default values.
Table of Contents
1 CFD Configuration 1-1
  Overview 1-1
    Basic Concepts in CFD 1-1
    CFD Functions 1-4
    Protocols and Standards 1-4
  CFD Configuration Task List 1-4
  Basic Configuration Tasks 1-5
    Configuring Service Instance 1-5
    Configuring MEP 1-6
    Configuring MIP Generation Rules 1-6
  Configuring CC on MEPs 1-7
    Configuration Prerequisites 1-7
    Configuring Procedure 1-7
  Configuring LB on MEPs 1-8
  ...
CFD Configuration
When configuring CFD, go to these sections for information you are interested in:
  Overview
  CFD Configuration Task List
  Basic Configuration Tasks
  Configuring CC on MEPs
  Configuring LB on MEPs
  Configuring LT on MEPs
  Displaying and Maintaining CFD
  CFD Configuration Examples
Overview
Connectivity Fault Detection (CFD), which conforms to Connectivity Fault Management (CFM) defined by IEEE 802.1ag, is an end-to-end per-VLAN link layer Operations, Administration and Maintenance...
Figure 1-1 Two nested MDs
CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can use CFD to rapidly locate failure points.
Maintenance association
A maintenance association (MA) is a set of maintenance points (MPs) in an MD. An MA is identified by the “MD name + MA name”.
As shown in Figure 1-2, an outward-facing MEP sends packets to its host port.
Figure 1-3 Inward-facing MEP
As shown in Figure 1-3, an inward-facing MEP does not send packets to its host port. Rather, it sends packets to other ports on the device. A MIP is internal to an MD.
CFD Functions
CFD works effectively only in properly configured networks. Its functions, which are implemented through the MPs, include:
  Continuity check (CC)
  Loopback (LB)
  Linktrace (LT)
Continuity check
Continuity check is responsible for checking the connectivity between MEPs. Connectivity faults are usually caused by device faults or configuration errors.
Tasks / Remarks
Basic Configuration Tasks (Required): These configurations are the foundation for other configuration tasks.
Configuring CC on MEPs (Required): Configuring the MEPs to send CCMs to manage link connectivity.
Configuring LB on MEPs (Optional): Checking link state by testing link connectivity.
Configuring LT on MEPs (Optional): Tracing link fault and finding the path between the source MEP and...
To do... / Use the command... / Remarks
Create an MD: cfd md md-name level level-value (Required; not created by default)
Create an MA: cfd ma ma-name md md-name vlan vlan-id (Required; not created by default)
Create a service instance: cfd service-instance instance-id md md-name ma ma-name (Required; not created by default)
These configuration tasks are the foundation for other CFD configuration tasks.
To do... / Use the command... / Remarks
Enter system view: system-view
Configure the rules for generating MIPs: cfd mip-rule { explicit | default } service-instance instance-id (Required; by default, neither the MIPs nor the rules for generating MIPs are configured)
MIPs are generated on each port automatically according to the rules specified in the cfd mip-rule command.
To do... / Use the command... / Remarks
Enable CCM sending on a MEP: cfd cc service-instance instance-id mep mep-id enable (Required; disabled by default)
The relationship between the interval field value in the CCM messages, the interval between CCM messages and the timeout time of the remote MEP is illustrated in Table 1-2.
To implement the first function, the specified MEP first sends LTM messages to the target MEP. Based on the LTR messages sent in response to the LTMs, the path between the two MEPs can be identified. For the second function, after automatic LT message sending is enabled, if a MEP fails to receive CCMs from the remote MEP within 3.5 sending intervals, the link between the two is regarded as faulty and LTMs are sent out.
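To make the CC timeout rule concrete, here is an added Python model (not the switch's implementation) of a local MEP tracking its remote MEPs and declaring one lost once no CCM has arrived for 3.5 sending intervals, which is the point at which the text says LTMs are sent. The interval-field-to-seconds mapping is the IEEE 802.1ag CCM Interval encoding, not this page's Table 1-2, and the scenario data are constructed.

```python
"""CFD continuity check (CC) timeout model for remote MEPs.

Added example, not the switch's own code. A local MEP that receives no CCM
from a remote MEP for 3.5 CCM sending intervals treats that remote MEP as
unreachable; on this page that is the condition that triggers automatic LTM
sending. The interval-field decoding below is the IEEE 802.1ag CCM Interval
encoding (Table 1-2 itself is not reproduced on this page); the scenario at
the bottom is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# IEEE 802.1ag CCM Interval field (values 1..7) -> sending interval in seconds
CCM_INTERVAL_SECONDS = {
    1: 0.00333,  # 3.33 ms
    2: 0.01,     # 10 ms
    3: 0.1,      # 100 ms
    4: 1.0,      # 1 s
    5: 10.0,     # 10 s
    6: 60.0,     # 1 min
    7: 600.0,    # 10 min
}
TIMEOUT_INTERVALS = 3.5   # remote MEP timeout expressed in sending intervals


def ccm_timeout_seconds(interval_field: int) -> float:
    """Remote-MEP timeout for a CCM Interval field value."""
    if interval_field not in CCM_INTERVAL_SECONDS:
        raise ValueError(f"CCM interval field must be 1..7, got {interval_field}")
    return TIMEOUT_INTERVALS * CCM_INTERVAL_SECONDS[interval_field]


@dataclass
class RemoteMepState:
    interval_field: int
    last_ccm_time: float
    lost: bool = False        # True once the timeout has been declared


@dataclass
class CcMonitor:
    """Tracks the remote MEPs seen by one local MEP in one service instance."""
    remote: Dict[int, RemoteMepState] = field(default_factory=dict)
    events: List[Tuple[str, int, float]] = field(default_factory=list)

    def receive_ccm(self, remote_mep_id: int, interval_field: int, now: float) -> None:
        """Record a CCM; a CCM from a lost remote MEP restores it."""
        st = self.remote.get(remote_mep_id)
        if st is None:
            self.remote[remote_mep_id] = RemoteMepState(interval_field, now)
            return
        if st.lost:
            st.lost = False
            self.events.append(("restored", remote_mep_id, now))
        st.interval_field = interval_field
        st.last_ccm_time = now

    def check(self, now: float) -> List[int]:
        """Declare timeouts at time `now`; return the remote MEPs newly lost."""
        newly_lost = []
        for mep_id, st in self.remote.items():
            if st.lost:
                continue
            if now - st.last_ccm_time >= ccm_timeout_seconds(st.interval_field):
                st.lost = True
                newly_lost.append(mep_id)
                # In the text, this is the point where LTMs would be sent out.
                self.events.append(("lost", mep_id, now))
        return newly_lost


def run_scenario() -> List[Tuple[str, int, float]]:
    """Constructed scenario: remote MEP 2 keeps sending 1 s CCMs (interval
    field 4); remote MEP 3 sends once, goes silent, and returns at t = 7 s."""
    mon = CcMonitor()
    for t in range(6):
        mon.receive_ccm(2, 4, float(t))
        if t == 0:
            mon.receive_ccm(3, 4, 0.0)
        mon.check(float(t))          # MEP 3 times out at t = 4 (>= 3.5 s)
    mon.receive_ccm(3, 4, 7.0)
    return mon.events


if __name__ == "__main__":
    for kind, mep_id, at in run_scenario():
        print(f"t={at:.1f}s remote MEP {mep_id} {kind}")
```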
To do... / Use the command... / Remarks
Display LTR information received by a MEP: display cfd linktrace-reply [ service-instance instance-id [ mep mep-id ] ] (Available in any view)
Display the information of a remote MEP: display cfd remote-mep service-instance instance-id mep mep-id (Available in any view)...
[DeviceA] cfd enable
[DeviceA] cfd md MD_A level 5
[DeviceA] cfd ma MA_MD_A md MD_A vlan 100
[DeviceA] cfd service-instance 1 md MD_A ma MA_MD_A
Configuration on Device C
<DeviceC> system-view
[DeviceC] cfd enable
[DeviceC] cfd md MD_B level 3
[DeviceC] cfd ma MA_MD_B md MD_B vlan 100
[DeviceC] cfd service-instance 2 md MD_B ma MA_MD_B
Configuration on Device B (configuration on Device D is the same as that on Device B)
Configuring LB on MEPs
Network requirements
Use the LB function to trace the fault source after CC detects a link fault. As shown in Figure 1-6, enable LB on Device A so that Device A can send LBM messages to MEPs on Device D.
Table of Contents
1 Track Configuration 1-1
  Track Overview 1-1
    Collaboration Between the Track Module and the Detection Modules 1-1
    Collaboration Between the Track Module and the Application Modules 1-2
  Track Configuration Task List 1-2
  Configuring Collaboration Between the Track Module and the Detection Modules 1-2
    Configuring Track-NQA Collaboration 1-2
  Configuring Collaboration Between the Track Module and the Application Modules 1-3
    Configuring Track-Static Routing Collaboration 1-3
  ...
Track Configuration
When configuring Track, go to these sections for information you are interested in:
  Track Overview
  Track Configuration Task List
  Configuring Collaboration Between the Track Module and the Detection Modules
  Configuring Collaboration Between the Track Module and the Application Modules
  Displaying and Maintaining Track Object(s)
  Track Configuration Examples
Track Overview...
If the probe succeeds, the status of the corresponding Track object is Positive; if the probe fails, the status is Negative. If the probe result is invalid (for example, the NQA test group collaborating with the track entry does not exist), the status of the track entry is Invalid.
To do… / Use the command… / Remarks
Create a Track object and associate it with the specified Reaction entry of the NQA test group: track track-entry-number nqa entry admin-name operation-tag reaction item-number (Required; no Track object is created by default)
When you configure a Track object, the specified NQA test group and Reaction entry can be nonexistent.
For the configuration of Track-Static Routing collaboration, the specified static route can be an existent or nonexistent one. For an existent static route, the static route and the specified Track object are associated directly; for a nonexistent static route, the system creates the static route and then associates it with the specified Track object.
Configuration procedure
Configure the IP address of each interface as shown in Figure 1-2.
Configure a static route on Switch A and associate it with the Track object.
# Configure the address of the next hop of the static route to Switch C as 10.2.1.1, and configure the static route to associate with Track object 1.
Destination/Mask    Proto   Cost  NextHop     Interface
10.1.1.0/24         Static  60    10.2.1.1    Vlan3
10.2.1.0/24         Direct  0     10.2.1.2    Vlan3
10.2.1.2/32         Direct  0     127.0.0.1   InLoop0
127.0.0.0/8         Direct  0     127.0.0.1   InLoop0
127.0.0.1/32        Direct  0     127.0.0.1   InLoop0
The output information above indicates the NQA test result, that is, the next hop 10.2.1.1 is reachable (the status of the Track object is Positive), and the configured static route is valid.
System Volume Organization
Manual Version 6W101-20100305
Product Version Release 2202
Organization
The System Volume is organized as follows:
Features / Description
Login: Upon logging into a device, you can configure user interface properties and manage the system conveniently. This document describes:
  How to log in to your Ethernet switch
  Introduction to the user interface and common configurations
  Logging In Through the Console Port
  ...
Features / Description
File System Management: A major function of the file system is to manage storage devices, mainly including creating the file system, creating, deleting, modifying and renaming a file or a directory and opening a file. This document describes:
  File system management
  Configuration File Management
  FTP configuration...
Features / Description
The Power over Ethernet (PoE) feature enables the power sourcing equipment (PSE) to feed powered devices (PDs) from Ethernet ports through twisted pair cables. This document describes:
  PoE overview
  Configuring the PoE Interface
  Configuring PoE power management
  Configuring the PoE monitoring function
  Online upgrading the PSE processing software
  Configuring a PD Disconnection Detection Mode
  Enabling the PSE to detect nonstandard PDs...
Features / Description
Intelligent Resilient Framework (IRF) allows you to build an IRF, namely a united device, by interconnecting multiple devices through IRF ports. You can manage all the devices in the IRF by managing the united device. This document describes:
  IRF Overview
  IRF Working Process
  Configuring IRF...
Table of Contents
1 Logging In to an Ethernet Switch 1-1
  Logging In to an Ethernet Switch 1-1
  Introduction to User Interface 1-1
    Supported User Interfaces 1-1
    Users and User Interfaces 1-2
    User Interface Number 1-2
    Common User Interface Configuration 1-2
2 Logging In Through the Console Port 2-1
  Introduction 2-1
  Setting Up the Connection to the Console Port 2-1
  Console Port Login Configuration 2-3
  ...
    Configuration procedure 4-3
  Command Accounting Configuration Example 4-4
    Network diagram 4-4
    Configuration procedure 4-4
5 Logging in Through Web-based Network Management System 5-1
  Introduction 5-1
  Web Server Configuration 5-1
  Displaying Web Users 5-2
  Configuration Example 5-2
6 Logging In Through NMS 6-1
  Introduction 6-1
  Connection Establishment Using NMS 6-1
7 Specifying Source for Telnet Packets 7-1
  Introduction 7-1
  ...
Introduction to User Interface
Supported User Interfaces
As the AUX port and the Console port of an H3C series switch are the same physical port, you will be in the AUX user interface if you log in through this port. H3C S5120-EI series Ethernet switches support two types of user interfaces: AUX and VTY.
Users and User Interfaces
A device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces are supported. These user interfaces are not associated with specific users. When a user initiates a connection request, the system automatically assigns the user the idle user interface with the smallest number of the type that matches the login type.
...login | shell | motd } text (Optional)
Set a system name for the switch: sysname string (Optional; the default name is H3C)
Enter one or more user interface views: user-interface [ type ] first-number [ last-number ]
Display the information about...
Logging in through the Console port is the most common way to log in to a switch. It is also the prerequisite for configuring other login methods. By default, you can log in to an H3C S5120-EI series Ethernet switch through its Console port only.
If you use a PC to connect to the Console port, launch a terminal emulation utility (such as HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normally, the parameters of a terminal are configured as those listed in Table 2-1.
Figure 2-4 Set port parameters terminal window
Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after the user presses the Enter key.
Configuration / Description
Data bits: databits { 5 | 6 | 7 | 8 } (Optional; the default data bits of a Console port is 8)
Configure the command level available to the users logging in to the AUX user interface: user privilege level level (Optional; by default, commands of level 3 are available to the users...)
Authentication mode / Console port login configuration / Description
Perform common configuration: Perform common configuration for Console port login (Optional; refer to Common Configuration for details)
AAA configuration: Specify whether to perform local authentication (Optional; local authentication is performed by default)
Configuration Example
Network requirements
Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to limit the console user in the following aspects.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting Up the Connection to the Console Port for details.
Network diagram
Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate the user logging in through the Console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
Console Port Login Configuration with Authentication Mode Being Scheme
Configuration Procedure
Follow these steps to perform Console port login configuration (with authentication mode being scheme):
To do… / Use the command… / Remarks
Enter system view: system-view
Enter AUX user interface view: user-interface aux 0
...
Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command.
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Terminal.
[Sysname-luser-guest] service-type terminal
[Sysname-luser-guest] quit
# Enter AUX user interface view.
Follow these steps to enable command authorization:
To do… / Use the command… / Remarks
Enter system view: system-view
Enter AUX user interface view: user-interface aux
Enable command authorization: command authorization (Required; disabled by default, that is, users can execute commands without authorization)
Logging In Through Telnet/SSH
Logging In Through Telnet
When logging in through Telnet, go to these sections for information you are interested in:
  Introduction
  Telnet Connection Establishment
  Telnet Login Configuration with Authentication Mode Being None
  Telnet Login Configuration with Authentication Mode Being Password
  Telnet Login Configuration with Authentication Mode Being Scheme
  Configuring Command Authorization
  Configuring Command Accounting...
Step 5: Enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <H3C>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
Step 4: Enter the password. If the password is correct, the CLI prompt (such as <H3C>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
Common Configuration
Table 3-2 lists the common Telnet configuration.
Table 3-2 Common Telnet configuration
Configuration / Remarks
Enter system view: system-view
Make the switch operate as a Telnet server: telnet server enable (By default, a switch does not operate as a Telnet server)
user-interface vty...
Table 3-3 Telnet login configuration tasks when different authentication modes are adopted
Task / Description
Telnet Login Configuration with Authentication Mode Being None: Configure not to authenticate users logging in to user interfaces
Telnet Login Configuration with Authentication Mode Being Password: Configure to authenticate users logging in to user interfaces using a local password and configure the local password...
Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none)
Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
Note that if you configure to authenticate users in the password mode, the command level available to users logging in to a switch depends on both the authentication-mode password command and the user privilege level level command.
Configuration Example
Network requirements
Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:...
Telnet Login Configuration with Authentication Mode Being Scheme
Configuration Procedure
Follow these steps to perform Telnet configuration (with authentication mode being scheme):
To do… / Use the command… / Remarks
Enter system view: system-view
Enter one or more VTY user interface views: user-interface vty ...
When the RADIUS or HWTACACS authentication mode is used, the user levels are set on the corresponding RADIUS or HWTACACS servers. For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security Volume.
Configuration Example
Network requirements
Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:
  Configure the name of the local user to be “guest”.
# Configure to authenticate users logging in to VTY 0 in the scheme mode.
[Sysname-ui-vty0] authentication-mode scheme
# Configure the Telnet protocol to be supported.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
To do… / Use the command… / Remarks
Enable command authorization: command authorization (Required; disabled by default, that is, users can execute commands without authorization)
Configuring Command Accounting
Command accounting allows the HWTACACS server to record all commands executed on the device regardless of the command execution result.
User Interface Configuration Examples
User Authentication Configuration Example
Network diagram
As shown in Figure 4-1, command levels should be configured for different users to secure Device:
  The device administrator accesses Device through the console port on Host A. When the administrator logs in to the device, username and password are not required.
[Device-ui-vty0-4] quit
# Create a RADIUS scheme and configure the IP address and UDP port for the primary authentication server for the scheme. Ensure that the port number is consistent with that on the RADIUS server. Set the shared key for authentication packets to expert for the scheme and the RADIUS server type of the scheme to extended.
Configuration procedure
# Assign an IP address to Device so that Device is reachable from Host A and from the HWTACACS server. The configuration is omitted.
# Enable the telnet service on Device.
<Device> system-view
[Device] telnet server enable
# Set to use username and password authentication when users use VTY 0 to log in to Device. The commands that the user can execute depend on the authentication result.
Command Accounting Configuration Example
Network diagram
As shown in Figure 4-3, configure the commands that the login users execute to be recorded on the HWTACACS server to control and monitor user operations.
Figure 4-3 Network diagram for configuring command accounting (HWTACACS server 192.168.2.20/24; console connection...)
[Device-radius-rad] quit
# Create ISP domain system, and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users.
[Device] domain system
[Device-isp-system] accounting command hwtacacs-scheme tac
[Device-isp-system] quit...
Logging in Through Web-based Network Management System
Introduction
An S5120-EI series switch has a built-in Web server. You can log in to an S5120-EI series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.
To do… / Use the command… / Remarks
Configure the authorization attributes for the local user: authorization-attribute level level (Optional; by default, no authorization attribute is configured for a local user)
Specify the service types for the local user: service-type telnet (Optional; by default, no service is authorized to a user)
Step 4: Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.)
Step 5: When the login interface (shown in Figure...
Logging In Through NMS
When logging in through NMS, go to these sections for information you are interested in:
  Introduction
  Connection Establishment Using NMS
Introduction
You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
Specifying Source for Telnet Packets
When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in:
  Introduction
  Specifying Source IP Address/Interface for Telnet Packets
  Displaying the Source IP Address/Interface Specified for Telnet Packets
Introduction
To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
To do… / Use the command… / Remarks
Specify source IP address/interface for Telnet packets: telnet client source { ip ip-address | interface interface-type interface-number } (Optional; by default, no source IP address/interface is specified)
The IP address specified must be a local IP address. When specifying the source interface for Telnet packets, make sure the interface already exists.
Controlling Login Users
When controlling login users, go to these sections for information you are interested in: Introduction; Controlling Telnet Users; Controlling Network Management Users by Source IP Addresses
Introduction
Multiple ways are available for controlling different types of login users, as listed in Table 8-1.
To do… / Use the command… / Remarks
- Define rules for the ACL: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* (Required)
- Quit to system view —...
Controlling Telnet Users by Source MAC Addresses
This configuration needs to be implemented with a Layer 2 ACL; Layer 2 ACLs are numbered from 4000 to 4999. For the definition of ACL, refer to ACL Configuration in the Security Volume. Follow these steps to control Telnet users by source MAC addresses:
To do…...
[Sysname-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses
You can manage an H3C S5120-EI series Ethernet switch through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
# Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch.
[Sysname] snmp-agent community read h3c acl 2000
[Sysname] snmp-agent group v2c h3cgroup acl 2000
[Sysname] snmp-agent usm-user v2c h3cuser h3cgroup acl 2000...
Controlling Web Users by Source IP Addresses
The S5120-EI series Ethernet switches support Web-based remote management, which allows Web users to access the switches using the HTTP protocol. By referencing access control lists (ACLs), you can control the access of Web users to the switches.
Figure 8-3 Configure an ACL to control the access of HTTP users to the switch (Host A 10.110.100.46 and Host B 10.110.100.52 reach the Switch across an IP network)
Configuration procedure
# Create a basic ACL.
<Sysname> system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
# Reference the ACL to allow only Web users using IP address 10.110.100.52 to access the switch.
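The SNMP and Web examples above both restrict management access by referencing a basic ACL. The following script is an added example, not code from the H3C manual: it models how a basic ACL with match-order config evaluates a source address against rules of the form shown above (including the wildcard-mask semantics, where 0 means an exact match and 1 bits are ignored), so an administrator can verify which management hosts an ACL admits before referencing it. The default-deny result for a source that matches no rule and the numbering assigned to rules entered without a rule-id are assumptions of this example.

```python
"""Evaluate an H3C-style basic ACL (2000-2999) against candidate source addresses.

Added example for the manual's SNMP/Web access-control sections; it is not H3C code.
Assumptions: a source matching no rule is denied, and a rule entered without a
rule-id gets the next free number.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str               # "permit" or "deny"
    network: Optional[int]    # None means "source any"
    wildcard: int             # H3C wildcard mask: 1 bits are "don't care"

    def matches(self, src: int) -> bool:
        if self.network is None:
            return True
        care = ~self.wildcard & 0xFFFFFFFF   # bits that must be equal
        return (src & care) == (self.network & care)


def _addr_to_int(token: str) -> int:
    # H3C accepts the shorthand "0" for the wildcard 0.0.0.0 (exact host match).
    return int(token) if token.isdigit() else int(ipaddress.IPv4Address(token))


def parse_rule(line: str, next_id: int) -> Rule:
    """Parse 'rule [ id ] { permit | deny } [ source { addr wildcard | any } ]'."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    i = 1
    rule_id = next_id
    if i < len(tokens) and tokens[i].isdigit():
        rule_id = int(tokens[i])
        i += 1
    action = tokens[i]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    i += 1
    # No source clause, or "source any": the rule matches every source.
    if i >= len(tokens) or tokens[i] != "source" or tokens[i + 1] == "any":
        return Rule(rule_id, action, None, 0xFFFFFFFF)
    return Rule(rule_id, action, _addr_to_int(tokens[i + 1]), _addr_to_int(tokens[i + 2]))


def load_acl(config_lines: List[str]) -> List[Rule]:
    """Return the rules in configuration order, as 'match-order config' evaluates them."""
    rules: List[Rule] = []
    next_id = 0
    for raw in config_lines:
        line = raw.strip()
        if line.startswith("rule "):
            rule = parse_rule(line, next_id)
            rules.append(rule)
            next_id = rule.rule_id + 1   # assumed numbering for id-less rules
    return rules


def check_source(rules: List[Rule], src_ip: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins; (action, rule_id). No match -> assumed deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for rule in rules:
        if rule.matches(src):
            return rule.action, rule.rule_id
    return "deny", None


# Constructed configurations: ACL 2030 mirrors the Web example above, ACL 2000 the
# SNMP example extended with an explicit final deny and a /24-style wildcard rule.
ACL_2030 = [
    "acl number 2030 match-order config",
    "rule 1 permit source 10.110.100.52 0",
]
ACL_2000 = [
    "acl number 2000 match-order config",
    "rule 0 permit source 10.110.100.52 0",
    "rule 5 permit source 10.110.100.46 0",
    "rule 10 deny source 10.110.100.0 0.0.0.255",   # wildcard: ignore last octet
    "rule permit source any",                       # id-less rule, assumed id 11
]

if __name__ == "__main__":
    for name, cfg in (("ACL 2030", ACL_2030), ("ACL 2000", ACL_2000)):
        rules = load_acl(cfg)
        for host in ("10.110.100.52", "10.110.100.46", "10.110.100.77", "192.0.2.9"):
            print(name, host, check_source(rules, host))
```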
Table of Contents
1 Basic Configurations 1-1
  Configuration Display 1-1
  Entering System View 1-2
  Exiting the Current View 1-2
  Exiting to User View 1-2
  Configuring the Device Name 1-3
  Configuring the System Clock 1-3
    Configuring the system clock 1-3
    Displaying the system clock 1-3
  Enabling/Disabling the Display of Copyright Information 1-6
  Configuring a Banner 1-6
    Introduction to banners 1-6...
Basic Configurations
While performing basic configurations of the system, go to these sections for information you are interested in: Configuration Display; Entering System View; Exiting the Current View; Exiting to User View; Configuring the Device Name; Configuring the System Clock; Enabling/Disabling the Display of Copyright Information; Configuring a Banner; Configuring CLI Hotkeys...
To do… / Use the command… / Remarks
- Display the configuration saved on the storage media of the device: display saved-configuration [ by-linenum ] (For details of the display saved-configuration command, refer to File System Management Commands in the System Volume.)
Entering System View
After you log in to the device, you will automatically enter user view.
- Configure the device name: sysname sysname (Optional. The device name is “H3C” by default.)
Configuring the System Clock
Configuring the system clock
The system clock, shown by the system time stamp, is determined by the configured relative time, time zone, and daylight saving time. You can view the system clock by using the display clock command.
original system clock. If you combine these three commands in different ways, the system clock is displayed in the ways shown in Table 1-1. The meanings of the parameters in the configuration column are as follows: 1 indicates that date-time has been configured with the clock datetime command. 2 indicates that time-zone has been configured with the clock timezone command and the offset time is zone-offset.
Table 1-1 (fragment). Columns: Configuration / Example / System clock displayed by the display clock command
- Configuration: date-time is in the daylight saving time range
- Example: Configure: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:30 2007/1/1. Display: 23:30:00 UTC Sun 12/31/2006
- System clock displayed: If the value of “date-time” - “summer-offset” is not in the summer-time range, “date-time”...
The display format of copyright information is as shown below:
****************************************************************************
* Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.
Configuring a banner
When you configure a banner, the system supports two input modes. One is to input all the banner information right after the command keywords. The start and end characters of the input text must be the same but are not part of the banner information. In this case, the input text, together with the command keywords, cannot exceed 510 characters.
By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are associated with commands, and the Ctrl+T and Ctrl+U hotkeys are NULL (unassigned). Ctrl+G corresponds to the display current-configuration command. Ctrl+L corresponds to the display ip routing-table command. Ctrl+O corresponds to the undo debugging all command.
Table 1-2 Hotkeys reserved by the system
Hotkey / Function...
These hotkeys are defined by the device. When you interact with the device from terminal software, these keys may be defined to perform other operations. If so, the definition in the terminal software takes precedence.
Configuring Command Aliases
You can replace the first keyword of a command supported by the device with your preferred keyword by configuring the command alias function.
levels, which are visit, monitor, system, and manage from low to high, identified respectively by 0 through 3. Table 1-3 describes the levels of the commands.
Table 1-3 Default command levels
Level / Privilege / Description
Involves commands for network diagnosis and commands for accessing an external device.
To do… / Use the command… / Remarks
- Configure the authorization attribute (using local authentication): Use the local-user command to create a local user and enter local user view. Use the level keyword in the authorization-attribute command (Use either approach. For local authentication, if you do not configure the user level, the user level is 0, that is, users of this level...
Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type):
To do… / Use the command… / Remarks
- Configure the authentication type (Required if users adopt the SSH login mode, and only a username, instead of a password, is needed at authentication. For the details, refer to SSH2.0...
[Sysname-ui-vty0-4] user privilege level 1
By default, when users telnet to the device, they can only use the following commands after passing the authentication:
<Sysname> ?
User view commands:
  cluster   Run cluster command
  display   Display current system information
  ping      Ping function
  quit      Exit from current command view
  ssh2...
Switching user privilege level
Users can switch their user privilege level temporarily without logging out and disconnecting the current connection; after the switch, users can continue to configure the device without logging in and being authenticated again, but the set of commands they can execute changes. For example, if the current user privilege level is 3, the user can configure system parameters;...
Modifying command level
All the commands in a view are assigned default levels, as shown in Table 1-3. The administrator can modify the command level based on users’ needs, either to let users of a lower level use commands of a higher level or to improve device security. Follow these steps to modify the command level:
To do…...
For the detailed description of the display users command, refer to Login Commands in the System Volume. Support for the display configure-user and display current-configuration command depends on the device model. The display commands discussed above are for the global configuration. Refer to the corresponding section for the display command for specific protocol and interface.
CLI Features
This section covers the following topics: Introduction to CLI; Online Help with Command Lines; Synchronous Information Output; Undo Form of a Command; Editing Features; CLI Display; Saving History Commands; Command Line Error Information
Introduction to CLI
CLI is an interaction interface between devices and users. Through CLI, you can configure your devices by entering commands, view the output information and verify your configurations, thus facilitating your configuration and management of your devices.
  bootrom     Update/read/backup/restore bootrom
              Change current directory
  clock       Specify the system clock
  cluster     Run cluster command
  copy        Copy from one file to another
  debugging   Enable system debugging functions
  delete      Delete a file
              List files on a file system
  display     Show running system information
  ..omitted..
You can use the info-center synchronous command to enable synchronous information output. For the detailed description of this function, refer to Information Center Configuration in the System Volume.
Undo Form of a Command
Adding the keyword undo forms an undo command. Almost every configuration command has an undo form.
CLI Display
By filtering the output information, you can find the wanted information effectively. If there is a lot of information to be displayed, the system displays the information in multiple screens. When the information is displayed in multiple screens, you can also filter the output information to pick up the wanted information.
Character / Meaning / Remarks
- - : Hyphen. It connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ]. For example, “1-9” means numbers from 1 to 9 (inclusive); “a-h” means from a to h (inclusive).
- \ : Escape character. If single special characters listed in this table follow \, the specific meanings of the characters will be removed. For example, “\\” can match a string containing “\”, “\^” can match a string containing “^”, and “\\b” can match a...
needed. By default, the CLI can save up to ten commands for each user. You can use the history-command max-size command to set the capacity of the history commands buffer for the current user interface (For the detailed description of the history-command max-size command, refer to Login Commands in the System Volume).
Table of Contents
1 Device Management 1-1
  Device Management Overview 1-1
  Device Management Configuration Task List 1-1
  Configuring the Exception Handling Method 1-1
  Rebooting a Device 1-2
  Configuring the Scheduled Automatic Execution Function 1-3
  Upgrading Device Software 1-4
    Device Software Overview 1-4
    Upgrading the Boot ROM Program Through Command Lines 1-5
    Upgrading the Boot File Through Command Lines 1-5
  Disabling Boot ROM Access 1-6...
Device Management
When configuring device management, go to these sections for information you are interested in: Device Management Overview; Device Management Configuration Task List; Configuring the Exception Handling Method; Rebooting a Device; Configuring the Scheduled Automatic Execution Function; Upgrading Device Software; Disabling Boot ROM Access; Configuring a Detection Interval; Clearing the 16-bit Interface Indexes Not Used in the Current System...
maintain: The system maintains the current state and does not take any measure to recover itself. Therefore, you need to recover the system manually, for example by rebooting it. Sometimes it is difficult for the system to recover, or some prompts printed during the failure are lost after the reboot.
Use the save command to save the current configuration before you reboot the device to avoid configuration loss. (For details of the save command, refer to File System Management Configuration in the System Volume.) Use the display startup command and the display boot-loader command to verify the configuration files and the startup file to be used at the next system startup before you reboot the device.
After the specified automatic execution time is reached, the system executes the specified command in the background without displaying any information except system information such as log, trap and debug. The system does not require any interactive information when it is executing the specified command.
The Boot ROM program and system boot file can both be upgraded through the Boot ROM menu or command lines. The following sections describe the upgrading through command lines. For instructions about how to upgrade them through the Boot ROM menu, refer to the installation menu of your device.
Upgrading the Boot ROM Program Through Command Lines
Follow these steps to upgrade the Boot ROM program: Copy the Boot ROM program to the root directory of the device's storage medium using FTP or...
To execute the boot-loader command successfully, you must save the file for the next device boot under the root directory of the storage media on a member device. The names of the files for the next boot of the master and slaves may be different, but the versions of the files must be the same;...
Clearing the 16-bit Interface Indexes Not Used in the Current System
In practical networks, the network management software requires the device to provide a uniform, stable 16-bit interface index. That is, a one-to-one relationship should be kept between the interface name and the interface index in the same device.
You can use the Vendor Name field in the prompt information of the display transceiver command to identify an anti-spoofing pluggable transceiver customized by H3C. If the field is H3C, it is considered an H3C-customized pluggable transceiver.
[ interface-type interface-number ] ... optical transceiver(s) customized by H3C only.
Displaying and Maintaining Device Management Configuration
Follow these steps to display and maintain device management configuration:
To do…...
Device Management Configuration Examples
Remote Scheduled Automatic Upgrade Configuration Example (Centralized Device)
Network requirement
As shown in Figure 1-2, the current software version is soft-version1 for Device. Upgrade the software version of Device to soft-version2 and the configuration file to new-config at a time when few services are processed (for example, at 3 am) through remote operations.
<Device> ftp 2.2.2.2
Trying 2.2.2.2 ...
Press CTRL+K to abort
Connected to 2.2.2.2.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(2.2.2.2:(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
# Download file auto-update.txt on the FTP server.
[ftp] ascii
[ftp] get auto-update.txt
# Download file new-config.cfg on the FTP server.
Obtain the boot file and configuration file through legitimate channels, such as the official website of H3C, agents, and technical staff. Save these files under the working path of the TFTP server for the access of the TFTP clients.
... Done!
Setting the slave board ...
Slot 2:
Set next configuration file successfully
# Specify file soft-version2.bin as the boot file for the next boot for all members.
<IRF> boot-loader file soft-version2.bin slot all main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on slot 1!
The specified file will be used as the main boot file at the next reboot on slot 2!
# Reboot the device.
Table of Contents
1 File System Management Configuration 1-1
  File System Management 1-1
    File System Overview 1-1
    Filename Formats 1-1
    Directory Operations 1-2
    File Operations 1-3
    Batch Operations 1-5
    Storage Medium Operations 1-6
    Setting File System Prompt Modes 1-6
    File System Operations Example 1-7
  Configuration File Management 1-7
    Configuration File Overview 1-8
    Saving the Current Configuration 1-9...
    Single Device Upgrade 3-4
    IRF System Upgrade 3-5...
File System Management Configuration
When configuring file system management, go to these sections for information you are interested in: File System Management; Configuration File Management; Displaying and Maintaining Device Configuration
File System Management
This section covers these topics: File System Overview; Filename Formats; Directory Operations; File Operations...
ID. For the S5120-EI series, when you specify a configuration file (.cfg file), startup file (.bin file), or Boot ROM file by inputting its name in the format drive:/[path]/file-name, the total length of the name cannot exceed 63 characters.
Changing the current working directory
To do… / Use the command… / Remarks
- Change the current working directory: cd { directory | .. | / } (Required. Available in user view)
Creating a directory
To do… / Use the command… / Remarks
- Create a directory: mkdir directory (Required. Available in user view)
Removing a directory...
Displaying file information
To do… / Use the command… / Remarks
- Display file or directory information: dir [ /all ] [ file-url ] (Required. Available in user view)
Displaying the contents of a file
To do… / Use the command… / Remarks
- Display the contents of a file (Required. Currently only a .txt file can be displayed.)
The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, you need to execute the reset recycle-bin command in the directory that the file originally belonged to. It is recommended to empty the recycle bin promptly with the reset recycle-bin command to save storage space.
Execution of a batch file does not guarantee the successful execution of every command in the batch file. If a command has error settings or the conditions for executing the command are not satisfied, this command will fail to be executed, and the system will skip the command and go to the next one.
Storage Medium Operations
Managing space of the storage medium
When some space of a storage medium becomes inaccessible due to abnormal operations, for example,...
To prevent undesirable consequences resulting from misoperations, the alert mode is preferred.
To do… / Use the command… / Remarks
- Enter system view: system-view (—)
- Set the operation prompt mode of the file system: file prompt { alert | quiet } (Optional. The default is alert.)
Saving the Current Configuration; Setting Configuration Rollback; Specifying a Startup Configuration File for the Next System Startup; Backing Up the Startup Configuration File; Deleting the Startup Configuration File for the Next Startup; Restoring the Startup Configuration File; Displaying and Maintaining Device Configuration
Configuration File Overview
A configuration file saves the device configurations in command lines in text format.
You can specify the main and backup startup configuration files for the next boot of the device in the following two ways:
- Specify them when saving the current configuration. For detailed configuration, refer to Saving the Current Configuration.
- Specify them when specifying the startup configuration file for the next system startup. For detailed configuration, refer to Specifying a Startup Configuration File for the Next System Startup.
Modes in saving the configuration
Fast saving mode. This is the mode used when you use the save command without the safely keyword. This mode saves the file more quickly but is likely to lose the existing configuration file if the device reboots or the power fails during the process.
is generated by using the backup function (manually or automatically). Configuration rollback is applied in the following situations:
- The current configurations are wrong, and there are too many wrong configurations to locate or correct one by one. Rolling back the current configuration to a correct one is needed.
- The application environment has changed and the device has to run in a configuration state based on a previous configuration file without being rebooted.
Configuring parameters for saving the current running configuration Before the current running configuration is saved manually or automatically, the file path and filename prefix must be configured. After that, the system saves the current running configuration with the specified filename (filename prefix_serial number.cfg) to the specified path. The filename of a saved configuration file is like 20080620archive_1.cfg, or 20080620archive_2.cfg.
The saving and rollback operations are executed only on the master. To make the configuration rollback take effect on the new master after an active/standby switchover, execute the archive configuration location command to specify the path and filename prefix of the saved configuration file on both the master and slaves.
Saving the current running configuration manually
Automatic saving of the current running configuration occupies system resources, and frequent saving greatly affects system performance. Therefore, if the system configuration does not change frequently, it is recommended that you disable the automatic saving of the current running configuration and save it manually.
Specifying a Startup Configuration File for the Next System Startup
A startup configuration file is the configuration file to be used at the next system startup. You can specify a configuration file as the startup configuration file to be used at the next system startup in the following two ways: Use the save command.
Before the backup operation, you should:
- Ensure that the server is reachable, the server is enabled with TFTP service, and the client has permission to read and write.
- Use the display startup command (in user view) to see whether you have set the startup configuration file.
To do… / Use the command… / Remarks
- Restore the startup configuration file to be used at the next system startup: restore startup-configuration from src-addr src-filename (Required. Available in user view)
The restore operation restores the main startup configuration file. Before restoring a configuration file, you should ensure that the server is reachable, the server is enabled with TFTP service, and the client has read and write permission.
FTP Configuration
When configuring FTP, go to these sections for information you are interested in: FTP Overview; Configuring the FTP Client; Configuring the FTP Server; Displaying and Maintaining FTP
FTP Overview
Introduction to FTP
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network.
Table 2-1 Configuration when the device serves as the FTP client
Device / Configuration / Remarks
- Device (FTP client): Use the ftp command to establish the connection to the remote FTP server. (If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP...
Configuring the FTP Client
Establishing an FTP Connection
To access an FTP server, an FTP client must establish a connection with the FTP server. Two ways are available to establish a connection: using the ftp command to establish the connection directly, or using the open command in FTP client view.
If no primary IP address is configured on the specified source interface, no FTP connection can be established. If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the newly configured source IP address will take effect instead of the current source interface, and vice versa.
To do… / Use the command… / Remarks
- View the detailed information of the files/directories on the FTP server: dir [ remotefile [ localfile ] ] (Optional)
- View the names of the files/directories on the FTP server: ls [ remotefile [ localfile ] ] (Optional)
- Download a file from the FTP server: get remotefile [ localfile ]...
FTP Client Configuration Example
Single Device Upgrade
Network requirements
As shown in Figure 2-2, use Device as an FTP client and PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between Device and PC. Device downloads a startup file from PC for device upgrade, and uploads the configuration file to PC for backup.
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
226 Transfer complete.
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
[ftp] bye
# Specify newest.bin as the main startup file to be used at the next startup.
<Sysname>...
Configuration procedure
If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use, and then perform the following operations.
# Log in to the server through FTP.
<Sysname> reboot
The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume.
To do… / Use the command… / Remarks
- Manually release the FTP connection established with the specified username: free ftp user username (Optional. Available in user view)
Configuring Authentication and Authorization on the FTP Server
To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account.
FTP Server Configuration Example
Single Device Upgrade
Network requirements
As shown in Figure 2-4, use Device as an FTP server, and the PC as the FTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC.
-rw-    478164  Apr 26 2000 14:52:35   s5120ei_505.btm
-rw-            Apr 26 2000 12:04:04   patch_xxx.bin
-rw-      2337  Apr 26 2000 14:16:48   sfp.cfg
-rw-      2195  Apr 26 2000 14:10:41   5120ei.cfg
15240 KB total (11004 KB free)
<Sysname> delete /unreserved flash:/sfp.cfg
Configure the PC (FTP Client)
# Log in to the FTP server through FTP.
The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume.
IRF System Upgrade
Network requirements
As shown in...
[Sysname] ftp server enable
[Sysname] quit
# Check files on your device. Remove those redundant to ensure adequate space for the startup file to be uploaded.
<Sysname> dir
Directory of flash:/
-rw-  10471471  Sep 18 2008 02:45:15   s5120eih3c-d501.bin
-rw-   9989823  Jul 14 2008 19:30:46   s5120eih3cd_b57.bin
-rw-...
# Copy the startup file newest.bin to the root directory of the storage medium on a slave (with the member ID 2).
<Sysname> copy newest.bin slot2#flash:/
# Specify newest.bin as the main startup file to be used at the next startup for all the member devices.
<Sysname>...
TFTP Configuration
When configuring TFTP, go to these sections for information you are interested in: TFTP Overview; Configuring the TFTP Client; Displaying and Maintaining the TFTP Client; TFTP Client Configuration Example
TFTP Overview
Introduction to TFTP
The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less complex than FTP in its interactive access interface and authentication.
When the device serves as the TFTP client, you need to perform the following configuration:
Table 3-1 Configuration when the device serves as the TFTP client
Device / Configuration / Remarks
- Device (TFTP client): Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available.
Follow these steps to configure the TFTP client:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Control the access to the TFTP servers from the device through an ACL | tftp-server [ ipv6 ] acl acl-number | Optional. By default, the access to the TFTP servers from the device is not controlled.
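The steps above, carried through as an added example that is not part of the manual: the device is allowed to contact only the TFTP server at 1.2.1.1 (the PC address used in the TFTP example of this chapter), then the startup file is fetched and the transfer is verified. The ACL number 2000 and the explicit trailing deny rule are assumptions; the command syntax follows the Comware conventions used in this manual and should be checked against the command reference for your software release.

```text
# Basic ACL: permit only the trusted TFTP server, deny every other address.
# (ACL number and the final deny rule are assumptions for this example.)
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 1.2.1.1 0
[Sysname-acl-basic-2000] rule deny
[Sysname-acl-basic-2000] quit

# Bind the ACL to the TFTP client so the device refuses to talk to any other server.
[Sysname] tftp-server acl 2000
[Sysname] quit

# Fetch the startup file into the root directory of the storage medium and confirm
# it landed there, with the expected size, before pointing the boot loader at it.
<Sysname> tftp 1.2.1.1 get newest.bin
<Sysname> dir
```

The ACL protects against a mistyped server address or a spoofed TFTP server on the management segment; it does nothing for the file in transit, because TFTP has no integrity protection. Compare the size shown by dir with the size published with the release, and keep the transfer on an isolated management network.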
TFTP Client Configuration Example Single Device Upgrade Network requirements As shown in Figure 3-2, use a PC as the TFTP server and Device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC.
The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. IRF System Upgrade Network requirements As shown in...
# Download application file newest.bin from the PC to the root directory of the storage medium on the master.
<Sysname> tftp 1.2.1.1 get newest.bin
# Download application file newest.bin from the PC to the root directory of the storage medium on a slave (with the member ID 2).
<Sysname>...
Table of Contents
1 HTTP Configuration 1-1
  HTTP Overview 1-1
    How HTTP Works 1-1
    Logging In to the Device Through HTTP 1-1
    Protocols and Standards 1-1
  Enabling the HTTP Service 1-1
  Configuring the Port Number of the HTTP Service 1-2
  Associating the HTTP Service with an ACL 1-2
  Displaying and Maintaining HTTP 1-3
  HTTP Configuration Example 1-3
2 HTTPS Configuration 2-1...
HTTP Configuration
When configuring HTTP, go to these sections for information you are interested in:
HTTP Overview
Enabling the HTTP Service
HTTP Configuration
Associating the HTTP Service with an ACL
Displaying and Maintaining HTTP

HTTP Overview
The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet.
Follow these steps to enable the HTTP service:

To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the HTTP service | ip http enable | Required. Enabled by default.

Because the HTTP service is on by default and carries login credentials and configuration in cleartext, disable it with the undo form of the command on devices where the Web interface is not used, or use HTTPS instead (see "HTTPS Configuration").

Configuring the Port Number of the HTTP Service
Changing the port number of the HTTP service moves it off the well-known port 80, which reduces the number of opportunistic scans and attacks from unauthorized users that reach the service. It is not an access control: a port scan still finds the service, so combine it with the ACL described in "Associating the HTTP Service with an ACL".
Displaying and Maintaining HTTP

To do… | Use the command… | Remarks
Display information about HTTP | display ip http | Available in any view

HTTP Configuration Example
Network requirements
As shown in Figure 1-1, filter users logging in through the Web interface by source IP address, so that only users in the 10.1.1.0/24 segment can access and control the device through the Web interface.
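The configuration that meets these network requirements, written out as an added example rather than the manual's own procedure: a basic ACL that matches 10.1.1.0/24 is bound to the HTTP service with ip http acl. The ACL number 2001, the explicit trailing deny rule and the alternative port 8080 are assumptions for the example; verify the syntax against the command reference for your release.

```text
# Basic ACL that matches only the management segment 10.1.1.0/24.
# (ACL number and the final deny rule are assumptions for this example.)
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny
[Sysname-acl-basic-2001] quit

# Apply the ACL to the HTTP service: requests from other sources are dropped.
[Sysname] ip http acl 2001

# Optional: move the service off port 80. This only reduces opportunistic scanning;
# the ACL above is what actually restricts access. (Port value is an assumption.)
[Sysname] ip http port 8080

# The service is enabled by default; the command is shown for completeness.
[Sysname] ip http enable
[Sysname] quit

# Verify the state, port and ACL binding.
<Sysname> display ip http
```

Test the result from a host outside 10.1.1.0/24 as well as from one inside it: the outside connection attempt must fail. If the Web interface is not needed at all, the stronger fix is to leave HTTP disabled (undo ip http enable) and manage the device over HTTPS or SSH only.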
HTTPS Configuration
When configuring HTTPS, go to these sections for information you are interested in:
HTTPS Overview
HTTPS Configuration Task List
Associating the HTTPS Service with an SSL Server Policy
Enabling the HTTPS Service
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Configuring the Port Number of the HTTPS Service
Associating the HTTPS Service with an ACL
Displaying and Maintaining HTTPS...
Associating the HTTPS Service with an SSL Server Policy You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy: To do…...
After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration. Enabling of the HTTPS service will trigger an SSL handshake negotiation process. During the process, if the local certificate of the device already exists, the SSL negotiation is successfully performed, and the HTTPS service can be started normally.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the port number of the HTTPS service | ip https port port-number | Optional. By default, the port number of the HTTPS service is 443. If you execute the ip https port command multiple times, the last configured port number takes effect.

Associating the HTTPS Service with an ACL
Associating the HTTPS service with an ACL filters out requests from some clients and lets through only the clients that pass the ACL check.
Configure Device as the HTTPS server and request a certificate for Device. Also request a certificate for the HTTPS client Host so that Device can authenticate it. The CA (Certificate Authority) that issues the certificates to Device is named new-ca. In this configuration example, Windows Server serves as the CA, and the Simple Certificate Enrollment Protocol (SCEP) component must be installed on it.
# Configure an SSL server policy myssl, specify PKI domain 1 for it, and enable the SSL server to perform certificate-based authentication of the client.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure certificate attribute group mygroup1 and its attribute rules, specifying that the Distinguished Name (DN) in the issuer name must include new-ca.
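The remainder of this procedure, as an added example that is not the manual's own text: it builds the attribute group announced in the comment above, wraps it in a certificate access control policy, binds the SSL server policy and that access control policy to the HTTPS service, and finally enables HTTPS and turns off cleartext HTTP. The names myssl, mygroup1 and new-ca come from the example; the policy name myacp is an assumption, as is the command syntax, which follows the Comware PKI and HTTPS commands and should be checked against the command reference for your release.

```text
# Attribute group: accept a client certificate only if its issuer DN contains new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit

# Access control policy (name myacp is assumed): permit certificates matching mygroup1.
# A client certificate that matches no permit rule is rejected.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit

# Bind the SSL server policy first: the service cannot be enabled without one.
[Device] ip https ssl-server-policy myssl
# Bind the certificate access control policy so the issuer check is enforced.
[Device] ip https certificate access-control-policy myacp

# Enable HTTPS, then disable the cleartext HTTP service (enabled by default) so the
# Web interface is reachable only over TLS.
[Device] ip https enable
[Device] undo ip http enable

# Check that the service came up and that the policy bindings took effect.
[Device] display ip https
```

Two checks are worth doing before relying on this. First, the access control policy only sees a client certificate if client-verify enable is set in the SSL server policy (it is, in myssl above); without it the policy has nothing to evaluate and any browser can reach the login page. Second, the issuer DN rule matches on a substring, so confirm with a certificate from a second test CA that an issuer name merely containing "new-ca" as part of a longer string is not one you would accept.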
Table of Contents
1 SNMP Configuration 1-1
  SNMP Overview 1-1
    SNMP Mechanism 1-1
    SNMP Protocol Version 1-2
    MIB Overview 1-2
  SNMP Configuration 1-3
  Configuring SNMP Logging 1-5
    Introduction to SNMP Logging 1-5
    Enabling SNMP Logging 1-5
  SNMP Trap Configuration 1-6
    Enabling the Trap Function 1-6
    Configuring Trap Parameters 1-7
  Displaying and Maintaining SNMP 1-8
  SNMP Configuration Example 1-9...
SNMP Configuration
When configuring SNMP, go to these sections for information you are interested in:
SNMP Overview
SNMP Configuration
Configuring SNMP Logging
SNMP Trap Configuration
Displaying and Maintaining SNMP
SNMP Configuration Example
SNMP Logging Configuration Example

SNMP Overview
Simple Network Management Protocol (SNMP) offers a framework to monitor network devices through the TCP/IP protocol suite.
SNMP Protocol Version
Currently, SNMP agents support SNMPv1, SNMPv2c and SNMPv3. SNMPv1 and SNMPv2c use a community name for authentication, which defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets whose community name fails authentication on the device are simply discarded. A community name plays a role similar to a password and can be used to regulate access from the NMS to the agent. Note that the community name is carried in cleartext in every SNMPv1/v2c packet, so anyone who can capture management traffic can read it; SNMPv3 replaces it with user-based authentication and optional encryption, which is why SNMPv3 is the default version on this device.
Configure SNMP agent system information | snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } } | Optional. The defaults are as follows: Hangzhou H3C Tech. Co., Ltd. for contact, Hangzhou China for location, and SNMPv3 for the version.
Configure SNMP agent system information | snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } | Required. The defaults are as follows: Hangzhou H3C Tech. Co., Ltd. for contact, Hangzhou China for location, and SNMPv3 for the version.
To do… | Use the command… | Remarks
Create or update MIB view content for an SNMP agent | snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ] | Optional. ViewDefault by default

The validity of a USM user depends on the engine ID of the SNMP agent. If the engine ID at the time the USM user was created is not identical to the current engine ID, the USM user is invalid.
Logs occupy storage space on the device and consume resources, thus affecting the performance of the device. Therefore, the manual recommends leaving SNMP logging disabled unless you need it. If you do enable it, SET-operation logging is the more useful half from an audit standpoint, since it records who changed what and is far less voluminous than logging every GET from a polling NMS. The size of SNMP logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record cannot exceed 1K bytes;...
To enable an interface to send linkUp/linkDown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command to enable this function globally.
To do… | Use the command… | Remarks
Configure the holding time of the traps in the queue | snmp-agent trap life seconds | Optional. 120 seconds by default

An extended linkUp/linkDown trap is the standard linkUp/linkDown trap (defined in RFC) with interface description and interface type information appended. If the NMS does not support the extended messages, disable this function so that the device sends standard linkUp/linkDown traps.
SNMP Configuration Example Network requirements The NMS connects to the agent, a switch, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the switch is 1.1.1.1/24. The NMS monitors and manages the agent using SNMPv2c. The agent reports errors or faults to the NMS.
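An agent-side configuration that satisfies these requirements, as an added example rather than the manual's own procedure. It restricts SNMP to the NMS at 1.1.1.2 with an ACL, configures SNMPv2c as the requirements ask (separate read-only and read-write communities, traps to the NMS), and then shows the SNMPv3 equivalent that should replace it once the NMS supports it, because v2c community strings cross the wire in cleartext. The ACL number 2002, the community names, the v3 group and user names, the passwords, and the availability of the sha and aes128 keywords on your release are assumptions; check the syntax against the command reference.

```text
<Sysname> system-view

# Only the NMS may speak SNMP to the agent. (ACL number and final deny are assumptions.)
[Sysname] acl number 2002
[Sysname-acl-basic-2002] rule permit source 1.1.1.2 0
[Sysname-acl-basic-2002] rule deny
[Sysname-acl-basic-2002] quit

# --- SNMPv2c, as required by this example ---
# Enable only the version in use; the default is v3 only. Community names are assumed;
# never use public/private, and keep read and write communities distinct.
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent community read ro-commun1ty acl 2002
[Sysname] snmp-agent community write rw-commun1ty acl 2002

# Traps: enable the trap function and send traps to the NMS, using the read-only
# community as the security name so the write community never leaves the device in traps.
[Sysname] snmp-agent trap enable
[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname ro-commun1ty v2c

# --- SNMPv3 replacement (preferred) ---
# A privacy group requires authentication and encryption for every request; the user's
# passwords are assumptions. Keywords sha/aes128 depend on the software release.
[Sysname] snmp-agent group v3 managev3group privacy acl 2002
[Sysname] snmp-agent usm-user v3 managev3user managev3group authentication-mode sha Auth-Passw0rd privacy-mode aes128 Priv-Passw0rd acl 2002
[Sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname managev3user v3 privacy

# Once the NMS is on v3, drop v2c so the communities stop being accepted at all.
[Sysname] snmp-agent sys-info version v3
[Sysname] quit
```

The ACL is the control that matters for v2c: without it, anyone who learns or guesses a community name from any reachable subnet gets read (or write) access to the device. For v3, remember the note above about engine IDs: if the agent's engine ID is changed after managev3user is created, the user becomes invalid and must be re-created.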
With SNMPv2c, the user needs to specify on the NMS the read-only community, the read-write community, the timeout, and the number of retries. The user can then query and configure the device through the NMS. The configurations on the agent and the NMS must match.

SNMP Logging Configuration Example
Network requirements
The NMS and the agent are connected through an Ethernet...
# Enable SNMP logging on the agent to log the GET and SET operations of the NMS.
[Sysname] snmp-agent log get-operation
[Sysname] snmp-agent log set-operation
The following log information is displayed on the terminal when the NMS performs a GET operation on the agent.