H3C S5120-EI Series Operation Manual
H3C S5120-EI Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
Manual Version: 6W100-20090630
Product Version: Release 2202

Summary of Contents for H3C S5120-EI Series

  • Page 1 H3C S5120-EI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. Manual Version: 6W100-20090630 Product Version: Release 2202...
  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
  • Page 3: About This Manual

    About This Manual. Organization: The H3C S5120-EI Series Ethernet Switches Operation Manual is organized as follows (Volume: Features). 00-Product Overview: Product Overview, Acronyms. 01-Access: Ethernet Port, Link Aggregation, Port Isolation, DLDP, LLDP, MSTP, Smart Link, Monitor Link, VLAN, GVRP, QinQ, BPDU Tunneling...
  • Page 4 Conventions. The manual uses the following conventions. Command conventions (Convention: Description). Boldface: the keywords of a command line are in boldface. italic: command arguments are in italic. [ ]: items (keywords or arguments) in square brackets are optional. { x | y | ... }: alternative items are grouped in braces and separated by vertical bars...
  • Page 5 Related Documentation. In addition to this manual, each H3C S5120-EI Series Ethernet Switch documentation set includes the following (Manual: Description). H3C S5120-EI Series Ethernet Switches Installation Manual: introduces the installation procedure, commissioning, maintenance and monitoring of the S5120-EI Series Ethernet switches.
  • Page 6 Troubleshoot Online You will find support tools posted on the web site at http://www.h3cnetworks.com/ under Support, Knowledgebase. The Knowledgebase helps you troubleshoot H3C products. This query-based interactive tool contains thousands of technical solutions. Access Software Downloads Software Updates are the bug fix / maintenance releases for the version of software initially purchased with the product.
  • Page 7: Table Of Contents

    Table of Contents
    1 Obtaining the Documentation (1-1)
      H3C Website (1-1)
      Software Release Notes (1-1)
    2 Product Features (2-1)
      Introduction to Product (2-1)
      Feature Lists (2-1)
    3 Features (3-1)
      Access Volume (3-1)
      IP Services Volume (3-3)
      IP Routing Volume (3-5)
      IP Multicast Volume (3-5)
      QoS Volume (3-6)
    ...
  • Page 8: Obtaining The Documentation

    H3C Website: You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. Software Release Notes: With a software upgrade, new software features may be added. You can acquire the information about...
  • Page 9: Product Features

    With IRF, multiple S5120-EI switches can be interconnected as a logical entity to form a new intelligent network featuring high availability, scalability, and manageability. Feature Lists: The S5120-EI series supports a wide range of features, and the related documents are divided into the volumes listed in Table 2-1.
  • Page 10 (Volume: Features) 07-System Volume: Basic System Configuration, Device Management, File System Management, Login, MAC Address Table Management, HTTP, SNMP, RMON, System Information Center, Maintaining and Debugging, Track, Cluster Management, Hotfix, Automatic Configuration, IRF Stack...
  • Page 11: Features

    Features. The following sections provide an overview of the main features of each module supported by the S5120-EI series. Access Volume. Table 3-1 Features in the Access volume (Features: Description). This document describes: Combo Port Configuration; Basic Ethernet Interface Configuration; Configuring Flow Control on an Ethernet Interface...
  • Page 12 (Features: Description) LLDP: LLDP enables a device to maintain and manage its own and its immediate neighbor's device information, based on which the network management system detects and determines the conditions of the communication links. This document describes: Introduction to LLDP; Performing Basic LLDP Configuration; Configuring the Encapsulation Format for LLDPDUs...
  • Page 13: Ip Services Volume

    (Features: Description) BPDU Tunnel: BPDU tunneling enables transparent transmission of customer network BPDU frames over the service provider network. This document describes: Introduction to BPDU Tunneling; Configuring BPDU Transparent Transmission; Configuring Destination Multicast MAC Address for BPDU Tunnel Frames. Ethernet OAM is a tool for monitoring Layer-2 link status. It helps network administrators manage their networks effectively.
  • Page 14 (Features: Description) ARP: Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. This document describes: ARP Overview; Configuring ARP; Configuring Gratuitous ARP; Proxy ARP and Local Proxy ARP configuration; ARP Attack Defense configuration. DHCP is built on a client-server model, in which the client sends a configuration request and the server returns a reply carrying configuration parameters such as an IP address to the client.
  • Page 15: Ip Routing Volume

    IP Routing Volume. Table 3-3 Features in the IP Routing volume (Features: Description). IP Routing Overview: This document describes: Introduction to IP routing and the routing table; Routing protocol overview. A static route is manually configured by the administrator. The proper configuration and use of static routes can improve network performance and ensure bandwidth for important network applications.
  • Page 16: Qos Volume

    QoS Volume. Table 3-5 Features in the QoS volume (Features: Description). This document describes: QoS overview; QoS policy configuration; Priority mapping configuration; Traffic policing configuration; Traffic shaping configuration; Line rate configuration; Congestion management; Traffic mirroring configuration. User profile provides a configuration template to save predefined configurations.
  • Page 17: System Volume

    (Features: Description) Port Security: Port security is a MAC address-based security mechanism for controlling network access. It is an extension to the existing 802.1X authentication and MAC authentication. This document describes: Enabling Port Security; Setting the Maximum Number of Secure MAC Addresses; Setting the Port Security Mode; Configuring Port Security Features; Configuring Secure MAC Addresses...
  • Page 18 (Features: Description) Basic System Configuration: Basic system configuration involves the configuration of the device name, system clock, welcome message, user privilege levels and so on. This document describes: Configuration display; Basic configurations; CLI features. Through the device management function, you can view the current condition of your device and configure running parameters.
  • Page 19 (Features: Description) System Maintenance and Debugging: For the majority of protocols and features supported, the system provides corresponding debugging information to help users diagnose errors. This document describes: Maintenance and debugging overview; Maintenance and debugging configuration. As the system information hub, the Information Center classifies and manages all types of system information.
  • Page 20 (Features: Description) NTP: Network Time Protocol (NTP) is the TCP/IP protocol that advertises the accurate time throughout the network. This document describes: NTP overview; Configuring the Operation Modes of NTP; Configuring Optional Parameters of NTP; Configuring Access-Control Rights; Configuring NTP Authentication. Hotfix is a fast, cost-effective method to fix software defects of the device without interrupting the running services.
  • Page 21 Appendix A Acronyms (Acronyms: Full spelling) 10GE Ten-GigabitEthernet Authentication, Authorization and Accounting Activity Based Costing Area Border Router Alternating Current ACKnowledgement...
  • Page 22 (Acronyms: Full spelling) Border Gateway Protocol BIMS Branch Intelligent Management System BOOTP Bootstrap Protocol BPDU Bridge Protocol Data Unit Basic Rate Interface Bootstrap Router BitTorrent Burst Tolerance Call Appearance Certificate Authority Committed Access Rate Committed Burst Size Class Based Queuing Constant Bit Rate Core-Based Tree International Telephone and Telegraph Consultative...
  • Page 23 (Acronyms: Full spelling) Connectivity Verification Deeper Application Recognition Data Circuit-terminal Equipment Database Description Digital Data Network DHCP Dynamic Host Configuration Protocol Designated IS DLCI Data Link Connection Identifier DLDP Device Link Detection Protocol Domain Name System Downstream on Demand Denial of Service Designated Router DSCP...
  • Page 24 (Acronyms: Full spelling) Forward Defect Indication Forwarding Equivalence Class Fast Failure Detection Forwarding Group Forwarding information base FIFO First In First Out FQDN Full Qualified Domain Name Frame Relay Fast ReRoute FRTT Fairness Round Trip Time Functional Test File Transfer Protocol GARP Generic Attribute Registration Protocol...
  • Page 25 (Acronyms: Full spelling) International Business Machines ICMP Internet Control Message Protocol ICMPv6 Internet Control Message Protocol for IPv6 IDentification/IDentity IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force IGMP Internet Group Management Protocol IGMP-Snooping Internet Group Management Protocol Snooping Interior Gateway Protocol Incoming Label Map Internet Locator Service...
  • Page 26 (Acronyms: Full spelling) LACP Link Aggregation Control Protocol LACPDU Link Aggregation Control Protocol Data Unit Local Area Network Link Control Protocol LDAP Lightweight Directory Access Protocol Label Distribution Protocol Label Edge Router LFIB Label Forwarding Information Base Label Information Base Link Layer Control LLDP Link Layer Discovery Protocol...
  • Page 27 (Acronyms: Full spelling) Multicast Listener Discovery Protocol MLD-Snooping Multicast Listener Discovery Snooping Meet-Me Conference MODEM MOdulator-DEModulator Multilink PPP MP-BGP Multiprotocol extensions for BGP-4 Middle-level PE MP-group Multilink Point to Point Protocol group MPLS Multiprotocol Label Switching MPLSFW Multi-protocol Label Switch Forward Multicast Port Management Mobile Switching Center MSDP...
  • Page 28 (Acronyms: Full spelling) Network Management Station NPDU Network Protocol Data Unit Network Provider Edge Network Quality Analyzer NSAP Network Service Access Point NetStream Collector N-SEL NSAP Selector NSSA Not-So-Stubby Area NTDP Neighbor Topology Discovery Protocol Network Time Protocol Operation Administration and Maintenance OAMPDU OAM Protocol Data Units OC-3...
  • Page 29 (Acronyms: Full spelling) Power over Ethernet Point Of Presence Packet Over SDH Point-to-Point Protocol PPTP Point to Point Tunneling Protocol PPVPN Provider-provisioned Virtual Private Network Priority Queuing Primary Reference Clock Primary Rate Interface Protection Switching Power Sourcing Equipment PSNP Partial SNP Permanent Virtual Channel Pseudo wires...
  • Page 30 (Acronyms: Full spelling) Resilient Packet Ring Rendezvous Point Tree RRPP Rapid Ring Protection Protocol Reservation State Block RSOH Regenerator Section Overhead RSTP Rapid Spanning Tree Protocol RSVP Resource ReserVation Protocol RTCP Real-time Transport Control Protocol Route Table Entry Real-time Transport Protocol Real-time Transport Protocol Source Active...
  • Page 31 (Acronyms: Full spelling) Shortest Path First Shortest Path Tree Secure Shell Synchronization Status Marker Source-Specific Multicast Shared Tree STM-1 SDH Transport Module -1 STM-16 SDH Transport Module -16 STM-16c SDH Transport Module -16c STM-4c SDH Transport Module -4c Spanning Tree Protocol Signalling Virtual Connection Switch-MDT Switch-Multicast Distribution Tree...
  • Page 32 (Acronyms: Full spelling) Variable Bit Rate Virtual Channel Identifier Virtual Ethernet Virtual File System VLAN Virtual Local Area Network Virtual Leased Lines Video On Demand VoIP Voice over IP Virtual Operate System VPDN Virtual Private Dial-up Network VPDN Virtual Private Data Network Virtual Path Identifier VPLS Virtual Private Local Switch...
  • Page 33 Access Volume. Organization. Manual Version 6W100-20090630, Product Version Release 2202. The Access Volume is organized as follows (Features: Description). This document describes: Combo Port Configuration; Basic Ethernet Interface Configuration; Configuring Flow Control on an Ethernet Interface; Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface; Configuring Loopback Testing on an Ethernet Interface; Configuring a Port Group...
  • Page 34 (Features: Description) DLDP: In the use of fibers, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes: DLDP Introduction; Enabling DLDP; Setting DLDP Mode; Setting the Interval for Sending Advertisement Packets; Setting the DelayDown Timer; Setting the Port Shutdown Mode; Configuring DLDP Authentication...
  • Page 35 (Features: Description) GVRP: GVRP is a GARP application. This document describes: GARP overview; GVRP configuration; GARP timers configuration. As defined in IEEE 802.1Q, 12 bits are used to identify a VLAN ID, so a device can support a maximum of 4094 VLANs. The QinQ feature extends the VLAN space by allowing Ethernet frames to travel across the service provider network with double VLAN tags.
  • Page 36 (Features: Description) Port Mirroring: Port mirroring copies packets passing through a port to another port connected to a monitoring device for packet analysis, to help implement network monitoring and troubleshooting. This document describes: Port Mirroring overview; Local port mirroring configuration; Remote port mirroring configuration...
  • Page 37 Table of Contents
    1 Ethernet Interface Configuration (1-1)
      General Ethernet Interface Configuration (1-1)
        Combo Port Configuration (1-1)
        Basic Ethernet Interface Configuration (1-2)
        Configuring Flow Control on an Ethernet Interface (1-3)
        Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface (1-3)
        Configuring Loopback Testing on an Ethernet Interface (1-4)
        Configuring a Port Group (1-4)
        Configuring an Auto-negotiation Transmission Rate (1-5)
    ...
  • Page 38: Ethernet Interface Configuration

    Ethernet Interface Configuration General Ethernet Interface Configuration GE and 10GE ports on the S5120-EI series Ethernet switches are numbered in the following format: interface type A/B/C. A: Number of a member device in an IRF stack. If no IRF stack is formed, this value is 1.
  • Page 39: Basic Ethernet Interface Configuration

    In case of a Combo port, only one interface (either the optical port or the electrical port) is active at a time. That is, once the optical port is active, the electrical port will be inactive automatically, and vice versa. Basic Ethernet Interface Configuration Configuring an Ethernet interface Three types of duplex modes are available to Ethernet interfaces:...
  • Page 40: Configuring Flow Control On An Ethernet Interface

    10GE ports can be displayed only when 10GE interface module expansion cards are available on the device. 10GE ports do not support the duplex command or the speed command. Configuring Flow Control on an Ethernet Interface When flow control is enabled on both sides, if traffic congestion occurs at the ingress interface, it will send a Pause frame notifying the egress interface to temporarily suspend the sending of packets.
  • Page 41: Configuring Loopback Testing On An Ethernet Interface

    Configuring Loopback Testing on an Ethernet Interface You can enable loopback testing to check whether the Ethernet interface functions properly. Note that no data packets can be forwarded during the testing. Loopback testing falls into the following two categories: Internal loopback testing, which is performed within switching chips to test the functions related to the Ethernet interfaces.
  • Page 42: Configuring An Auto-Negotiation Transmission Rate

    (To do… / Use the command… / Remarks) Add Ethernet interfaces to the manual port group / group-member interface-list / Required. Configuring an Auto-negotiation Transmission Rate: Usually, the transmission rate on an Ethernet port is determined through negotiation with the peer end and can be any rate within the port's capacity range. With an auto-negotiation rate configured, you can restrict the Ethernet port to negotiating only some of the transmission rates within its capacity.
  • Page 43: Configuring Storm Suppression

    This function is available for auto-negotiation-capable Gigabit Layer-2 Ethernet electrical ports only. If you repeatedly use the speed and speed auto commands to configure the transmission rate on a port, only the latest configuration takes effect. Configuring Storm Suppression: You can use the following commands to suppress broadcast, multicast, and unknown unicast traffic.
  • Page 44: Setting The Interval For Collecting Ethernet Interface Statistics

    (To do… / Use the command… / Remarks) Set the unknown unicast storm suppression ratio / unicast-suppression { ratio | pps max-pps } / Optional. By default, all unknown unicast traffic is allowed to pass through an interface, that is, unknown unicast traffic is not suppressed.
  • Page 45: Enabling Loopback Detection On An Ethernet Interface

    (To do… / Use the command… / Remarks) In Ethernet interface view: interface interface-type interface-number, then jumboframe enable / … frames the length of 9,216 bytes to pass through all Layer 2 Ethernet interfaces. Enabling Loopback Detection on an Ethernet Interface: If a port receives a packet that it sent out, a loop occurs. Loops may cause broadcast storms. The purpose of loopback detection is to detect loops on an interface.
  • Page 46: Configuring The Mdi Mode For An Ethernet Interface

    Loopback detection on a given port is enabled only after the loopback-detection enable command has been configured both in system view and in the interface view of the port. Loopback detection on all ports is disabled after the undo loopback-detection enable command is configured in system view.
  • Page 47: Testing The Cable On An Ethernet Interface

    (To do… / Use the command… / Remarks) Configure the MDI mode for the Ethernet interface / mdi { across | auto | normal } / Optional. Defaults to auto, that is, the Ethernet interface determines the physical pin roles (transmit or receive) through negotiation. Testing the Cable on an Ethernet Interface: 10-Gigabit Ethernet ports and Combo ports operating as optical interfaces do not support this feature.
  • Page 48 With the storm constrain function enabled on an Ethernet interface, you can configure the system to act as follows when the detected traffic exceeds the threshold. Blocking the interface: in this case, the interface is blocked and stops forwarding traffic of this type until the detected traffic falls below the threshold.
  • Page 49: Displaying And Maintaining An Ethernet Interface

    For the sake of network stability, configure the interval for generating traffic statistics to a value no shorter than the default. The storm constrain function, after being enabled, requires a complete statistical period (specified by the storm-constrain interval command) to collect traffic data, and analyzes the data in the next period.
  • Page 50 Table of Contents
    1 Link Aggregation Configuration (1-1)
      Overview (1-1)
        Basic Concepts of Link Aggregation (1-1)
        Link Aggregation Modes (1-3)
        Load Sharing Mode of an Aggregation Group (1-5)
      Link Aggregation Configuration Task List (1-5)
      Configuring an Aggregation Group (1-6)
        Configuring a Static Aggregation Group (1-6)
        Configuring a Dynamic Aggregation Group (1-7)
      Configuring an Aggregate Interface (1-7)
        Configuring the Description of an Aggregate Interface (1-8)
    ...
  • Page 51: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Configuration Task List Configuring an Aggregation Group Configuring an Aggregate Interface Configuring a Load Sharing Mode for Load-Sharing Link Aggregation Groups Displaying and Maintaining Link Aggregation Link Aggregation Configuration Examples Overview...
  • Page 52 Currently, the S5120-EI series Ethernet switches support returning Marker Response PDUs only after dynamic link aggregation member ports receive Marker PDUs. Operational key When aggregating ports, link aggregation control automatically assigns each port an operational key based on the port attributes, including the configurations of the port rate, duplex mode and link state.
  • Page 53: Link Aggregation Modes

    Class-two configurations: Class-two configurations are listed in Table 1-1. In an aggregation group, if the configurations of a member port are different from the class-two configurations, that member port cannot be a selected port. Table 1-1 Class-two configurations (Type: Considerations). Port isolation: whether a port has joined an isolation group. QinQ: enable state (enable/disable), outer VLAN tags to be added, inner-to-outer...
  • Page 54 Static aggregation limits the number of selected ports in an aggregation group. When the number of candidate selected ports is under the limit, all candidate selected ports become selected ports. When the limit is exceeded, the candidate selected ports with smaller port numbers are set to the selected state and those with greater port numbers to the unselected state.
  • Page 55: Load Sharing Mode Of An Aggregation Group

    Load Sharing Mode of an Aggregation Group: The link aggregation groups created on the S5120-EI series Ethernet switches always operate in load sharing mode, even when they contain only one member port. Link Aggregation Configuration Task List...
  • Page 56: Configuring An Aggregation Group

    Configuring an Aggregation Group: The following ports cannot be assigned to an aggregation group: stack ports, RRPP-enabled ports, MAC address authentication-enabled ports, port security-enabled ports, IP source guard-enabled ports, and 802.1x-enabled ports. It is recommended that you do not assign reflector ports of port mirroring to an aggregation group. For details about reflector ports, refer to Port Mirroring Configuration in the Access Volume.
  • Page 57: Configuring A Dynamic Aggregation Group

    Configuring a Dynamic Aggregation Group: Follow these steps to configure a Layer 2 dynamic aggregation group (To do... / Use the command... / Remarks). Enter system view / system-view / —. Set the system LACP priority / lacp system-priority / Optional. By default, the system LACP priority is 32768. Changing the system LACP priority...
  • Page 58: Configuring The Description Of An Aggregate Interface

    Enabling LinkUp/LinkDown Trap Generation for an Aggregate Interface. Shutting Down an Aggregate Interface. Configuring the Description of an Aggregate Interface: Follow these steps to configure the description of an aggregate interface (To do... / Use the command... / Remarks). Enter system view / system-view / —...
  • Page 59: Configuring A Load Sharing Mode For Load-Sharing Link Aggregation Groups

    (To do... / Use the command... / Remarks) Enter Layer 2 aggregate interface view / interface bridge-aggregation interface-number / —. Shut down the aggregate interface / shutdown / Required. By default, aggregate interfaces are up. After shutting down an aggregate interface, it is recommended that you do not use the shutdown command and then the undo shutdown command on the member interfaces of the corresponding link aggregation group.
  • Page 60: Displaying And Maintaining Link Aggregation

    (To do… / Use the command… / Remarks) Enter system view / system-view / —. Enter Layer 2 aggregate interface view / interface bridge-aggregation interface-number / —. Configure the load… / link-aggregation load-sharing mode / Required. By default, the load sharing mode of an aggregation group is the global load sharing mode.
  • Page 61: Layer 2 Dynamic Aggregation Configuration Example

    Aggregate the ports on each device to form a static link aggregation group, thus balancing outgoing traffic across the member ports. In addition, perform load sharing based on source and destination MAC addresses. Figure 1-1 Network diagram for Layer 2 static aggregation Configuration procedure Configure Device A # Configure the device to perform load sharing based on source and destination MAC addresses for link...
  • Page 62: Layer 2 Aggregation Load Sharing Mode Configuration Example

    Figure 1-2 Network diagram for Layer 2 dynamic aggregation. Configuration procedure. Configure Device A. # Configure the device to perform load sharing based on source and destination MAC addresses for link aggregation groups.
      <DeviceA> system-view
      [DeviceA] link-aggregation load-sharing mode source-mac destination-mac
    # Create a Layer 2 aggregate interface Bridge-Aggregation 1 and configure the interface to work in dynamic aggregation mode.
  • Page 63 Figure 1-3 Network diagram for Layer 2 aggregation load sharing mode configuration. Configuration procedure. Configure Device A. # Configure the global link aggregation load sharing mode as the source MAC-based load sharing mode.
      <DeviceA> system-view
      [DeviceA] link-aggregation load-sharing mode source-mac
    # Create Layer 2 aggregate interface Bridge-aggregation 1.
  • Page 64 Table of Contents
    1 Port Isolation Configuration (1-1)
      Introduction to Port Isolation (1-1)
      Configuring the Isolation Group for a Single-Isolation-Group Device (1-1)
        Assigning a Port to the Isolation Group (1-1)
      Displaying and Maintaining Isolation Groups (1-2)
      Port Isolation Configuration Example (1-2)
    ...
  • Page 65: Port Isolation Configuration

    Currently, the S5120-EI series Ethernet switches support only one isolation group, which is created automatically by the system as isolation group 1. These devices are referred to as single-isolation-group devices. You can neither remove the isolation group nor create other isolation groups on such devices.
  • Page 66: Displaying And Maintaining Isolation Groups

    Displaying and Maintaining Isolation Groups (To do… / Use the command… / Remarks). Display the isolation group information on a single-isolation-group device / display port-isolate group / Available in any view. Port Isolation Configuration Example. Network requirements: Users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device.
  • Page 67
      Port-isolate group information:
      Uplink port support: NO
      Group ID: 1
      Group members:
      GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3...
  • Page 68 Table of Contents
    1 DLDP Configuration (1-1)
      Overview (1-1)
        DLDP Introduction (1-2)
        DLDP Fundamentals (1-2)
      DLDP Configuration Task List (1-8)
      Enabling DLDP (1-9)
      Setting DLDP Mode (1-9)
      Setting the Interval for Sending Advertisement Packets (1-10)
      Setting the DelayDown Timer (1-10)
      Setting the Port Shutdown Mode (1-10)
      Configuring DLDP Authentication (1-11)
      Resetting DLDP State (1-11)
        Resetting DLDP State in System View (1-12)
    ...
  • Page 69: Dldp Configuration

    DLDP Configuration When performing DLDP configuration, go to these sections for information you are interested in: Overview DLDP Configuration Task List Enabling DLDP Setting DLDP Mode Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication Resetting DLDP State Displaying and Maintaining DLDP...
  • Page 70: Dldp Introduction

    Figure 1-2 Unidirectional fiber link: a fiber not connected or disconnected (figure labels: Device A GE1/0/50, GE1/0/51; Device B GE1/0/50, GE1/0/51) DLDP Introduction Device Link Detection Protocol (DLDP) can detect the link status of a fiber cable or twisted pair. On detecting a unidirectional link, DLDP can shut down the related port automatically or prompt users to take measures as configured to avoid network problems.
  • Page 71 State | Indicates… Disable: A port enters this state when a unidirectional link is detected, or when the contact with the neighbor in enhanced mode gets lost. In this state, the port does not receive or send packets other than DLDPDUs. DelayDown: A port in the Active, Advertisement, or Probe DLDP link state transits to this state rather than removes the corresponding neighbor entry and transits to the Inactive state when it detects a port-down event.
  • Page 72 DLDP timer | Description. DelayDown timer: A device in the Active, Advertisement, or Probe DLDP link state transits to the DelayDown state rather than removes the corresponding neighbor entry and transits to the Inactive state when it detects a port-down event. When a device transits to this state, the DelayDown timer is triggered. A device in the DelayDown state only responds to port-up events.
  • Page 73 Figure 1-3 A case for Enhanced DLDP mode In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1 ) can be detected. In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 1-1).
  • Page 74 Table 1-4 DLDP packet types and DLDP states (DLDP state: Type of DLDP packets sent). Active: Advertisement packet with RSY tag. Advertisement: Normal Advertisement packet. Probe: Probe packet. Disable: Disable packet and RecoverProbe packet. When a device transits from a DLDP state other than the Inactive state or Disable state to the Initial state, it sends Flush packets.
  • Page 75 Packet type | Processing procedure. Echo packet: Retrieves the neighbor information it carries. If the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the Entry timer, and transits to the Probe state. If the neighbor information it carries conflicts with the corresponding locally maintained neighbor entry, drops the packet.
  • Page 76: Dldp Configuration Task List

    The DLDP down port sends out a RecoverProbe packet, which carries only information about the local port, every two seconds. Upon receiving the RecoverProbe packet, the remote end returns a RecoverEcho packet. Upon receiving the RecoverEcho packet, the local port checks whether neighbor information in the RecoverEcho packet is the same as the local port information.
  • Page 77: Enabling Dldp

    To ensure unidirectional links can be detected, make sure these settings are the same on the both sides: DLDP state (enabled/disabled), the interval for sending Advertisement packets, authentication mode, and password. Keep the interval for sending Advertisement packets adequate to enable unidirectional links to be detected in time.
  • Page 78: Setting The Interval For Sending Advertisement Packets

    Setting the Interval for Sending Advertisement Packets You can set the interval for sending Advertisement packets to enable unidirectional links to be detected in time. Follow these steps to set the interval for sending Advertisement packets: To do… | Use the command… | Remarks. Enter system view: system-view...
  • Page 79: Configuring Dldp Authentication

    Manual mode. This mode applies to networks with low performance, where normal links may be treated as unidirectional links. It protects service packet transmission against false unidirectional links. In this mode, DLDP only detects unidirectional links and generates log and traps. The operations to shut down unidirectional link ports are accomplished by the administrator.
  • Page 80: Resetting Dldp State In System View

    user-defined port shutdown mode. To enable the port to perform DLDP detection again, you can reset the DLDP state of the port in one of the following ways: If the port was shut down manually with the shutdown command, use the undo shutdown command on the port.
  • Page 81: Dldp Configuration Example

    To do… | Use the command… | Remarks. Clear the statistics on DLDP packets passing through a port: reset dldp statistics [ interface-type interface-number ] (Available in user view). DLDP Configuration Example Network requirements Device A and Device B are connected through two fiber pairs, in which two fibers are cross-connected, as shown in Figure 1-4.
  • Page 82: Troubleshooting

    [DeviceA] dldp work-mode enhance # Set the port shutdown mode as auto mode. [DeviceA] dldp unidirectional-shutdown auto # Enable DLDP globally. [DeviceA] dldp enable # Check the information about DLDP. [DeviceA] display dldp DLDP global status : enable DLDP interval : 6s DLDP work-mode : enhance DLDP authentication-mode : none...
  • Page 83 Analysis: The problem can be caused by the following. The intervals for sending Advertisement packets on Device A and Device B are not the same. DLDP authentication modes/passwords on Device A and Device B are not the same. Solution: Make sure the interval for sending Advertisement packets, the authentication mode, and the password on Device A and Device B are the same.
  • Page 84 Table of Contents: 1 LLDP Configuration 1-1; Introduction to LLDP 1-1; Overview 1-1; LLDP Fundamental 1-1; TLV Types 1-2; Protocols and Standards 1-4; LLDP Configuration Task List 1-4; Performing Basic LLDP Configuration 1-4; Enabling LLDP 1-4; Setting LLDP Operating Mode 1-5; Configuring LLDPDU TLVs 1-6; Enable LLDP Polling 1-7; Configuring the Parameters Concerning LLDPDU Sending 1-7; Configuring the Encapsulation Format for LLDPDUs 1-8...
  • Page 85: Lldp Configuration

    LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: Introduction to LLDP LLDP Configuration Task List Performing Basic LLDP Configuration Configuring the Encapsulation Format for LLDPDUs Configuring the Encapsulation Format of the Management Address Configuring CDP Compatibility Configuring LLDP Trapping Displaying and Maintaining LLDP...
  • Page 86: Tlv Types

    To enable the neighboring devices to be informed of the existence of a device or an LLDP operating mode change (from the disable mode to TxRx mode, or from the Rx mode to Tx mode) in a timely manner, a device can invoke the fast sending mechanism. In this case, the interval to send LLDPDUs changes to one second.
  • Page 87 VLAN name TLV, which carries port VLAN name. Protocol identity TLV, which carries types of the supported protocols. Currently, protocol identity TLVs can only be received on H3C devices. IEEE 802.3 defined LLDP TLVs include the following: MAC/PHY configuration/status TLV, which carries port configuration, such as port speed, duplex state, whether port speed auto-negotiation is supported, the state of auto-negotiation, current speed, and current duplex state.
  • Page 88: Protocols And Standards

    Extended power-via-MDI TLV, which carries the information about the power supply capability of the current device. Hardware revision TLV, which carries the hardware version of an MED device. Firmware revision TLV, which carries the firmware version of an MED device. Software revision TLV, which carries the software version of an MED device.
  • Page 89: Setting Lldp Operating Mode

    To do… | Use the command… | Remarks. Enter system view: system-view (—). Enable LLDP globally: lldp enable (Required. By default, LLDP is enabled globally.) Enter Ethernet interface view: interface interface-type interface-number (Either of the two is required. Configuration performed in Ethernet interface view applies to the current interface...
  • Page 90: Configuring Lldpdu Tlvs

    Configuring LLDPDU TLVs Follow these steps to configure LLDPDU TLVs: To do… | Use the command… | Remarks. Enter system view: system-view (—). Set the TTL multiplier: lldp hold-multiplier value (Optional. 4 by default.) Enter Ethernet interface view: interface interface-type (Either of the two is required. Configuration performed in...
  • Page 91: Enable Lldp Polling

    To enable MED related LLDP TLV sending, you need to enable LLDP-MED capabilities TLV sending first. Conversely, to disable LLDP-MED capabilities TLV sending, you need to disable the sending of other MED related LLDP TLVs. To disable MAC/PHY configuration/status TLV sending, you need to disable LLDP-MED capabilities TLV sending first.
  • Page 92: Configuring The Encapsulation Format For Lldpdus

    To do… | Use the command… | Remarks. Set the delay period to send LLDPDUs: lldp timer tx-delay value (Optional. 2 seconds by default.) To enable local device information to be updated on neighboring devices before being aged out, make sure the interval to send LLDPDUs is shorter than the TTL of the local device information. Setting the number of the LLDPDUs to be sent when a new neighboring device is detected Follow these steps to set the number of the LLDPDUs to be sent when a new neighboring device is detected...
  • Page 93: Configuring The Encapsulation Format Of The Management Address

    The configuration does not apply to LLDP-CDP packets, which use only SNAP encapsulation. Configuring the Encapsulation Format of the Management Address LLDP encapsulates the management address in the form of numbers or strings in management address TLVs and then advertises it. By default, management addresses are encapsulated in the form of numbers in TLVs.
  • Page 94: Configuration Prerequisites

    TLV for the IP phones to configure the voice VLAN automatically. Thus, the voice traffic is confined in the configured voice VLAN to be differentiated from other types of traffic. CDP-compatible LLDP operates in one of the following two modes: TxRx, where CDP packets can be transmitted and received.
  • Page 95: Displaying And Maintaining Lldp

    Follow these steps to configure LLDP trap: To do… | Use the command… | Remarks. Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type interface-number (Either of the two is required. Configuration performed in Ethernet interface view applies to the current port only;...
  • Page 96 Figure 1-1 Network diagram for LLDP configuration (figure labels: Switch A GE1/0/1, GE1/0/2; Switch B GE1/0/1; MED device) Configuration procedure Configure Switch A. # Enable LLDP globally. <SwitchA> system-view [SwitchA] lldp enable # Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, setting the LLDP operating mode to [SwitchA] interface gigabitethernet1/0/1 [SwitchA-GigabitEthernet1/0/1] lldp enable [SwitchA-GigabitEthernet1/0/1] lldp admin-status rx...
  • Page 97 Transmit interval : 30s Hold multiplier Reinit delay : 2s Transmit delay : 2s Trap interval : 5s Fast start times Port 1 [GigabitEthernet1/0/1] : Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors...
  • Page 98: Cdp-Compatible Lldp Configuration Example

    Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV Port 2 [GigabitEthernet1/0/2] : Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No...
  • Page 99 # Configure the link type of the ports to be trunk and enable the voice VLAN feature on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] port link-type trunk [SwitchA-GigabitEthernet1/0/1] voice vlan 2 enable [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] port link-type trunk [SwitchA-GigabitEthernet1/0/2] voice vlan 2 enable [SwitchA-GigabitEthernet1/0/2] quit...
  • Page 100 Table of Contents: 1 MSTP Configuration 1-1; MSTP Overview 1-1; Introduction to STP 1-1; How STP works 1-3; Introduction to MSTP 1-9; Protocols and Standards 1-14; Configuration Task List 1-14; Configuring the Root Bridge 1-16; Configuring an MST Region 1-16; Specifying the Root Bridge or a Secondary Root Bridge 1-17; Configuring the Work Mode of an MSTP Device 1-18; Configuring the Priority of the Current Device 1-19; Configuring the Maximum Hops of an MST Region 1-19...
  • Page 101 Configuration Prerequisites 1-35; Configuration Procedure 1-36; Configuration Example 1-36; Configuring Protection Functions 1-36; Configuration prerequisites 1-37; Enabling BPDU Guard 1-37; Enabling Root Guard 1-38; Enabling Loop Guard 1-38; Enabling TC-BPDU Attack Guard 1-39; Enabling BPDU Dropping 1-40; Displaying and Maintaining MSTP 1-40; MSTP Configuration Example 1-41...
  • Page 102: Mstp Configuration

    MSTP Configuration When configuring MSTP, go to these sections for information you are interested in: MSTP Overview Configuration Task List Configuring the Root Bridge Configuring Leaf Nodes Performing mCheck Configuring Digest Snooping Configuring No Agreement Check Configuring Protection Functions Displaying and Maintaining MSTP MSTP Configuration Example MSTP Overview Introduction to STP...
  • Page 103 There is one and only one root bridge in the entire network, and the root bridge can change along with changes of the network topology. Therefore, the root bridge is not fixed. After network convergence, the root bridge generates and sends out configuration BPDUs at a certain interval, and other devices just forward the BPDUs.
  • Page 104: How Stp Works

    All the ports on the root bridge are designated ports. Path cost Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree. How STP works The devices on a network exchange BPDUs to identify the network topology.
  • Page 105 Table 1-2 Selection of the optimum configuration BPDU Step Actions Upon receiving a configuration BPDU on a port, the device performs the following: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device discards the received configuration BPDU and does not process the configuration BPDU of this port.
  • Page 106 Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined, and acts depending on the comparison result: If the calculated configuration BPDU is superior, the device considers this port as the designated port, and replaces the configuration BPDU on the port with the calculated configuration BPDU, which will be sent out periodically.
  • Page 107 Device | Port name | BPDU of port. Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}. Comparison process and result on each device The following table shows the comparison process and result on each device. Table 1-5 Comparison process and result on each device (Device | Comparison process | BPDU of port after comparison)...
  • Page 108 Device | Comparison process | BPDU of port after comparison. Device C: Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  • Page 109 Figure 1-3 The final calculated spanning tree The spanning tree calculation process in this example is only a simplified process. The BPDU forwarding mechanism in STP Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval. If it is the root port that received a configuration BPDU and the received configuration BPDU is superior to the configuration BPDU of the port, the device increases the message age carried in the configuration BPDU following a certain rule and starts a timer to time the configuration BPDU while...
  • Page 110: Introduction To Mstp

    For this reason, as a mechanism for state transition in STP, the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propagated throughout the network. Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault-free.
  • Page 111 MSTP divides a switched network into multiple regions, each containing multiple spanning trees that are independent of one another. MSTP prunes a loop network into a loop-free tree, thus avoiding proliferation and endless cycling of packets in a loop network. In addition, it provides multiple redundant paths for data forwarding, thus supporting load balancing of VLAN data.
  • Page 112 Multiple MST regions can exist in a switched network. You can use an MSTP command to assign multiple devices to the same MST region. VLAN-to-MSTI mapping table As an attribute of an MST region, the VLAN-to-MSTI mapping table describes the mapping relationships between VLANs and MSTIs.
  • Page 113 During MSTP calculation, a boundary port’s role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. 11) Roles of ports MSTP calculation involves these port roles: root port, designated port, master port, alternate port, backup port, and so on.
  • Page 114 In MSTP, port states fall into the following three: Forwarding: the port learns MAC addresses and forwards user traffic; Learning: the port learns MAC addresses but does not forward user traffic; Discarding: the port neither learns MAC addresses nor forwards user traffic. When in different MSTIs, a port can be in different states.
  • Page 115: Protocols And Standards

    Implementation of MSTP on devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation. In addition to basic MSTP functions, many special functions are provided for ease of management, as follows: Root bridge hold Root bridge backup...
  • Page 116 Task | Remarks. Configuring an MST Region: Required. Configuring the Work Mode of an MSTP Device: Optional. Configuring the Timeout Factor: Optional. Configuring the Maximum Port Rate: Optional. Configuring Ports as Edge Ports: Optional. Configuring Leaf Nodes: Configuring Path Costs of Ports: Optional...
  • Page 117: Configuring The Root Bridge

    Configuring the Root Bridge Configuring an MST Region Configuration procedure Follow these steps to configure an MST region: To do... | Use the command... | Remarks. Enter system view: system-view (—). Enter MST region view: stp region-configuration (—). Configure the MST region name: region-name name (Optional. The MST region name is the name...
  • Page 118: Specifying The Root Bridge Or A Secondary Root Bridge

    Configuration example # Configure the MST region name to be “info”, the MSTP revision level to be 1, and VLAN 2 through VLAN 10 to be mapped to MSTI 1 and VLAN 20 through VLAN 30 to MSTI 2. <Sysname> system-view [Sysname] stp region-configuration [Sysname-mst-region] region-name info [Sysname-mst-region] instance 1 vlan 2 to 10...
  • Page 119: Configuring The Work Mode Of An Mstp Device

    There is one and only one root bridge in effect in a spanning tree instance. If two or more devices have been designated to be root bridges of the same spanning tree instance, MSTP will select the device with the lowest MAC address as the root bridge. You can specify multiple secondary root bridges for the same instance.
  • Page 120: Configuring The Priority Of The Current Device

    [Sysname] stp mode stp Configuring the Priority of the Current Device The priority of a device determines whether it can be elected as the root bridge of a spanning tree. A lower value indicates a higher priority. By setting the priority of a device to a low value, you can specify the device as the root bridge of the spanning tree.
  • Page 121: Configuring The Network Diameter Of A Switched Network

    To do... | Use the command... | Remarks. Enter system view: system-view (—). Configure the maximum hops of the MST region: stp max-hops hops (Optional. 20 by default.) A larger maximum hops setting means a larger size of the MST region. Only the maximum hops configured on the regional root bridge can restrict the size of the MST region.
  • Page 122: Configuring Timers Of Mstp

    Configuring Timers of MSTP MSTP involves three timers: forward delay, hello time and max age. You can configure these three parameters for MSTP to calculate spanning trees. Configuration procedure Follow these steps to configure the timers of MSTP: To do... Use the command...
  • Page 123: Configuring The Timeout Factor

    We recommend that you specify the network diameter with the stp root primary command and let MSTP automatically calculate optimal settings of these three timers. Configuration example # Set the forward delay to 1,600 centiseconds, hello time to 300 centiseconds, and max age to 2,100 centiseconds.
  • Page 124: Configuring Ports As Edge Ports

    Configuration procedure Follow these steps to configure the maximum rate of a port or a group of ports: To do... | Use the command... | Remarks. Enter system view: system-view (—). Enter Ethernet interface view or Layer-2 aggregate interface view: interface interface-type interface-number (Required. Use either command. Configurations made in interface...
  • Page 125: Setting The Link Type Of A Port To P2P

    Configuration procedure Follow these steps to specify a port or a group of ports as edge port(s): To do... | Use the command... | Remarks. Enter system view: system-view (—). Enter Ethernet interface view or Layer-2 aggregate interface view: interface interface-type interface-number (Required. Use either command. Configurations made in interface view...
  • Page 126: Configuring The Mode A Port Uses To Recognize/Send Mstp Packets

    Configuration procedure Follow these steps to set the type of a connected link to P2P: To do... | Use the command... | Remarks. Enter system view: system-view (—). Enter Ethernet interface view or Layer-2 aggregate interface view: interface interface-type interface-number (Required. Use either command. Configurations made in interface...
  • Page 127: Enabling The Output Of Port State Transition Information

    Configuration procedure Follow these steps to configure the MSTP packet format to be supported by a port or a group of ports: To do... | Use the command... | Remarks. Enter system view: system-view (—). Enter Ethernet interface view or Layer-2 aggregate interface view: interface interface-type (Required. Use either command.
  • Page 128: Enabling The Mstp Feature

    Follow these steps to enable output of port state transition information: To do... | Use the command... | Remarks. Enter system view: system-view (—). Enable output of port state transition information of all MSTIs or a particular MSTI: stp port-log { all | instance instance-id } (Optional. This function is enabled by default.)
  • Page 129: Configuring Leaf Nodes

    [Sysname-GigabitEthernet1/0/1] undo stp enable Configuring Leaf Nodes Configuring an MST Region Refer to Configuring an MST Region in the section about root bridge configuration. Configuring the Work Mode of MSTP Refer to Configuring the Work Mode of an MSTP Device in the section about root bridge configuration.
  • Page 130 Table 1-7 Link speed vs. path cost Link speed Duplex state 802.1d-1998 802.1t Private standard — 65535 200,000,000 200,000 Single Port 2,000,000 2,000 Aggregate Link 2 Ports 1,000,000 1,800 10 Mbps Aggregate Link 3 Ports 666,666 1,600 Aggregate Link 4 Ports 500,000 1,400 Single Port...
  • Page 131: Configuring Port Priority

    If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will be invalid. When the path cost of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition.
  • Page 132: Setting The Link Type Of A Port To P2P

    Configuration example # Set the priority of port GigabitEthernet 1/0/1 to 16 in MSTI 1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] stp instance 1 port priority 16 Setting the Link Type of a Port to P2P Refer to Setting the Link Type of a Port to P2P in the section about root bridge configuration.
  • Page 133: Configuration Example

    Performing mCheck in interface view Follow these steps to perform mCheck in interface view: To do... | Use the command... | Remarks. Enter system view: system-view (—). Enter Ethernet interface view or Layer-2 aggregate interface view: interface interface-type interface-number (—). Perform mCheck: stp mcheck (Required). Configuration Example...
  • Page 134: Configuration Procedure

    Configuration Procedure Follow these steps to configure Digest Snooping: To do... | Use the command... | Remarks. Enter system view: system-view (—). Enter Ethernet interface view or Layer-2 aggregate interface view, or enter port group view: interface interface-type interface-number (Required. Use either command. Configurations made in interface view will take effect on the current port only;...
  • Page 135: Configuring No Agreement Check

    Figure 1-6 Digest Snooping configuration Configuration procedure Enable Digest Snooping on Device A. # Enable Digest Snooping on GigabitEthernet1/0/1. <DeviceA> system-view [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] stp config-digest-snooping [DeviceA-GigabitEthernet1/0/1] quit # Enable global Digest Snooping. [DeviceA] stp config-digest-snooping Enable Digest Snooping on Device B (the same as above, omitted) Configuring No Agreement Check In RSTP and MSTP, two types of messages are used for rapid state transition on designated ports: Proposal: sent by designated ports to request rapid transition...
  • Page 136: Configuration Prerequisites

    Figure 1-7 Rapid state transition of an MSTP designated port (figure labels: Upstream switch, Downstream switch; Proposal for rapid transition; Root port blocks other non-edge ports; Root port changes to forwarding state and sends Agreement; Designated port changes to forwarding state) Figure 1-8...
  • Page 137: Configuration Example

    Configuration Procedure Follow these steps to configure No Agreement Check: To do... | Use the command... | Remarks. Enter system view: system-view (—). Enter Ethernet interface view or Layer-2 aggregate interface view, or enter port group view: interface interface-type interface-number (Required. Use either command. Configurations made in interface view will take effect...
  • Page 138: Configuration Prerequisites

    Loop guard TC-BPDU attack guard BPDU dropping Among loop guard, root guard and edge port settings, only one function can take effect on a port at the same time. Configuration prerequisites MSTP has been correctly configured on the device. Enabling BPDU Guard We recommend that you enable BPDU guard on a device with edge ports configured.
  • Page 139: Enabling Root Guard

    Enabling Root Guard We recommend that you enable root guard on a designated port. The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design.
  • Page 140: Enabling Tc-Bpdu Attack Guard

    By continuing to receive BPDUs from the upstream device, a device can maintain the state of its root port and blocked ports. However, due to link congestion or unidirectional link failures, these ports may fail to receive BPDUs from the upstream devices. In this case, the downstream device reselects the port roles: the ports in forwarding state that failed to receive upstream BPDUs become designated ports, and the blocked ports transition to the forwarding state, resulting in loops in the switched network.
  • Page 141: Enabling Bpdu Dropping

    We recommend that you keep this feature enabled.
    Enabling BPDU Dropping
    In an STP-enabled network, a user may send BPDUs to the switch continuously in order to disrupt the network. When a switch receives these BPDUs, it forwards them to other switches. As a result, STP calculation is performed repeatedly, which may consume excessive CPU on the switches or corrupt the protocol state the BPDUs carry.
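    The following fragment is an added worked example, not a configuration taken from the manual. It puts the four protections described in this chapter together the way the chapter recommends, while respecting the rule that loop guard, root guard and edge-port settings are mutually exclusive on a port: BPDU guard acts on the edge ports of the access switch, root guard sits on the designated port toward a downstream switch, loop guard sits on the downstream switch's uplink (its root or alternate port), TC-BPDU guard is enabled globally, and BPDU dropping is applied to a port where no STP peer is expected. The command keywords (stp bpdu-protection, stp edged-port enable, stp root-protection, stp loop-protection, stp tc-protection enable, bpdu-drop any) come from my knowledge of Comware V5, not from this page; check them against the S5120-EI command reference for Release 2202 before use. Device names and port numbers are assumed.

```text
# Access switch (assumed name DeviceA)
<DeviceA> system-view
# BPDU guard is a global setting; it acts on ports configured as edge ports.
# An edge port that receives a BPDU is shut down instead of joining the tree.
[DeviceA] stp bpdu-protection
# TC-BPDU attack guard limits how often topology-change BPDUs may flush the
# forwarding tables, so a flood of TC-BPDUs cannot keep the switch re-learning.
[DeviceA] stp tc-protection enable
# Port toward an end host: edge port + BPDU guard. No root or loop guard here.
[DeviceA] interface gigabitethernet 1/0/10
[DeviceA-GigabitEthernet1/0/10] stp edged-port enable
[DeviceA-GigabitEthernet1/0/10] quit
# Designated port toward a downstream switch: root guard only, so a rogue
# switch advertising a better bridge ID cannot take over the root role.
[DeviceA] interface gigabitethernet 1/0/24
[DeviceA-GigabitEthernet1/0/24] stp root-protection
[DeviceA-GigabitEthernet1/0/24] quit
# Port where no STP peer is ever expected: discard BPDUs outright (the port
# neither sends nor processes BPDUs), so injected BPDUs never reach STP.
[DeviceA] interface gigabitethernet 1/0/11
[DeviceA-GigabitEthernet1/0/11] bpdu-drop any
[DeviceA-GigabitEthernet1/0/11] quit
[DeviceA] quit

# Downstream switch (assumed name DeviceB): loop guard on the uplink, which is
# its root or alternate port. If upstream BPDUs stop arriving, the port stays
# blocked instead of becoming designated and forming a loop.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] stp loop-protection
[DeviceB-GigabitEthernet1/0/1] quit
# Verify port roles and states after the change.
[DeviceB] display stp brief
```

    After applying the configuration, confirm with display stp brief that the ports carrying root guard and loop guard still show the roles you expect (designated on the DeviceA side, root or alternate on the DeviceB side); a port that shows as discarding where you expected forwarding usually means the guard has triggered and the link needs to be examined before the guard is relaxed.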
  • Page 142: Mstp Configuration Example

    To do...: View the status information and statistics information of MSTP
      Command: display stp [ instance instance-id ] [ interface interface-list | slot slot-number ] [ brief ]
      Remarks: Available in any view
    To do...: View the MST region configuration information that has taken effect
      Command: display stp region-configuration
      Remarks: Available in any view...
  • Page 143
    <DeviceA> system-view
    [DeviceA] stp region-configuration
    # Configure the region name, VLAN-to-MSTI mappings and revision level of the MST region.
    [DeviceA-mst-region] region-name example
    [DeviceA-mst-region] instance 1 vlan 10
    [DeviceA-mst-region] instance 3 vlan 30
    [DeviceA-mst-region] instance 4 vlan 40
    [DeviceA-mst-region] revision-level 0
    # Activate MST region configuration manually.
  • Page 144
    [DeviceB] stp enable
    # View the MST region configuration information that has taken effect.
    [DeviceB] display stp region-configuration
    Oper configuration
    Format selector
    Region name :example
    Revision level
    Instance Vlans Mapped
    1 to 9, 11 to 29, 31 to 39, 41 to 4094
    Configuration on Device C.
  • Page 145
    <DeviceD> system-view
    [DeviceD] stp region-configuration
    [DeviceD-mst-region] region-name example
    # Configure the region name, VLAN-to-MSTI mappings and revision level of the MST region.
    [DeviceD-mst-region] instance 1 vlan 10
    [DeviceD-mst-region] instance 3 vlan 30
    [DeviceD-mst-region] instance 4 vlan 40
    [DeviceD-mst-region] revision-level 0
    # Activate MST region configuration manually.
  • Page 146
    Table of Contents
    1 Smart Link Configuration 1-1
    Smart Link Overview 1-1
    Terminology 1-1
    Operating Mechanism of Smart Link 1-2
    Configuring a Smart Link Device 1-3
    Configuration Prerequisites 1-3
    Configuring a Smart Link Device 1-3
    Smart Link Device Configuration Example 1-4
    Configuring an Associated Device 1-5
    Configuring an Associated Device 1-5
    Associated Device Configuration Example 1-6
    Displaying and Maintaining Smart Link 1-6...
  • Page 147: Smart Link Configuration

    Smart Link Configuration
    When configuring Smart Link, go to these sections for information that you are interested in:
    Smart Link Overview
    Configuring a Smart Link Device
    Configuring an Associated Device
    Displaying and Maintaining Smart Link
    Smart Link Configuration Examples
    Smart Link Overview
    Smart Link is a feature developed to address the slow convergence issue with the Spanning Tree Protocol (STP).
  • Page 148: Operating Mechanism Of Smart Link

    Master port Master port is a port role in a smart link group. When both ports in a smart link group are up, the master port preferentially transits to the forwarding state. Once the master port fails, the slave port takes over to forward traffic.
  • Page 149: Configuring A Smart Link Device

    Uplink traffic-triggered MAC address learning, where the update is triggered by uplink traffic. This mechanism is applicable to environments with devices that do not support Smart Link, including devices from other vendors.
    Flush update, where a Smart Link-enabled device updates its information by transmitting flush messages over the backup link to its upstream devices.
  • Page 150: Smart Link Device Configuration Example

    To do…: Configure protected VLANs for the smart link group
      Command: protected-vlan reference-instance instance-id-list
      Remarks: Required. By default, no protected VLAN is configured for a smart link group.
    To do…: Specify the master port
      Command: In smart link group view: port interface-type interface-number master
      Remarks: Required. In Ethernet...
  • Page 151: Configuring An Associated Device

    Configure VLAN 20 for flush update.
    Configuration procedure
    <Sysname> system-view
    [Sysname] vlan 20
    [Sysname-vlan20] quit
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] undo stp enable
    [Sysname-GigabitEthernet1/0/1] port link-type trunk
    [Sysname-GigabitEthernet1/0/1] port trunk permit vlan 20
    [Sysname-GigabitEthernet1/0/1] quit
    [Sysname] interface gigabitethernet 1/0/2
    [Sysname-GigabitEthernet1/0/2] undo stp enable
    [Sysname-GigabitEthernet1/0/2] port link-type trunk
    [Sysname-GigabitEthernet1/0/2] port trunk permit vlan 20
    [Sysname-GigabitEthernet1/0/2] quit...
  • Page 152: Associated Device Configuration Example

    Configure all the control VLANs to receive flush messages. If no control VLAN is specified for processing flush messages, the device forwards the received flush messages directly without processing them. Make sure that the receive control VLAN is the same as the transmit control VLAN configured on the Smart Link device.
  • Page 153
    Figure 1-2 Network diagram for single smart link group configuration (diagram: Device A, Device B, Device C, Device D and Device E interconnected through ports GE1/0/1, GE1/0/2 and GE1/0/3)
    Configuration procedure
    Configuration on Device C
    # Create smart link group 1.
    <DeviceC>...
  • Page 154: Multiple Smart Link Groups Load Sharing Configuration Example

    [DeviceE-smlk-group1] port gigabitethernet1/0/2 master
    [DeviceE-smlk-group1] port gigabitethernet1/0/1 slave
    # Configure VLAN 1 as the transmit control VLAN.
    [DeviceE-smlk-group1] flush enable
    Configuration on Device B
    # Configure VLAN 1 as the receive control VLAN for GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.
    <DeviceB>...
  • Page 155 The traffic of VLAN 1 through VLAN 200 on Device C is dual-uplinked to Device A through Device B and Device D. Implement load sharing so that the traffic of VLAN 1 through VLAN 100 and the traffic of VLAN 101 through VLAN 200 are uplinked to Device A over different links. Implement dual link backup on Device C: the traffic of VLANs 1 through 100 (mapped to MSTI 0) is uplinked to Device A by Device B;...
  • Page 156
    # Configure protected VLANs for smart link group 1.
    [DeviceC-smlk-group1] protected-vlan reference-instance 0
    # Configure GigabitEthernet 1/0/1 as the master port and GigabitEthernet 1/0/2 as the slave port.
    [DeviceC-smlk-group1] port gigabitethernet1/0/1 master
    [DeviceC-smlk-group1] port gigabitethernet1/0/2 slave
    # Enable role preemption.
    [DeviceC-smlk-group1] preemption mode role
    # Configure VLAN 10 as the transmit control VLAN of smart link group 1.
  • Page 157
    [DeviceD-GigabitEthernet1/0/1] smart-link flush enable control-vlan 10 101
    [DeviceD-GigabitEthernet1/0/1] quit
    [DeviceD] interface gigabitethernet 1/0/2
    [DeviceD-GigabitEthernet1/0/2] port link-type trunk
    [DeviceD-GigabitEthernet1/0/2] port trunk permit vlan 1 to 200
    [DeviceD-GigabitEthernet1/0/2] smart-link flush enable control-vlan 10 101
    Configuration on Device A
    # Configure VLAN 10 and VLAN 101 as the receive control VLANs of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
  • Page 158
    Table of Contents
    1 Monitor Link Configuration 1-1
    Overview 1-1
    Terminology 1-1
    How Monitor Link Works 1-1
    Configuring Monitor Link 1-2
    Configuration Prerequisites 1-2
    Configuration Procedure 1-2
    Monitor Link Configuration Example 1-2
    Displaying and Maintaining Monitor Link 1-3
    Monitor Link Configuration Example 1-3...
  • Page 159: Monitor Link Configuration

    Monitor Link Configuration
    When configuring monitor link, go to these sections for information you are interested in:
    Overview
    Configuring Monitor Link
    Displaying and Maintaining Monitor Link
    Monitor Link Configuration Example
    Overview
    Monitor link is a port collaboration function used to enable a device to be aware of the up/down state change of the ports on an indirectly connected link.
  • Page 160: Configuring Monitor Link

    Do not manually shut down or bring up the downlink ports in a monitor link group. Configuring Monitor Link Configuration Prerequisites Before assigning a port to a monitor link group, make sure the port is not the member port of any aggregation group.
  • Page 161: Configuration Procedure

    Configuration procedure
    <Sysname> system-view
    [Sysname] monitor-link group 1
    [Sysname-mtlk-group1] port gigabitethernet 1/0/1 uplink
    [Sysname-mtlk-group1] port gigabitethernet 1/0/2 downlink
    Displaying and Maintaining Monitor Link
    To do…: Display monitor link group information
      Command: display monitor-link group { group-id | all }
      Remarks: Available in any view
    Monitor Link Configuration Example
    Network requirements...
  • Page 162
    [DeviceC] interface gigabitethernet 1/0/1
    [DeviceC-GigabitEthernet1/0/1] undo stp enable
    [DeviceC-GigabitEthernet1/0/1] quit
    [DeviceC] interface gigabitethernet 1/0/2
    [DeviceC-GigabitEthernet1/0/2] undo stp enable
    [DeviceC-GigabitEthernet1/0/2] quit
    [DeviceC] smart-link group 1
    # Configure the smart link group to protect all the VLANs mapped to MSTIs 0 through 16.
    [DeviceC-smlk-group1] protected-vlan reference-instance 0 to 16
    # Configure GigabitEthernet 1/0/1 as the master port and GigabitEthernet 1/0/2 as the slave port.
  • Page 163
    [DeviceD-mtlk-group1] port gigabitethernet 1/0/1 uplink
    [DeviceD-mtlk-group1] port gigabitethernet 1/0/2 downlink
    # Configure VLAN 1 as the control VLAN for receiving flush messages on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
    [DeviceD-mtlk-group1] quit
    [DeviceD] interface gigabitethernet 1/0/1
    [DeviceD-GigabitEthernet1/0/1] smart-link flush enable
    [DeviceD-GigabitEthernet1/0/1] quit
    [DeviceD] interface gigabitethernet 1/0/2
    [DeviceD-GigabitEthernet1/0/2] smart-link flush enable...
  • Page 164
    Table of Contents
    1 VLAN Configuration 1-1
    Introduction to VLAN 1-1
    VLAN Overview 1-1
    VLAN Fundamentals 1-2
    Types of VLAN 1-3
    Configuring Basic VLAN Settings 1-3
    Configuring Basic Settings of a VLAN Interface 1-4
    Port-Based VLAN Configuration 1-5
    Introduction to Port-Based VLAN 1-5
    Assigning an Access Port to a VLAN 1-6
    Assigning a Trunk Port to a VLAN 1-7
    Assigning a Hybrid Port to a VLAN 1-8...
  • Page 165: Vlan Configuration

    VLAN Configuration
    When configuring VLAN, go to these sections for information you are interested in:
    Introduction to VLAN
    Configuring Basic VLAN Settings
    Configuring Basic Settings of a VLAN Interface
    Port-Based VLAN Configuration
    MAC-Based VLAN Configuration
    Protocol-Based VLAN Configuration
    Displaying and Maintaining VLAN
    VLAN Configuration Example
    Introduction to VLAN
    VLAN Overview...
  • Page 166 Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required. Flexible virtual workgroup creation.
  • Page 167: Types Of Vlan

    The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
  • Page 168: Configuring Basic Settings Of A Vlan Interface

    As the default VLAN, VLAN 1 cannot be created or removed. You cannot manually create or remove VLANs reserved for special purposes. Dynamic VLANs cannot be removed with the undo vlan command. A VLAN with a QoS policy applied cannot be removed. For isolate-user-VLANs or secondary VLANs, if you have used the isolate-user-vlan command to create mappings between them, you cannot remove them until you remove the mappings between them first.
  • Page 169: Port-Based Vlan Configuration

    Before creating a VLAN interface for a VLAN, create the VLAN first. Port-Based VLAN Configuration Introduction to Port-Based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid.
  • Page 170: Assigning An Access Port To A Vlan

    Do not set the voice VLAN as the default VLAN of a port in automatic voice VLAN assignment mode. Otherwise, the system prompts error information. For information about voice VLAN, refer to Voice VLAN Configuration. The local and remote ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.
  • Page 171: Assigning A Trunk Port To A Vlan

    In VLAN view, you can assign only Layer-2 Ethernet interfaces to the current VLAN.
    In interface or port group view
    Follow these steps to assign an access port (in interface view) or multiple access ports (in port group view) to a VLAN:
    To do…...
  • Page 172: Assigning A Hybrid Port To A Vlan

    Follow these steps to assign a trunk port to one or multiple VLANs:
    To do…: Enter system view
      Command: system-view
      Remarks: —
    To do…: Enter Ethernet interface view
      Command: interface interface-type interface-number
      Remarks: Required. Use either command. In Ethernet interface view, the subsequent configurations
    To do…: Enter Layer-2...
  • Page 173
    To do…: Enter system view
      Command: system-view
      Remarks: —
    To do…: Enter Ethernet interface view
      Command: interface interface-type interface-number
      Remarks: Required. Use either command. In Ethernet interface view, subsequent configurations apply to the current port.
    To do…: Enter Layer-2 aggregate interface view
      Command: interface bridge-aggregation interface-number
    To do…: Enter port group view
      Remarks: In port group view, the interface...
  • Page 174: Mac-Based Vlan Configuration

    MAC-Based VLAN Configuration Introduction to MAC-Based VLAN MAC-based VLANs group VLAN members by MAC address. They only apply to untagged frames. When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings based on the MAC address of the frame for a match. If a match is found, the system forwards the frame in the corresponding VLAN.
  • Page 175: Protocol-Based Vlan Configuration

    To do...: Enter Ethernet interface view
      Command: interface interface-type interface-number
      Remarks: Use either command. In Ethernet interface view, the subsequent configurations apply only to the current port; in port group view, the subsequent configurations...
    To do...: Enter port group view
      Command: port-group manual port-group-name
  • Page 176: Configuring A Protocol-Based Vlan

    Configuring a Protocol-Based VLAN
    Follow these steps to configure a protocol-based VLAN:
    To do…: Enter system view
      Command: system-view
      Remarks: —
    To do…: Enter VLAN view
      Command: vlan vlan-id
      Remarks: Required. If the specified VLAN does not exist, this command creates the VLAN first.
    To do…: (next step)
      Command: protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc |...
  • Page 177: Ip Subnet-Based Vlan Configuration

    Do not configure both the dsap-id and ssap-id arguments in the protocol-vlan command as 0xe0 or 0xff when configuring the user-defined template for llc encapsulation. Otherwise, the encapsulation format of the matching packets will be the same as that of the ipx llc or ipx raw packets respectively.
  • Page 178: Displaying And Maintaining Vlan

    To do…: Associate an IP subnet with the current VLAN
      Command: ip-subnet-vlan [ ip-subnet-index ] ip ip-address [ mask ]
      Remarks: Required. The IP network segment or IP address to be associated with a VLAN cannot be a multicast network segment or a multicast address.
  • Page 179: Vlan Configuration Example

    To do...: Display MAC address-to-VLAN entries
      Command: display mac-vlan { all | dynamic | mac-address mac-address [ mask mac-mask ] | static | vlan vlan-id }
      Remarks: Available in any view
    To do...: Display all interfaces with MAC-based VLAN enabled
      Command: display mac-vlan interface
      Remarks: Available in any view
    To do...: Display protocol information...
  • Page 180
    [DeviceA] vlan 2
    [DeviceA-vlan2] quit
    [DeviceA] vlan 100
    [DeviceA-vlan100] vlan 6 to 50
    Please wait... Done.
    # Enter GigabitEthernet 1/0/1 interface view.
    [DeviceA] interface GigabitEthernet 1/0/1
    # Configure GigabitEthernet 1/0/1 as a trunk port and configure its default VLAN ID as 100.
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk pvid vlan 100
    # Configure GigabitEthernet 1/0/1 to deny the packets of VLAN 1 (by default, the packets of VLAN 1 are...
  • Page 181
    VLAN permitted: 2, 6-50, 100
    Trunk port encapsulation: IEEE 802.1q
    Port priority: 0
    Peak value of input: 0 bytes/sec, at 2000-04-26 12:01:40
    Peak value of output: 0 bytes/sec, at 2000-04-26 12:01:40
    Last 300 seconds input: 0 packets/sec 0 bytes/sec
    Last 300 seconds output: 0 packets/sec 0 bytes/sec
    Input (total): 0 packets, 0 bytes...
  • Page 182: Isolate-User-Vlan Configuration

    Isolate-User-VLAN Configuration
    When configuring an isolate-user VLAN, go to these sections for information you are interested in:
    Overview
    Configuring Isolate-User-VLAN
    Displaying and Maintaining Isolate-User-VLAN
    Isolate-User-VLAN Configuration Example
    Overview
    An isolate-user-VLAN adopts a two-tier VLAN structure. In this approach, two types of VLANs, isolate-user-VLAN and secondary VLAN, are configured on the same device.
  • Page 183
    Assign non-trunk ports to the isolate-user-VLAN and ensure that at least one port takes the isolate-user-VLAN as its default VLAN;
    Assign non-trunk ports to each secondary VLAN and ensure that at least one port in a secondary VLAN takes the secondary VLAN as its default VLAN;
    Associate the isolate-user-VLAN with the specified secondary VLANs.
  • Page 184: Displaying And Maintaining Isolate-User-Vlan

    Displaying and Maintaining Isolate-User-VLAN
    To do...: Display the mapping between an isolate-user-VLAN and its secondary VLAN(s)
      Command: display isolate-user-vlan [ isolate-user-vlan-id ]
      Remarks: Available in any view
    Isolate-User-VLAN Configuration Example
    Network requirements
    Connect Device A to downstream devices Device B and Device C;
    Configure VLAN 5 on Device B as an isolate-user-VLAN, assign the uplink port GigabitEthernet 1/0/5 to VLAN 5, and associate VLAN 5 with secondary VLANs VLAN 2 and VLAN 3.
  • Page 185
    [DeviceB] vlan 2
    [DeviceB-vlan2] port gigabitethernet 1/0/2
    [DeviceB-vlan2] quit
    # Associate the isolate-user-VLAN with the secondary VLANs.
    [DeviceB] isolate-user-vlan 5 secondary 2 to 3
    Configure Device C
    # Configure the isolate-user-VLAN.
    <DeviceC> system-view
    [DeviceC] vlan 6
    [DeviceC-vlan6] isolate-user-vlan enable
    [DeviceC-vlan6] port gigabitethernet 1/0/5
    [DeviceC-vlan6] quit
    # Configure the secondary VLANs.
  • Page 186
    gigabitethernet 1/0/2
    gigabitethernet 1/0/5
    VLAN ID: 3
    VLAN Type: static
    Isolate-user-VLAN type : secondary
    Route Interface: not configured
    Description: VLAN 0003
    Name: VLAN 0003
    Tagged Ports: none
    Untagged Ports:
    gigabitethernet 1/0/1
    gigabitethernet 1/0/5
  • Page 187: Voice Vlan Configuration

    Voice VLAN Configuration
    When configuring a voice VLAN, go to these sections for information you are interested in:
    Overview
    Configuring a Voice VLAN
    Displaying and Maintaining Voice VLAN
    Voice VLAN Configuration
    Overview
    A voice VLAN is configured specially for voice traffic. After assigning the ports connecting to voice devices to a voice VLAN, you can configure quality of service (QoS) parameters for the voice traffic, thus improving transmission priority and ensuring voice quality.
  • Page 188: Voice Vlan Assignment Modes

    Voice VLAN Assignment Modes A port can be assigned to a voice VLAN in one of the following two modes: In automatic mode, the system matches the source MAC addresses in the untagged packets sent when the IP phone is powered on against the OUI addresses. If a match is found, the system automatically assigns the port to the voice VLAN, issues ACL rules and configures the packet precedence.
  • Page 189: Security Mode And Normal Mode Of Voice Vlans

    If an IP phone sends tagged voice traffic and its connecting port is configured with 802.1X authentication and guest VLAN, you should assign different VLAN IDs for the voice VLAN, the default VLAN of the connecting port, and the 802.1X guest VLAN. The default VLANs for all ports are VLAN 1.
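    As an added example for the security-mode section above (not a configuration from the manual): in security mode the device forwards in the voice VLAN only frames whose source MAC matches a recognizable OUI, which keeps a PC daisy-chained behind the phone from injecting traffic into the voice VLAN; normal mode forwards everything that arrives in the voice VLAN. The voice vlan security enable keyword and display voice vlan state are from my knowledge of Comware V5 rather than from this page, so confirm them in the S5120-EI command reference. The OUI value is the one used for IP phone A in this chapter's own example; the device name, VLAN 2 and GigabitEthernet 1/0/1 are assumed.

```text
<DeviceA> system-view
# Security mode is the default; stating it explicitly makes the intent
# visible in the running configuration and restores it if someone disabled it.
[DeviceA] voice vlan security enable
# Register the OUI of the deployed phones so the match is explicit rather than
# relying only on the vendor defaults listed in Table 3-1.
[DeviceA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A
# Create the voice VLAN; in automatic mode the port joins it by itself once a
# frame from a recognised OUI is seen.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-GigabitEthernet1/0/1] voice vlan mode auto
[DeviceA-GigabitEthernet1/0/1] voice vlan 2 enable
[DeviceA-GigabitEthernet1/0/1] quit
# Verify: the security mode flag and the OUI table the port will match against.
[DeviceA] display voice vlan state
[DeviceA] display voice vlan oui
# Normal mode (undo voice vlan security enable) forwards any frame in the voice
# VLAN and should be used only where the phones cannot be matched by OUI.
```

    Note that OUI matching is a filter on a forgeable source address, not authentication: a host that spoofs a registered OUI still gets into the voice VLAN. Security mode raises the bar against accidental leakage and casual misuse; where the port also carries 802.1X, keep the voice VLAN, the port's default VLAN and the guest VLAN distinct, as the paragraph above requires.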
  • Page 190: Setting A Port To Operate In Automatic Voice Vlan Assignment Mode

    Setting a Port to Operate in Automatic Voice VLAN Assignment Mode
    Follow these steps to set a port to operate in automatic voice VLAN assignment mode:
    To do...: Enter system view
      Command: system-view
      Remarks: —
    To do...: Set the voice VLAN aging time
      Command: voice vlan aging minutes
      Remarks: Optional. 1440 minutes by default. The voice VLAN aging time configuration is...
  • Page 191: Displaying And Maintaining Voice Vlan

    To do...: Add a recognizable OUI address
      Command: voice vlan mac-address oui mask oui-mask [ description text ]
      Remarks: Optional. By default, each voice VLAN has default OUI addresses configured. Refer to Table 3-1 for the default OUI addresses of different vendors.
  • Page 192: Voice Vlan Configuration Examples

    Voice VLAN Configuration Examples
    Automatic Voice VLAN Mode Configuration Example
    Network requirements
    As shown in Figure 3-1, the MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A, whose MAC address is 0022-1100-0002, and to GigabitEthernet 1/0/1 on an upstream device named Device A.
  • Page 193
    [DeviceA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A
    [DeviceA] voice vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP phone B
    # Configure GigabitEthernet 1/0/1 to operate in automatic voice VLAN assignment mode. (Optional. By default, a port operates in automatic voice VLAN assignment mode.)
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] voice vlan mode auto
    # Configure GigabitEthernet 1/0/1 as a hybrid port.
  • Page 194: Manual Voice Vlan Assignment Mode Configuration Example

    Manual Voice VLAN Assignment Mode Configuration Example Network requirements Create VLAN 2 and configure it as a voice VLAN permitting only voice traffic to pass through. The IP phones send untagged voice traffic. Configure GigabitEthernet 1/0/1 as a hybrid port. Configure GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode.
  • Page 195
    Verification
    # Display the OUI addresses, OUI address masks, and description strings supported currently.
    <DeviceA> display voice vlan oui
    Oui Address     Mask            Description
    0001-e300-0000  ffff-ff00-0000  Siemens phone
    0003-6b00-0000  ffff-ff00-0000  Cisco phone
    0004-0d00-0000  ffff-ff00-0000  Avaya phone
    0011-2200-0000  ffff-ff00-0000  test
    00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
    0060-b900-0000  ffff-ff00-0000...
  • Page 196
    Table of Contents
    1 GVRP Configuration 1-1
    Introduction to GVRP 1-1
    GARP 1-1
    GVRP 1-3
    Protocols and Standards 1-4
    GVRP Configuration Task List 1-4
    Configuring GVRP Functions 1-4
    Configuring GARP Timers 1-5
    Displaying and Maintaining GVRP 1-6
    GVRP Configuration Examples 1-7
    GVRP Configuration Example I 1-7
    GVRP Configuration Example II 1-8
    GVRP Configuration Example III 1-9...
  • Page 197: Gvrp Configuration

    GVRP Configuration
    The GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network.
    When configuring GVRP, go to these sections for information you are interested in:
    Introduction to GVRP
    GVRP Configuration Task List
    Configuring GVRP Functions...
  • Page 198
    Hold timer: When a GARP application entity receives the first registration request, it starts a Hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps you save bandwidth.
    Join timer:...
  • Page 199: Gvrp

    GARP message format
    Figure 1-1 GARP message format
    Figure 1-1 illustrates the GARP message format. Table 1-1 describes the GARP message fields.
    Table 1-1 Description on the GARP message fields
    Field: Protocol ID
      Description: Protocol identifier for GARP
      Value:
    Field: Message
      Description: One or multiple messages, each containing...
      Value: ––
  • Page 200: Protocols And Standards

    about active VLAN members and through which port they can be reached. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries from other devices.
  • Page 201: Configuring Garp Timers

    To do…: Enter Ethernet interface view, Layer 2 aggregate interface view, or port-group view
      Command (Ethernet interface view or Layer 2 aggregate interface view): interface interface-type interface-number
      Command (port-group view): port-group manual port-group-name
      Remarks: Required. Perform either of the commands....
  • Page 202: Displaying And Maintaining Gvrp

    To do…: Enter Ethernet interface view, Layer 2 aggregate interface view, or port-group view
      Command (Ethernet interface view or Layer 2 aggregate interface view): interface interface-type interface-number
      Command (port-group view): port-group manual...
      Remarks: Required. Perform either of the commands. Depending on the view you accessed, the subsequent configuration takes effect on a...
  • Page 203: Gvrp Configuration Examples

    To do…: Display the current GVRP state
      Command: display gvrp state interface interface-type interface-number vlan vlan-id
      Remarks: Available in any view
    To do…: Display statistics about GVRP
      Command: display gvrp statistics [ interface interface-list ]
      Remarks: Available in any view
    To do…: Display the global GVRP state
      Command: display gvrp status
      Remarks: Available in any view
    To do…: Display the information about...
  • Page 204: Gvrp Configuration Example Ii

    [DeviceB] gvrp
    # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on trunk port GigabitEthernet 1/0/1.
    [DeviceB-GigabitEthernet1/0/1] gvrp
    [DeviceB-GigabitEthernet1/0/1] quit
    # Create VLAN 3 (a static VLAN).
  • Page 205: Gvrp Configuration Example Iii

    [DeviceA-GigabitEthernet1/0/1] quit
    # Create VLAN 2 (a static VLAN).
    [DeviceA] vlan 2
    Configure Device B
    # Enable GVRP globally.
    <DeviceB> system-view
    [DeviceB] gvrp
    # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet 1/0/1.
  • Page 206

    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet 1/0/1 and set the GVRP registration type to forbidden on the port.
    [DeviceA-GigabitEthernet1/0/1] gvrp
    [DeviceA-GigabitEthernet1/0/1] gvrp registration forbidden
    [DeviceA-GigabitEthernet1/0/1] quit
    # Create VLAN 2 (a static VLAN).
    [DeviceA] vlan 2
    Configure Device B
    # Enable GVRP globally.
  • Page 207

    Table of Contents
    1 QinQ Configuration 1-1
      Introduction to QinQ 1-1
        Background 1-1
        QinQ Mechanism and Benefits 1-1
        QinQ Frame Structure 1-2
        Implementations of QinQ 1-3
        Modifying the TPID in a VLAN Tag 1-3
      QinQ Configuration Task List 1-5
      Configuring Basic QinQ 1-5
        Enabling Basic QinQ 1-5
      Configuring Selective QinQ 1-5
        Configuring an Outer VLAN Tagging Policy 1-5...
  • Page 208: Qinq Configuration

    QinQ Configuration
    When configuring QinQ, see the following sections: Introduction to QinQ; QinQ Configuration Task List; Configuring Basic QinQ; Configuring Selective QinQ; Configuring the TPID Value in VLAN Tags; QinQ Configuration Examples.
    Throughout this document, customer network VLANs (CVLANs), also called inner VLANs, refer to the VLANs that a customer uses on the private network;...
  • Page 209: Qinq Frame Structure

    Figure 1-1 Schematic diagram of the QinQ feature (customer network A uses VLAN 1~10 and customer network B uses VLAN 1~20; the service provider network carries their traffic in VLAN 3 and VLAN 4)
    As shown in Figure 1-1, customer network A has CVLANs 1 through 10, while customer network B has...
  • Page 210: Implementations Of Qinq

    Figure 1-2 Single-tagged frame structure vs. double-tagged Ethernet frame structure
    The default maximum transmission unit (MTU) of an interface is 1500 bytes. An outer VLAN tag adds 4 bytes to every frame, so you should increase the MTU of each interface on the service provider network accordingly.
  • Page 211

    Figure 1-3 VLAN tag structure of an Ethernet frame
    The device determines whether a received frame carries an SVLAN tag or a CVLAN tag by checking the TPID value. Upon receiving a frame, the device compares the configured TPID value with the value of the TPID field in the frame.
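    As an added example (not part of the manual and not H3C's implementation), the following Python models the TPID check just described: a frame's first tag is accepted as the SVLAN tag only when its TPID equals the configured value, and a following 0x8100 tag is then the CVLAN tag. It also shows the 4-byte-per-tag overhead behind the MTU advice above. The MAC addresses, payloads and the `svlan_tpid` parameter (standing for the value set with qinq ethernet-type, 0x8100 unless changed) are constructed assumptions, and reporting a non-matching first tag as the frame's Ethertype is how this example models the unrecognised case, not a statement from the manual.

```python
"""Tag recognition on a QinQ port (added example, not H3C code). A received
frame's first tag is treated as the SVLAN (outer) tag only when its TPID equals
the configured TPID (qinq ethernet-type; 0x8100 unless changed). A following
0x8100 tag is the CVLAN (inner) tag. All frames below are constructed."""
import struct

TPID_8021Q = 0x8100      # IEEE 802.1Q TPID; the CVLAN tag carries it in this model
ETHERTYPE_IP = 0x0800
TAG_LEN = 4              # each VLAN tag adds 4 bytes to the frame


def mac(s):
    """'0000-0000-0001' (H3C notation) or '00:00:00:00:00:01' -> 6 bytes."""
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def build_frame(dst, src, tags, payload, ethertype=ETHERTYPE_IP):
    """tags: list of (tpid, vid), outermost first; PCP/CFI bits are left at zero."""
    frame = mac(dst) + mac(src)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame, svlan_tpid=TPID_8021Q):
    """Classify the tags of `frame` as the receiving device would.

    Returns 'svlan' and 'cvlan' (VLAN IDs or None), the Ethertype that follows
    the recognised tags, and the payload offset. A first tag whose TPID does
    not match `svlan_tpid` is not recognised as a VLAN tag at all (assumption
    of this model): it is reported as the frame's Ethertype instead.
    """
    off = 12
    result = {"svlan": None, "cvlan": None}
    tpid = struct.unpack_from("!H", frame, off)[0]
    if tpid == svlan_tpid:
        result["svlan"] = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += TAG_LEN
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid == TPID_8021Q:
            result["cvlan"] = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
            off += TAG_LEN
            tpid = struct.unpack_from("!H", frame, off)[0]
    result["ethertype"] = tpid
    result["payload_offset"] = off + 2
    return result


def tag_overhead(frame, svlan_tpid=TPID_8021Q):
    """Bytes of recognised VLAN tagging the frame carries: 0, 4 or 8."""
    return parse_tags(frame, svlan_tpid)["payload_offset"] - 14
```

    With the default TPID, a double-tagged frame parses into SVLAN and CVLAN and is 8 bytes longer than the untagged frame with the same payload. If the outer tag carries 0x8200 (the third-party TPID in the configuration example later in this chapter) while the device still expects 0x8100, neither tag is recognised, which is why that example sets qinq ethernet-type 8200 on the provider device.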
  • Page 212: Qinq Configuration Task List

    QinQ allows adding different outer VLAN tags based on different inner VLAN tags. H3C S5120-EI series switches support basic QinQ and selective QinQ on the same port at the same time. When both are enabled on a port, frames that meet the selective...
  • Page 213: Configuring The Tpid Value In Vlan Tags

    QinQ condition are handled by selective QinQ on this port first, and the remaining frames are handled by basic QinQ.
    Follow these steps to configure an outer VLAN tagging policy:
    Enter system view: system-view...
  • Page 214

    Customer A1, Customer A2, Customer B1 and Customer B2 are edge devices on the customer network. Third-party devices with a TPID value of 0x8200 are deployed between Provider A and Provider B. Configure the devices to achieve the following: Frames of VLAN 200 through VLAN 299 can be exchanged between Customer A1 and Customer A2 through VLAN 10 of the service provider network.
  • Page 215

    [ProviderA] interface gigabitethernet 1/0/2
    [ProviderA-GigabitEthernet1/0/2] port link-type hybrid
    [ProviderA-GigabitEthernet1/0/2] port hybrid pvid vlan 50
    [ProviderA-GigabitEthernet1/0/2] port hybrid vlan 50 untagged
    # Enable basic QinQ on GigabitEthernet 1/0/2.
    [ProviderA-GigabitEthernet1/0/2] qinq enable
    [ProviderA-GigabitEthernet1/0/2] quit
    Configure GigabitEthernet 1/0/3
    # Configure GigabitEthernet 1/0/3 as a trunk port to permit frames of VLAN 10 and 50 to pass through.
    [ProviderA] interface gigabitethernet 1/0/3
    [ProviderA-GigabitEthernet1/0/3] port link-type trunk
    [ProviderA-GigabitEthernet1/0/3] port trunk permit vlan 10 50...
  • Page 216: Comprehensive Selective Qinq Configuration Example

    Configure the third-party devices between Provider A and Provider B as follows: configure the port connecting GigabitEthernet 1/0/3 of Provider A and that connecting GigabitEthernet 1/0/3 of Provider B to allow tagged frames of VLAN 10 and 50 to pass through. Comprehensive Selective QinQ Configuration Example Network requirements Provider A and Provider B are edge devices on the service provider network and are...
  • Page 217

    [ProviderA] interface gigabitethernet 1/0/1
    [ProviderA-GigabitEthernet1/0/1] port link-type hybrid
    [ProviderA-GigabitEthernet1/0/1] port hybrid vlan 1000 2000 untagged
    # Tag CVLAN 10 frames with SVLAN 1000.
    [ProviderA-GigabitEthernet1/0/1] qinq vid 1000
    [ProviderA-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10
    [ProviderA-GigabitEthernet1/0/1-vid-1000] quit
    # Tag CVLAN 20 frames with SVLAN 2000.
    [ProviderA-GigabitEthernet1/0/1] qinq vid 2000
    [ProviderA-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20
    [ProviderA-GigabitEthernet1/0/1-vid-2000] quit...
  • Page 218

    [ProviderB-GigabitEthernet1/0/2] port link-type hybrid
    [ProviderB-GigabitEthernet1/0/2] port hybrid vlan 2000 untagged
    # Tag CVLAN 20 frames with SVLAN 2000.
    [ProviderB-GigabitEthernet1/0/2] qinq vid 2000
    [ProviderB-GigabitEthernet1/0/2-vid-2000] raw-vlan-id inbound 20
    # Set the TPID value in the outer tag to 0x8200.
    [ProviderA-GigabitEthernet1/0/3] quit
    [ProviderA] qinq ethernet-type 8200
    Configuration on third-party devices
    Configure the third-party devices between Provider A and Provider B as follows: configure the port connecting GigabitEthernet 1/0/3 of Provider A and that connecting GigabitEthernet 1/0/1 of Provider B...
  • Page 219

    Table of Contents
    1 BPDU Tunneling Configuration 1-1
      Introduction to BPDU Tunneling 1-1
        Background 1-1
        BPDU Tunneling Implementation 1-2
      Configuring BPDU Tunneling 1-4
        Configuration Prerequisites 1-4
        Enabling BPDU Tunneling 1-4
        Configuring Destination Multicast MAC Address for BPDUs 1-5
      BPDU Tunneling Configuration Examples 1-5
        BPDU Tunneling for STP Configuration Example 1-5
        BPDU Tunneling for PVST Configuration Example 1-7...
  • Page 220: Bpdu Tunneling Configuration

    BPDU Tunneling Configuration
    When configuring BPDU tunneling, see the following sections: Introduction to BPDU Tunneling; Configuring BPDU Tunneling; BPDU Tunneling Configuration Examples.
    Introduction to BPDU Tunneling
    As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific channels across a service provider network.
  • Page 221: Bpdu Tunneling Implementation

    The encapsulated Layer 2 protocol packet (called a bridge protocol data unit, BPDU) is forwarded to PE 2 at the other end of the service provider network, which decapsulates the packet, restores its original destination MAC address, and then sends it to User A network 2. Depending on the device model, BPDU tunneling may support the transparent transmission of these types of Layer 2 protocol packets: Cisco Discovery Protocol (CDP)
  • Page 222 To allow each network to calculate an independent spanning tree with STP, BPDU tunneling was introduced. BPDU tunneling delivers the following benefits: BPDUs can be transparently transmitted. BPDUs of the same customer network can be broadcast in a specific VLAN across the service provider network, so that the geographically dispersed networks of the same customer can implement consistent spanning tree calculation across the service provider network.
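    The encapsulation and decapsulation steps described above, as an added Python example (not H3C code and not the switch's actual implementation): the ingress PE rewrites the destination MAC of a customer protocol frame to the tunnel multicast MAC (here the value 0100-0ccd-cdd0 from the STP example later in this chapter), the provider network forwards it as ordinary multicast data in the customer VLAN, and the egress PE restores the original address. The well-known destination MACs of STP, CDP and PVST are the standard ones. How the egress PE tells which protocol a tunnelled frame carries is not described in the excerpt, so this example classifies by LLC/SNAP header as an assumption; all frames are constructed.

```python
"""BPDU tunnelling round trip (added example, not H3C code). The ingress PE
replaces the well-known destination MAC of a customer Layer 2 protocol frame
with the tunnel multicast MAC; the egress PE restores it. ASSUMPTION: the
egress PE identifies the tunnelled protocol from the LLC/SNAP header; the
manual does not say how the switch does this. All frames are constructed."""
import struct

WELL_KNOWN = {                                   # destination MACs of tunnelled protocols
    "stp": bytes.fromhex("0180c2000000"),        # IEEE 802.1D bridge group address
    "cdp": bytes.fromhex("01000ccccccc"),        # Cisco CDP
    "pvst": bytes.fromhex("01000ccccccd"),       # Cisco PVST+
}
TUNNELLED = {addr: proto for proto, addr in WELL_KNOWN.items()}
TUNNEL_DST = bytes.fromhex("01000ccdcdd0")       # tunnel MAC used in the manual's STP example


def _llc_offset(frame):
    """Offset of the LLC header: after dst, src, an optional 802.1Q tag and the length field."""
    off = 12
    if struct.unpack_from("!H", frame, off)[0] == 0x8100:
        off += 4
    return off + 2


def classify(frame):
    """Tunnelled protocol carried by `frame`, judged from LLC/SNAP (assumption, see docstring)."""
    off = _llc_offset(frame)
    dsap, ssap, ctrl = frame[off], frame[off + 1], frame[off + 2]
    if (dsap, ssap, ctrl) == (0x42, 0x42, 0x03):            # IEEE STP BPDU
        return "stp"
    if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):            # SNAP
        oui = frame[off + 3:off + 6]
        pid = struct.unpack_from("!H", frame, off + 6)[0]
        if oui == b"\x00\x00\x0c":                           # Cisco OUI
            return {0x2000: "cdp", 0x010B: "pvst"}.get(pid)
    return None


def pe_ingress(frame, enabled=("stp",), tunnel_dst=TUNNEL_DST):
    """PE facing the CE: swap the well-known destination MAC for the tunnel MAC.
    Frames of protocols not enabled for tunnelling are forwarded unchanged."""
    if TUNNELLED.get(frame[:6]) in enabled:
        return tunnel_dst + frame[6:]
    return frame


def pe_egress(frame, enabled=("stp",), tunnel_dst=TUNNEL_DST):
    """PE at the far end: restore the original destination MAC before delivering to the CE."""
    if frame[:6] == tunnel_dst:
        proto = classify(frame)
        if proto in enabled:
            return WELL_KNOWN[proto] + frame[6:]
    return frame


def make_llc_frame(dst, src, llc, vlan=None):
    """802.3 frame carrying the LLC PDU `llc`; `vlan` adds an 802.1Q tag (PCP/CFI zero)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", len(llc)) + llc


def provider_stp_sees_bpdu(frame):
    """True if a provider switch running STP would treat the frame as a BPDU addressed to it.
    After pe_ingress this is False: the provider's spanning tree leaves the frame alone."""
    return frame[:6] == WELL_KNOWN["stp"]
```

    The round trip is lossless for the enabled protocols and a no-op for everything else: a CDP frame passes a PE with only STP tunnelling enabled unchanged, and an ordinary broadcast frame is untouched in both directions.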
  • Page 223: Configuring Bpdu Tunneling

    Configuring BPDU Tunneling Configuration Prerequisites Before configuring BPDU tunneling for a protocol, enable the protocol in the customer network first. Assign the port on which you want to enable BPDU tunneling on the PE device and the connected port on the CE device to the same VLAN. Configure all the ports in the service provider network as trunk ports allowing packets of any VLAN to pass through.
  • Page 224: Configuring Destination Multicast Mac Address For Bpdus

    Enabling BPDU tunneling for a protocol in Layer 2 aggregate interface view
    Follow these steps to enable BPDU tunneling for a protocol in Layer 2 aggregate interface view:
    Enter system view: system-view.
    Enter Layer 2 aggregate interface view: interface bridge-aggregation...
  • Page 225 It is required that, after the configuration, CE 1 and CE 2 implement consistent spanning tree calculation across the service provider network, and that the destination multicast MAC address carried in BPDUs be 0x0100-0CCD-CDD0. Figure 1-3 Network diagram for configuring BPDU tunneling for STP Configuration procedure Configuration on PE 1 # Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
  • Page 226: Bpdu Tunneling For Pvst Configuration Example

    BPDU Tunneling for PVST Configuration Example
    Network requirements
    As shown in Figure 1-4: CE 1 and CE 2 are edge devices on the geographically dispersed network of User A; PE 1 and PE 2 are edge devices on the service provider network. All ports used to connect devices in the service provider network are trunk ports and allow packets of any VLAN to pass through.
  • Page 227

    [PE2] interface gigabitethernet 1/0/2
    [PE2-GigabitEthernet1/0/2] port link-type trunk
    [PE2-GigabitEthernet1/0/2] port trunk permit vlan all
    # Disable STP on GigabitEthernet 1/0/2, and then enable BPDU tunneling for STP and PVST on it.
    [PE2-GigabitEthernet1/0/2] undo stp enable
    [PE2-GigabitEthernet1/0/2] bpdu-tunnel dot1q stp
    [PE2-GigabitEthernet1/0/2] bpdu-tunnel dot1q pvst...
  • Page 228

    Table of Contents
    1 Ethernet OAM Configuration 1-1
      Ethernet OAM Overview 1-1
        Types of Ethernet OAMPDUs 1-1
        Ethernet OAM Implementation 1-2
        Standards and Protocols 1-5
      Ethernet OAM Configuration Task List 1-5
      Configuring Basic Ethernet OAM Functions 1-5
      Configuring Link Monitoring 1-6
        Configuring Errored Symbol Event Detection 1-6
        Configuring Errored Frame Event Detection 1-6
        Configuring Errored Frame Period Event Detection 1-7...
  • Page 229: Ethernet Oam Configuration

    Ethernet OAM Configuration
    When configuring the Ethernet OAM function, see the following sections: Ethernet OAM Overview; Ethernet OAM Configuration Task List; Configuring Basic Ethernet OAM Functions; Configuring Link Monitoring; Enabling OAM Loopback Testing; Displaying and Maintaining Ethernet OAM Configuration; Ethernet OAM Configuration Example.
    Ethernet OAM Overview
    Ethernet OAM (operation, administration, and maintenance) is a tool for monitoring Layer 2 link status by...
  • Page 230: Ethernet Oam Implementation

    Figure 1-1 Formats of different types of Ethernet OAMPDUs
    The fields in an OAMPDU are described as follows:
    Table 1-1 Description of the fields in an OAMPDU
    Dest addr: destination MAC address of the Ethernet OAMPDU. It is the slow-protocol multicast address 0180-c200-0002.
    Source MAC address of the Ethernet OAMPDU...
  • Page 231

    Ethernet OAM connection establishment
    An Ethernet OAM connection is the basis of all other Ethernet OAM functions. OAM connection establishment is also known as the Discovery phase, in which an Ethernet OAM entity discovers remote OAM entities and establishes sessions with them. In this phase, interconnected OAM entities exchange Information OAMPDUs to notify each other of their OAM configuration and the OAM capabilities of the local nodes, and determine whether Ethernet OAM connections can be established.
  • Page 232

    The interval at which Information OAMPDUs are sent is controlled by a timer; at most ten Information OAMPDUs can be sent per second.
    Link monitoring
    Detecting errors on an Ethernet link is difficult, especially when the physical link stays up while network performance degrades gradually.
  • Page 233: Standards And Protocols

    Table 1-5 Critical link error events
    Link Fault: peer link signal is lost.
    Dying Gasp: an unexpected fault, such as a power failure, occurred.
    Critical event: an undetermined critical event happened.
    As Information OAMPDUs are exchanged periodically across established OAM connections, an Ethernet OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs.
  • Page 234: Configuring Link Monitoring

    Follow these steps to configure basic Ethernet OAM functions:
    Enter system view: system-view.
    Enter Ethernet port view: interface interface-type interface-number.
    Set the Ethernet OAM operating mode: oam mode { active | passive }. Optional; the default is active mode.
  • Page 235: Configuring Errored Frame Period Event Detection

    Follow these steps to configure errored frame event detection:
    Enter system view: system-view.
    Configure the errored frame event detection interval: oam errored-frame period period-value. Optional; 1 second by default.
    Configure the errored frame event triggering threshold: oam errored-frame threshold threshold-value. Optional...
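    Putting the two commands together, this added Python example (not H3C code) counts errored frames in fixed windows of the configured period and raises an Errored Frame Event when a window's count reaches the threshold, once per window. It also packs the resulting Errored Frame Event TLV as laid out in IEEE 802.3 Clause 57, which the manual does not reproduce. The counter samples are constructed, and the default threshold of 1 is an assumption, since the manual's default is cut off above.

```python
"""Errored frame event detection as set with `oam errored-frame period` and
`oam errored-frame threshold` (added example, not H3C code). Errored frames
are counted in consecutive fixed windows of `period_s` seconds; when a window
reaches the threshold an Errored Frame Event is raised, once per window.
Counter samples are constructed. The TLV layout is the Errored Frame Event TLV
of IEEE 802.3 Clause 57. ASSUMPTION: default threshold 1 (manual's default is
cut off in the excerpt)."""
import struct


class ErroredFrameDetector:
    def __init__(self, period_s=1.0, threshold=1, start=0.0):
        if period_s <= 0 or threshold < 1:
            raise ValueError("period must be positive and threshold at least 1")
        self.period_s = period_s
        self.threshold = threshold
        self.window_start = start      # windows are aligned to the monitoring start time
        self.window_count = 0
        self.window_flagged = False    # an event was already raised for this window
        self.error_total = 0           # running total of errored frames
        self.event_total = 0           # running total of events raised
        self.events = []               # (window start, count when the event fired)

    def observe(self, t, errored_frames):
        """Feed one counter sample: `errored_frames` new errored frames at time t (seconds).
        Returns True if this sample raised an Errored Frame Event."""
        while t >= self.window_start + self.period_s:       # roll over finished windows
            self.window_start += self.period_s
            self.window_count = 0
            self.window_flagged = False
        self.window_count += errored_frames
        self.error_total += errored_frames
        if self.window_count >= self.threshold and not self.window_flagged:
            self.window_flagged = True
            self.event_total += 1
            self.events.append((self.window_start, self.window_count))
            return True
        return False

    def event_tlv(self, timestamp_s, errored_frames):
        """Errored Frame Event TLV (type 0x02, length 26) carried in an Event Notification
        OAMPDU. Time stamp and window are in units of 100 ms."""
        return struct.pack("!BBHHIIQI", 0x02, 26,
                           int(timestamp_s * 10) & 0xFFFF,
                           int(self.period_s * 10) & 0xFFFF,
                           self.threshold, errored_frames,
                           self.error_total, self.event_total)


def run_samples(samples, period_s=1.0, threshold=1):
    """Feed (time, errored_frames) samples into a detector and return it."""
    det = ErroredFrameDetector(period_s, threshold)
    for t, n in samples:
        det.observe(t, n)
    return det
```

    With a 1 second period and a threshold of 3, three single errors inside the first second raise one event, two errors in the next second raise none, and four in the third raise another; the TLV then carries the 2.5 s time stamp as 25 (100 ms units), the 1 s window as 10, the threshold, the count, and both running totals.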
  • Page 236: Enabling Oam Loopback Testing

    Enabling OAM Loopback Testing
    Follow these steps to enable Ethernet OAM loopback testing:
    Enter system view: system-view.
    Enter Ethernet port view: interface interface-type interface-number.
    Enable Ethernet OAM loopback testing: oam loopback. Required; disabled by default.
  • Page 237: Ethernet Oam Configuration Example

    Clear statistics on Ethernet OAM packets and Ethernet OAM link error events: reset oam [ interface interface-type interface-number ]. Available in user view only.
    Ethernet OAM Configuration Example
    Network requirements
    Enable Ethernet OAM on Device A and Device B to manage links at the data link layer. Monitor link performance and collect statistics about the error frames received by Device A.
  • Page 238

    Display output (only the parameter names and the 1000 ms errored-frame-period window were preserved):
    Errored-symbol Event period (in seconds)
    Errored-symbol Event threshold
    Errored-frame Event period (in seconds)
    Errored-frame Event threshold
    Errored-frame-period Event period (in ms): 1000
    Errored-frame-period Event threshold
    Errored-frame-seconds Event period (in seconds)
    Errored-frame-seconds Event threshold
    Use the display oam link-event command to display the statistics about Ethernet OAM link events. For example:
    # Display Ethernet OAM link event statistics of the remote end of Device B.
  • Page 239

    Table of Contents
    1 Connectivity Fault Detection Configuration 1-1
      Overview 1-1
        Basic Concepts in CFD 1-1
        Basic Functions of CFD 1-4
        Protocols and Standards 1-5
      CFD Configuration Task List 1-5
      Basic Configuration Tasks 1-5
        Configuring Service Instance 1-6
        Configuring MEP 1-6
        Configuring MIP Generation Rules 1-7
      Configuring CC on MEPs 1-7
        Configuration Prerequisites 1-8
        Configuring Procedure 1-8...
  • Page 240: Connectivity Fault Detection Configuration

    Connectivity Fault Detection Configuration
    When configuring CFD, see the following sections: Overview; CFD Configuration Task List; Basic Configuration Tasks; Configuring CC on MEPs; Configuring LB on MEPs; Configuring LT on MEPs; Displaying and Maintaining CFD; CFD Configuration Examples.
    Overview
    Connectivity Fault Detection (CFD) is an end-to-end per-VLAN link layer Operations, Administration...
  • Page 241

    Figure 1-1 Two nested MDs
    CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can use CFD to locate failure points rapidly.
    Maintenance association
    A maintenance association (MA) is a set of maintenance points (MPs) in an MD. An MA is identified by the "MD name + MA name".
  • Page 242 Figure 1-2 Outward-facing MEP Figure 1-3 Inward-facing MEP A MIP is internal to an MD. It cannot send CFD packets actively; however, it can handle and respond to CFD packets. The MA and MD that a MIP belongs to define the VLAN attribute and level of the packets received.
  • Page 243: Basic Functions Of Cfd

    Figure 1-4 Levels of MPs
    Basic Functions of CFD
    CFD works effectively only in properly configured networks. Its functions, which are implemented through the MPs, are continuity check (CC), loopback (LB), and linktrace (LT).
    Continuity check
    Continuity check is responsible for checking the connectivity between MEPs. Connectivity faults are usually caused by device faults or configuration errors.
  • Page 244: Protocols And Standards

    source MEP can identify the path to the destination MEP. Note that LTMs are multicast frames while LTRs are unicast frames. Protocols and Standards The CFD function is implemented in accordance with IEEE P802.1ag. CFD Configuration Task List For CFD to work effectively, you should first design the network by performing the following tasks: Grade the MDs in the entire network, and define the boundary of each MD.
  • Page 245: Configuring Service Instance

    Based on the network design, you should configure MEPs, or the rules for generating MIPs, on each device. Before doing this, however, you must first configure the service instance.
    Configuring Service Instance
    A service instance is identified by an integer and represents an MA in an MD. The MD and MA define the level and VLAN attribute of the messages handled by the MPs in the service instance.
  • Page 246: Configuring Mip Generation Rules

    Configure a remote MEP for a MEP in the same service instance: cfd remote-mep remote-mep-id service-instance instance-id mep mep-id. Required; no remote MEP is configured for a MEP by default.
    Enable the MEP: cfd mep service-instance instance-id mep mep-id... Required; disabled by default...
  • Page 247: Configuration Prerequisites

    Configuration Prerequisites
    Before configuring this function, complete the MEP configuration first.
    Configuring Procedure
    Follow these steps to configure CC on a MEP:
    Enter system view: system-view.
    Configure the interval field value in the CCM messages: cfd cc interval interval-field-value... Optional.
  • Page 248: Configuration Procedure

    Configuration Procedure
    Follow these steps to configure LB on a MEP:
    Enter system view: system-view.
    Enable LB: cfd loopback service-instance instance-id mep mep-id { target-mep target-mep-id | target-mac mac-address } [ number loopback-number ]. Required; disabled by default.
    Configuring LT on MEPs
    LT can trace the path between the specified MEP and the target MEP, and can also locate link faults by sending LT messages automatically.
  • Page 249: Displaying And Maintaining Cfd

    Displaying and Maintaining CFD
    Display CFD status: display cfd status. Available in any view.
    Display MD configuration information: display cfd md. Available in any view.
    Display MA configuration information: display cfd ma [ [ ma-name ] md md-name ]. Available in any view...
  • Page 250

    Figure 1-5 Network diagram for MD configuration
    Configuration procedure
    Configuration on Device A (the configuration on Device E is the same as that on Device A)
    <DeviceA> system-view
    [DeviceA] cfd enable
    [DeviceA] cfd md MD_A level 5
    [DeviceA] cfd ma MA_MD_A md MD_A vlan 100
    [DeviceA] cfd service-instance 1 md MD_A ma MA_MD_A
    Configuration on Device C
    <DeviceC>...
  • Page 251 Decide the remote MEP for each MEP, and enable these MEPs. According to the network diagram as shown in Figure 1-6, perform the following configurations: In MD_A, there are three edge ports: GigabitEthernet 1/0/1 on Device A, GigabitEthernet 1/0/3 on Device D and GigabitEthernet 1/0/4 on Device E.
  • Page 252: Configuring The Rules For Generating Mips

    [DeviceD-GigabitEthernet1/0/3] cfd remote-mep 1001 service-instance 1 mep 4002
    [DeviceD-GigabitEthernet1/0/3] cfd remote-mep 5001 service-instance 1 mep 4002
    [DeviceD-GigabitEthernet1/0/3] cfd mep service-instance 1 mep 4002 enable
    [DeviceD-GigabitEthernet1/0/3] cfd cc service-instance 1 mep 4002 enable
    On Device E
    <DeviceE> system-view
    [DeviceE] interface gigabitethernet 1/0/4
    [DeviceE-GigabitEthernet1/0/4] cfd mep 5001 service-instance 1 inbound
    [DeviceE-GigabitEthernet1/0/4] cfd remote-mep 1001 service-instance 1 mep 5001
    [DeviceE-GigabitEthernet1/0/4] cfd remote-mep 4002 service-instance 1 mep 5001...
  • Page 253: Configuring Lb On Meps

    Configuration procedure
    Configure Device B
    <DeviceB> system-view
    [DeviceB] cfd mip-rule explicit service-instance 1
    Configure Device C
    <DeviceC> system-view
    [DeviceC] cfd mip-rule default service-instance 2
    After the above operation, you can use the display cfd mp command to verify your configuration.
    Configuring LB on MEPs
    Network requirements
    Use the LB function to trace the fault source after CC detects a link fault.
  • Page 254

    Table of Contents
    1 RRPP Configuration 1-1
      RRPP Overview 1-1
        Background 1-1
        Basic Concepts in RRPP 1-2
        RRPP Packets 1-4
        Hello and Fail Timers 1-4
        How RRPP Works 1-5
        Typical RRPP Networking 1-6
        Protocols and Standards 1-10
      RRPP Configuration Task List 1-10
      Configuring Master Node 1-11
      Configuring Transit Node 1-12
      Configuring Edge Node 1-14
      Configuring Assistant Edge Node 1-15...
  • Page 255: Rrpp Configuration

    RRPP Configuration
    When configuring RRPP, see the following sections: RRPP Overview; RRPP Configuration Task List; Configuring Master Node; Configuring Transit Node; Configuring Edge Node; Configuring Assistant Edge Node; Configuring Ring Group; Displaying and Maintaining RRPP; RRPP Typical Configuration Examples; Troubleshooting RRPP.
    Overview...
  • Page 256: Basic Concepts In Rrpp

    Basic Concepts in RRPP Figure 1-1 RRPP networking diagram RRPP domain The interconnected devices with the same domain ID and control VLANs constitute an RRPP domain. An RRPP domain contains the following elements: primary ring, subring, control VLAN, master node, transit node, primary port, secondary port, common port, and edge port.
  • Page 257 A data VLAN is a VLAN dedicated to transferring data packets. Both RRPP ports and non-RRPP ports can be assigned to a data VLAN. Node Each device on an RRPP ring is referred to as a node. The role of a node is configurable. There are the following node roles: Master node: Each ring has one and only one master node.
  • Page 258: Rrpp Packets

    As shown in Figure 1-1, Device B and Device C lie on Ring 1 and Ring 2. Device B’s Port 1 and Port 2 and Device C’s Port 1 and Port 2 access the primary ring, so they are common ports. Device B’s Port 3 and Device C’s Port 3 access only the subring, so they are edge ports.
  • Page 259: How Rrpp Works

    secondary port receives the Hello packets sent by the local master node before the Fail timer expires, the overall ring is in Health state. Otherwise, the ring transits into Disconnect state. In an RRPP domain, a transit node learns the Hello timer value and the Fail timer value on the master node through the received Hello packets, ensuring that all nodes in the ring network are consistent in the two timer settings.
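    The Hello and Fail timer mechanism above, as an added Python example (not H3C code): a master node sends Hellos from its primary port, moves to Disconnect and opens its secondary port when the Fail timer expires without a Hello arriving on the secondary port, and a transit node adopts the timer values carried in the Hello. The defaults are the 1 second Hello timer and 3 second Fail timer given in the configuration table later in this chapter. The Hello record, the zero propagation delay, the constructed outage driving the simulation, and the return to Health on the next Hello that completes the ring are assumptions of the example; the excerpt does not reproduce the RRPP packet format.

```python
"""Master-node ring supervision (added example, not H3C code). The master
sends a Hello from its primary port every Hello interval; if the Hello returns
on the secondary port before the Fail timer expires the ring is Health and the
secondary port stays blocked for data, otherwise the ring transits to
Disconnect and the secondary port is opened. Transit nodes take both timers
from the received Hello. ASSUMPTIONS: zero propagation delay; recovery to
Health on the next Hello that completes the ring; Hello is a stand-in for the
RRPP packet format, which the excerpt does not reproduce."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

HELLO_DEFAULT = 1.0   # seconds, per the RRPP domain timer table
FAIL_DEFAULT = 3.0    # seconds


@dataclass
class Hello:
    domain_id: int
    ring_id: int
    control_vlan: int
    hello_timer: float
    fail_timer: float


@dataclass
class MasterNode:
    domain_id: int
    ring_id: int
    control_vlan: int
    hello_timer: float = HELLO_DEFAULT
    fail_timer: float = FAIL_DEFAULT
    state: str = "Health"
    secondary_blocked: bool = True          # in Health the secondary port blocks data
    last_hello_sent: Optional[float] = None
    last_hello_seen: float = 0.0            # ring assumed complete at t = 0
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def make_hello(self) -> Hello:
        return Hello(self.domain_id, self.ring_id, self.control_vlan,
                     self.hello_timer, self.fail_timer)

    def tick(self, now: float, ring_intact: bool) -> Optional[Hello]:
        """One time step. ring_intact says whether a Hello sent now travels all the way
        round to the secondary port. Returns the Hello if one was sent this step."""
        sent = None
        if self.last_hello_sent is None or now - self.last_hello_sent >= self.hello_timer - 1e-9:
            self.last_hello_sent = now
            sent = self.make_hello()
            if ring_intact:
                self.last_hello_seen = now
        if self.state == "Health" and now - self.last_hello_seen >= self.fail_timer - 1e-9:
            self.state, self.secondary_blocked = "Disconnect", False   # open the secondary port
            self.transitions.append((round(now, 6), "Disconnect"))
        elif self.state == "Disconnect" and sent is not None and ring_intact:
            self.state, self.secondary_blocked = "Health", True        # block it again
            self.transitions.append((round(now, 6), "Health"))
        return sent


@dataclass
class TransitNode:
    hello_timer: Optional[float] = None
    fail_timer: Optional[float] = None

    def on_hello(self, hello: Hello) -> None:
        """Transit nodes learn both timers from the master's Hello, so the ring agrees on them."""
        self.hello_timer, self.fail_timer = hello.hello_timer, hello.fail_timer


def simulate(master: MasterNode, link_up: Callable[[float], bool],
             t_end: float, step: float = 0.1) -> List[Tuple[float, str]]:
    """Drive the master from t = 0 to t_end; link_up(t) tells whether the ring is intact at t."""
    t = 0.0
    while t <= t_end + 1e-9:
        master.tick(t, link_up(t))
        t = round(t + step, 6)
    return master.transitions
```

    With default timers, a ring broken at t = 2 s (the last Hello returned at t = 1 s) is declared Disconnect at t = 4 s, exactly one Fail interval after the last Hello was seen, and returns to Health with the first Hello that completes the ring again.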
  • Page 260: Typical Rrpp Networking

    Broadcast storm suppression mechanism in a multi-homed subring in case of SRPT failure As shown in Figure 1-5, Ring 1 is the primary ring, and Ring 2 and Ring 3 are subrings. When the two SRPTs between the edge node and the assistant-edge node are down, the master nodes of Ring 2 and Ring 3 will open their respective secondary ports, and thus a loop among Device B, Device C, Device E, and Device F is generated.
  • Page 261 Single ring Figure 1-2 Single ring There is only a single ring in the network topology. In this case, you only need to define an RRPP domain. Tangent rings Figure 1-3 Tangent rings There are two or more rings in the network topology and only one common node between rings. In this case, you need to define an RRPP domain for each ring.
  • Page 262 Intersecting rings Figure 1-4 Intersecting rings There are two or more rings in the network topology and two common nodes between rings. In this case, you only need to define an RRPP domain, and set one ring as the primary ring and the other rings as subrings.
  • Page 263

    Single-ring load balancing
    Figure 1-6 Network diagram for single-ring load balancing (Device A, Device B, Device C and Device D on Ring 1; Domain 1 and Domain 2)
    In a single-ring network, you can achieve load balancing by configuring multiple domains. As shown in Figure 1-6, Ring 1 is configured as the primary ring of both Domain 1 and Domain 2.
  • Page 264: Protocols And Standards

    Protocols and Standards RFC 3619 Extreme Networks' Ethernet Automatic Protection Switching (EAPS) Version 1 is related to RRPP. RRPP Configuration Task List RRPP does not have an auto election mechanism, so you must configure each node in the ring network properly for RRPP to monitor and protect the ring network. Before configuring RRPP, you need to construct a ring-shaped Ethernet topology physically.
  • Page 265: Configuring Master Node

    The link type of these ports must be trunk. They must be Layer 2 GE ports. They must not be member ports of any aggregation group or smart link group. STP must be disabled on them. The ports are configured to trust the 802.1p priority of packets, so that RRPP packets take higher precedence than data packets when passing through them.
  • Page 266: Configuring Transit Node

    Configure the timers for the RRPP domain: timer hello-timer hello-value fail-timer fail-value. Optional; by default, the Hello timer is 1 second and the Fail timer is 3 seconds.
    Enable the RRPP ring: ring ring-id enable. Required; by default, the RRPP ring is disabled.
  • Page 267

    Specify protected VLANs for the RRPP domain: protected-vlan reference-instance instance-id-list. Required; no protected VLAN is specified for an RRPP domain by default.
    Specify the current device as the transit node of the ring, and …: ring ring-id node-mode transit [ primary-port interface-type interface-number ] … Required...
  • Page 268: Configuring Edge Node

    Configuring Edge Node
    Follow these steps to configure edge node:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Create an RRPP domain and enter its view. Use the command: rrpp domain domain-id. Remarks: Required.
    To do: Specify a control VLAN for the RRPP domain. Use the command: control-vlan vlan-id. Remarks: Required.
    Required...
  • Page 269: Configuring Assistant Edge Node

    Before specifying RRPP rings for an RRPP domain, you must specify protected VLANs for the domain. Before specifying rings for an RRPP domain, you can delete or modify the protected VLANs configured for the RRPP domain; after specifying rings for an RRPP domain, you can delete or modify the protected VLANs configured for the RRPP domain, however, you cannot delete all the protected VLANs configured for the domain.
  • Page 270: Configuring Ring Group

    To do: Specify the current device as the assistant-edge node of the subring, and specify an edge port. Use the command: ring ring-id node-mode assistant-edge [ edge-port interface-type interface-number ]. Remarks: Required.
    To do: Enable the primary ring. Use the command: ring ring-id enable. Remarks: Required. By default, the RRPP ring is disabled.
  • Page 271: Configuration Prerequisites

    You need to configure ring groups on both the edge node and the assistant-edge node at the same time. The two ring groups must be configured with the same subrings. Otherwise, the ring groups cannot operate properly.
    Configuration Prerequisites
    The RRPP domain, control VLANs, protected VLANs, the primary ring, and the subrings have been configured on the edge node device.
  • Page 272: Rrpp Typical Configuration Examples

    To do: Clear RRPP statistics. Use the command: reset rrpp statistics domain domain-id [ ring ring-id ]. Remarks: Available in user view.
    RRPP Typical Configuration Examples
    Configuring Single Ring Topology
    Networking requirements
    Device A, Device B, Device C, and Device D constitute RRPP domain 1, specify the primary control VLAN of RRPP domain 1 as VLAN 4092, and RRPP domain 1 protects all VLANs;...
  • Page 273 Configuration procedure
    Perform the following configuration on Device A:
    # Configure RRPP ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2.
    <DeviceA> system-view
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] undo stp enable
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
    [DeviceA-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] undo stp enable...
  • Page 274: Configuring Single-Domain Intersecting Ring Topology

    # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure the VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1.
    [DeviceB] rrpp domain 1
    [DeviceB-rrpp-domain1] control-vlan 4092
    [DeviceB-rrpp-domain1] protected-vlan reference-instance 0 to 16
    # Configure Device B as the transit node of primary ring 1, with GigabitEthernet1/0/1 as the primary port and GigabitEthernet1/0/2 as the secondary port, and enable ring 1.
  • Page 275 Specify the control VLAN for the RRPP domain. Configure the protected VLANs to reference all MSTIs. The MSTI ID ranges from 0 to 16. Specify the node mode of a device on an RRPP ring and the ports accessing the RRPP ring on the device.
  • Page 276
    [DeviceA-rrpp-domain1] ring 1 enable
    [DeviceA-rrpp-domain1] quit
    # Enable RRPP.
    [DeviceA] rrpp enable
    Configuration on Device B
    # Configure RRPP ports GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3.
    <DeviceB> system-view
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] undo stp enable
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all
    [DeviceB-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2...
  • Page 277
    <DeviceC> system-view
    [DeviceC] interface gigabitethernet 1/0/1
    [DeviceC-GigabitEthernet1/0/1] undo stp enable
    [DeviceC-GigabitEthernet1/0/1] port link-type trunk
    [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan all
    [DeviceC-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceC-GigabitEthernet1/0/1] quit
    [DeviceC] interface gigabitethernet 1/0/2
    [DeviceC-GigabitEthernet1/0/2] undo stp enable
    [DeviceC-GigabitEthernet1/0/2] port link-type trunk
    [DeviceC-GigabitEthernet1/0/2] port trunk permit vlan all
    [DeviceC-GigabitEthernet1/0/2] qos trust dot1p
    [DeviceC-GigabitEthernet1/0/2] quit
    [DeviceC] interface gigabitethernet 1/0/3...
  • Page 278
    [DeviceD] interface gigabitethernet 1/0/2
    [DeviceD-GigabitEthernet1/0/2] undo stp enable
    [DeviceD-GigabitEthernet1/0/2] port link-type trunk
    [DeviceD-GigabitEthernet1/0/2] port trunk permit vlan all
    [DeviceD-GigabitEthernet1/0/2] qos trust dot1p
    [DeviceD-GigabitEthernet1/0/2] quit
    # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1.
  • Page 279: Configuring Intersecting-Ring Load Balancing

    # Enable RRPP.
    [DeviceE] rrpp enable
    Verification
    After the configuration, you can use the display command to view the RRPP configuration result on each device.
    Configuring Intersecting-Ring Load Balancing
    Networking requirements
    Device A, Device B, Device C, Device D, and Device F constitute RRPP domain 1, and VLAN 100 is the primary control VLAN of the RRPP domain.
  • Page 280 Figure 1-10 Network diagram for intersecting-ring load balancing configuration
    Configuration procedure
    Configure Device A as the master node of the primary ring
    # Create VLANs 10 and 20, and map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2.
    <DeviceA>...
  • Page 281
    [DeviceA-GigabitEthernet1/0/2] quit
    # Create RRPP domain 1, configure VLAN 100 as the primary control VLAN of RRPP domain 1, and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1.
    [DeviceA] rrpp domain 1
    [DeviceA-rrpp-domain1] control-vlan 100
    [DeviceA-rrpp-domain1] protected-vlan reference-instance 1
    # Configure Device A as the master node of primary ring 1, with GigabitEthernet1/0/1 as the primary port and GigabitEthernet1/0/2 as the secondary port, and enable ring 1.
  • Page 282
    [DeviceB-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] undo stp enable
    [DeviceB-GigabitEthernet1/0/2] port link-type trunk
    [DeviceB-GigabitEthernet1/0/2] undo port trunk permit vlan 1
    [DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 10 20
    [DeviceB-GigabitEthernet1/0/2] qos trust dot1p
    [DeviceB-GigabitEthernet1/0/2] quit
    [DeviceB] interface gigabitethernet 1/0/3
    [DeviceB-GigabitEthernet1/0/3] undo stp enable
    [DeviceB-GigabitEthernet1/0/3] port link-type trunk
    [DeviceB-GigabitEthernet1/0/3] undo port trunk permit vlan 1...
  • Page 283
    [DeviceB-rrpp-domain2] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
    [DeviceB-rrpp-domain2] ring 1 enable
    # Configure Device B as the assistant-edge node of subring 2 in RRPP domain 2, with GigabitEthernet1/0/3 as the edge port, and enable subring 2.
    [DeviceB-rrpp-domain2] ring 2 node-mode assistant-edge edge-port gigabitethernet 1/0/3
    [DeviceB-rrpp-domain2] ring 2 enable
    [DeviceB-rrpp-domain2] quit...
  • Page 284
    [DeviceC-GigabitEthernet1/0/4] undo stp enable
    [DeviceC-GigabitEthernet1/0/4] port link-type trunk
    [DeviceC-GigabitEthernet1/0/4] undo port trunk permit vlan 1
    [DeviceC-GigabitEthernet1/0/4] port trunk permit vlan 10
    [DeviceC-GigabitEthernet1/0/4] qos trust dot1p
    [DeviceC-GigabitEthernet1/0/4] quit
    # Create RRPP domain 1, configure VLAN 10 as the primary control VLAN of RRPP domain 1, and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1.
  • Page 285
    [DeviceD-vlan20] quit
    [DeviceD] stp region-configuration
    [DeviceD-mst-region] instance 1 vlan 10
    [DeviceD-mst-region] instance 2 vlan 20
    [DeviceD-mst-region] active region-configuration
    [DeviceD-mst-region] quit
    # Configure RRPP ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2.
    [DeviceD] interface gigabitethernet 1/0/1
    [DeviceD-GigabitEthernet1/0/1] undo stp enable
    [DeviceD-GigabitEthernet1/0/1] port link-type trunk
    [DeviceD-GigabitEthernet1/0/1] undo port trunk permit vlan 1
    [DeviceD-GigabitEthernet1/0/1] port trunk permit vlan 10 20
    [DeviceD-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceD-GigabitEthernet1/0/1] quit...
  • Page 286 Configure Device E as the master node of subring Ring 2 in domain 2
    # Create VLAN 20, and map VLAN 20 to MSTI 2.
    <DeviceE> system-view
    [DeviceE] vlan 20
    [DeviceE-vlan20] quit
    [DeviceE] stp region-configuration
    [DeviceE-mst-region] instance 2 vlan 20
    [DeviceE-mst-region] active region-configuration
    [DeviceE-mst-region] quit
    # Configure RRPP ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2.
  • Page 287: Troubleshooting

    [DeviceF-mst-region] quit
    # Configure RRPP ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2.
    [DeviceF] interface gigabitethernet 1/0/1
    [DeviceF-GigabitEthernet1/0/1] undo stp enable
    [DeviceF-GigabitEthernet1/0/1] port link-type trunk
    [DeviceF-GigabitEthernet1/0/1] undo port trunk permit vlan 1
    [DeviceF-GigabitEthernet1/0/1] port trunk permit vlan 10
    [DeviceF-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceF-GigabitEthernet1/0/1] quit
    [DeviceF] interface gigabitethernet 1/0/2
    [DeviceF-GigabitEthernet1/0/2] undo stp enable
    [DeviceF-GigabitEthernet1/0/2] port link-type trunk...
  • Page 288 When the link state is normal, the master node cannot receive Hello packets, and the master node unblocks the secondary port.
    Analysis: The reasons may be:
    RRPP is not enabled on some nodes in the RRPP ring.
    The domain ID or primary control VLAN ID is not the same for the nodes in the same RRPP ring.
    Some ports are abnormal.
  • Page 289 Table of Contents
    1 Port Mirroring Configuration (1-1)
    Introduction to Port Mirroring (1-1)
    Classification of Port Mirroring (1-1)
    Implementing Port Mirroring (1-1)
    Configuring Local Port Mirroring (1-3)
    Configuring Remote Port Mirroring (1-4)
    Configuration Prerequisites (1-4)
    Configuring a Remote Source Mirroring Group (on the Source Device) (1-4)
    Configuring a Remote Destination Mirroring Group (on the Destination Device) (1-6)
    Displaying and Maintaining Port Mirroring (1-7)
    Port Mirroring Configuration Examples (1-7)...
  • Page 290: Port Mirroring Configuration

    Port Mirroring Configuration
    When configuring port mirroring, go to these sections for information you are interested in:
    Introduction to Port Mirroring
    Configuring Local Port Mirroring
    Configuring Remote Port Mirroring
    Displaying and Maintaining Port Mirroring
    Port Mirroring Configuration Examples
    Introduction to Port Mirroring
    Port mirroring copies the packets passing through a port (called a mirroring port) to another port (called the monitor port) that is connected to a monitoring device for packet analysis.
  • Page 291 Figure 1-1 Local port mirroring implementation (shows how the device processes packets: traffic on the mirroring port is mirrored to the monitor port, which connects to the data monitoring device)
    Remote port mirroring
    Remote port mirroring can mirror all packets but protocol packets. Remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group, as shown in Figure 1-2.
  • Page 292: Configuring Local Port Mirroring

    Destination device The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group. When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote destination mirroring group.
  • Page 293: Configuring Remote Port Mirroring

    A local port mirroring group takes effect only after its mirroring and monitor ports are configured. To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. A port mirroring group can have multiple mirroring ports, but only one monitor port. A mirroring or monitor port to be configured cannot belong to an existing port mirroring group.
  • Page 294
    To do: Configure mirroring ports. Use the command (in system view): mirroring-group groupid mirroring-port mirroring-port-list { both | inbound | outbound }. Remarks: Required. You configure multiple mirroring ports in a mirroring group.
    Use the command (in interface view): interface interface-type interface-number, then [ mirroring-group groupid ] mirroring... Remarks: In system view, you can assign a list of mirroring ports to the mirroring...
  • Page 295: Configuring A Remote Destination Mirroring Group (On The Destination Device)

    To remove the VLAN configured as a remote probe VLAN, you must first remove the remote probe VLAN with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group. It is recommended that you use a remote probe VLAN exclusively for the mirroring purpose. A port can belong to only one mirroring group.
  • Page 296: Displaying And Maintaining Port Mirroring

    When configuring the monitor port, use the following guidelines:
    The port can belong to only the current mirroring group.
    Disable these functions on the port: STP, MSTP, and RSTP.
    It is recommended that you use a monitor port only for port mirroring. This ensures that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
  • Page 297: Remote Port Mirroring Configuration Example

    Figure 1-3 Network diagram for local port mirroring configuration Switch A R&D department GE1/0/1 GE1/0/3 GE1/0/2 Switch C Data monitoring device Switch B Marketing department Configuration procedure Configure Switch C. # Create a local port mirroring group. <SwitchC> system-view [SwitchC] mirroring-group 1 local # Add port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the port mirroring group as source ports.
  • Page 298 As shown in Figure 1-4, the administrator wants to monitor the packets sent from Department 1 and 2 through the data monitoring device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: Use Switch A as the source device, Switch B as the intermediate device, and Switch C as the destination device.
  • Page 299
    [SwitchA-GigabitEthernet1/0/3] port link-type trunk
    [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 2
    Configure Switch B (the intermediate device).
    # Configure port GigabitEthernet 1/0/1 as a trunk port and configure the port to permit the packets of VLAN 2.
    <SwitchB> system-view
    [SwitchB] interface GigabitEthernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] port link-type trunk
    [SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 2
    [SwitchB-GigabitEthernet1/0/1] quit...
  • Page 300 IP Services Volume Organization
    Manual Version: 6W100-20090630
    Product Version: Release 2202
    Organization
    The IP Services Volume is organized as follows:
    Feature: IP Address. Description: An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: Introduction to IP addresses; IP address configuration...
  • Page 301
    Feature: UDP Helper. Description: UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server. This document describes: UDP Helper overview; UDP Helper configuration.
    Internet protocol version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet protocol version 4 (IPv4).
  • Page 302 Table of Contents
    1 IP Addressing Configuration (1-1)
    IP Addressing Overview (1-1)
    IP Address Classes (1-1)
    Special IP Addresses (1-2)
    Subnetting and Masking (1-2)
    Configuring IP Addresses (1-3)
    Assigning an IP Address to an Interface (1-3)
    IP Addressing Configuration Example (1-4)
    Displaying and Maintaining IP Addressing (1-5)...
  • Page 303: Ip Addressing Configuration

    IP Addressing Configuration
    When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in:
    IP Addressing Overview
    Configuring IP Addresses
    Displaying and Maintaining IP Addressing
    IP Addressing Overview
    This section covers these topics:
    IP Address Classes
    Special IP Addresses
    IP Address Classes...
  • Page 304: Special Ip Addresses

    Table 1-1 IP address classes and ranges (columns: Class, Address range, Remarks)
    Address range 0.0.0.0 to 127.255.255.255. Remarks: The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
  • Page 305: Configuring Ip Addresses

    IP Addressing Configuration Example
    Assigning an IP Address to an Interface
    You may assign an interface on the S5120-EI series switch multiple IP addresses, one primary and multiple secondaries, to connect multiple logical subnets on the same physical subnet.
    Follow these steps to assign an IP address to an interface:
    To do…...
  • Page 306: Ip Addressing Configuration Example

    The primary IP address you assigned to the interface can overwrite the old one if there is any. You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured. The primary and secondary IP addresses you assign to the interface can be located on the same network segment.
  • Page 307: Displaying And Maintaining Ip Addressing

    <Switch> ping 172.16.1.2
    PING 172.16.1.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
    Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms
    --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted...
  • Page 308 Table of Contents
    1 ARP Configuration (1-1)
    ARP Overview (1-1)
    ARP Function (1-1)
    ARP Message Format (1-1)
    ARP Address Resolution Process (1-2)
    ARP Table (1-3)
    Configuring ARP (1-3)
    Configuring a Static ARP Entry (1-3)
    Configuring the Maximum Number of ARP Entries for an Interface (1-4)
    Setting the Aging Time for Dynamic ARP Entries (1-4)
    Enabling the ARP Entry Check (1-5)
    ARP Configuration Example (1-5)...
  • Page 309
    Introduction (3-4)
    Configuring ARP Packet Source MAC Address Consistency Check (3-5)
    Configuring ARP Packet Rate Limit (3-5)
    Introduction (3-5)
    Configuring the ARP Packet Rate Limit Function (3-5)
    Configuring ARP Detection (3-5)
    Introduction to ARP Detection (3-5)
    Enabling ARP Detection Based on DHCP Snooping Entries/802.1X Security Entries/Static IP-to-MAC Bindings (3-6)
    Configuring ARP Detection Based on Specified Objects (3-8)
    Displaying and Maintaining ARP Detection (3-9)...
  • Page 310: Arp Configuration

    This document is organized as follows:
    ARP Configuration
    Proxy ARP Configuration
    ARP Attack Defense Configuration
    ARP Configuration
    When configuring ARP, go to these sections for information you are interested in:
    ARP Overview
    Configuring ARP
    Configuring Gratuitous ARP
    Displaying and Maintaining ARP
    ARP Overview
    ARP Function
    The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address...
  • Page 311: Arp Address Resolution Process

    hardware address length field is "6". For an IP(v4) address, the value of the protocol address length field is "4". OP: Operation code. This field specifies the type of ARP message. The value "1" represents an ARP request and "2" represents an ARP reply. Sender hardware address: This field specifies the hardware address of the device sending the message.
  • Page 312: Arp Table

    which the target IP address is the IP address of Host B. After obtaining the MAC address of Host B, the gateway sends the packet to Host B. ARP Table After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table.
  • Page 313: Configuring The Maximum Number Of Arp Entries For An Interface

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Configure a permanent static ARP entry. Use the command: arp static ip-address mac-address vlan-id interface-type interface-number. Remarks: Required. No permanent static ARP entry is configured by default.
    To do: Configure a non-permanent static ARP entry. Use the command: arp static ip-address mac-address... Remarks: Required. No non-permanent static ARP entry...
  • Page 314: Enabling The Arp Entry Check

    Enabling the ARP Entry Check
    The ARP entry check function prevents the device from learning multicast MAC addresses. With the ARP entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and configuring such a static ARP entry is not allowed; otherwise, the system displays error messages. After the ARP entry check is disabled, the device can learn ARP entries with a multicast MAC address, and you can also configure such a static ARP entry on the device.
  • Page 315: Configuring Gratuitous Arp

    Determining whether its IP address is already used by another device. Informing other devices of its MAC address change so that they can update their ARP entries. A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache.
  • Page 316: Proxy Arp Configuration

    Proxy ARP Configuration
    When configuring proxy ARP, go to these sections for information you are interested in:
    Proxy ARP Overview
    Enabling Proxy ARP
    Displaying and Maintaining Proxy ARP
    Proxy ARP Overview
    If a host sends an ARP request for the MAC address of another host that actually resides on another network (but the sending host considers the requested host to be on the same network), or that is isolated from the sending host at Layer 2, the device in between must be able to respond to the request with the MAC address of its receiving interface to allow Layer 3 communication between the two hosts.
  • Page 317: Local Proxy Arp

    You can solve the problem by enabling proxy ARP on Switch. After that, Switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, Switch seems to be a proxy of Host B. A main advantage of proxy ARP is that it is added on a single router without disturbing routing tables of other routers in the network.
  • Page 318: Displaying And Maintaining Proxy Arp

    To do: Enable local proxy ARP. Use the command: local-proxy-arp enable. Remarks: Required. Disabled by default.
    Displaying and Maintaining Proxy ARP
    To do: Display whether proxy ARP is enabled. Use the command: display proxy-arp [ interface vlan-interface vlan-id ]. Remarks: Available in any view.
    To do: Display whether local proxy...
  • Page 319: Local Proxy Arp Configuration Example In Case Of Port Isolation

    [Switch-Vlan-interface1] quit
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0
    [Switch-Vlan-interface2] proxy-arp enable
    [Switch-Vlan-interface2] quit
    Local Proxy ARP Configuration Example in Case of Port Isolation
    Network requirements
    Host A and Host B belong to the same VLAN, and connect to Switch B via GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, respectively.
  • Page 320
    # Configure an IP address of VLAN-interface 2.
    <SwitchA> system-view
    [SwitchA] vlan 2
    [SwitchA-vlan2] port gigabitethernet 1/0/2
    [SwitchA-vlan2] quit
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0
    The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2.
    # Configure local proxy ARP to let Host A and Host B communicate at Layer 3.
  • Page 321
    [SwitchB-vlan2] port gigabitethernet 1/0/2
    [SwitchB-vlan2] quit
    [SwitchB] vlan 3
    [SwitchB-vlan3] port gigabitethernet 1/0/3
    [SwitchB-vlan3] quit
    [SwitchB] vlan 5
    [SwitchB-vlan5] port gigabitethernet 1/0/1
    [SwitchB-vlan5] isolate-user-vlan enable
    [SwitchB-vlan5] quit
    [SwitchB] isolate-user-vlan 5 secondary 2 3
    Configure Switch A
    # Create VLAN 5 and add GigabitEthernet 1/0/1 to it.
    <SwitchA>...
  • Page 322: Arp Attack Defense Configuration

    ARP Attack Defense Configuration
    When configuring ARP attack defense, go to these sections for information you are interested in:
    Configuring ARP Source Suppression
    Configuring ARP Defense Against IP Packet Attacks
    Configuring ARP Active Acknowledgement
    Configuring Source MAC Address Based ARP Attack Detection
    Configuring ARP Packet Source MAC Address Consistency Check
    Configuring ARP Packet Rate Limit
    Configuring ARP Detection...
  • Page 323: Displaying And Maintaining Arp Source Suppression

    Displaying and Maintaining ARP Source Suppression
    To do: Display the ARP source suppression configuration information. Use the command: display arp source-suppression. Remarks: Available in any view.
    Configuring ARP Defense Against IP Packet Attacks
    Introduction to ARP Defense Against IP Packet Attacks
    When forwarding an IP packet, a device depends on ARP to resolve the MAC address of the next hop.
  • Page 324: Configuring The Arp Active Acknowledgement Function

    If an ARP reply is received within five seconds, the gateway updates the ARP entry; if not, the ARP entry is not updated.
    Configuring the ARP Active Acknowledgement Function
    Follow these steps to configure ARP active acknowledgement:
    To do: Enter system view. Use the command: system-view...
  • Page 325: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Follow these steps to configure protected MAC addresses:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Configure protected MAC addresses. Use the command: arp anti-attack source-mac exclude-mac mac-address&<1-n>. Remarks: Optional. Not configured by default.
    Configuring the aging timer for protected MAC addresses
    Follow these steps to configure the aging timer for protected MAC addresses:
    To do…...
  • Page 326: Configuring Arp Packet Source Mac Address Consistency Check

    ARP detection also checks source MAC address consistency of ARP packets, but it is enabled on an access device to detect only ARP packets sent to it. Configuring ARP Packet Source MAC Address Consistency Check Follow these steps to enable ARP packet source MAC address consistency check: To do…...
  • Page 327 Enabling ARP Detection Based on DHCP Snooping Entries/802.1X Security Entries/Static IP-to-MAC Bindings With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet received from the VLAN against the DHCP snooping entries, 802.1X security entries, or static IP-to-MAC binding entries.
  • Page 328: Ip-To-Mac Bindings

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter VLAN view. Use the command: vlan vlan-id. Remarks: —
    To do: Enable ARP detection for the VLAN. Use the command: arp detection enable. Remarks: Required. Disabled by default. That is, ARP detection based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings is not enabled by default.
  • Page 329: Configuring Arp Detection Based On Specified Objects

    During the DHCP assignment process, when the client receives the DHCP-ACK message from the DHCP server, it broadcasts a gratuitous ARP packet to detect address conflicts. If no response is received in a pre-defined time period, the client uses the assigned IP address. If the client is enabled with ARP detection based on 802.1X security entries, the IP address is not uploaded to the 802.1X device before the client uses the IP address.
  • Page 330: Displaying And Maintaining ARP Detection

    If both the ARP detection based on specified objects and the ARP detection based on snooping entries/802.1X security entries/static IP-to-MAC bindings are enabled, the former one applies first, and then the latter applies. Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping is enabled.
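    The checks described on pages 326 to 330, modelled in Python as an added example (this is not code from the H3C manual). It assumes a binding table constructed inline in place of the DHCP snooping, 802.1X and static entries, ARP detection enabled per VLAN as with "arp detection enable", and that a binding must match on sender IP, sender MAC and ingress port; the check order follows the manual: the source MAC consistency check (a "specified object" check) runs first, then the binding lookup.

```python
"""ARP detection model for an access switch (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or the H3C
    'aabb-ccdd-eeff' notation and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    """One IP-to-MAC binding as DHCP snooping would record it (or a static one)."""
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    """The fields of a received ARP packet that detection looks at."""
    eth_src_mac: str   # source MAC in the Ethernet header
    sender_mac: str    # sender hardware address inside the ARP body
    sender_ip: str     # sender protocol address inside the ARP body
    in_port: str       # port the packet arrived on
    vlan: int          # VLAN of that port


BindingTable = Dict[Tuple[str, int], Binding]


def build_binding_table(entries: Iterable[Binding]) -> BindingTable:
    """Index bindings by (IP, VLAN), with MACs normalized for comparison."""
    return {(e.ip, e.vlan): Binding(e.ip, normalize_mac(e.mac), e.port, e.vlan)
            for e in entries}


def inspect_arp(pkt: ArpPacket, bindings: BindingTable,
                detection_vlans: Set[int], consistency_check: bool = True) -> str:
    """Return 'forward' or a 'drop: <reason>' verdict for one ARP packet."""
    if pkt.vlan not in detection_vlans:
        return "forward"                       # ARP detection not enabled in this VLAN
    eth_mac = normalize_mac(pkt.eth_src_mac)
    sender_mac = normalize_mac(pkt.sender_mac)
    # Step 1 (specified-object check): the sender MAC carried in the ARP body
    # must equal the Ethernet source MAC; otherwise the packet is invalid.
    if consistency_check and eth_mac != sender_mac:
        return "drop: sender MAC differs from Ethernet source MAC"
    # Step 2 (binding check): sender IP, MAC and ingress port must match an entry.
    entry = bindings.get((pkt.sender_ip, pkt.vlan))
    if entry is None:
        return "drop: no binding for sender IP in this VLAN"
    if entry.mac != sender_mac or entry.port != pkt.in_port:
        return "drop: sender IP/MAC/port does not match the binding"
    return "forward"


# Constructed sample bindings for two hosts in VLAN 10 (assumed addresses and ports).
SAMPLE_BINDINGS = build_binding_table([
    Binding("10.1.1.5", "0001-0203-0405", "GE1/0/1", 10),
    Binding("10.1.1.6", "0001-0203-0607", "GE1/0/2", 10),
])

if __name__ == "__main__":
    # Constructed packets: one that matches its binding, then one failing each check.
    samples = [
        ArpPacket("0001-0203-0405", "0001-0203-0405", "10.1.1.5", "GE1/0/1", 10),
        ArpPacket("0001-0203-0607", "0001-0203-0405", "10.1.1.5", "GE1/0/2", 10),
        ArpPacket("0001-0203-0607", "0001-0203-0607", "10.1.1.5", "GE1/0/2", 10),
    ]
    for p in samples:
        print(p.in_port, p.sender_ip, "->", inspect_arp(p, SAMPLE_BINDINGS, {10}))
```

    Packets from a VLAN without ARP detection pass untouched, which is why the manual's per-VLAN enablement matters: a binding table is only consulted where detection is switched on.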
  • Page 331 Configuration procedure
    Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted).
    Configure a DHCP server (the configuration procedure is omitted).
    Configure Host A and Host B as DHCP clients (the configuration procedure is omitted).
    Configure Switch B
    # Enable DHCP snooping.
  • Page 332 Figure 3-2 Network diagram for ARP detection configuration
    Configuration procedure
    Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted).
    Configure a DHCP server (the configuration procedure is omitted).
    Configure Host A and Host B as 802.1x clients (the configuration procedure is omitted) and configure them to upload IP addresses for ARP detection.
  • Page 333 Table of Contents
    1 DHCP Overview 1-1
      Introduction to DHCP 1-1
      DHCP Address Allocation 1-2
        Allocation Mechanisms 1-2
        Dynamic IP Address Allocation Process 1-2
        IP Address Lease Extension 1-3
      DHCP Message Format 1-3
      DHCP Options 1-4
        DHCP Options Overview 1-4
        Introduction to DHCP Options 1-4
        Self-Defined Options 1-5
      Protocols and Standards 1-8
    2 DHCP Relay Agent Configuration 2-1...
  • Page 334
        Prerequisites 4-5
        Configuring DHCP Snooping to Support Option 82 4-5
      Displaying and Maintaining DHCP Snooping 4-7
      DHCP Snooping Configuration Examples 4-7
        DHCP Snooping Configuration Example 4-7
        DHCP Snooping Option 82 Support Configuration Example 4-8
    5 BOOTP Client Configuration 5-1
      Introduction to BOOTP Client 5-1
        BOOTP Application 5-1
        Obtaining an IP Address Dynamically 5-2
        Protocols and Standards 5-2...
  • Page 335: DHCP Overview

    This document is organized as follows:
      DHCP Overview
      DHCP Relay Agent Configuration
      DHCP Client Configuration
      DHCP Snooping Configuration
      BOOTP Client Configuration
    DHCP Overview
    Introduction to DHCP
    The fast expansion and growing complexity of networks result in scarce IP addresses assignable to hosts.
  • Page 336: DHCP Address Allocation

    DHCP Address Allocation
    Allocation Mechanisms
    DHCP supports three mechanisms for IP address allocation.
      Manual allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client.
      Automatic allocation: DHCP assigns a permanent IP address to a client.
      Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease.
  • Page 337: IP Address Lease Extension

    After receiving the DHCP-ACK message, the client probes whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE message to the server and requests an IP address again.
  • Page 338: DHCP Options

    secs: Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. Currently this field is reserved and set to 0.
    flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast;...
  • Page 339: Self-Defined Options

    Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table.
    Option 33: Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add to its routing table.
  • Page 340 Figure 1-6 Format of the value field of the ACS parameter sub-option The value field of the service provider identifier sub-option contains the service provider identifier. Figure 1-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE server type can only be 0.
  • Page 341 Figure 1-8 Sub-option 1 in normal padding format
    Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client’s request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is 0.
    Figure 1-9 Sub-option 2 in normal padding format
    Verbose padding format
    The padding contents for sub-options in the verbose padding format are as follows:...
  • Page 342
    Sub-option 1: IP address of the primary network calling processor, which is a server serving as the network calling control source and providing program downloads.
    Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreachable.
  • Page 343: DHCP Relay Agent Configuration

    DHCP Relay Agent Configuration
    When configuring the DHCP relay agent, go to these sections for information you are interested in:
      Introduction to DHCP Relay Agent
      DHCP Relay Agent Configuration Task List
      Configuring the DHCP Relay Agent
      Displaying and Maintaining DHCP Relay Agent Configuration
      DHCP Relay Agent Configuration Examples
      Troubleshooting DHCP Relay Agent Configuration
    The DHCP relay agent configuration is supported only on VLAN interfaces.
  • Page 344: DHCP Relay Agent Support For Option 82

    Figure 2-1 DHCP relay agent application (diagram: DHCP clients and a DHCP server on either side of a DHCP relay agent across an IP network)
    No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section Dynamic IP Address Allocation Process).
  • Page 345: DHCP Relay Agent Configuration Task List

    If a client’s requesting message has Option 82, the DHCP relay agent handles it according to the handling strategy and padding format:
      Drop (padding format: Random): Drop the message.
      Keep (padding format: Random): Forward the message without changing Option 82.
      Replace (padding format: normal): Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
  • Page 346: Enabling The DHCP Relay Agent On An Interface

    Follow these steps to enable DHCP:
      1. Enter system view: system-view
      2. Enable DHCP: dhcp enable (Required. Disabled by default.)
    Enabling the DHCP Relay Agent on an Interface
    With this task completed, upon receiving a DHCP request from the enabled interface, the relay agent will forward the request to a DHCP server for address allocation.
  • Page 347: Configuring The DHCP Relay Agent Security Functions

    To do… Use the command… Remarks
      Correlate the DHCP server group with the current interface: dhcp relay server-select group-id (Required. By default, no interface is correlated with any DHCP server group.)
    You can specify up to twenty DHCP server groups on the relay agent and eight DHCP server addresses for each DHCP server group.
  • Page 348 The dhcp relay address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands are used. The dhcp relay address-check enable command only checks IP and MAC addresses of clients. You are recommended to configure IP address check on the interface enabled with the DHCP relay agent;...
  • Page 349: Configuring The DHCP Relay Agent To Send A DHCP-Release Request

    Follow these steps to enable unauthorized DHCP server detection:
      1. Enter system view: system-view
      2. Enable unauthorized DHCP server detection: dhcp relay server-detect (Required. Disabled by default.)
    With the unauthorized DHCP server detection enabled, the device puts a record once for each DHCP server.
  • Page 350 Configuring the DHCP relay agent to support Option 82
    Follow these steps to configure the DHCP relay agent to support Option 82:
      1. Enter system view: system-view
      2. Enter interface view: interface interface-type interface-number
      3. Enable the relay agent to …: dhcp relay information... (Required)
  • Page 351: Displaying And Maintaining DHCP Relay Agent Configuration

    Displaying and Maintaining DHCP Relay Agent Configuration
      Display information about DHCP server groups correlated to a specified interface or all interfaces: display dhcp relay { all | interface interface-type interface-number }
      Display Option 82 configuration information on the DHCP relay agent: display dhcp relay information { all | interface interface-type...
  • Page 352: DHCP Relay Agent Option 82 Support Configuration Example

    Configuration procedure
    # Specify IP addresses for the interfaces (omitted).
    # Enable DHCP.
    <SwitchA> system-view
    [SwitchA] dhcp enable
    # Add DHCP server 10.1.1.1 into DHCP server group 1.
    [SwitchA] dhcp relay server-group 1 ip 10.1.1.1
    # Enable the DHCP relay agent on VLAN-interface 1.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] dhcp select relay
    # Correlate VLAN-interface 1 to DHCP server group 1.
  • Page 353: Troubleshooting DHCP Relay Agent Configuration

    # Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations.
    [SwitchA-Vlan-interface1] dhcp relay information enable
    [SwitchA-Vlan-interface1] dhcp relay information strategy replace
    [SwitchA-Vlan-interface1] dhcp relay information circuit-id string company001
    [SwitchA-Vlan-interface1] dhcp relay information remote-id string device001
    You need to perform corresponding configurations on the DHCP server to make the Option 82 configurations function normally.
  • Page 354: DHCP Client Configuration

    DHCP Client Configuration
    When configuring the DHCP client, go to these sections for information you are interested in:
      Introduction to DHCP Client
      Enabling the DHCP Client on an Interface
      Displaying and Maintaining the DHCP Client
      DHCP Client Configuration Example
    The DHCP client configuration is supported only on VLAN interfaces. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 355: Displaying And Maintaining The DHCP Client

    An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface.
  • Page 356
    <SwitchB> system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address dhcp-alloc...
  • Page 357: DHCP Snooping Configuration

    DHCP Snooping Configuration
    When configuring DHCP snooping, go to these sections for information you are interested in:
      DHCP Snooping Overview
      Configuring DHCP Snooping Basic Functions
      Configuring DHCP Snooping to Support Option 82
      Displaying and Maintaining DHCP Snooping
      DHCP Snooping Configuration Examples
    The DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP server, and it can work when it is between the DHCP client and relay agent or between the DHCP client and server.
  • Page 358: Application Environment Of Trusted Ports

    Recording IP-to-MAC mappings of DHCP clients DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping entries, DHCP snooping can implement the following: ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries.
  • Page 359 Figure 4-2 Configure trusted ports in a cascaded network
    Table 4-1 describes roles of the ports shown in Figure 4-2.
    Table 4-1 Roles of ports (columns: Device; Untrusted port; Trusted port disabled from recording binding entries; Trusted port enabled to record binding entries)
    Switch A GE1/0/1 GE1/0/3...
  • Page 360: Configuring DHCP Snooping Basic Functions

    If a client’s requesting message has Option 82, the DHCP snooping device handles it according to the handling strategy and padding format:
      Drop (padding format: Random): Drop the message.
      Keep (padding format: Random): Forward the message without changing Option 82.
      Replace (padding format: normal): Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
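    The drop/keep/replace handling of Option 82 from the relay agent table (page 345) and the DHCP snooping table above, as an added Python example that is not code from the H3C manual. It assumes a constructed DHCP option list as input, that sub-option 1 is the circuit ID and sub-option 2 the remote ID (as on page 341), that the configured strings (company001, device001, from the page 353 example) are placed directly in those sub-options rather than in the manual's normal or verbose padding layout, and that a request without Option 82 gets the device's own Option 82 added before forwarding.

```python
"""Option 82 handling strategies on a relay agent or snooping device (added example)."""
from typing import Dict, List, Optional, Tuple

OPTION_PAD, OPTION_END, OPTION_RELAY_AGENT_INFO = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2   # sub-options 1 and 2 in the manual

Tlv = Tuple[int, bytes]


def parse_tlvs(raw: bytes, top_level: bool) -> List[Tlv]:
    """Walk a (code, length, value) list. At the top level the single-byte PAD
    and END codes are honoured; inside Option 82 every sub-option carries a
    length byte, so they are not."""
    out: List[Tlv] = []
    i = 0
    while i < len(raw):
        code = raw[i]
        if top_level and code == OPTION_PAD:
            i += 1
            continue
        if top_level and code == OPTION_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option length exceeds remaining bytes")
        out.append((code, value))
        i += 2 + length
    return out


def encode_tlvs(tlvs: List[Tlv]) -> bytes:
    """Serialize (code, value) pairs; each value must fit one length byte."""
    buf = bytearray()
    for code, value in tlvs:
        if len(value) > 255:
            raise ValueError(f"option {code} value too long")
        buf += bytes([code, len(value)]) + value
    return bytes(buf)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option 82 value carrying the device's own circuit ID and remote ID.
    Assumption: the configured strings go straight into the sub-options; the
    manual's normal/verbose padding layouts are not reproduced here."""
    return encode_tlvs([(SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)])


def option82_suboptions(options: bytes) -> Dict[int, bytes]:
    """Return {sub-option code: value} for the Option 82 in an option list ({} if absent)."""
    for code, value in parse_tlvs(options, top_level=True):
        if code == OPTION_RELAY_AGENT_INFO:
            return dict(parse_tlvs(value, top_level=False))
    return {}


def handle_request(options: bytes, strategy: str,
                   circuit_id: bytes, remote_id: bytes) -> Optional[bytes]:
    """Apply the handling strategy to a client request's option list.
    Returns the option list to forward, or None when the message is dropped."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError(f"unknown strategy {strategy!r}")
    tlvs = parse_tlvs(options, top_level=True)
    own = build_option82(circuit_id, remote_id)
    if any(code == OPTION_RELAY_AGENT_INFO for code, _ in tlvs):
        if strategy == "drop":
            return None                                      # drop the message
        if strategy == "keep":
            return encode_tlvs(tlvs) + bytes([OPTION_END])   # forward unchanged
        # replace: swap the original Option 82 for the device's own
        tlvs = [(c, own if c == OPTION_RELAY_AGENT_INFO else v) for c, v in tlvs]
    else:
        # Assumption: a request without Option 82 gets the device's own added.
        tlvs.append((OPTION_RELAY_AGENT_INFO, own))
    return encode_tlvs(tlvs) + bytes([OPTION_END])


# Constructed sample: a DHCP Discover (option 53 = 1) that already carries an
# Option 82 with circuit ID 'other' and remote ID 'relay', as a request that
# passed through another relay agent would.
SAMPLE_REQUEST = (b"\x35\x01\x01"
                  + b"\x52\x0e" + b"\x01\x05other" + b"\x02\x05relay"
                  + b"\xff")

if __name__ == "__main__":
    for strategy in ("drop", "keep", "replace"):
        result = handle_request(SAMPLE_REQUEST, strategy, b"company001", b"device001")
        print(strategy, "->", None if result is None else option82_suboptions(result))
```

    The parser rejects an option whose length byte runs past the end of the buffer instead of silently truncating it, which is the check a device in the DHCP path needs before it trusts any sub-option content.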
  • Page 361: Configuring DHCP Snooping To Support Option 82

    You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports.
  • Page 362 To do… Use the command… Remarks
      Configure the padding format for Option 82: dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } (Optional. normal by default.)
      Optional. By default, the code type depends on the padding format of Option 82.
  • Page 363: Displaying And Maintaining DHCP Snooping

    Displaying and Maintaining DHCP Snooping
      Display DHCP snooping entries: display dhcp-snooping [ ip ip-address ] (Available in any view)
      Display Option 82 configuration information on the DHCP snooping device: display dhcp-snooping information { all | interface interface-type interface-number } (Available in any view)
      Display DHCP packet statistics on the...
  • Page 364: DHCP Snooping Option 82 Support Configuration Example

    [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
    [SwitchB-GigabitEthernet1/0/1] quit
    DHCP Snooping Option 82 Support Configuration Example
    Network requirements
    As shown in Figure 4-3, enable DHCP snooping and Option 82 support on Switch B. Configure the handling strategy for DHCP requests containing Option 82 as replace. On GigabitEthernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
  • Page 365: BOOTP Client Configuration

    BOOTP Client Configuration
    While configuring a BOOTP client, go to these sections for information you are interested in:
      Introduction to BOOTP Client
      Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP
      Displaying and Maintaining BOOTP Client Configuration
    BOOTP client configuration only applies to VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 366: Obtaining An IP Address Dynamically

    Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server. Obtaining an IP Address Dynamically A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.
  • Page 367: Displaying And Maintaining BOOTP Client Configuration

    Displaying and Maintaining BOOTP Client Configuration
      Display related information on a BOOTP client: display bootp client [ interface interface-type interface-number ] (Available in any view)
    BOOTP Client Configuration Example
    Network requirement
    As shown in Figure 5-1, Switch B’s port belonging to VLAN 1 is connected to the LAN.
  • Page 368 Table of Contents
    1 DNS Configuration 1-1
      DNS Overview 1-1
        Static Domain Name Resolution 1-1
        Dynamic Domain Name Resolution 1-1
        DNS Proxy 1-3
      Configuring the DNS Client 1-4
        Configuring Static Domain Name Resolution 1-4
        Configuring Dynamic Domain Name Resolution 1-4
      Configuring the DNS Proxy 1-5
      Displaying and Maintaining DNS 1-5
      DNS Configuration Examples 1-5
        Static Domain Name Resolution Configuration Example 1-5
        Dynamic Domain Name Resolution Configuration Example 1-6...
  • Page 369: DNS Configuration

    DNS Configuration
    When configuring DNS, go to these sections for information you are interested in:
      DNS Overview
      Configuring the DNS Client
      Configuring the DNS Proxy
      Displaying and Maintaining DNS
      DNS Configuration Examples
      Troubleshooting DNS Configuration
    This document only covers IPv4 DNS configuration. For information about IPv6 DNS configuration, refer to IPv6 Basics Configuration in the IP Services Volume.
  • Page 370 The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, it sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned. The DNS client returns the resolution result to the application after receiving a response from the DNS server.
  • Page 371: DNS Proxy

    If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host. DNS Proxy Introduction to DNS proxy A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 1-2, a DNS client sends a DNS request to the DNS proxy, which forwards the...
  • Page 372: Configuring The DNS Client

    Configuring the DNS Client
    Configuring Static Domain Name Resolution
    Follow these steps to configure static domain name resolution:
      1. Enter system view: system-view
      2. Configure a mapping between a host name and IP address in the static …: ip host hostname ip-address (Required. Not configured by default.)
  • Page 373: Configuring The DNS Proxy

    Configuring the DNS Proxy
    Follow these steps to configure the DNS proxy:
      1. Enter system view: system-view
      2. Enable DNS proxy: dns proxy enable (Required. Disabled by default.)
    Displaying and Maintaining DNS
      Display the static domain name … : display ip host...
  • Page 374: Dynamic Domain Name Resolution Configuration Example

    data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms
    --- host.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received...
  • Page 375 Figure 1-5, right click Forward Lookup Zones, select New zone, and then follow the instructions to create a new zone named com. Figure 1-5 Create a zone # Create a mapping between the host name and IP address. Figure 1-6 Add a host Figure 1-6, right click zone com, and then select New Host to bring up a dialog box as shown in Figure...
  • Page 376 Figure 1-7 Add a mapping between domain name and IP address
    Configure the DNS client
    # Enable dynamic domain name resolution.
    <Sysname> system-view
    [Sysname] dns resolve
    # Specify the DNS server 2.1.1.2.
    [Sysname] dns server 2.1.1.2
    # Configure com as the name suffix.
    [Sysname] dns domain com
    Configuration verification
    # Execute the ping host command on the Switch to verify that the communication between the Switch...
  • Page 377: DNS Proxy Configuration Example

    DNS Proxy Configuration Example Network requirements Specify Switch A as the DNS server of Switch B (the DNS client). Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. Switch B implements domain name resolution through Switch A. Figure 1-8 Network diagram for DNS proxy Configuration procedure Before performing the following configuration, assume that Switch A, the DNS server, and the host are...
  • Page 378: Troubleshooting DNS Configuration

    # Specify the DNS server 2.1.1.2.
    [SwitchB] dns server 2.1.1.2
    Configuration verification
    # Execute the ping host.com command on Switch B to verify that the communication between the Switch and the host is normal and that the corresponding destination IP address is 3.1.1.1.
    [SwitchB] ping host.com
    Trying DNS resolve, press CTRL_C to break
    Trying DNS server (2.1.1.2)
  • Page 379 Table of Contents
    1 IP Performance Optimization Configuration 1-1
      IP Performance Overview 1-1
      Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 1-1
        Enabling Reception of Directed Broadcasts to a Directly Connected Network 1-1
        Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1-2
        Configuration Example 1-2
      Configuring TCP Optional Parameters 1-3
      Configuring ICMP to Send Error Packets 1-4...
  • Page 380: IP Performance Optimization Configuration

    IP Performance Optimization Configuration
    When optimizing IP performance, go to these sections for information you are interested in:
      IP Performance Overview
      Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network
      Configuring TCP Optional Parameters
      Configuring ICMP to Send Error Packets
      Displaying and Maintaining IP Performance Optimization
    IP Performance Overview
    In some network environments, you can adjust the IP parameters to achieve best network performance.
  • Page 381: Enabling Forwarding Of Directed Broadcasts To A Directly Connected Network

    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network
    Follow these steps to enable the device to forward directed broadcasts:
      1. Enter system view: system-view
      2. Enter interface view: interface interface-type interface-number
      3. Enable the interface to forward directed broadcasts: ip forward-broadcast [ acl ... (Required. By default, the device is...)
  • Page 382: Configuring TCP Optional Parameters

    [SwitchA-Vlan-interface3] ip address 1.1.1.2 24
    [SwitchA-Vlan-interface3] quit
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 2.2.2.2 24
    # Enable VLAN-interface 2 to forward directed broadcasts.
    [SwitchA-Vlan-interface2] ip forward-broadcast
    Configure Switch B
    # Enable Switch B to receive directed broadcasts.
    <SwitchB> system-view
    [SwitchB] ip forward-broadcast
    # Configure a static route to the host.
  • Page 383: Configuring ICMP To Send Error Packets

    The actual length of the finwait timer is determined by the following formula:
      Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer
    Configuring ICMP to Send Error Packets
    Sending error packets is a major function of ICMP.
  • Page 384 When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet’s port number does not match the running process, the device will send the source a “port unreachable” ICMP error packet. If the source uses “strict source routing” to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device will send the source a “source routing failure”...
  • Page 385: Displaying And Maintaining IP Performance Optimization

    Displaying and Maintaining IP Performance Optimization
      Display current TCP connection state: display tcp status
      Display TCP connection statistics: display tcp statistics
      Display UDP statistics: display udp statistics
      Display statistics of IP packets: display ip statistics [ slot slot-number ]
      Display statistics of ICMP flows: display icmp statistics [ slot...
  • Page 386 Table of Contents
    1 UDP Helper Configuration 1-1
      Introduction to UDP Helper 1-1
      Configuring UDP Helper 1-1
      Displaying and Maintaining UDP Helper 1-2
      UDP Helper Configuration Examples 1-2
        UDP Helper Configuration Example 1-2...
  • Page 387: UDP Helper Configuration

    UDP Helper Configuration
    When configuring UDP Helper, go to these sections for information you are interested in:
      Introduction to UDP Helper
      Configuring UDP Helper
      Displaying and Maintaining UDP Helper
      UDP Helper Configuration Examples
    UDP Helper can be currently configured on VLAN interfaces only.
    Introduction to UDP Helper
    Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 388: Displaying And Maintaining UDP Helper

    To do… Use the command… Remarks
      Enter interface view: interface interface-type interface-number
      Specify the destination server to which UDP packets are to be forwarded: udp-helper server ip-address (Required. No destination server is specified by default.)
    The UDP Helper enabled device cannot forward DHCP broadcast packets. That is to say, the UDP port number cannot be set to 67 or 68.
  • Page 389 Figure 1-1 Network diagram for UDP Helper configuration
    Configuration procedure
    The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available.
    # Enable UDP Helper.
    <SwitchA> system-view
    [SwitchA] udp-helper enable
    # Enable the forwarding of broadcast packets with the UDP destination port 55.
    [SwitchA] udp-helper port 55
    # Specify the destination server 10.2.1.1 on VLAN-interface 1.
  • Page 390 Table of Contents
    1 IPv6 Basics Configuration 1-1
      IPv6 Overview 1-1
        IPv6 Features 1-1
        Introduction to IPv6 Address 1-3
        Introduction to IPv6 Neighbor Discovery Protocol 1-6
        IPv6 PMTU Discovery 1-8
        Introduction to IPv6 DNS 1-9
        Protocols and Standards 1-9
      IPv6 Basics Configuration Task List 1-10
      Configuring Basic IPv6 Functions 1-10
        Enabling IPv6 1-10
        Configuring an IPv6 Unicast Address 1-10...
  • Page 391: IPv6 Basics Configuration

    IPv6 Basics Configuration
    When configuring IPv6 basics, go to these sections for information you are interested in:
      IPv6 Overview
      IPv6 Basics Configuration Task List
      Configuring Basic IPv6 Functions
      Configuring IPv6 NDP
      Configuring PMTU Discovery
      Configuring IPv6 TCP Properties
      Configuring ICMPv6 Packet Sending
      Configuring IPv6 DNS Client
      Displaying and Maintaining IPv6 Basics Configuration
      IPv6 Configuration Example...
  • Page 392 the IPv4 address size, the basic IPv6 header size is 40 bytes and is only twice the IPv4 header size (excluding the Options field). Figure 1-1 Comparison between IPv4 packet header format and basic IPv6 packet header format Adequate address space The source and destination IPv6 addresses are both 128 bits (16 bytes) long.
  • Page 393: Introduction to IPv6 Address

    Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol Version 6 (ICMPv6) messages that manage the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP) messages, Internet Control Message Protocol version 4 (ICMPv4) router discovery messages, and ICMPv4 redirection messages and provides a series of other functions.
  • Page 394 Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the target interface is nearest to the source, according to a routing protocol’s measure of distance).
  • Page 395 Unassigned address: The unicast address "::" is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet. It cannot be used as a destination IPv6 address. Multicast address IPv6 multicast addresses listed in Table 1-2...
  • Page 396: Introduction to IPv6 Neighbor Discovery Protocol

    Introduction to IPv6 Neighbor Discovery Protocol
    The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to implement the following functions:
      Address resolution
      Neighbor reachability detection
      Duplicate address detection
      Router/prefix discovery and address autoconfiguration
      Redirection
    Table 1-3 lists the types and functions of ICMPv6 messages used by the NDP.
    Table 1-3 Types and functions of ICMPv6 messages ICMPv6 message Number...
  • Page 397 Figure 1-3 Address resolution The address resolution procedure is as follows: Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of node A and the destination address is the solicited-node multicast address of node B.
  • Page 398: IPv6 PMTU Discovery

    If node B uses this IPv6 address, node B returns an NA message. The NA message contains the IPv6 address of node B. Node A learns that the IPv6 address is being used by node B after receiving the NA message from node B.
  • Page 399: Introduction to IPv6 DNS

    The path MTU (PMTU) discovery mechanism is to find the minimum MTU of all links in the path from the source to the destination. Figure 1-5 shows the working procedure of PMTU discovery. Figure 1-5 Working procedure of PMTU discovery The working procedure of the PMTU discovery is as follows: The source host uses its MTU to send packets to the destination host.
  • Page 400: IPv6 Basics Configuration Task List

    RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
    RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
    RFC 2526: Reserved IPv6 Subnet Anycast Addresses
    RFC 3307: Allocation Guidelines for IPv6 Multicast Addresses
    RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
    RFC 3596: DNS Extensions to Support IP Version 6
    IPv6 Basics Configuration Task List
    Complete the following tasks to perform IPv6 basics configuration:...
  • Page 401 Manual assignment: IPv6 link-local addresses can be assigned manually.
    Follow these steps to configure an IPv6 unicast address:
    To do... / Use the command... / Remarks
    Enter system view: system-view (—)
    Enter interface view: interface interface-type interface-number (—)
    ipv6 address Configure { ipv6-address One of the two commands is an IPv6 Manually assign an...
  • Page 402: Configuring IPv6 NDP

    Configuring IPv6 NDP Configuring a Static Neighbor Entry The IPv6 address of a neighbor node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry. The device uniquely identifies a static neighbor entry according to the neighbor IPv6 address and the local Layer 3 interface ID.
  • Page 403: Configuring Parameters Related to RA Messages

    Configuring Parameters Related to RA Messages You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations.
  • Page 404 To do… / Use the command… / Remarks
    Configure the hop limit: ipv6 nd hop-limit value (Optional. 64 by default.)
    Enter interface view: interface interface-type interface-number (—)
    Disable the RA message suppression: undo ipv6 nd ra halt (Required. By default, RA messages are suppressed.)
    Optional By default, the maximum interval for...
  • Page 405: Configuring the Maximum Number of Attempts to Send an NS Message for DAD

    The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages. Configuring the Maximum Number of Attempts to Send an NS Message for DAD An interface sends a neighbor solicitation (NS) message for duplicate address detection after acquiring an IPv6 address.
  • Page 406: Configuring IPv6 TCP Properties

    MTU. After the aging time expires, the dynamic PMTU is removed and the source host re-determines a dynamic path MTU through the PMTU mechanism. The aging time is invalid for a static PMTU. Follow these steps to configure the aging time for dynamic PMTUs: To do…...
  • Page 407: Enable Sending of Multicast Echo Replies

    successively sent exceeds the capacity of the token bucket, the additional ICMPv6 error packets cannot be sent out until the capacity of the token bucket is restored. Follow these steps to configure the capacity and update interval of the token bucket: To do…...
  • Page 408: Configuring IPv6 DNS Client

    Configuring IPv6 DNS Client Configuring Static IPv6 Domain Name Resolution Configuring static IPv6 domain name resolution is to establish the mapping between a host name and an IPv6 address. When using such applications as Telnet, you can directly input a host name and the system will resolve the host name into an IPv6 address.
  • Page 409: Displaying and Maintaining IPv6 Basics Configuration

    Displaying and Maintaining IPv6 Basics Configuration
    To do… / Use the command… / Remarks
    Display DNS suffix information: display dns domain [ dynamic ]
    Display IPv6 dynamic domain name cache information: display dns ipv6 dynamic-host
    Display IPv6 DNS server information: display dns ipv6 server [ dynamic ]
    Display the IPv6 FIB entries: display ipv6 fib [ slot-number ] [ ipv6-address ]...
  • Page 410: IPv6 Configuration Example

    The display dns domain command is the same as that of IPv4 DNS. For details about the commands, refer to DNS Commands in the IP Services Volume.
    IPv6 Configuration Example
    Network requirements
    Host, Switch A and Switch B are directly connected through Ethernet ports. Add the Ethernet ports into corresponding VLANs, configure IPv6 addresses for the VLAN interfaces and verify the connectivity between them.
  • Page 411 [SwitchA-Vlan-interface1] ipv6 address 2001::1/64
    [SwitchA-Vlan-interface1] undo ipv6 nd ra halt
    Configure Switch B
    # Enable IPv6.
    <SwitchB> system-view
    [SwitchB] ipv6
    # Configure an aggregatable global unicast address for VLAN-interface 2.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ipv6 address 3001::2/64
    # Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1.
    [SwitchB-Vlan-interface2] ipv6 route-static 2001:: 64 3001::1
    Configure Host
    Enable IPv6 for Host to automatically get an IPv6 address through IPv6 NDP.
  • Page 412 InBadHeaders: InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: [SwitchA-Vlan-interface1] display ipv6 interface vlan-interface 1 verbose Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es):...
  • Page 413 InBadHeaders: InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B. [SwitchB-Vlan-interface2] display ipv6 interface vlan-interface 2 verbose Vlan-interface2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234 Global unicast address(es):...
  • Page 414 ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on Host, and ping Switch A and Host on Switch B to verify the connectivity between them.
  • Page 415: Troubleshooting IPv6 Basics Configuration

    round-trip min/avg/max = 3/3/3 ms As shown in the output information, Host can ping Switch B and Switch A. Troubleshooting IPv6 Basics Configuration Symptom The peer IPv6 address cannot be pinged. Solution Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled.
  • Page 416 Table of Contents
    1 Dual Stack Configuration 1-1
    Dual Stack Overview 1-1
    Configuring Dual Stack 1-1...
  • Page 417: Dual Stack Overview

    Dual Stack Configuration
    When configuring dual stack, go to these sections for information you are interested in:
      Dual Stack Overview
      Configuring Dual Stack
    Dual Stack Overview
    Dual stack is the most direct approach to making IPv6 nodes compatible with IPv4 nodes. The best way for an IPv6 node to be compatible with an IPv4 node is to maintain a complete IPv4 stack.
  • Page 418 To do… / Use the command… / Remarks
    Configure an IPv4 address for the interface: ip address ip-address { mask | mask-length } [ sub ] (Required. By default, no IP address is configured.)
    Manually specify...: ipv6 address { ipv6-address prefix-length... (Use either command.)
  • Page 419 Table of Contents
    1 sFlow Configuration 1-1
    sFlow Overview 1-1
    Introduction to sFlow 1-1
    Operation of sFlow 1-1
    Configuring sFlow 1-2
    Displaying and Maintaining sFlow 1-2
    sFlow Configuration Example 1-3
    Troubleshooting sFlow Configuration 1-4
    The Remote sFlow Collector Cannot Receive sFlow Packets 1-4...
  • Page 420: sFlow Configuration

    sFlow Configuration
    When configuring sFlow, go to these sections for information you are interested in:
      sFlow Overview
      Configuring sFlow
      Displaying and Maintaining sFlow
      sFlow Configuration Example
      Troubleshooting sFlow Configuration
    sFlow Overview
    Introduction to sFlow
    Sampled Flow (sFlow) is a traffic monitoring technology mainly used to collect and analyze traffic statistics.
  • Page 421: Configuring sFlow

    When the sFlow packet buffer overflows or the one-second timer expires, the sFlow agent sends sFlow packets to the specified sFlow collector. Configuring sFlow The sFlow feature enables the remote sFlow collector to monitor the network and analyze sFlow packet statistics.
  • Page 422: sFlow Configuration Example

    sFlow Configuration Example Network requirements Host A and Server are connected to Switch through GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. Host B works as an sFlow collector with IP address 3.3.3.2 and port number 6343, and is connected to Switch through GigabitEthernet 1/0/3. GigabitEthernet 1/0/3 belongs to VLAN 1, having an IP address of 3.3.3.1.
  • Page 423: Troubleshooting sFlow Configuration

    Collector IP:3.3.3.2 Port:6343 Interval(s): 30
    sFlow Port Information:
    Interface Direction Rate Mode Status
    GE1/0/1 In/Out 100000 Random Active
    Troubleshooting sFlow Configuration
    The Remote sFlow Collector Cannot Receive sFlow Packets
    Symptom
    The remote sFlow collector cannot receive sFlow packets.
    Analysis
    sFlow is not enabled globally because the sFlow agent, the sFlow collector, or both are not specified.
  • Page 424 IP Routing Volume Organization Manual Version 6W100-20090630 Product Version Release 2202 Organization The IP Routing Volume is organized as follows: Features Description This document describes: IP Routing Overview Introduction to IP routing and routing table Routing protocol overview A static route is manually configured by the administrator. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications.
  • Page 425 Table of Contents
    1 IP Routing Overview 1-1
    IP Routing and Routing Table 1-1
    Routing 1-1
    Routing Table 1-1
    Routing Protocol Overview 1-3
    Static Routing and Dynamic Routing 1-3
    Routing Protocols and Routing Priority 1-3
    Displaying and Maintaining a Routing Table 1-4...
  • Page 426: IP Routing Overview

    Static routes: Routes that are manually configured.
    Dynamic routes: Routes that are discovered dynamically by routing protocols. Dynamic routing protocols are not supported on the S5120-EI Series Ethernet Switches.
    Contents of a routing table
    A routing table includes the following key items:...
  • Page 427 Network mask: Specifies, together with the destination address, the address of the destination network. A logical AND operation between the destination address and the network mask yields the address of the destination network. For example, if the destination address is 129.102.8.10 and the mask 255.255.0.0, the address of the destination network is 129.102.0.0.
  • Page 428: Routing Protocol Overview

    Figure 1-1 A sample routing table (network diagram; router and interface address labels not reproduced)...
  • Page 429: Displaying And Maintaining A Routing Table

    Routing approach Priority DIRECT STATIC UNKNOWN The smaller the priority value, the higher the priority. The priority for a direct route is always 0, which you cannot change. Any other type of routes can have their priorities manually configured. Each static route can be configured with a different priority. IPv4 and IPv6 routes have their own respective routing tables.
  • Page 430 To do… / Use the command… / Remarks
    Display IPv6 routing information for an IPv6 address range: display ipv6 routing-table ipv6-address1 prefix-length1 ipv6-address2 prefix-length2 [ verbose ] (Available in any view)
    Clear specified IPv6 routing table statistics: reset ipv6 routing-table statistics protocol { all | protocol } (Available in user view)...
  • Page 431 Table of Contents
    1 Static Routing Configuration 1-1
    Introduction 1-1
    Static Route 1-1
    Default Route 1-1
    Application Environment of Static Routing 1-2
    Configuring a Static Route 1-2
    Configuration Prerequisites 1-2
    Configuration Procedure 1-2
    Detecting Reachability of the Static Route’s Nexthop 1-3
    Detecting Nexthop Reachability Through Track 1-3
    Displaying and Maintaining Static Routes 1-4
    Static Route Configuration Example 1-4
    Basic Static Route Configuration Example 1-4...
  • Page 432: Static Routing Configuration

    Static Routing Configuration
    When configuring a static route, go to these sections for information you are interested in:
      Introduction
      Configuring a Static Route
      Detecting Reachability of the Static Route’s Nexthop
      Displaying and Maintaining Static Routes
      Static Route Configuration Example
    The term “router” in this document refers to a router in a generic sense or a Layer 3 switch.
    Introduction
    Static Route
    A static route is manually configured.
  • Page 433: Application Environment Of Static Routing

    Application Environment of Static Routing Before configuring a static route, you need to know the following concepts: Destination address and mask In the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of mask length (the digits of consecutive 1s in the mask).
  • Page 434: Detecting Reachability Of The Static Route's Nexthop

    When configuring a static route, the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface. If you do not specify the preference when configuring a static route, the default preference will be used.
  • Page 435: Displaying And Maintaining Static Routes

    To configure this feature for an existing static route, simply associate the static route with a track entry. For a non-existent static route, configure it and associate it with a Track entry. If a static route needs route recursion, the associated track entry must monitor the nexthop of the recursive route instead of that of the static route;...
  • Page 436 Configuration procedure
    Configuring IP addresses for interfaces (omitted)
    Configuring static routes
    # Configure a default route on Switch A.
    <SwitchA> system-view
    [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
    # Configure two static routes on Switch B.
    <SwitchB> system-view
    [SwitchB] ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
    [SwitchB] ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
    # Configure a default route on Switch C
    <SwitchC>...
  • Page 437 127.0.0.0/8 Direct 0 127.0.0.1 InLoop0
    127.0.0.1/32 Direct 0 127.0.0.1 InLoop0
    1.1.6.0/24 Direct 0 192.168.1.47 Vlan100
    1.1.6.1/32 Direct 0 127.0.0.1 InLoop0
    # Use the ping command on Host B to check reachability to Host A, assuming Windows XP runs on the two hosts.
  • Page 438 Table of Contents
    1 IPv6 Static Routing Configuration 1-1
    Introduction to IPv6 Static Routing 1-1
    Features of IPv6 Static Routes 1-1
    Default IPv6 Route 1-1
    Configuring an IPv6 Static Route 1-1
    Configuration prerequisites 1-1
    Configuring an IPv6 Static Route 1-2
    Displaying and Maintaining IPv6 Static Routes 1-2
    IPv6 Static Routing Configuration Example 1-2...
  • Page 439: Introduction to IPv6 Static Routing

    IPv6 Static Routing Configuration
    When configuring IPv6 Static Routing, go to these sections for information you are interested in:
      Introduction to IPv6 Static Routing
      Configuring an IPv6 Static Route
      Displaying and Maintaining IPv6 Static Routes
      IPv6 Static Routing Configuration Example
    The term “router”...
  • Page 440: Displaying and Maintaining IPv6 Static Routes

    Enabling IPv6 packet forwarding
    Ensuring that the neighboring nodes are IPv6 reachable
    Configuring an IPv6 Static Route
    Follow these steps to configure an IPv6 static route:
    To do… / Use the commands… / Remarks
    Enter system view: system-view (—)
    Configure an IPv6 static route: ipv6 route-static ipv6-address prefix-length [ interface-type... (Required. The default...
  • Page 441 Configuration procedure
    Configure the IPv6 addresses of all VLAN interfaces (Omitted)
    Configure IPv6 static routes.
    # Configure the default IPv6 static route on SwitchA.
    <SwitchA> system-view
    [SwitchA] ipv6 route-static :: 0 4::2
    # Configure two IPv6 static routes on SwitchB.
    <SwitchB>...
  • Page 442 Reply from 3::1 bytes=56 Sequence=1 hop limit=254 time = 63 ms
    Reply from 3::1 bytes=56 Sequence=2 hop limit=254 time = 62 ms
    Reply from 3::1 bytes=56 Sequence=3 hop limit=254 time = 62 ms
    Reply from 3::1 bytes=56 Sequence=4 hop limit=254 time = 63 ms
    Reply from 3::1 bytes=56 Sequence=5 hop limit=254...
  • Page 443 IP Multicast Volume Organization Manual Version 6W100-20090630 Product Version Release 2202 Organization The IP Multicast Volume is organized as follows: Features Description This document describes the main concepts in multicast: Introduction to Multicast Multicast Overview Multicast Models Multicast Architecture Multicast Packets Forwarding Mechanism Running at the data link layer, IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control.
  • Page 444 Table of Contents
    1 Multicast Overview 1-1
    Introduction to Multicast 1-1
    Comparison of Information Transmission Techniques 1-1
    Features of Multicast 1-4
    Common Notations in Multicast 1-5
    Advantages and Applications of Multicast 1-5
    Multicast Models 1-5
    Multicast Architecture 1-6
    Multicast Addresses 1-7
    Multicast Protocols 1-10
    Multicast Packet Forwarding Mechanism 1-12...
  • Page 445: Multicast Overview

    Multicast Overview This manual chiefly focuses on the IP multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to IP multicast. Introduction to Multicast As a technique coexisting with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission.
  • Page 446 Figure 1-1 Unicast transmission (network diagram; host and packet labels not reproduced) Assume that Host B, Host D and Host E need the information. A separate transmission channel needs to be established from the information source to each of these hosts.
  • Page 447 Figure 1-2 Broadcast transmission Assume that only Host B, Host D, and Host E need the information. If the information is broadcast to the subnet, Host A and Host C also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet.
  • Page 448: Features Of Multicast

    Figure 1-3 Multicast transmission The multicast source (Source in the figure) sends only one copy of the information to a multicast group. Host B, Host D and Host E, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the information based on the distribution of the group members.
  • Page 449: Common Notations In Multicast

    For a better understanding of the multicast concept, you can compare multicast transmission to the transmission of TV programs, as shown in Table 1-1.
    Table 1-1 An analogy between TV transmission and multicast transmission
    TV transmission / Multicast transmission
    A TV station transmits a TV program through a channel. / A multicast source sends multicast data to a...
  • Page 450: Multicast Architecture

    ASM model In the ASM model, any sender can send information to a multicast group as a multicast source, and any number of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of the position of multicast sources in advance.
  • Page 451: Multicast Addresses

    Multicast Addresses To allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely multicast IP addresses, must be provided. In addition, a technique must be available to map multicast IP addresses to link-layer multicast MAC addresses. IP multicast addresses IPv4 multicast addresses Internet Assigned Numbers Authority (IANA) assigned the Class D address space (224.0.0.0 to 239.255.255.255) for IPv4 multicast.
  • Page 452 Address / Description
    224.0.0.7: Shared Tree (ST) routers
    224.0.0.8: ST hosts
    224.0.0.9: Routing Information Protocol version 2 (RIPv2) routers
    224.0.0.11: Mobile agents
    224.0.0.12: Dynamic Host Configuration Protocol (DHCP) server/relay agent
    224.0.0.13: All Protocol Independent Multicast (PIM) routers
    224.0.0.14: Resource Reservation Protocol (RSVP) encapsulation
    224.0.0.15: All Core-Based Tree (CBT) routers
    224.0.0.16...
  • Page 453 Description When set to 0, it indicates that this address is an IPv6 multicast address permanently-assigned by IANA When set to 1, it indicates that this address is a transient, or dynamically assigned IPv6 multicast address Scope: 4 bits, indicating the scope of the IPv6 internetwork for which the multicast traffic is intended. Possible values of this field are given in Table 1-5.
  • Page 454: Multicast Protocols

    The high-order four bits of a multicast IPv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a MAC address, so five bits of the multicast IPv4 address are lost. As a result, 32 multicast IPv4 addresses map to the same MAC address. Therefore, in Layer 2 multicast forwarding, a device may receive some multicast data addressed for other IPv4 multicast groups, and such redundant data needs to be filtered by the upper layer.
  • Page 455 Figure 1-8 Positions of Layer 3 multicast protocols Multicast management protocols Typically, the internet group management protocol (IGMP) or multicast listener discovery protocol (MLD) is used between hosts and Layer 3 multicast devices directly connected with the hosts. These protocols define the mechanism of establishing and maintaining group memberships between hosts and Layer 3 multicast devices.
  • Page 456: Multicast Packet Forwarding Mechanism

    Figure 1-9 Position of Layer 2 multicast protocols (source sending IPv4/IPv6 multicast packets; Multicast VLAN/IPv6 Multicast VLAN and IGMP Snooping/MLD Snooping running on the Layer 2 switch; receivers)
    IGMP Snooping/MLD Snooping: Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) and Multicast Listener Discovery Snooping (MLD Snooping) are multicast constraining mechanisms that manage and control multicast groups by listening to and analyzing the IGMP or MLD messages exchanged between hosts and Layer 3 multicast devices, thus effectively controlling the flooding of multicast data in a Layer 2 network.
  • Page 457 Table of Contents
    1 IGMP Snooping Configuration 1-1
      IGMP Snooping Overview 1-1
        Principle of IGMP Snooping 1-1
        Basic Concepts in IGMP Snooping 1-2
        How IGMP Snooping Works 1-3
        Protocols and Standards 1-5
      IGMP Snooping Configuration Task List 1-5
      Configuring Basic Functions of IGMP Snooping 1-6
        Configuration Prerequisites 1-6
        Enabling IGMP Snooping 1-6
        Configuring the Version of IGMP Snooping 1-7 ...
  • Page 458: Igmp Snooping Configuration

    IGMP Snooping Configuration
    When configuring IGMP Snooping, go to the following sections for information you are interested in: IGMP Snooping Overview; IGMP Snooping Configuration Task List; Displaying and Maintaining IGMP Snooping; IGMP Snooping Configuration Examples; Troubleshooting IGMP Snooping Configuration.
    IGMP Snooping Overview: Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
  • Page 459: Basic Concepts In Igmp Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth. Enhancing the security of multicast traffic. Facilitating the implementation of per-host accounting. Basic Concepts in IGMP Snooping IGMP Snooping related ports As shown in Figure 1-2, Router A connects to the multicast source, IGMP Snooping runs on Switch A and Switch B, Host A and Host C are receiver hosts (namely, multicast group members).
  • Page 460: How Igmp Snooping Works

    Aging timers for dynamic ports in IGMP Snooping and related messages and actions
    Table 1-1 Aging timers for dynamic ports in IGMP Snooping and related messages and actions
    Columns: Timer | Description | Message before expiry | Action after expiry
    Dynamic router port aging timer | For each dynamic router port, the switch ... | IGMP general query of ... | The switch removes ...
  • Page 461 When receiving a membership report: A host sends an IGMP report to the IGMP querier in the following circumstances: Upon receiving an IGMP query, a multicast group member host responds with an IGMP report. When it intends to join a multicast group, a host sends an unsolicited IGMP report to the IGMP querier to announce that it is interested in the multicast data addressed to that group.
  • Page 462: Protocols And Standards

    Upon receiving the IGMP leave message from a host, the IGMP querier resolves the multicast group address in the message and sends an IGMP group-specific query for that group through the port that received the leave message. Upon receiving the IGMP group-specific query, the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group, and does the following on the port on which it received the IGMP leave message: If any IGMP report in response to the group-specific query is received on the port (suppose it is a...
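    The query, report and leave handling described in this section, as a small executable model. It is an added example written for this page, not code from the H3C manual or the Comware software: it parses real IGMPv2 message bytes (type, max response time, checksum, group address), keeps one VLAN's router-port and member-port state, and also covers two options configured later in this chapter, fast leave processing and dropping unknown multicast data. The class and function names, the four-port VLAN and the message sequence are constructed for illustration; the switch itself additionally requires a non-zero source IP address or a PIM hello before treating a port as a router port, which this model does not see because it works on the IGMP payload only.

```python
"""Model of IGMP Snooping in one VLAN, driven by real IGMPv2 message bytes.

Added example for this page, not code from the H3C manual.  It shows how a
Layer 2 switch learns router and member ports from queries and reports, how
a leave is handled with and without fast leave, and what happens to data for
a group with no forwarding entry (flooded, or dropped with drop-unknown).
Port names mirror the manual's figures; the scenario is constructed.
"""
import ipaddress
import struct

IGMP_QUERY, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x16, 0x17   # RFC 2236 message types


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; evaluates to 0 over an intact message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp: int = 100) -> bytes:
    """8-byte IGMPv2 message: type, max response time, checksum, group address."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(pkt: bytes) -> tuple:
    """Return (type, group); refuse short or corrupted messages before acting on them."""
    if len(pkt) < 8 or inet_checksum(pkt) != 0:
        raise ValueError("malformed IGMP message")
    msg_type, _, _, group = struct.unpack("!BBH4s", pkt[:8])
    return msg_type, str(ipaddress.IPv4Address(group))


class SnoopingVlan:
    """IGMP Snooping state for one VLAN; ports are plain strings such as 'GE1/0/1'."""

    def __init__(self, ports, fast_leave=False, drop_unknown=False):
        self.ports = set(ports)
        self.router_ports = set()   # dynamic router ports, learned from general queries
        self.members = {}           # group -> set of member ports
        self.pending = {}           # group -> ports that sent a leave and must re-report
        self.fast_leave = fast_leave
        self.drop_unknown = drop_unknown

    def receive(self, port, pkt):
        """Process one IGMP message arriving on `port`; return the ports it is forwarded to."""
        msg_type, group = parse_igmp(pkt)
        if msg_type == IGMP_QUERY:
            self.router_ports.add(port)              # queries come from the querier side
            if group == "0.0.0.0":                   # general query: flood the VLAN
                return self.ports - {port}
            # group-specific query: router ports plus that group's member ports
            return (self.router_ports | self.members.get(group, set())) - {port}
        if msg_type == IGMP_V2_REPORT:
            self.members.setdefault(group, set()).add(port)
            self.pending.get(group, set()).discard(port)   # a host still wants the group
            return self.router_ports - {port}              # reports go to router ports only
        if msg_type == IGMP_LEAVE:
            if port not in self.members.get(group, set()):
                return set()                         # no entry for this port: discard
            if self.fast_leave:
                self._remove(group, port)            # prune now, without a query round trip
            else:
                self.pending.setdefault(group, set()).add(port)
            return self.router_ports - {port}
        raise ValueError(f"unsupported IGMP type 0x{msg_type:02x}")

    def query_timeout(self, group):
        """Max-response timer expired: drop ports that sent a leave and never re-reported."""
        gone = self.pending.pop(group, set())
        for port in gone:
            self._remove(group, port)
        return gone

    def _remove(self, group, port):
        ports = self.members.get(group)
        if ports is not None:
            ports.discard(port)
            if not ports:
                del self.members[group]

    def forward_data(self, group):
        """Egress ports for a multicast data frame addressed to `group`."""
        if group not in self.members:                # unknown multicast data
            return set() if self.drop_unknown else set(self.ports)
        return self.members[group] | self.router_ports


def demo():
    """Querier on GE1/0/1, receivers on GE1/0/3 and GE1/0/4, drop-unknown enabled."""
    vlan = SnoopingVlan(["GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"], drop_unknown=True)
    vlan.receive("GE1/0/1", build_igmp(IGMP_QUERY, "0.0.0.0"))
    vlan.receive("GE1/0/3", build_igmp(IGMP_V2_REPORT, "224.1.1.1"))
    vlan.receive("GE1/0/4", build_igmp(IGMP_V2_REPORT, "224.1.1.1"))
    known, unknown = vlan.forward_data("224.1.1.1"), vlan.forward_data("225.1.1.1")
    # GE1/0/4 leaves; the querier sends a group-specific query; nobody on GE1/0/4 answers
    vlan.receive("GE1/0/4", build_igmp(IGMP_LEAVE, "224.1.1.1"))
    vlan.receive("GE1/0/1", build_igmp(IGMP_QUERY, "224.1.1.1", max_resp=10))
    vlan.query_timeout("224.1.1.1")
    return {"known": known, "unknown": unknown, "after_leave": vlan.forward_data("224.1.1.1")}


if __name__ == "__main__":
    print(demo())
```

    Two points the model makes visible: a leave only removes a port after the group-specific query goes unanswered, so another host on the same port keeps receiving the stream, whereas fast leave prunes the port immediately and is therefore only safe on a port with a single receiver host; and a frame for a group with no forwarding entry is flooded to every port in the VLAN unless dropping unknown multicast data is enabled, which is the setting the configuration examples in this chapter turn on.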
  • Page 463: Configuring Basic Functions Of Igmp Snooping

    Configurations made in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. For a given VLAN, a configuration made in IGMP Snooping view is effective only if the same configuration is not made in VLAN view.
  • Page 464: Configuring The Version Of Igmp Snooping

    IGMP Snooping must be enabled globally before it can be enabled in a VLAN. When you enable IGMP Snooping in a specified VLAN, this function takes effect for the ports in this VLAN only. Configuring the Version of IGMP Snooping By configuring an IGMP Snooping version, you actually configure the version of IGMP messages that IGMP Snooping can process.
  • Page 465: Configuring Aging Timers For Dynamic Ports

    Configuring Aging Timers for Dynamic Ports If the switch receives no IGMP general queries or PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no IGMP reports for a multicast group on a dynamic member port, the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer of the port for that group expires.
  • Page 466: Configuring Simulated Joining

    Follow these steps to configure static ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view, or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
    Configure the port(s) as static member ports | igmp-snooping static-group group-address [ source-ip ... | Required
  • Page 467: Configuring Fast Leave Processing

    Follow these steps to configure simulated joining:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view, or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
    Configure simulated (*, G) or ... joining | igmp-snooping host-join group-address [ source-ip ... | Required
  • Page 468: Configuring Igmp Snooping Querier

    Configuring fast leave processing on a port or a group of ports
    Follow these steps to configure fast leave processing on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view, or port ... | interface interface-type interface-number | Required ...
  • Page 469: Configuring Igmp Queries And Responses

    Follow these steps to enable IGMP Snooping querier:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Enable IGMP Snooping querier | igmp-snooping querier | Required; disabled by default
    It is meaningless to configure an IGMP Snooping querier in a multicast network in which a Layer 3 device already runs IGMP. Although an IGMP Snooping querier does not take part in IGMP querier elections, it can still disturb them: IGMPv2 elects the device with the lowest IP address on the subnet as the querier, so a switch that sends IGMP general queries with a low source IP address can cause the real IGMP router to stop querying.
  • Page 470: Configuring Source Ip Address Of Igmp Queries

    Configuring IGMP queries and responses in a VLAN
    Follow these steps to configure IGMP queries and responses in a VLAN:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Configure IGMP general query interval | igmp-snooping query-interval interval | Optional ...
  • Page 471: Configuring An Igmp Snooping Policy

    Configuring an IGMP Snooping Policy Configuration Prerequisites Before configuring an IGMP Snooping policy, complete the following task: Enable IGMP Snooping in the VLAN or enable IGMP on the desired VLAN interface Before configuring an IGMP Snooping policy, prepare the following data: ACL rule for multicast group filtering The maximum number of multicast groups that can pass the ports Configuring a Multicast Group Filter...
  • Page 472: Configuring Multicast Source Port Filtering

    Disabled by default S5120-EI series switches, when enabled to filter IPv4 multicast data based on the source ports, are automatically enabled to filter IPv6 multicast data based on the source ports. Configuring the Function of Dropping Unknown Multicast Data Unknown multicast data refers to multicast data for which no entries exist in the IGMP Snooping forwarding table.
  • Page 473: Configuring Igmp Report Suppression

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Enable the function of dropping unknown multicast data | igmp-snooping drop-unknown | Required; disabled by default
    Configuring IGMP Report Suppression: When a Layer 2 device receives an IGMP report from a multicast group member, the device forwards the message to the Layer 3 device directly connected with it.
  • Page 474: Configuring Multicast Group Replacement

    When the number of multicast groups a port has joined reaches the configured maximum, the system deletes all the forwarding entries pertaining to that port from the IGMP Snooping forwarding table, and the hosts on this port need to join the multicast groups again. If you have configured static or simulated joins on a port, however, when the number of multicast groups on the port exceeds the configured threshold, the system deletes all the forwarding entries pertaining to that port from the IGMP Snooping forwarding table and applies the static or simulated...
  • Page 475: Displaying And Maintaining Igmp Snooping

    Configuring multicast group replacement on a port or a group of ports
    Follow these steps to configure multicast group replacement on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 ... | interface interface-type interface-number | Required ...
  • Page 476: Igmp Snooping Configuration Examples

    IGMP Snooping Configuration Examples Configuring Group Policy and Simulated Joining Network requirements As shown in Figure 1-3, Router A connects to the multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. IGMPv2 is required on Router A, IGMP Snooping version 2 is required on Switch A, and Router A will act as the IGMP querier on the subnet.
  • Page 477
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] quit
    Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable IGMP Snooping and the function of dropping unknown multicast traffic in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    [SwitchA-vlan100] igmp-snooping enable ...
  • Page 478: Static Port Configuration

      IP group(s):the following ip group(s) match to one mac group.
        IP group address:224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Attribute:    Host Port
          Host port(s):total 2 port.
            GE1/0/3   (D) ( 00:03:23 )
            GE1/0/4   (D) ( 00:04:10 )
      MAC group(s):
        MAC group address:0100-5e01-0101
          Host port(s):total 2 port.
            GE1/0/3
            GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined multicast...
  • Page 479 Network diagram: Figure 1-4 Network diagram for static port configuration (Source; Router A as IGMP querier; Switch A, Switch B and Switch C; Host A and Host C as receivers, Host B; interface addresses 1.1.1.1/24, 1.1.1.2/24 and 10.1.1.1/24). Configuration procedure: Configure IP addresses. Configure an IP address and subnet mask for each interface as per Figure...
  • Page 480
    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] igmp-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    Configure Switch B
    # Enable IGMP Snooping globally.
    <SwitchB> system-view
    [SwitchB] igmp-snooping
    [SwitchB-igmp-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable IGMP Snooping in the VLAN.
  • Page 481
      Vlan(id):100.
        Total 1 IP Group(s).
        Total 1 IP Source(s).
        Total 1 MAC Group(s).
        Router port(s):total 2 port.
          GE1/0/1   (D) ( 00:01:30 )
          GE1/0/3
        IP group(s):the following ip group(s) match to one mac group.
          IP group address:224.1.1.1
          (0.0.0.0, 224.1.1.1):
            Attribute:    Host Port
            Host port(s):total 1 port.
  • Page 482: Igmp Snooping Querier Configuration

    IGMP Snooping Querier Configuration Network requirements As shown in Figure 1-5, in a Layer 2–only network environment, two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224.1.1.1 and 225.1.1.1 respectively, Host A and Host C are receivers of multicast group 224.1.1.1, while Host B and Host D are receivers of multicast group 225.1.1.1.
  • Page 483
    # Enable the IGMP Snooping querier function in VLAN 100.
    [SwitchA-vlan100] igmp-snooping querier
    # Set the source IP address of IGMP general queries and group-specific queries to 192.168.1.1 in VLAN 100.
    [SwitchA-vlan100] igmp-snooping general-query source-ip 192.168.1.1
    [SwitchA-vlan100] igmp-snooping special-query source-ip 192.168.1.1
    [SwitchA-vlan100] quit
    Configure Switch B
    # Enable IGMP Snooping globally.
  • Page 484: Troubleshooting Igmp Snooping Configuration

    Troubleshooting IGMP Snooping Configuration Switch Fails in Layer 2 Multicast Forwarding Symptom A switch fails to implement Layer 2 multicast forwarding. Analysis IGMP Snooping is not enabled. Solution Enter the display current-configuration command to view the running status of IGMP Snooping. If IGMP Snooping is not enabled, use the igmp-snooping command to enable IGMP Snooping globally, and then use igmp-snooping enable command to enable IGMP Snooping in VLAN view.
  • Page 485 Table of Contents
    1 Multicast VLAN Configuration 1-1
      Introduction to Multicast VLAN 1-1
      Multicast VLAN Configuration Task List 1-3
      Configuring Sub-VLAN-Based Multicast VLAN 1-3
        Configuration Prerequisites 1-3
        Configuring Sub-VLAN-Based Multicast VLAN 1-3
      Configuring Port-Based Multicast VLAN 1-4
        Configuration Prerequisites 1-4
        Configuring User Port Attributes 1-4
        Configuring Multicast VLAN Ports 1-5
      Displaying and Maintaining Multicast VLAN 1-6
      Multicast VLAN Configuration Examples 1-6 ...
  • Page 486: Multicast Vlan Configuration

    Multicast VLAN Configuration
    When configuring multicast VLAN, go to these sections for information you are interested in: Introduction to Multicast VLAN; Multicast VLAN Configuration Task List; Configuring Sub-VLAN-Based Multicast VLAN; Configuring Port-Based Multicast VLAN; Displaying and Maintaining Multicast VLAN; Multicast VLAN Configuration Examples.
    Introduction to Multicast VLAN: As shown in Figure...
  • Page 487 Figure 1-2 Sub-VLAN-based multicast VLAN (Source; Router A as IGMP querier; Switch A with VLAN 10 as the multicast VLAN; receivers Host A, Host B and Host C in sub-VLANs VLAN 2, VLAN 3 and VLAN 4). After the configuration, IGMP Snooping manages router ports in the multicast VLAN and member ports in the sub-VLANs.
  • Page 488: Multicast Vlan Configuration Task List

    For information about IGMP Snooping, router ports, and member ports, refer to IGMP Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume. Multicast VLAN Configuration Task List Complete the following tasks to configure multicast VLAN: Task Remarks Configuring Sub-VLAN-Based Multicast VLAN...
  • Page 489: Configuring Port-Based Multicast Vlan

    The VLAN to be configured as a multicast VLAN must exist. The VLANs to be configured as sub-VLANs of the multicast VLAN must exist and must not be sub-VLANs of another multicast VLAN. The total number of sub-VLANs of a multicast VLAN must not exceed 63. Configuring Port-Based Multicast VLAN When configuring port-based multicast VLAN, you need to configure the attributes of each user port and then assign the ports to the multicast VLAN.
  • Page 490: Configuring Multicast Vlan Ports

    Follow these steps to configure user port attributes:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter port view or port group view | interface interface-type interface-number, or port-group { manual port-group-name | aggregation agg-id } | Required; use either command
    Configure the user port link type as hybrid | port link-type hybrid | Required ...
  • Page 491: Displaying And Maintaining Multicast Vlan

    Configuring multicast VLAN ports in port view or port group view
    Follow these steps to configure multicast VLAN ports in port view or port group view:
    To do... | Use this command... | Remarks
    Enter system view | system-view | —
    Configure the specified VLAN as a multicast VLAN and enter multicast VLAN view | multicast-vlan vlan-id | Required; not a multicast VLAN by ...
  • Page 492 Configure the sub-VLAN-based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs. Network diagram Figure 1-4 Network diagram for sub-VLAN-based multicast VLAN configuration Source IGMP querier Router A...
  • Page 493
    [SwitchA-vlan2] port gigabitethernet 1/0/2
    [SwitchA-vlan2] quit
    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable IGMP Snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] igmp-snooping enable
    [SwitchA-vlan10] quit ...
  • Page 494
        Total 1 IP Group(s).
        Total 1 IP Source(s).
        Total 1 MAC Group(s).
        Router port(s):total 0 port.
        IP group(s):the following ip group(s) match to one mac group.
          IP group address:224.1.1.1
          (0.0.0.0, 224.1.1.1):
            Host port(s):total 1 port.
              GE1/0/3
        MAC group(s):
          MAC group address:0100-5e01-0101
            Host port(s):total 1 port.
  • Page 495: Port-Based Multicast Vlan Configuration

    Port-Based Multicast VLAN Configuration Network requirements As shown in Figure 1-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/1, and to Switch A through GigabitEthernet 1/0/2. IGMPv2 is required on Router A. IGMPv2 Snooping is required on Switch A. Router A acts as the IGMP querier.
  • Page 496
    [RouterA-GigabitEthernet1/0/1] quit
    [RouterA] interface gigabitethernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] igmp enable
    Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable IGMP Snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] igmp-snooping enable ...
  • Page 497
      Total 1 multicast-vlan(s)
      Multicast vlan 10
        subvlan list:
          no subvlan
        port list:
          GE1/0/2   GE1/0/3   GE1/0/4
    # View the IGMP Snooping multicast group information on Switch A.
    [SwitchA] display igmp-snooping group
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Port flags: D-Dynamic port, S-Static port, C-Copy port
      Subvlan flags: R-Real VLAN, C-Copy VLAN
      Vlan(id):10.
  • Page 498 Table of Contents
    1 MLD Snooping Configuration 1-1
      MLD Snooping Overview 1-1
        Introduction to MLD Snooping 1-1
        Basic Concepts in MLD Snooping 1-2
        How MLD Snooping Works 1-3
        Protocols and Standards 1-5
      MLD Snooping Configuration Task List 1-5
      Configuring Basic Functions of MLD Snooping 1-6
        Configuration Prerequisites 1-6
        Enabling MLD Snooping 1-6
        Configuring the Version of MLD Snooping 1-7 ...
  • Page 499: Mld Snooping Configuration

    MLD Snooping Configuration
    When configuring MLD Snooping, go to these sections for information you are interested in: MLD Snooping Overview; MLD Snooping Configuration Task List; Displaying and Maintaining MLD Snooping; MLD Snooping Configuration Examples; Troubleshooting MLD Snooping.
    MLD Snooping Overview: Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups.
  • Page 500: Basic Concepts In Mld Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth. Enhancing the security of multicast traffic. Facilitating the implementation of per-host accounting. Basic Concepts in MLD Snooping MLD Snooping related ports As shown in Figure 1-2, Router A connects to the multicast source, MLD Snooping runs on Switch A and Switch B, Host A and Host C are receiver hosts (namely, IPv6 multicast group members).
  • Page 501: How Mld Snooping Works

    Whenever mentioned in this document, a router port is a router-connecting port on the switch, rather than a port on a router. Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports. On an MLD Snooping-enabled switch, the ports that received MLD general queries with the source address other than 0::0 or IPv6 PIM hello messages are dynamic router ports.
  • Page 502 General queries: The MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet. Upon receiving an MLD general query, the switch forwards it through all ports in the VLAN except the port on which it received the query, and performs the following: If the port on which the switch received the MLD query is a dynamic router port in its router port list, the switch resets the aging timer for this dynamic router port.
  • Page 503: Protocols And Standards

    If the forwarding table entry does not exist or if the outgoing port list does not contain the port, the switch discards the MLD done message instead of forwarding it to any port. If the forwarding table entry exists and the outgoing port list contains the port, the switch forwards the MLD done message to all router ports in the native VLAN.
  • Page 504: Configuring Basic Functions Of Mld Snooping

    Task | Remarks
    Configuring an MLD Snooping Policy:
      Configuring an IPv6 Multicast Group Filter | Optional
      Configuring IPv6 Multicast Source Port Filtering | Optional
      Configuring MLD Report Suppression | Optional
      Configuring Maximum Multicast Groups that Can Be Joined on a Port | Optional
      Configuring IPv6 Multicast Group Replacement | Optional
    Configurations made in MLD Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN.
  • Page 505: Configuring Mld Snooping Port Functions

    To do... | Use the command... | Remarks
    Enter VLAN view | vlan vlan-id | —
    Enable MLD Snooping in the VLAN | mld-snooping enable | Required; disabled by default
    MLD Snooping must be enabled globally before it can be enabled in a VLAN. When you enable MLD Snooping in a specified VLAN, this function takes effect for ports in this VLAN only.
  • Page 506: Configuring Aging Timers For Dynamic Ports

    Configure the corresponding port groups Before configuring MLD Snooping port functions, prepare the following data: Aging time of dynamic router ports, Aging timer of dynamic member ports, and IPv6 multicast group and IPv6 multicast source addresses Configuring Aging Timers for Dynamic Ports If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires.
  • Page 507: Configuring Simulated Joining

    Follow these steps to configure static ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view, or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
    Configure the port(s) as static member ports | mld-snooping static-group ipv6-group-address [ source-ip ... | Required
  • Page 508: Configuring Fast Leave Processing

    Follow these steps to configure simulated joining:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view, or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required; use either approach
    Configure simulated joining | mld-snooping host-join ipv6-group-address [ source-ip ... | Required
  • Page 509: Configuring Mld Snooping Querier

    Configuring fast leave processing on a port or a group of ports
    Follow these steps to configure fast leave processing on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view, or ... | interface interface-type interface-number | Required ...
  • Page 510: Configuring Mld Queries And Responses

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Enable the MLD Snooping querier | mld-snooping querier | Required; disabled by default
    It is meaningless to configure an MLD Snooping querier in an IPv6 multicast network in which a Layer 3 device already runs MLD. Although an MLD Snooping querier does not take part in MLD querier elections, it can still disturb them: MLD elects the device with the lowest IPv6 address on the link as the querier, so a switch that sends MLD general queries with a low source IPv6 address can cause the real MLD router to stop querying.
  • Page 511: Configuring Source Ipv6 Addresses Of Mld Queries

    Configuring MLD queries and responses in a VLAN
    Follow these steps to configure MLD queries and responses in a VLAN:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Configure MLD query interval | mld-snooping query-interval interval | Optional; 125 seconds by default ...
  • Page 512: Configuring An Mld Snooping Policy

    Configuring an MLD Snooping Policy Configuration Prerequisites Before configuring an MLD Snooping policy, complete the following tasks: Enable MLD Snooping in the VLAN or enable MLD on the desired VLAN interface Before configuring an MLD Snooping policy, prepare the following data: IPv6 ACL rule for IPv6 multicast group filtering The maximum number of IPv6 multicast groups that can pass the ports Configuring an IPv6 Multicast Group Filter...
  • Page 513: Configuring Ipv6 Multicast Source Port Filtering

    Configuring IPv6 Multicast Source Port Filtering With the IPv6 multicast source port filtering feature enabled on a port, the port can be connected with IPv6 multicast receivers only rather than with multicast sources, because the port will block all IPv6 multicast data packets while it permits multicast protocol packets to pass.
  • Page 514: Configuring Maximum Multicast Groups That Can Be Joined On A Port

    ... MLD reports from the same multicast group to the Layer 3 device. This helps reduce the number of packets being transmitted over the network.
    Follow these steps to configure MLD report suppression:
    To do... | Use the command... | Remarks
    Enter system view | system-view | — ...
  • Page 515: Configuring Ipv6 Multicast Group Replacement

    When the number of IPv6 multicast groups that a port has joined reaches the configured maximum, the system deletes all the forwarding entries pertaining to that port from the MLD Snooping forwarding table, and the hosts on this port need to join the IPv6 multicast groups again.
  • Page 516: Displaying And Maintaining Mld Snooping

    Configuring IPv6 multicast group replacement on a port or a group of ports
    Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | — ...
  • Page 517: Mld Snooping Configuration Examples

    MLD Snooping Configuration Examples
    Configuring IPv6 Group Policy and Simulated Joining
    Network requirements: As shown in Figure 1-3, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. MLDv1 is required on Router A, MLD Snooping version 1 is required on Switch A, and Router A will act as the MLD querier on the subnet.
  • Page 518
    [RouterA-GigabitEthernet1/0/2] pim ipv6 dm
    [RouterA-GigabitEthernet1/0/2] quit
    Configure Switch A
    # Enable MLD Snooping globally.
    <SwitchA> system-view
    [SwitchA] mld-snooping
    [SwitchA-mld-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable MLD Snooping in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    [SwitchA-vlan100] mld-snooping enable ...
  • Page 519: Static Port Configuration

        IP group address:FF1E::101
        (::, FF1E::101):
          Attribute:    Host Port
          Host port(s):total 2 port.
            GE1/0/3   (D) ( 00:03:23 )
            GE1/0/4   (D) ( 00:04:10 )
      MAC group(s):
        MAC group address:3333-0000-0101
          Host port(s):total 2 port.
            GE1/0/3
            GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined IPv6 multicast group FF1E::101. (The MAC group is 33-33 followed by the low-order 32 bits of the IPv6 group address, so FF1E::101 maps to 3333-0000-0101.)
  • Page 520 Network diagram: Figure 1-4 Network diagram for static port configuration (Source; Router A as MLD querier; Switch A, Switch B and Switch C; Host A and Host C as receivers, Host B; interface addresses 1::1/64, 1::2/64 and 2001::1/64). Configuration procedure: Enable IPv6 forwarding and configure IPv6 addresses. Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure...
  • Page 521 [SwitchA-vlan100] quit # Configure GigabitEthernet 1/0/3 to be a static router port. [SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] mld-snooping static-router-port vlan 100 [SwitchA-GigabitEthernet1/0/3] quit Configure Switch B # Enable MLD Snooping globally. <SwitchB> system-view [SwitchB] mld-snooping [SwitchB-mld-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable MLD Snooping in the VLAN.
  • Page 522 Vlan(id):100. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 2 port. GE1/0/1 (D) ( 00:01:30 ) GE1/0/3 IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Attribute: Host Port Host port(s):total 1 port.
  • Page 523: Mld Snooping Querier Configuration

    MLD Snooping Querier Configuration Network requirements As shown in Figure 1-5, in a Layer-2-only network environment, two multicast sources Source 1 and Source 2 send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively, Host A and Host C are receivers of multicast group FF1E::101, while Host B and Host D are receivers of multicast group FF1E::102.
  • Page 524: Troubleshooting Mld Snooping

    [SwitchB] ipv6 [SwitchB] mld-snooping [SwitchB-mld-snooping] quit # Create VLAN 100, add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 into VLAN 100. [SwitchB] vlan 100 [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4 # Enable the MLD Snooping feature in VLAN 100. [SwitchB-vlan100] mld-snooping enable [SwitchB-vlan100] quit Configurations of Switch C and Switch D are similar to the configuration of Switch B.
  • Page 525: Configured Ipv6 Multicast Group Policy Fails To Take Effect

    Configured IPv6 Multicast Group Policy Fails to Take Effect Symptom Although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups. Analysis The IPv6 ACL rule is incorrectly configured.
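The check behind this troubleshooting entry is whether the IPv6 ACL bound to the group policy really permits only the intended groups. The script below is an added example, not code from the H3C manual: it models an IPv6 basic ACL in the Comware `rule permit source <address> <prefix-length>` form, evaluates MLD joins against it (first matching rule decides; a group that matches no rule is treated as denied here, which is an assumption to verify against the ACL chapter), and compares a correct policy with the classic mistake of a too-short prefix length. The ACLs and group addresses are constructed sample input modelled on the page's FF1E::101 example.

```python
"""Model of how an IPv6 basic ACL gates MLD snooping group joins.

Added example, not code from the H3C manual. Rule grammar mirrors Comware's
'rule permit source <addr> <prefix-length>'; the first matching rule decides,
and a group matching no rule is treated as denied (assumption about the default).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    source: Optional[ipaddress.IPv6Network]  # None means "any"


def parse_rule(text: str) -> Rule:
    """Parse one ACL rule line, e.g. 'rule permit source ff1e::101 128'."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != "rule" or parts[1] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {text!r}")
    action = parts[1]
    if len(parts) == 2 or parts[2:4] == ["source", "any"]:
        return Rule(action, None)
    if len(parts) == 5 and parts[2] == "source":
        # strict=False makes 'ff1e::101 16' mean ff1e::/16, exactly as a prefix match does
        return Rule(action, ipaddress.IPv6Network(f"{parts[3]}/{parts[4]}", strict=False))
    raise ValueError(f"unrecognised rule: {text!r}")


def group_policy_decision(rules: List[Rule], group: str) -> str:
    """Return 'permit' or 'deny' for an MLD report that asks to join `group`."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    for rule in rules:
        if rule.source is None or addr in rule.source:
            return rule.action
    return "deny"  # assumption: no matching rule -> join filtered


def audit(rules: List[Rule], wanted: List[str], probes: List[str]) -> Dict[str, List[str]]:
    """Check that every wanted group is permitted and every other probe denied.

    'leaks' lists groups that are wrongly allowed: that is the symptom in the
    troubleshooting section (hosts still receive data for other groups).
    """
    leaks = [g for g in probes
             if g not in wanted and group_policy_decision(rules, g) == "permit"]
    missing = [g for g in wanted if group_policy_decision(rules, g) != "permit"]
    return {"leaks": leaks, "missing": missing}


# Constructed sample ACLs; the intent is that hosts may join FF1E::101 only.
CORRECT_ACL = [parse_rule("rule permit source ff1e::101 128"),
               parse_rule("rule deny source any")]
# A common mistake: a prefix length far too short (16 bits here), which turns
# the rule into "permit every group in FF1E::/16".
BROKEN_ACL = [parse_rule("rule permit source ff1e::101 16"),
              parse_rule("rule deny source any")]

PROBES = ["ff1e::101", "ff1e::102", "ff1e::1:1", "ff15::cafe"]

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ACL), ("broken", BROKEN_ACL)):
        print(name, audit(acl, ["ff1e::101"], PROBES))
```

Run it once with the ACL exactly as it appears in the switch configuration; a non-empty `leaks` list is the misconfiguration this section describes, and `missing` catches the opposite mistake of a rule that never matches the intended group.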
  • Page 526 Table of Contents 1 IPv6 Multicast VLAN Configuration ·········································································································1-1 Introduction to IPv6 Multicast VLAN ·······································································································1-1 IPv6 Multicast VLAN Configuration Task List ·························································································1-3 Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN ······································································1-3 Configuration Prerequisites ·············································································································1-3 Configuring Sub-VLAN-Based IPv6 Multicast VLAN·······································································1-3 Configuring Port-Based IPv6 Multicast VLAN·························································································1-4 Configuration Prerequisites ·············································································································1-4 Configuring User Port Attributes······································································································1-4 Configuring IPv6 Multicast VLAN Ports···························································································1-5...
  • Page 527: Ipv6 Multicast Vlan Configuration

    IPv6 Multicast VLAN Configuration When configuring IPv6 multicast VLAN, go to these sections for information you are interested in: Introduction to IPv6 Multicast VLAN IPv6 Multicast VLAN Configuration Task List Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN Configuring Port-Based IPv6 Multicast VLAN Displaying and Maintaining IPv6 Multicast VLAN IPv6 Multicast VLAN Configuration Examples Introduction to IPv6 Multicast VLAN...
  • Page 528 Figure 1-2 Sub-VLAN-based IPv6 multicast VLAN IPv6 Multicast packets VLAN 10 (IPv6 Multicast VLAN) VLAN 2 VLAN 2 Receiver VLAN 3 Host A VLAN 4 VLAN 3 Receiver Host B Source Router A Switch A MLD querier VLAN 4 Receiver Host C After the configuration, MLD snooping manages router ports in the IPv6 multicast VLAN and member ports in the sub-VLANs.
  • Page 529: Ipv6 Multicast Vlan Configuration Task List

    For information about MLD Snooping, router ports, and member ports, refer to MLD Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume. IPv6 Multicast VLAN Configuration Task List Complete the following tasks to configure IPv6 multicast VLAN: Configuration task Remarks Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN...
  • Page 530: Configuring Port-Based Ipv6 Multicast Vlan

    To do… Use the command… Remarks Required Configure the specified VLAN(s) as sub-VLAN(s) of the subvlan vlan-list By default, an IPv6 multicast IPv6 multicast VLAN VLAN has no sub-VLANs. The VLAN to be configured as an IPv6 multicast VLAN must exist. The VLANs to be configured as the sub-VLANs of the IPv6 multicast VLAN must exist and must not be sub-VLANs of another IPv6 multicast VLAN.
  • Page 531: Configuring Ipv6 Multicast Vlan Ports

    To do... Use the command... Remarks Enter system view system-view — interface interface-type interface-number Required Enter port view or port group view Use either approach. port-group manual port-group-name Required Configure the user port link type port link-type hybrid as hybrid Access by default Specify the user VLAN that Required...
  • Page 532: Displaying And Maintaining Ipv6 Multicast Vlan

    Configuring IPv6 multicast VLAN ports in port view or port group view Follow these steps to configure IPv6 multicast VLAN ports in port view or port group view: To do… Use this command… Remarks Enter system view system-view — Configure the specified Required VLAN as an IPv6 multicast multicast-vlan ipv6 vlan-id...
  • Page 533 Configure the sub-VLAN-based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs. Figure 1-4 Network diagram for sub-VLAN-based IPv6 multicast VLAN configuration Source MLD querier Router A...
  • Page 534 The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2. # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable MLD Snooping in the VLAN. [SwitchA] vlan 10 [SwitchA-vlan10] port gigabitethernet 1/0/1 [SwitchA-vlan10] mld-snooping enable [SwitchA-vlan10] quit # Configure VLAN 10 as an IPv6 multicast VLAN and configure VLAN 2 through VLAN 4 as its...
  • Page 535: Port-Based Multicast Vlan Configuration Example

    IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Host port(s):total 1 port. GE1/0/3 MAC group(s): MAC group address:3333-0000-0101 Host port(s):total 1 port. GE1/0/3 Vlan(id):4. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 0 port.
  • Page 536 Switch A’s GigabitEthernet 1/0/1 belongs to VLAN 10, GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 belong to VLAN 2 through VLAN 4 respectively, and Host A through Host C are attached to GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 of Switch A. The IPv6 multicast source sends IPv6 multicast data to IPv6 multicast group FF1E::101. Host A, Host B, and Host C are receivers of the IPv6 multicast group.
  • Page 537 # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable MLD Snooping in this VLAN. [SwitchA] vlan 10 [SwitchA-vlan10] port gigabitethernet 1/0/1 [SwitchA-vlan10] mld-snooping enable [SwitchA-vlan10] quit # Create VLAN 2 and enable MLD Snooping in the VLAN. [SwitchA] vlan 2 [SwitchA-vlan2] mld-snooping enable [SwitchA-vlan2] quit...
  • Page 538 Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):10. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 1 port. GE1/0/1 IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Host port(s):total 3 port.
  • Page 539 QoS Volume Organization Manual Version 6W100-20090630 Product Version Release 2202 Organization The QoS Volume is organized as follows: Features Description This document describes: QoS overview QoS policy configuration Priority mapping configuration Traffic policing Configuration Traffic shaping Configuration Line rate configuration Congestion management Traffic mirroring configuration User profile provides a configuration template to save predefined...
  • Page 540 Table of Contents 1 QoS Overview ············································································································································1-1 Introduction ·············································································································································1-1 Traditional Packet Forwarding Service ···································································································1-1 New Requirements from Emerging Services ··························································································1-1 Congestion: Causes, Impacts, and Countermeasures ···········································································1-2 Causes ············································································································································1-2 Impacts ············································································································································1-2 Countermeasures ····························································································································1-2 Major Traffic Management Techniques ··································································································1-3 2 QoS Policy Configuration ·························································································································2-1 Overview ·················································································································································2-1 Configuring a QoS Policy························································································································2-1 Defining a Class ······························································································································2-1...
  • Page 541 5 Congestion Management··························································································5-1 Overview ·················································································································5-1 Congestion Management Policy ·············································································5-1 Configuring an SP Queue ·······················································································5-4 Configuration Procedure··················································································5-4 Configuration Example ····················································································5-5 Configuring a WRR Queue ·····················································································5-5 Configuration Procedure··················································································5-5 Configuration Example ····················································································5-5 Configuring a WFQ Queue ·····················································································5-6 Configuration Procedure··················································································5-6 Configuration Example ····················································································5-6 Configuring SP+WRR Queues················································································5-7 Configuration Procedure··················································································5-7 Configuration Example ····················································································5-7 Displaying and Maintaining Congestion Management············································································5-8...
  • Page 542: Qos Overview

    QoS Overview This chapter covers these topics: Introduction Traditional Packet Forwarding Service New Requirements from Emerging Services Congestion: Causes, Impacts, and Countermeasures Major Traffic Management Techniques Introduction Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
  • Page 543: Congestion: Causes, Impacts, And Countermeasures

    The emerging applications demand higher service performance of IP networks. Better network services during packet forwarding are required, such as providing dedicated bandwidth, reducing the packet loss ratio, managing and avoiding congestion, regulating network traffic, and setting the precedence of packets. To meet these requirements, a network must provide better services. Congestion: Causes, Impacts, and Countermeasures Network congestion is a major factor degrading the service quality of a traditional network.
  • Page 544: Major Traffic Management Techniques

    A more effective solution is to provide differentiated services for different applications through traffic control and resource allocation. In this way, resources can be used more appropriately. During resource allocation and traffic control, the direct or indirect factors that might cause network congestion should be controlled to reduce the probability of congestion.
  • Page 545 This section is focused on traffic classification, and the subsequent sections will introduce the other technologies in detail. Traffic Classification Traffic classification organizes packets with different characteristics into different classes using match criteria. It is the basis for providing differentiated services. You can define match criteria based on the IP precedence bits in the type of service (ToS) field of the IP packet header, or based on other header information such as IP addresses, MAC addresses, IP protocol field, and port numbers.
  • Page 546: Qos Policy Configuration

    QoS Policy Configuration When configuring QoS policy, go to these sections for information that you are interested in: Overview Configuring a QoS Policy Displaying and Maintaining QoS Policies Overview QoS policy includes the following three elements: class, traffic behavior and policy. You can bind the specified class to the specified traffic behavior through QoS policies to facilitate the QoS configuration.
  • Page 547 Configuration procedure Follow these steps to define a class: To do… Use the command… Remarks Enter system view system-view — Required By default, the and keyword is traffic classifier specified. That is, the relation Create a class and enter the classifier-name [ operator between the rules in the class corresponding class view...
  • Page 548 Form Description Specifies to match packets by DSCP precedence. The dscp-list argument is a list of DSCP values in the range of 0 to 63. dscp dscp-list Even though you can provide up to eight space-separated DSCP values for this argument, the S5120-EI switch supports only one DSCP value in a rule.
  • Page 549: Defining A Traffic Behavior

    Configuration example Network requirements Configure a class named test to match the packets with their IP precedence being 6. Configuration procedure # Enter system view. <Sysname> system-view # Create the class. (This operation leads you to class view.) [Sysname] traffic classifier test # Define the classification rule.
  • Page 550: Defining A Policy

    To do… Use the command… Remarks Configure accounting action accounting car cir committed-information-rate [ cbs committed-burst-size [ ebs Configure traffic policing action excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [ yellow action ] Configure traffic filtering filter { deny | permit } behavior...
  • Page 551: Applying A Policy

    To do… Use the command… Remarks Enter system view system-view — Create a policy (This operation qos policy policy-name — leads you to policy view) Specify the traffic behavior for a classifier classifier-name behavior Required class behavior-name Applying a Policy You can apply a QoS policy in different views as follows: In port or port group view, the policy applies to the inbound or outbound direction of an interface or a group of interfaces;...
  • Page 552 To do… Use the command… Remarks Apply an associated qos apply policy policy-name Required policy inbound Applying a QoS policy to online users You can apply a QoS policy to traffic of multiple online users. You can apply only one policy in one direction (inbound or outbound) of the traffic of online users.
  • Page 553: Displaying And Maintaining Qos Policies

    QoS policies cannot be applied to dynamic VLANs, for example, VLANs created by GVRP. Do not apply a QoS policy to a VLAN and the ports in the VLAN at the same time. Configuration example Configuration example 1 Configure a QoS policy test_policy. Associate the traffic behavior test_behavior with the traffic class test_class in the policy, and apply the policy to: the inbound direction of GigabitEthernet 1/0/1.
  • Page 554 To do… Use the command… Remarks display qos policy interface Display information about the [ interface-type Available in any view policies applied on a port interface-number ] [ inbound ] display traffic behavior Display information about a user-defined Available in any view traffic behavior [ behavior-name ] display traffic classifier...
  • Page 555: Priority Mapping

    Priority Mapping When configuring priority mapping, go to these sections for information you are interested in: Priority Overview Priority Mapping Overview Configuring a Priority Mapping Table Configuring the Port Priority Configuring Port Priority Trust Mode Displaying and Maintaining Priority Mapping Priority Overview The following describes several types of precedence: IP precedence, ToS precedence, and DSCP precedence...
  • Page 556 IP Precedence (decimal) IP Precedence (binary) Description internet network In a network providing differentiated services, traffic is grouped into the following four classes, and packets are processed according to their DSCP values. Expedited Forwarding (EF) class: In this class, packets can be forwarded regardless of link share of other traffic.
  • Page 557 DSCP value (decimal) DSCP value (binary) Description 111000 000000 be (default) 802.1p priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 3-2 An Ethernet frame with an 802.1Q tag header As shown in Figure...
  • Page 558: Priority Mapping Overview

    The precedence is called 802.1p priority because the related applications of this precedence are defined in detail in the 802.1p specifications. Priority Mapping Overview When a packet reaches a switch, the switch assigns the packet parameters according to its configuration, such as 802.1p precedence, DSCP precedence, IP precedence, local precedence, and drop precedence.
  • Page 559 When trusting packet priority, S5120-EI series Ethernet switches can trust one of the following two priority types: Trusting the DSCP precedence of received packets. In this mode, the switch searches the dscp-dot1p/dp/dscp mapping table based on the DSCP precedence of the received packet for the 802.1p precedence/drop precedence/DSCP precedence to be used to mark the packet.
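The trust mode decides which field of an arriving frame the switch believes, and therefore which field a host can forge to get a better queue. The script below is an added example, not code from the H3C manual: it extracts the 802.1p priority from the 802.1Q tag and the DSCP/IP precedence from the IPv4 or IPv6 header of a raw frame, then applies a port's trust mode. The only mapping table it uses is the page's default dscp-dot1p mapping (DSCP 0-7 to 802.1p 0, 8-15 to 1, and so on); the fallback to the port priority when the trusted field is absent is an assumption, and the sample frames are constructed inline.

```python
"""Extract the trustable priorities from a frame and apply a port's trust mode.

Added example, not code from the H3C manual. Uses the page's default
dscp-dot1p table (top three DSCP bits); the port-priority fallback when the
trusted field is missing is an assumption. Sample frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
ETH_P_IPV6 = 0x86DD


@dataclass(frozen=True)
class Priorities:
    dot1p: Optional[int]          # PCP from the 802.1Q tag; None if untagged
    dscp: Optional[int]           # 6-bit DSCP; None if not an IP packet
    ip_precedence: Optional[int]  # top 3 bits of the DSCP field


def parse_priorities(frame: bytes) -> Priorities:
    """Extract 802.1p, DSCP and IP precedence from an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, dot1p = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        dot1p = tci >> 13                      # PCP is the top 3 bits of the TCI
        offset = 18
    dscp = None
    if ethertype == ETH_P_IPV4 and len(frame) >= offset + 20:
        dscp = frame[offset + 1] >> 2          # ToS byte: DSCP occupies bits 7..2
    elif ethertype == ETH_P_IPV6 and len(frame) >= offset + 40:
        # Traffic Class straddles bytes 0 and 1 of the IPv6 header
        traffic_class = ((frame[offset] & 0x0F) << 4) | (frame[offset + 1] >> 4)
        dscp = traffic_class >> 2
    ip_prec = None if dscp is None else dscp >> 3
    return Priorities(dot1p, dscp, ip_prec)


def default_dscp_to_dot1p(dscp: int) -> int:
    """The page's default dscp-dot1p table: 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7."""
    return dscp >> 3


def trusted_dot1p(p: Priorities, trust: str, port_priority: int = 0) -> int:
    """802.1p value the switch will use after applying the port's trust mode."""
    if trust == "dscp" and p.dscp is not None:
        return default_dscp_to_dot1p(p.dscp)
    if trust == "dot1p" and p.dot1p is not None:
        return p.dot1p
    return port_priority   # assumption: no trusted field present -> port priority


def build_frame(pcp: Optional[int], dscp: int, ipv6: bool, vid: int = 100) -> bytes:
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + minimal IP header."""
    dst = bytes.fromhex("333300000101")        # multicast MAC seen in the page's display output
    src = bytes.fromhex("00e0fc000001")        # made-up host MAC
    hdr = dst + src
    if pcp is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid)
    if ipv6:
        hdr += struct.pack("!H", ETH_P_IPV6)
        ver_tc_flow = (6 << 28) | ((dscp << 2) << 20)
        ip = struct.pack("!IHBB", ver_tc_flow, 0, 17, 64) + bytes(32)   # addresses zeroed
    else:
        hdr += struct.pack("!H", ETH_P_IPV4)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                         bytes(4), bytes(4))
    return hdr + ip


if __name__ == "__main__":
    tagged_ef = build_frame(pcp=3, dscp=46, ipv6=True)        # host set PCP 3, DSCP 46 (EF)
    untagged_af = build_frame(pcp=None, dscp=26, ipv6=False)  # untagged IPv4, DSCP 26
    for name, frame in (("tagged EF", tagged_ef), ("untagged AF31", untagged_af)):
        p = parse_priorities(frame)
        print(name, p, "trust dscp ->", trusted_dot1p(p, "dscp", 2),
              "trust dot1p ->", trusted_dot1p(p, "dot1p", 2))
```

The tagged frame shows the point of the trust mode: the same packet lands in 802.1p 5 under `trust dscp` but in 802.1p 3 under `trust dot1p`, so on an edge port facing untrusted hosts the mode (or a remark action) decides whether a host can pick its own queue.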
  • Page 560: Configuring A Priority Mapping Table

    Table 3-5 The default values of dscp-dp mapping, dscp-dot1p mapping, and dscp-dscp mapping Imported priority dscp-dp mapping dscp-dot1p mapping dscp-dscp mapping value DSCP precedence 802.1p precedence DSCP precedence Drop precedence (dp) (dscp) (dot1p) (dscp) 0 to 7 0 to 7 8 to 15 8 to 15 16 to 23...
  • Page 561: Configuration Example

    You cannot configure to map any DSCP value to drop precedence 1. Configuration Example Network requirements Modify the dot1p-lp mapping table as listed in Table 3-6. Table 3-6 The specified dot1p-lp mapping 802.1p precedence Local precedence Configuration procedure # Enter system view. <Sysname>...
  • Page 562: Configuration Prerequisites

    Configuration Prerequisites The port priority of the port is determined. Configuration Procedure Follow these steps to configure port priority: To do… Use the command… Remarks Enter system view system-view — Enter port interface interface-type Perform either of the two operations. view interface-number The configuration performed in Ethernet...
  • Page 563: Configuration Procedure

    Configuration Procedure Follow these steps to configure the port priority trust mode: To do… Use the command… Remarks Enter system view system-view — Enter port interface interface-type Perform either of the two operations. view interface-number Enter port The configuration performed in Ethernet view or interface view applies to the current port port group...
  • Page 564: Traffic Policing, Traffic Shaping, And Line Rate Overview

    Traffic Policing, Traffic Shaping, and Line Rate Configuration When configuring traffic classification, traffic policing, traffic shaping, and line rate, go to these sections for information you are interested in: Traffic Policing, Traffic Shaping, and Line Rate Overview Traffic Evaluation and the Token Bucket CAR/GTS/Line Rate Configuration Displaying Line Rate Traffic Policing, Traffic Shaping, and Line Rate Overview...
  • Page 565: Traffic Policing

    packet forwarding authority must be taken out; otherwise, this means too many tokens have been used — the traffic is in excess of the specification. Complicated Evaluation You can set two token buckets (referred to as the C bucket and E bucket respectively) in order to evaluate more complicated conditions and implement more flexible regulation policies.
  • Page 566: Line Rate

    Dropping conforming or non-conforming packets. Marking a conforming packet or a non-conforming packet with a new DSCP precedence value and forwarding the packet. Traffic Shaping Traffic shaping provides measures to adjust the rate of outbound traffic actively. A typical traffic shaping application is to limit the local traffic output rate according to the downstream traffic policing parameters.
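The two-bucket evaluation described on the previous page and the green/yellow/red actions of the `car` behavior are easiest to see with numbers. The script below is an added example, not code from the H3C manual: it implements a single-rate policer with a C bucket of depth CBS and an E bucket of depth EBS, both fed from the CIR token stream, and attaches an action to each colour. The refill rule (C fills first, overflow tokens go to E) is the RFC 2697 srTCM rule and is an assumption about the switch's internals; the `pir` option is not modelled, and the packet burst is constructed input.

```python
"""Two-bucket CAR policer: C bucket (depth CBS) and E bucket (depth EBS), both
fed at CIR, with a green/yellow/red verdict per packet and an action per colour.

Added example, not code from the H3C manual. The refill rule (C first,
overflow into E) follows RFC 2697 srTCM and is an assumption; pir is not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CarPolicer:
    cir_kbps: int            # committed information rate, kbit/s
    cbs: int                 # C bucket depth, bytes (committed burst size)
    ebs: int = 0             # E bucket depth, bytes (excess burst size)
    green: str = "pass"      # actions per colour, as in 'car ... green/yellow/red'
    yellow: str = "pass"
    red: str = "discard"
    c_tokens: int = field(init=False)
    e_tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.c_tokens, self.e_tokens = self.cbs, self.ebs   # both buckets start full

    def _refill(self, now_ms: int) -> None:
        """Add CIR * elapsed tokens: C first, the overflow into E, both capped."""
        earned = (now_ms - self.last_ms) * self.cir_kbps // 8   # kbit/s * ms / 8 = bytes
        self.last_ms = now_ms
        to_c = min(earned, self.cbs - self.c_tokens)
        self.c_tokens += to_c
        self.e_tokens = min(self.ebs, self.e_tokens + earned - to_c)

    def colour(self, size: int, now_ms: int) -> str:
        """Colour of a packet of `size` bytes arriving at `now_ms` (colour-blind mode)."""
        self._refill(now_ms)
        if self.c_tokens >= size:          # enough committed tokens: conforming
            self.c_tokens -= size
            return "green"
        if self.e_tokens >= size:          # C exhausted but the excess bucket can pay
            self.e_tokens -= size
            return "yellow"
        return "red"                       # neither bucket can pay: out of profile

    def police(self, size: int, now_ms: int) -> Tuple[str, str]:
        """Return (colour, action) for one packet."""
        c = self.colour(size, now_ms)
        return c, {"green": self.green, "yellow": self.yellow, "red": self.red}[c]


def run(policer: CarPolicer, packets: List[Tuple[int, int]]) -> List[str]:
    """Feed (size_bytes, arrival_ms) pairs through the policer; return the actions."""
    return [policer.police(size, t)[1] for size, t in packets]


if __name__ == "__main__":
    # 800 kbit/s = 100 000 bytes/s; 10 kB committed burst, 5 kB excess burst.
    pol = CarPolicer(cir_kbps=800, cbs=10000, ebs=5000,
                     yellow="remark-dscp 0", red="discard")
    burst = [(1000, 0)] * 20                   # constructed: 20 kB arriving at once
    print(run(pol, burst))                     # 10 x pass, 5 x remark-dscp 0, 5 x discard
    print(pol.police(10000, 100))              # 100 ms later the C bucket has refilled
```

With these parameters a 20 kB burst is split exactly as the two depths dictate: the first 10 kB rides on the C bucket (green, forwarded), the next 5 kB on the E bucket (yellow, here re-marked to a lower DSCP), and the remainder is red and dropped; after 100 ms at 800 kbit/s the C bucket holds another 10 kB.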
  • Page 567: Car/Gts/Line Rate Configuration

    IP layer. To limit the rate of all the packets on interfaces, using line rate is easier. CAR/GTS/Line Rate Configuration On the S5120-EI series switches, traffic policing is achieved mainly through QoS policies. For QoS policy configuration, refer to Configuring a QoS Policy.
  • Page 568: Line Rate Configuration Procedure

    To do… Use the command… Remarks port group settings in port group view Enter port view take effect on all ports in the group port-group manual port-group-name port group. view qos gts queue queue-number cir Configure GTS for a committed-information-rate [ cbs Required queue committed-burst-size]...
  • Page 569: Displaying Line Rate

    Displaying Line Rate To do… Use the command… Remarks Display the line rate configuration of display qos lr interface Available in any interfaces [ interface-type interface-number ] view...
  • Page 570: Congestion Management

    Each queuing algorithm is used to solve specific network traffic problems and affects the parameters such as bandwidth allocation, delay and delay jitter. The S5120-EI series support the following four queue scheduling methods: Scheduling all queues with the strict priority (SP) algorithm.
  • Page 571 Figure 5-1 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay. Assume that there are eight output queues on the port and the preferential queue classifies the eight output queues on the port into eight classes, which are queue7, queue6, queue5, queue4, queue3, queue2, queue1, and queue0.
  • Page 572 The higher precedence value a traffic flow has, the more bandwidth it gets. The S5120-EI series switches introduce the minimum guaranteed bandwidth mechanism, and use it in conjunction with WFQ as follows: The minimum guaranteed bandwidth configuration guarantees a certain amount of bandwidth for each WFQ queue.
  • Page 573: Configuring An Sp Queue

    The allocable bandwidth (allocable bandwidth = the total bandwidth – the sum of the minimum guaranteed bandwidth for each queue) is divided and allocated to each queue based on queue precedence. For example, assume that the total bandwidth of an interface is 10 Mbps and there are five flows on the interface, with the precedence being 0, 1, 2, 3, and 4 respectively and the minimum guaranteed bandwidth being 128 kbps, 128 kbps, 128 kbps, 64 kbps, and 64 kbps respectively.
  • Page 574: Configuration Example

    Configuration Example Network requirements Configure GigabitEthernet1/0/1 to adopt the SP queue scheduling algorithm. Configuration procedure # Enter system view. <Sysname> system-view # Configure an SP queue for GigabitEthernet1/0/1 port. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] qos sp Configuring a WRR Queue Configuration Procedure Follow these steps to configure WRR queues: To do…...
  • Page 575: Configuring A Wfq Queue

    [Sysname-GigabitEthernet1/0/1] qos wrr 1 group 1 weight 2 [Sysname-GigabitEthernet1/0/1] qos wrr 2 group 1 weight 4 [Sysname-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 6 [Sysname-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 8 [Sysname-GigabitEthernet1/0/1] qos wrr 5 group 1 weight 10 [Sysname-GigabitEthernet1/0/1] qos wrr 6 group 1 weight 12 [Sysname-GigabitEthernet1/0/1] qos wrr 7 group 1 weight 14 Configuring a WFQ Queue...
  • Page 576: Configuring Sp+Wrr Queues

    [Sysname-GigabitEthernet1/0/1] qos wfq [Sysname-GigabitEthernet1/0/1] qos wfq 0 weight 1 [Sysname-GigabitEthernet1/0/1] qos wfq 1 weight 2 [Sysname-GigabitEthernet1/0/1] qos wfq 2 weight 4 [Sysname-GigabitEthernet1/0/1] qos wfq 3 weight 6 [Sysname-GigabitEthernet1/0/1] qos wfq 4 weight 8 [Sysname-GigabitEthernet1/0/1] qos wfq 5 weight 10 [Sysname-GigabitEthernet1/0/1] qos wfq 6 weight 12 [Sysname-GigabitEthernet1/0/1] qos wfq 7 weight 14 Configuring SP+WRR Queues By default, all ports adopt the WRR queue algorithm.
  • Page 577: Displaying And Maintaining Congestion Management

    Configuration procedure # Enter system view. <Sysname> system-view # Enable the SP+WRR queue scheduling algorithm on GigabitEthernet1/0/1. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] qos wrr [Sysname-GigabitEthernet1/0/1] qos wrr 0 group sp [Sysname-GigabitEthernet1/0/1] qos wrr 1 group sp [Sysname-GigabitEthernet1/0/1] qos wrr 2 group sp [Sysname-GigabitEthernet1/0/1] qos wrr 3 group sp [Sysname-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 2 [Sysname-GigabitEthernet1/0/1] qos wrr 5 group 1 weight 4...
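What the three scheduling modes do to a saturated port is the part these procedures leave implicit, in particular that SP starves every lower queue for as long as a higher one has traffic. The script below is an added example, not code from the H3C manual: a packet-level model of SP, WRR and SP+WRR scheduling. It reuses the weights from the page's WRR example (queue 0 weight 1 is inferred from the pattern of the WFQ example) and the SP group of the SP+WRR example, and assumes, as that example implies, that SP-group queues are served before any WRR-group queue, highest queue number first. Packets are equal size and one is sent per slot, so per-queue counts are bandwidth shares.

```python
"""Packet-level model of the S5120-EI scheduling modes: SP, WRR and SP+WRR.

Added example, not code from the H3C manual. Weights come from the page's
examples (queue 0 weight 1 inferred); the assumption is that SP-group queues
are served before any WRR-group queue, highest queue number first.
"""
from typing import Dict, Set

WRR_WEIGHTS = {0: 1, 1: 2, 2: 4, 3: 6, 4: 8, 5: 10, 6: 12, 7: 14}   # 'qos wrr N group 1 weight W'
SP_WRR_SP_GROUP = {0, 1, 2, 3}                                     # 'qos wrr N group sp'
SP_WRR_WEIGHTS = {4: 2, 5: 4, 6: 6, 7: 8}                           # WRR group of the SP+WRR example


def schedule(backlog: Dict[int, int], sp_queues: Set[int],
             wrr_weights: Dict[int, int], slots: int) -> Dict[int, int]:
    """Return packets sent per queue after `slots` transmission slots.

    backlog: queue -> packets waiting (not refilled during the run).
    sp_queues: queues scheduled with strict priority (highest number first).
    wrr_weights: queue -> packets it may send per WRR round.
    """
    remaining = dict(backlog)
    sent = {q: 0 for q in backlog}
    credit = dict(wrr_weights)
    order = sorted(wrr_weights, reverse=True)
    for _ in range(slots):
        # Strict priority: the highest-numbered SP queue holding traffic always wins.
        q = next((s for s in sorted(sp_queues, reverse=True) if remaining.get(s, 0) > 0), None)
        if q is None:
            eligible = [s for s in order if remaining.get(s, 0) > 0]
            if not eligible:
                break                              # link idle
            q = next((s for s in eligible if credit[s] > 0), None)
            if q is None:                          # every eligible queue spent its round's credit
                credit = dict(wrr_weights)
                q = eligible[0]
            credit[q] -= 1
        remaining[q] -= 1
        sent[q] += 1
    return sent


def starved(sent: Dict[int, int], backlog: Dict[int, int]) -> Set[int]:
    """Queues that had traffic but never got a slot."""
    return {q for q, n in backlog.items() if n > 0 and sent[q] == 0}


if __name__ == "__main__":
    saturated = {q: 10_000 for q in range(8)}            # constructed: every queue overloaded
    sp = schedule(saturated, set(range(8)), {}, 1000)
    print("SP:", sp, "starved:", sorted(starved(sp, saturated)))
    wrr = schedule(saturated, set(), WRR_WEIGHTS, 570)    # 570 slots = 10 rounds of 57
    print("WRR:", wrr)
    mixed_backlog = {0: 5, 1: 5, 2: 5, 3: 5, 4: 10_000, 5: 10_000, 6: 10_000, 7: 10_000}
    mixed = schedule(mixed_backlog, SP_WRR_SP_GROUP, SP_WRR_WEIGHTS, 40)
    print("SP+WRR:", mixed)
```

Under `qos sp` with all eight queues backlogged, only queue 7 ever transmits, which is why a port that trusts host-supplied 802.1p (or DSCP) under SP lets one flooding host silence the rest of the port. Under WRR each queue receives its weight's share of the 57 slots per round and nothing starves; under SP+WRR the SP group drains first and the WRR group then shares the remaining slots 2:4:6:8.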
  • Page 578: Traffic Mirroring Configuration

    VLAN does not exist, you can still configure the function, and the function will automatically take effect after the VLAN is created and a port is added to it. On S5120-EI series Ethernet switches, traffic can only be mirrored to ports or to the CPU. Configuring Traffic Mirroring To configure traffic mirroring, you must enter the view of an existing traffic behavior.
  • Page 579: Displaying And Maintaining Traffic Mirroring

    Displaying and Maintaining Traffic Mirroring To do… Use the command… Remarks Display the configuration information display traffic behavior about the user-defined traffic behavior user-defined behavior-name Available in any view Display the configuration information display qos policy user-defined about the user-defined policy policy-name Traffic Mirroring Configuration Example Network Requirements...
  • Page 580 [Sysname-behavior-1] quit # Configure a QoS policy and associate traffic behavior 1 with classification rule 1. [Sysname] qos policy 1 [Sysname-policy-1] classifier 1 behavior 1 [Sysname-policy-1] quit # Apply the policy in the inbound direction of GigabitEthernet1/0/1. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] qos apply policy 1 inbound After the configurations, you can monitor all packets sent from Host A on the data monitoring device.
  • Page 581 Table of Contents 1 User Profile Configuration························································································································1-1 User Profile Overview ·····························································································································1-1 User Profile Configuration·······················································································································1-1 User Profile Configuration Task List································································································1-1 Creating a User Profile ····················································································································1-2 Applying a QoS Policy to User Profile ·····························································································1-2 Enabling a User Profile····················································································································1-3 Displaying and Maintaining User Profile ·································································································1-3...
  • Page 582: User Profile Configuration

    User Profile Configuration When configuring user profile, go to these sections for information you are interested in: User Profile Overview User Profile Configuration Displaying and Maintaining User Profile User Profile Overview User profile provides a configuration template to save predefined configurations. Based on different application scenarios, you can configure different items for a user profile, such as Committed Access Rate (CAR) and Quality of Service (QoS).
  • Page 583: Creating A User Profile

    Creating a User Profile Configuration Prerequisites Before creating a user profile, you need to configure authentication parameters. User profile supports 802.1X authentication. You need to perform the related configurations (for example, username, password, authentication scheme, domain, and the binding between a user profile and a user) on the client, the device, and the authentication server.
  • Page 584: Displaying And Maintaining User Profile

    When a user profile is active, you cannot configure or remove the QoS policy applied to it. The QoS policies applied in user profile view support only the remark, car, and filter actions. Do not apply an empty QoS policy in user profile view, because even if you can do that, the user profile cannot be activated.
  • Page 585 Security Volume Organization. Manual Version 6W100-20090630, Product Version Release 2202. The Security Volume is organized as follows (Features / Description): AAA: Authentication, Authorization and Accounting (AAA) provide a uniform framework used for configuring these three security functions to implement network security management. This document describes: Introduction to AAA, RADIUS and HWTACACS; AAA configuration; RADIUS configuration...
  • Page 586 Features / Description (continued): Port Security: Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1X authentication and MAC authentication. This document describes: Enabling Port Security; Setting the Maximum Number of Secure MAC Addresses; Setting the Port Security Mode; Configuring Port Security Features...
  • Page 587 Table of Contents: 1 AAA Configuration (1-1); Introduction to AAA (1-1); Introduction to RADIUS (1-2); Client/Server Model (1-2); Security and Authentication Mechanisms (1-3); Basic Message Exchange Process of RADIUS (1-3); RADIUS Packet Format (1-4); Extended RADIUS Attributes (1-7); Introduction to HWTACACS (1-7); Differences Between HWTACACS and RADIUS (1-7); Basic Message Exchange Process of HWTACACS (1-8); Protocols and Standards (1-10); AAA Configuration Task List (1-10)...
  • Page 588 Specifying the HWTACACS Authorization Servers (1-31); Specifying the HWTACACS Accounting Servers (1-32); Setting the Shared Key for HWTACACS Packets (1-33); Configuring Attributes Related to the Data Sent to HWTACACS Server (1-33); Setting Timers Regarding HWTACACS Servers (1-34); Displaying and Maintaining HWTACACS (1-34); AAA Configuration Examples (1-35); AAA for Telnet Users by a HWTACACS Server (1-35); AAA for Telnet Users by Separate Servers (1-36); AAA for SSH Users by a RADIUS Server (1-38)...
  • Page 589: Aaa Configuration

    AAA Configuration
    When configuring AAA, go to these sections for information you are interested in: Introduction to AAA; Introduction to RADIUS; Introduction to HWTACACS; Protocols and Standards; AAA Configuration Task List; Configuring AAA; Configuring RADIUS; Configuring HWTACACS; AAA Configuration Examples; Troubleshooting AAA.
    Introduction to AAA
    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring...
  • Page 590: Introduction To Radius

    requirements. For example, you can use the HWTACACS server for authentication and authorization, and the RADIUS server for accounting. The three security functions are described as follows:
    Authentication: Identifies remote users and judges whether a user is legal.
    Authorization: Grants different users different rights. For example, a user logging into the server can be granted the permission to access and print the files in the server.
  • Page 591: Security And Authentication Mechanisms

    Figure 1-2 RADIUS server components
    Users: Stores user information such as the usernames, passwords, applied protocols, and IP addresses.
    Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses.
    Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values.
    Security and Authentication Mechanisms
    Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network.
  • Page 592: Radius Packet Format

    The host initiates a connection request carrying the username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
  • Page 593 (Code / Packet type / Description): Access-Reject: From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends an Access-Reject response. (Next packet type, name not shown on this page): From the client to the server. A packet of this type carries user information for the server to start/stop accounting for the user.
  • Page 594 (RADIUS attribute table, continued; two columns of attribute names, the attribute numbers are not legible on this page). Left column: Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, (unassigned), Framed-Route, Framed-IPX-Network, State, Class, Vendor-Specific, Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id. Right column: Event-Timestamp, 56-59 (unassigned), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Acct-Tunnel-Connection, Tunnel-Password, ARAP-Password, ARAP-Features, ARAP-Zone-Access, ARAP-Security, ARAP-Security-Data, Password-Retry, Prompt, Connect-Info...
  • Page 595: Extended Radius Attributes

    Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC 1700. The vendor ID of H3C is 2011.
    Vendor-Type: Indicates the type of the sub-attribute.
  • Page 596: Basic Message Exchange Process Of Hwtacacs

    Table 1-3 Primary differences between HWTACACS and RADIUS
    HWTACACS: Uses TCP, providing more reliable network transmission. Encrypts the entire packet except for the HWTACACS header.
    RADIUS: Uses UDP, providing higher transport efficiency. Encrypts only the user password field in an authentication packet.
  • Page 597 Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user (participants: Host, HWTACACS client, HWTACACS server)
    1) The user logs in
    2) Start-authentication packet
    3) Authentication response requesting the username
    4) Request for username
    5) The user inputs the username
    6) Authentication continuance packet with the username
    7) Authentication response requesting the login...
  • Page 598: Protocols And Standards

    12) The HWTACACS client sends the user authorization request packet to the HWTACACS server.
    13) The HWTACACS server sends back the authorization response, indicating that the user is authorized now.
    14) Knowing that the user is now authorized, the HWTACACS client pushes the configuration interface of the NAS to the user.
  • Page 599: Radius Configuration Task List

    AAA Configuration Task List (Task / Remarks)
    Creating an ISP Domain: Required
    Configuring ISP Domain Attributes: Optional
    Configuring AAA Authentication Methods for an ISP Domain: Required. For local authentication, refer to Configuring Local User Attributes. For RADIUS authentication, refer to Configuring RADIUS.
  • Page 600: Hwtacacs Configuration Task List

    HWTACACS Configuration Task List (Task / Remarks)
    Creating a HWTACACS scheme: Required
    Specifying the HWTACACS Authentication Servers: Required
    Specifying the HWTACACS Authorization Servers: Optional
    Specifying the HWTACACS Accounting Servers: Optional
    Setting the Shared Key for HWTACACS Packets: Required
    Configuring Attributes Related to the Data Sent to HWTACACS Server: Optional
    Setting Timers Regarding HWTACACS Servers: Optional...
  • Page 601: Configuring Isp Domain Attributes

    Follow these steps to create an ISP domain (To do… / Use the command… / Remarks):
    Enter system view: system-view (—)
    Create an ISP domain and enter ISP domain view: domain isp-name (Required)
    Return to system view: quit (—)
    Specify the default ISP domain: domain default enable isp-name (Optional. By default, the system has a default...)
  • Page 602: Configuring Aaa Authentication Methods For An Isp Domain

    A self-service RADIUS server, for example, the comprehensive access management system (CAMS/iMC), is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.
  • Page 603: Configuring Aaa Authorization Methods For An Isp Domain

    (To do… / Use the command… / Remarks)
    Specify the default authentication method for all types of users: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional; local by default)
    Specify the authentication method for LAN access users: authentication lan-access { local | none | radius-scheme... (Optional)
  • Page 604 authorization can work only after RADIUS authentication is successful, and the authorization information is carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is carried in the authorization response after successful authentication. You can configure local authorization or no authorization as the backup method in case the remote server is not available.
  • Page 605: Configuring Aaa Accounting Methods For An Isp Domain

    The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme.
  • Page 606 (To do… / Use the command… / Remarks)
    Enter system view: system-view (—)
    Create an ISP domain and enter ISP domain view: domain isp-name (Required)
    Enable the accounting optional feature: accounting optional (Optional; disabled by default)
    Specify the default accounting method for all types of users: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none |... (Optional)
  • Page 607: Configuring Local User Attributes

    Configuring Local User Attributes For local authentication, you need to create local users and configure user attributes on the device as needed. A local user represents a set of user attributes configured on a device, and such a user set is uniquely identified by the username.
  • Page 608: Configuring User Group Attributes

    (To do… / Use the command… / Remarks)
    Configure the binding attributes for the local user: bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address (Optional. By default, no binding attribute is configured for a local user.)
  • Page 609: Tearing Down User Connections Forcibly

    attributes for the local users in the group. Currently, you can configure password control attributes and authorization attributes for a user group. By default, every newly added local user belongs to the user group of system and bears all attributes of the group.
  • Page 610: Configuring Radius

    Configuring RADIUS The RADIUS protocol is configured on a per scheme basis. After creating a RADIUS scheme, you need to configure the IP addresses and UDP ports of the RADIUS servers for the scheme. The servers include authentication/authorization servers and accounting servers, or primary servers and secondary servers.
  • Page 611: Specifying The Radius Accounting Servers And Relevant Parameters

    (To do… / Use the command… / Remarks)
    Specify the primary RADIUS authentication/authorization server: primary authentication ip-address [ port-number ]
    Specify the secondary RADIUS authentication/authorization server: secondary authentication ip-address [ port-number ]
    Remarks for both: Required. Configure at least one of the commands. No authentication server by default.
    It is recommended to specify only the primary RADIUS authentication/authorization server if backup is not required.
  • Page 612: Setting The Shared Key For Radius Packets

    It is recommended to specify only the primary RADIUS accounting server if backup is not required. If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. In practice, you can specify two RADIUS servers as the primary and secondary accounting servers respectively, or specify one server to function as the primary accounting server in a scheme and the secondary accounting server in another scheme.
  • Page 613: Setting The Supported Radius Server Type

    to retransmit the RADIUS request. If the number of transmission attempts exceeds the specified limit but it still receives no response, it considers that the authentication has failed. Follow these steps to set the upper limit of RADIUS request retransmission attempts: To do…...
  • Page 614: Configuring Attributes Related To Data To Be Sent To The Radius Server

    When both the primary and secondary servers are available, the device sends request packets to the primary server. Once the primary server fails, the primary server turns into the state of block, and the device turns to the secondary server. In this case: If the secondary server is available, the device triggers the primary server quiet timer.
  • Page 615: Setting Timers Regarding Radius Servers

    (To do… / Use the command… / Remarks)
    Enter system view: system-view (—)
    Enable the RADIUS trap function: radius trap { accounting-server-down | authentication-server-down } (Optional; disabled by default)
    Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (Required; not defined by default)
    Specify the format of the... (Optional)
  • Page 616: Specifying Security Policy Servers

    Primary server quiet timer (timer quiet): If the primary server is not reachable, its state changes to blocked, and the device will turn to the specified secondary server. If the secondary server is reachable, the device starts this timer and communicates with the secondary server. After this timer expires, the device turns the state of the primary server to active and tries to communicate with the primary server while keeping the state of the secondary server unchanged.
  • Page 617: Enabling The Listening Port Of The Radius Client

    Follow these steps to specify a security policy server (To do… / Use the command… / Remarks):
    Enter system view: system-view (—)
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, no RADIUS scheme is present.)
    Specify a security policy server: security-policy-server... (Optional)
  • Page 618: Configuring Hwtacacs

    (To do… / Use the command… / Remarks)
    Clear buffered stop-accounting requests that get no responses: reset stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] (Available in user view)
    Configuring HWTACACS
    Different from RADIUS, except for deleting HWTACACS schemes and changing the IP addresses of the HWTACACS servers, you can make any changes to HWTACACS parameters, whether there are users online or not.
  • Page 619: Specifying The Hwtacacs Authorization Servers

    (To do… / Use the command… / Remarks)
    Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number ]
    Specify the secondary HWTACACS authentication server: secondary authentication ip-address [ port-number ]
    Remarks for both: Required. Configure at least one of the commands. No authentication server by default.
    It is recommended to specify only the primary HWTACACS authentication server if backup is not required.
  • Page 620: Specifying The Hwtacacs Accounting Servers

    It is recommended to specify only the primary HWTACACS authorization server if backup is not required. If both the primary and secondary authorization servers are specified, the secondary one is used when the primary one is not reachable. The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
  • Page 621: Setting The Shared Key For Hwtacacs Packets

    Setting the Shared Key for HWTACACS Packets When using a HWTACACS server as an AAA server, you can set a key to secure the communications between the device and the HWTACACS server. The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt packets exchanged between them and a shared key to verify the packets.
  • Page 622: Setting Timers Regarding Hwtacacs Servers

    If a HWTACACS server does not support a username with the domain name, you can configure the device to remove the domain name before sending the username to the server. The nas-ip command in HWTACACS scheme view is only for the current HWTACACS scheme, while the hwtacacs nas-ip command in system view is for all HWTACACS schemes.
  • Page 623: Aaa Configuration Examples

    (To do… / Use the command… / Remarks)
    Display information about buffered stop-accounting requests that get no responses: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] (Available in any view)
    Clear HWTACACS statistics: reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ] (Available in user view)
    reset stop-accounting-buffer...
  • Page 624: Aaa For Telnet Users By Separate Servers

    [Switch-ui-vty0-4] quit
    # Configure the HWTACACS scheme.
    [Switch] hwtacacs scheme hwtac
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
    [Switch-hwtacacs-hwtac] key authentication expert
    [Switch-hwtacacs-hwtac] key authorization expert
    [Switch-hwtacacs-hwtac] key accounting expert
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Configure the AAA methods for the domain.
  • Page 625 Figure 1-8 Configure AAA by separate servers for Telnet users
    Configuration procedure
    # Configure the IP addresses of various interfaces (omitted).
    # Enable the Telnet server on the switch.
    <Switch> system-view
    [Switch] telnet server enable
    # Configure the switch to use AAA for Telnet users.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    [Switch-ui-vty0-4] quit...
  • Page 626: Aaa For Ssh Users By A Radius Server

    [Switch-isp-bbb] quit
    # Configure the default AAA methods for all types of users.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication default local
    [Switch-isp-bbb] authorization default hwtacacs-scheme hwtac
    [Switch-isp-bbb] accounting default radius-scheme cams
    When telneting into the switch, a user enters username telnet@bbb for authentication using domain bbb.
  • Page 627 (RADIUS server settings for the access device)
    Specify the IP address of the switch as 192.168.1.70
    Set both the shared keys for authentication and accounting packets to expert
    Select LAN Access Service as the service type
    Specify the ports for authentication and accounting as 1812 and 1813 respectively
    Select Extensible Protocol as the protocol type
    Select Standard as the RADIUS packet type
    Figure 1-10 Add an access device...
  • Page 628: Troubleshooting Aaa

    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Generate RSA and DSA key pairs and enable the SSH server.
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    [Switch] ssh server enable
    # Configure the switch to use AAA for SSH users.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Configure the user interfaces to support SSH.
  • Page 629: Troubleshooting Hwtacacs

    The password of the user is incorrect.
    The RADIUS server and the NAS are configured with different shared keys.
    Solution: Check that:
    The NAS and the RADIUS server can ping each other.
    The username is in the userid@isp-name format and a default ISP domain is specified on the NAS.
    The user is configured on the RADIUS server.
  • Page 630 Table of Contents: 1 802.1X Configuration (1-1); 802.1X Overview (1-2); Architecture of 802.1X (1-3); Authentication Modes of 802.1X (1-3); Basic Concepts of 802.1X (1-3); EAP over LANs (1-5); EAP over RADIUS (1-6); 802.1X Authentication Triggering (1-7); Authentication Process of 802.1X (1-7); 802.1X Timers (1-10); Extensions to 802.1X (1-11); Features Working Together with 802.1X (1-11); Configuring 802.1X (1-14)...
  • Page 631 802.1X Configuration When configuring 802.1X, go to these sections for information you are interested in: 802.1X Overview Configuring 802.1X Configuring a Guest VLAN Configuring an Auth-Fail VLAN Configuration prerequisites Create the VLAN to be specified as the Auth-Fail VLAN. To configure a port-based Auth-Fail VLAN, make sure that the port access control method is portbased, and the 802.1X multicast trigger function is enabled.
  • Page 632: 802.1X Overview

    Different ports can be configured with different Auth-Fail VLANs, but a port can be configured with only one Auth-Fail VLAN. The Auth-Fail VLAN function and the free IP function in EAD fast deployment are mutually exclusive on a port. If you configure both an MAFV for 802.1X authentication and an MGV for MAC authentication on a port, the newly generated MAFV entry for a user will overwrite the MGV entry for the user, if any;...
  • Page 633: Architecture

    EAP over LANs; EAP over RADIUS; 802.1X Authentication Triggering; Authentication Process of 802.1X; 802.1X Timers; Features Working Together with 802.1X.
    Architecture of 802.1X
    802.1X operates in the typical client/server model and defines three entities: client, device, and server, as shown in Figure 1-1.
  • Page 634 The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol frames to pass, guaranteeing that the client can always send and receive authentication frames. The controlled port is open to allow data traffic to pass only when it is in the authorized state. The controlled port and uncontrolled port are two parts of the same port.
  • Page 635: Eap Over Lans

    EAP over LANs
    EAPOL frame format
    EAPOL, defined in 802.1X, is intended to carry EAP protocol packets between clients and devices over LANs. Figure 1-3 shows the EAPOL frame format.
    Figure 1-3 EAPOL frame format
    PAE Ethernet type: Protocol type. It takes the value 0x888E.
    Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender.
  • Page 636: Eap Over Radius

    An EAP packet of the type of Success or Failure has no Data field, and has a length of 4. An EAP packet of the type of Request or Response has a Data field in the format shown in Figure 1-5.
  • Page 637: 802.1X Authentication Triggering

    To solve the problem, the device also supports EAPOL-Start frames whose destination address is a broadcast MAC address. In this case, the H3C iNode 802.1X client is required. Unsolicited triggering of the device The device can trigger authentication by sending EAP-Request/Identity packets to unauthenticated clients periodically (every 30 seconds by default).
  • Page 638 Figure 1-8 Message exchange in EAP relay mode (participants: Client, Device, Server; EAPOL between client and device, EAPOR between device and server)
    EAPOL-Start
    EAP-Request / Identity
    EAP-Response / Identity
    RADIUS Access-Request (EAP-Response / Identity)
    RADIUS Access-Challenge (EAP-Request / MD5 challenge)
    EAP-Request / MD5 challenge
    EAP-Response / MD5 challenge
    RADIUS Access-Request (EAP-Response / MD5 challenge)
    RADIUS Access-Accept (EAP-Success)
  • Page 639 When receiving the RADIUS Access-Request packet, the RADIUS server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the device a RADIUS Access-Accept packet.
  • Page 640: 802.1X Timers

    Figure 1-9 Message exchange in EAP termination mode (participants: Client, Device, Server; EAPOL between client and device, EAPOR between device and server)
    EAPOL-Start
    EAP-Request / Identity
    EAP-Response / Identity
    EAP-Request / MD5 challenge
    EAP-Response / MD5 challenge
    RADIUS Access-Request (CHAP-Response / MD5 challenge)
    RADIUS Access-Accept (CHAP-Success)
    EAP-Success
    Port authorized
    Handshake timer
    Handshake request [ EAP-Request / Identity ]...
  • Page 641: Extensions

    Handshake timer (handshake-period): After a client passes authentication, the device sends to the client handshake requests at this interval to check whether the client is online. If the device receives no response after sending the allowed maximum number of handshake requests, it considers that the client is offline.
  • Page 642 The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port. For details about VLAN configuration, refer to VLAN Configuration in the Access Volume.
  • Page 643 If a user of a port in the guest VLAN initiates the authentication process but fails the authentication, the device will add the user to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail VLAN is configured, the device will keep the user in the guest VLAN. If a user of a port in the guest VLAN initiates authentication and passes the authentication, the device will add the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN.
  • Page 644: Configuring 802.1X

    authentication domain for authentication, authorization, and accounting of all 802.1X users on the port. In this way, users accessing the port cannot use any account in other domains. Meanwhile, for EAP relay mode 802.1X authentication that uses certificates, the certificate of a user determines the authentication domain of the user.
  • Page 645: Configuring 802.1X For A Port

    (To do… / Use the command… / Remarks)
    Set the maximum number of attempts to send an authentication request to a client: dot1x retry max-retry-value (Optional; 2 by default)
    Set the 802.1X timers: dot1x timer { handshake-period handshake-period-value | quiet-period... (Optional. The defaults are as follows: 15 seconds for the handshake timer, ...
  • Page 646 Configuring 802.1X parameters for a port
    Follow these steps to configure 802.1X parameters for a port (To do… / Use the command… / Remarks):
    Enter system view: system-view (—)
    Enter Ethernet interface view: interface interface-type interface-number (—)
    Set the port access control mode for the port: dot1x port-control { authorized-force | auto |... (Optional; auto by default)...
  • Page 647: Configuring A Guest Vlan

    Configuring a Guest VLAN
    Configuration prerequisites
    Enable 802.1X.
    Create the VLAN to be specified as the guest VLAN.
    To configure a port-based guest VLAN, make sure that the port access control method is portbased, and the 802.1X multicast trigger function is enabled.
    To configure a MAC-based guest VLAN, make sure that the port access control method is macbased and the MAC VLAN function is enabled on the port.
  • Page 648: Displaying And Maintaining 802.1X

    Configuration prerequisites
    Create the VLAN to be specified as the Auth-Fail VLAN.
    To configure a port-based Auth-Fail VLAN, make sure that the port access control method is portbased, and the 802.1X multicast trigger function is enabled.
    To configure a MAC-based Auth-Fail VLAN, make sure that the port access control method is macbased and the MAC VLAN function is enabled on the port.
  • Page 649: 802.1X Configuration Example

    (To do… / Use the command… / Remarks)
    Clear 802.1X statistics: reset dot1x statistics [ interface interface-list ] (Available in user view)
    802.1X Configuration Example
    Network requirements
    The access control method of macbased is required on the port GigabitEthernet 1/0/1 to control clients.
  • Page 650 The following configuration procedure covers most AAA/RADIUS configuration commands for the device, while configuration on the 802.1X client and RADIUS server are omitted. For information about AAA/RADIUS configuration commands, refer to AAA Configuration in the Security Volume. # Configure the IP addresses for each interface. (Omitted) # Add local access user localuser, enable the idle cut function, and set the idle cut interval.
  • Page 651: Guest Vlan And Vlan Assignment Configuration Example

    [Device-isp-aabbcc.net] authentication default radius-scheme radius1 local
    [Device-isp-aabbcc.net] authorization default radius-scheme radius1 local
    [Device-isp-aabbcc.net] accounting default radius-scheme radius1 local
    # Set the maximum number of users for the domain as 30.
    [Device-isp-aabbcc.net] access-limit enable 30
    # Enable the idle cut function and set the idle cut interval.
    [Device-isp-aabbcc.net] idle-cut enable 20
    [Device-isp-aabbcc.net] quit
    # Configure aabbcc.net as the default domain.
  • Page 652 Figure 1-11 Network diagram for guest VLAN configuration (diagram elements: Update server, Authenticator server, Switch with ports GE1/0/1 to GE1/0/4 in VLAN 1, VLAN 2, VLAN 5 and VLAN 10, Internet, Supplicant). Figure 1-12 Network diagram with the port in the guest VLAN...
  • Page 653 Figure 1-13 Network diagram when the client passes authentication Configuration procedure The following configuration procedure uses many AAA/RADIUS commands. For detailed configuration of these commands, refer to AAA Configuration in the Security Volume. Configurations on the 802.1X client and RADIUS server are omitted. # Configure RADIUS scheme 2000.
  • Page 654: Acl Assignment Configuration Example

    [Device] interface GigabitEthernet 1/0/2 [Device-GigabitEthernet1/0/2] dot1x # Set the port access control method to portbased. [Device-GigabitEthernet1/0/2] dot1x port-method portbased # Set the port access control mode to auto. [Device-GigabitEthernet1/0/2] dot1x port-control auto [Device-GigabitEthernet1/0/2] quit # Create VLAN 10. [Device] vlan 10 [Device-vlan10] quit # Specify port GigabitEthernet 1/0/2 to use VLAN 10 as its guest VLAN.
  • Page 655 Configuration procedure # Configure the IP addresses of the interfaces. (Omitted) # Configure the RADIUS scheme. <Device> system-view [Device] radius scheme 2000 [Device-radius-2000] primary authentication 10.1.1.1 1812 [Device-radius-2000] primary accounting 10.1.1.2 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit # Create an ISP domain and specify the AAA schemes.
  • Page 656: Ead Fast Deployment Configuration

    EAD Fast Deployment Configuration When configuring EAD fast deployment, go to these sections for information you are interested in: EAD Fast Deployment Overview Configuring EAD Fast Deployment Displaying and Maintaining EAD Fast Deployment EAD Fast Deployment Configuration Example Troubleshooting EAD Fast Deployment EAD Fast Deployment Overview Overview Endpoint Admission Defense (EAD) is an integrated endpoint access control solution.
  • Page 657: Configuring Ead Fast Deployment

    Configuring EAD Fast Deployment Currently, MAC authentication and port security cannot work together with EAD fast deployment. Once MAC authentication or port security is enabled globally, the EAD fast deployment is disabled automatically. Configuration Prerequisites Enable 802.1X globally. Enable 802.1X on the specified port, and set the access control mode to auto. Configuration Procedure Configuring a freely accessible network segment A freely accessible network segment, also called a free IP, is a network segment that users can access...
  • Page 658: Displaying And Maintaining Ead Fast Deployment

    Configuring the IE redirect URL Follow these steps to configure the IE redirect URL: To do… Use the command… Remarks: Enter system view: system-view (—). Configure the IE redirect URL: dot1x url url-string (Required; no redirect URL is configured by default). The redirect URL and the freely accessible network segment must belong to the same network segment.
  • Page 659: Ead Fast Deployment Configuration Example

    EAD Fast Deployment Configuration Example Network requirements As shown in Figure 2-1, the host is connected to the device, and the device is connected to the freely accessible network segment and the outside network. It is required that: Before successful 802.1X authentication, a host using IE to access the outside network is redirected to the WEB server, from which it can download and install the 802.1X client software.
  • Page 660: Troubleshooting Ead Fast Deployment

    C:\>ping 192.168.2.3 Pinging 192.168.2.3 with 32 bytes of data: Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Besides, if the user uses IE to access any external website, the user will be taken to the WEB server,...
  • Page 661 Table of Contents: 1 HABP Configuration 1-1; Introduction to HABP 1-1; Configuring HABP 1-2; Configuring the HABP Server 1-2; Configuring an HABP Client 1-3; Displaying and Maintaining HABP 1-3; HABP Configuration Example 1-3...
  • Page 662: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for the information you are interested in: Introduction to HABP Configuring HABP Displaying and Maintaining HABP HABP Configuration Example Introduction to HABP The HW Authentication Bypass Protocol (HABP) is used to enable the downstream network devices of an 802.1X or MAC authentication enabled access device to bypass 802.1X authentication and MAC authentication.
  • Page 663: Configuring Habp

    Figure 1-1 Network diagram for HABP application (figure: Switch A, the authenticator, connected to the Internet and the authentication server; Switch B through Switch E and three supplicants attached below it). HABP is a link layer protocol that works above the MAC layer. It is built on the client-server model. Generally, the HABP server role is taken by the management device (such as Switch A in the above example), and the attached switches function as the HABP clients, such as Switch B through Switch E in the example.
  • Page 664: Displaying And Maintaining Habp

    To do… Use the command… Remarks: Configure HABP to work in server mode: habp server vlan vlan-id (Required; HABP works in client mode by default). Set the interval to send HABP requests: habp timer interval (Optional; 20 seconds by default). Configuring an HABP Client Configure the HABP client function on each device that is attached to the administrative device and needs to be managed.
  • Page 665 Figure 1-2 Network diagram for HABP configuration Configuration procedure Configure Switch A # Enable HABP. <SwitchA> system-view [SwitchA] habp enable # Configure HABP to work in server mode, allowing HABP packets to be transmitted in VLAN 2. [SwitchA] habp server vlan 2 # Set the interval to send HABP request packets to 50 seconds.
  • Page 666 Table of Contents: 1 MAC Authentication Configuration 1-1; MAC Authentication Overview 1-1; RADIUS-Based MAC Authentication 1-1; Local MAC Authentication 1-1; Related Concepts 1-2; MAC Authentication Timers 1-2; Quiet MAC Address 1-2; VLAN Assigning 1-2; ACL Assigning 1-2; Guest VLAN of MAC Authentication 1-2; Configuring MAC Authentication 1-3; Configuration Prerequisites 1-3; Configuration Procedure 1-3; Configuring a Guest VLAN 1-4; Configuration Prerequisites 1-4...
  • Page 667: Mac Authentication Configuration

    MAC Authentication Configuration When configuring MAC authentication, go to these sections for information you are interested in: MAC Authentication Overview Related Concepts Configuring MAC Authentication Configuring a Guest VLAN Displaying and Maintaining MAC Authentication MAC Authentication Configuration Examples MAC Authentication Overview MAC authentication provides a way to authenticate users based on ports and MAC addresses.
  • Page 668: Related Concepts

    Related Concepts MAC Authentication Timers The following timers function in the process of MAC authentication: Offline detect timer: At this interval, the device checks whether there is traffic from a user. If it detects no traffic from a user within this interval, the device logs the user out and sends a stop accounting request to the RADIUS server.
  • Page 669: Configuring Mac Authentication

    MAC authentication supports MAC-based guest VLAN (MGV). With MGV configured on a port, users failing the authentication on the port are authorized to access the resources in the guest VLAN. If a user in the guest VLAN initiates another authentication process but fails the authentication, the device will keep the user in the guest VLAN.
  • Page 670: Configuring A Guest Vlan

    To do… Use the command… Remarks: Set the server timeout timer: mac-authentication timer server-timeout server-timeout-value (Optional; 100 seconds by default). Configure the username and password for MAC authentication: mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | ... (Optional; by default, the user's source MAC address serves as the...
  • Page 671: Displaying And Maintaining Mac Authentication

    Different ports can be configured with different guest VLANs, but a port can be configured with only one guest VLAN. If you configure both the 802.1X authentication MGV and the MAC authentication MGV on a port, only the 802.1X authentication MGV will take effect. For description on 802.1X authentication MGV, refer to 802.1X Configuration in the Security Volume.
  • Page 672 Configuration procedure Configure MAC authentication on the device # Add a local user, setting the username and password as 00-e0-fc-12-34-56, the MAC address of the user. <Device> system-view [Device] local-user 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] service-type lan-access [Device-luser-00-e0-fc-12-34-56] quit # Configure ISP domain aabbcc.net, and specify that the users in the domain use local authentication.
  • Page 673: Radius-Based Mac Authentication Configuration Example

    Current online user number is 1 MAC ADDR Authenticate state AuthIndex 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS RADIUS-Based MAC Authentication Configuration Example Network requirements As illustrated in Figure 1-2, a host is connected to the device through port GigabitEthernet 1/0/1. The device authenticates, authorizes and keeps accounting on the host through the RADIUS server. MAC authentication is required on every port to control user access to the Internet.
  • Page 674: Acl Assignment Configuration Example

    [Device] domain 2000 [Device-isp-2000] authentication default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Enable MAC authentication globally. [Device] mac-authentication # Enable MAC authentication for port GigabitEthernet 1/0/1. [Device] mac-authentication interface GigabitEthernet 1/0/1 # Specify the ISP domain for MAC authentication.
  • Page 675 Configure the RADIUS server to assign ACL 3000. On port GigabitEthernet 1/0/1 of the switch, enable MAC authentication and configure ACL 3000. After the host passes MAC authentication, the RADIUS server assigns ACL 3000 to port GigabitEthernet 1/0/1 of the switch. As a result, the host can access the Internet but cannot access the FTP server, whose IP address is 10.0.0.1.
  • Page 676 [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 [Sysname-acl-adv-3000] quit # Enable MAC authentication globally. [Sysname] mac-authentication # Specify the ISP domain for MAC authentication users. [Sysname] mac-authentication domain 2000 # Specify the MAC authentication username type as MAC address, that is, using the MAC address of a user as the username and password for MAC authentication of the user.
  • Page 677 Table of Contents: 1 Portal Configuration 1-1; Portal Overview 1-1; Introduction to Portal 1-1; Introduction to Extended Portal Functions 1-1; Portal System Components 1-2; Portal Authentication Modes 1-3; Portal Authentication Process 1-4; Portal Configuration Task List 1-6; Basic Portal Configuration 1-7; Configuration Prerequisites 1-7; Configuration Procedure 1-7; Configuring a Portal-Free Rule 1-8; Configuring an Authentication Subnet 1-9...
  • Page 678: Portal Configuration

    Portal Configuration When configuring portal, go to these sections for information you are interested in: Portal Overview Portal Configuration Task List Displaying and Maintaining Portal Portal Configuration Examples Troubleshooting Portal Portal Overview This section covers these topics: Introduction to Portal Introduction to Extended Portal Portal System Components Portal Authentication Modes...
  • Page 679: Portal System Components

    Resource access limit: A user passing identity authentication can access only network resources like the anti-virus server or OS patch server, which are called the restricted resources. Only users passing security authentication can access more network resources, which are called the unrestricted resources.
  • Page 680: Portal Authentication Modes

    Currently, only a RADIUS server can serve as the authentication/accounting server in a portal system. Currently, security authentication requires the cooperation of the H3C iNode client. Portal Authentication Modes Portal authentication supports two modes: non-Layer 3 authentication and Layer 3 authentication.
  • Page 681: Portal Authentication Process

    authentication. This eases IP address planning and allocation. For example, a service provider can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Layer 3 authentication Layer 3 portal authentication is similar to direct authentication.
  • Page 682 Direct authentication/Layer 3 authentication process Figure 1-2 Direct authentication/Layer 3 authentication process The direct authentication/Layer 3 authentication process is as follows: A portal user initiates an authentication request through HTTP. When the HTTP packet arrives at the access device, the access device allows it to pass if it is destined for the portal server or a predefined free website, or redirects it to the portal server if it is destined for other websites.
  • Page 683: Portal Configuration Task List

    Re-DHCP authentication process Figure 1-3 Re-DHCP authentication process (figure participants: authentication client, access device, portal server, authentication/accounting server, security policy server). Steps: 1) Initiate a connection; 2) CHAP authentication; 3) Authentication request; 4) RADIUS authentication (timer runs); 5) Authentication acknowledgement; 6) Authentication succeeds; 7) The user obtains a new IP address; 8) Discover user IP change...
  • Page 684: Basic Portal Configuration

    Task / Remarks: Basic Portal Configuration: Required. Configuring a Portal-Free Rule: Optional. Configuring an Authentication Subnet: Optional. Logging out Users: Optional. Specifying a Mandatory Authentication Domain: Optional. Basic Portal Configuration Configuration Prerequisites The portal feature provides a solution for user authentication and security authentication. However, the portal feature cannot implement this solution by itself.
  • Page 685: Configuring A Portal-Free Rule

    Follow these steps to perform basic portal configuration: To do… Use the command… Remarks: Enter system view: system-view (—). Configure a portal server: portal server server-name ip ip-address [ key key-string | port port-id | url url-string ] * (Required; by default, no portal server is configured).
  • Page 686: Configuring An Authentication Subnet

    If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. You cannot configure two or more portal-free rules with the same filtering conditions; otherwise, the system prompts that the rule already exists. Whether or not portal authentication is enabled, you can only add or remove a portal-free rule; you cannot modify it.
  • Page 687: Specifying A Mandatory Authentication Domain

    Specifying a Mandatory Authentication Domain After you specify a mandatory authentication domain for an interface, the device uses that domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. This lets you specify different authentication domains for different interfaces as needed.
  • Page 688: Portal Configuration Examples

    To do… Use the command… Remarks: Clear portal connection statistics on a specified interface or all interfaces: reset portal connection statistics { all | interface interface-type interface-number } (available in user view). Clear portal server statistics on a specified interface or all interfaces: reset portal server statistics { all | interface interface-type... (available in user view)...
  • Page 689 # Set the server type to extended. [Switch-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Switch-radius-rs1] primary authentication 192.168.0.112 [Switch-radius-rs1] primary accounting 192.168.0.112 [Switch-radius-rs1] key authentication radius [Switch-radius-rs1] key accounting radius # Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
  • Page 690: Configuring Re-Dhcp Portal Authentication

    Configuring Re-DHCP Portal Authentication Network requirements The host is directly connected to the switch, and the switch is configured for re-DHCP authentication. The host is assigned an IP address through the DHCP server. Before portal authentication, the host uses an assigned private IP address. After passing portal authentication, it gets a public IP address, and users on the host can then access unrestricted Internet resources.
  • Page 691 # Set the server type to extended. [Switch-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Switch-radius-rs1] primary authentication 192.168.0.113 [Switch-radius-rs1] primary accounting 192.168.0.113 [Switch-radius-rs1] key authentication radius [Switch-radius-rs1] key accounting radius # Specify that the ISP domain name should not be included in the username sent to the RADIUS server.
  • Page 692: Configuring Layer 3 Portal Authentication

    # Configure the IP address of the interface connected with the portal server. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.0.100 255.255.255.0 [Switch-Vlan-interface2] quit Configuring Layer 3 Portal Authentication Network requirements Switch A is configured for Layer 3 portal authentication. Before portal authentication, users can access only the portal server.
  • Page 693: Configuring Direct Portal Authentication With Extended Functions

    [SwitchA-radius-rs1] primary accounting 192.168.0.112 [SwitchA-radius-rs1] key authentication radius [SwitchA-radius-rs1] key accounting radius # Specify that the ISP domain name should not be included in the username sent to the RADIUS server. [SwitchA-radius-rs1] user-name-format without-domain [SwitchA-radius-rs1] quit Configure an authentication domain # Create an ISP domain named dm1 and enter its view.
  • Page 694 passed security authentication, they can access only subnet 192.168.0.0/24. After passing security authentication, they can access unrestricted Internet resources. A RADIUS server serves as the authentication/accounting server. Figure 1-7 Configure direct portal authentication with extended functions (figure labels: portal server 192.168.0.111/24; Vlan-int100 2.2.2.1/24; Vlan-int2 192.168.0.100/24)...
  • Page 695 # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure the ISP domain to use RADIUS scheme rs1. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure dm1 as the default ISP domain, allowing all users to share the authentication and accounting methods of the default domain.
  • Page 696: Configuring Re-Dhcp Portal Authentication With Extended Functions

    Configuring Re-DHCP Portal Authentication with Extended Functions Network requirements The host is directly connected to the switch, and the switch is configured for re-DHCP authentication. The host is assigned an IP address through the DHCP server. Before portal authentication, the host uses an assigned private IP address. After passing portal authentication, it gets a public IP address.
  • Page 697 <Switch> system-view [Switch] radius scheme rs1 # Set the server type to extended. [Switch-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Switch-radius-rs1] primary authentication 192.168.0.113 [Switch-radius-rs1] primary accounting 192.168.0.113 [Switch-radius-rs1] key accounting radius [Switch-radius-rs1] key authentication radius [Switch-radius-rs1] user-name-format without-domain...
  • Page 698: Configuring Layer 3 Portal Authentication With Extended Functions

    IP address: 192.168.0.111 Key: portal Port number: 50100 URL: http://192.168.0.111/portal. [Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111/portal # Configure the switch as a DHCP relay agent, and enable the invalid address check function. [Switch] dhcp enable [Switch] dhcp relay server-group 0 ip 192.168.0.112 [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0...
  • Page 699 Configuration procedure You need to configure IP addresses for the devices as shown in Figure 1-9 and ensure that routes are available between devices. Configure Switch A: Configure a RADIUS scheme # Create a RADIUS scheme named rs1 and enter its view. <SwitchA>...
  • Page 700: Troubleshooting Portal

    On the security policy server, you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL. [SwitchA] acl number 3000 [SwitchA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255 [SwitchA-acl-adv-3000] quit [SwitchA] acl number 3001 [SwitchA-acl-adv-3001] rule permit ip [SwitchA-acl-adv-3001] quit Configure portal authentication # Configure the portal server as follows:...
  • Page 701: Incorrect Server Port Number On The Access Device

    Solution Use the display portal server command to display the key for the portal server on the access device and view the key for the access device on the portal server. Use the portal server command to modify the key on the access device or modify the key for the access device on the portal server to ensure that the keys are consistent.
  • Page 702 Table of Contents: 1 Port Security Configuration 1-1; Introduction to Port Security 1-1; Port Security Overview 1-1; Port Security Features 1-2; Port Security Modes 1-2; Port Security Configuration Task List 1-4; Enabling Port Security 1-5; Configuration Prerequisites 1-5; Configuration Procedure 1-5; Setting the Maximum Number of Secure MAC Addresses 1-5; Setting the Port Security Mode 1-6; Configuration Prerequisites 1-6; Configuring Procedure 1-7...
  • Page 703: Port Security Configuration

    Port Security Configuration When configuring port security, go to these sections for information you are interested in: Introduction to Port Security Port Security Configuration Task List Displaying and Maintaining Port Security Port Security Configuration Examples Troubleshooting Port Security Introduction to Port Security Port Security Overview Port security is a MAC address-based security mechanism for network access control.
  • Page 704: Port Security Features

    Port Security Features The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic. Intrusion protection The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action accordingly upon detecting illegal frames.
  • Page 705 Security mode / Description / Features: userLoginSecure: In this mode, a port performs 802.1X authentication of users in portbased mode and services only one user passing 802.1X authentication. (Next mode:) Similar to the userLoginSecure mode, a port in this mode performs 802.1X authentication of users and services only one user passing 802.1X authentication.
  • Page 706: Port Security Configuration Task List

    Currently, port security supports two authentication methods: 802.1X and MAC authentication. Different port security modes employ different authentication methods or different combinations of authentication methods. The maximum number of users a port supports is the lesser of the maximum number of secure MAC addresses and the maximum number of authenticated users the security mode supports.
  • Page 707: Enabling Port Security

    Enabling Port Security Configuration Prerequisites Before enabling port security, you need to disable 802.1X and MAC authentication globally. Configuration Procedure Follow these steps to enable port security: To do… Use the command… Remarks: Enter system view: system-view (—). Enable port security: port-security enable (Required; disabled by default). Note that:...
  • Page 708: Setting The Port Security Mode

    Follow these steps to set the maximum number of secure MAC addresses allowed on a port: To do… Use the command… Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Set the maximum number of secure MAC addresses: port-security max-mac-count ... (Required)...
  • Page 709: Configuring Procedure

    Configuring Procedure Follow these steps to enable any other port security mode: To do… Use the command… Remarks: Enter system view: system-view (—). Set an OUI value for user authentication: port-security oui oui-value index index-value (Optional; not configured by default. The command is required for the userlogin-withoui mode).
  • Page 710: Configuring Intrusion Protection

    By default, NTK is disabled on a port and the port forwards all frames. With NTK configured, a port will discard any unicast packet with an unknown MAC address no matter in which mode it operates. Follow these steps to configure the NTK feature: To do…...
  • Page 711: Configuring Trapping

    port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail. Configuring Trapping The trapping feature enables a device to send trap information in response to four types of events: addresslearned: A port learns a new address.
  • Page 712: Ignoring Authorization Information From The Server

    To do… Use the command… Remarks: Enter system view: system-view (—). Configure a secure MAC address (Required; use either approach; no secure MAC address is configured by default): In system view: port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id. In interface view: interface interface-type interface-number, then port-security mac-address security...
  • Page 713: Port Security Configuration Examples

    To do… | Use the command… | Remarks
    Display information about blocked MAC addresses | display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] | Available in any view
    Port Security Configuration Examples
    Configuring the autoLearn Mode
    Network requirements
    Restrict port GigabitEthernet 1/0/1 of the switch as follows: Allow up to 64 users to access the port without authentication and permit the port to learn and add...
  • Page 714
    Equipment port-security is enabled
    Intrusion trap is enabled
    Disableport Timeout: 30s
    OUI value:
    GigabitEthernet1/0/1 is link-up
    Port mode is autoLearn
    NeedToKnow mode is disabled
    Intrusion Protection mode is DisablePortTemporarily
    Max MAC address number is 64
    Stored MAC address number is 0
    Authorization is permitted
    As shown in the output, the maximum number of secure MAC addresses allowed on the port is 64, the port security mode is autoLearn, the intrusion protection trap is enabled, and the intrusion protection...
  • Page 715: Configuring The Userloginwithoui Mode

    GigabitEthernet1/0/1 current state: Port Security Disabled
    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
    Description: GigabitEthernet1/0/1 Interface
    ...
    The port should be re-enabled 30 seconds later.
    [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1
    GigabitEthernet1/0/1 current state: UP
    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
    Description: GigabitEthernet1/0/1 Interface
    ...
  • Page 716
    Configuration procedure
    The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Configuration in the Security Volume. Configurations on the host and RADIUS servers are omitted.
    Configure the RADIUS protocol
    # Configure a RADIUS scheme named radsun.
    <Switch>...
  • Page 717
    After completing the above configurations, you can use the following command to view the configuration information of the RADIUS scheme named radsun:
    <Switch> display radius scheme radsun
    SchemeName : radsun
    Index : 1
    Type : standard
    Primary Auth IP : 192.168.1.2 Port : 1812 State : active
    Primary Acct IP...
  • Page 718
    NeedToKnow mode is disabled
    Intrusion Protection mode is NoAction
    Max MAC address number is not configured
    Stored MAC address number is 0
    Authorization is permitted
    After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1X users:
    <Switch>...
  • Page 719: Configuring The Macaddresselseuserloginsecure Mode

    1234-0300-0011 Learned GigabitEthernet1/0/1 AGING
    1 mac address(es) found
    Configuring the macAddressElseUserLoginSecure Mode
    Network requirements
    The client is connected to the switch through GigabitEthernet 1/0/1. The switch authenticates the client by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
    Restrict port GigabitEthernet 1/0/1 of the switch as follows: Allow more than one MAC authenticated user to log on.
  • Page 720: Configuration Information

    After completing the above configurations, you can use the following command to view the port security configuration information:
    <Switch> display port-security interface gigabitethernet 1/0/1
    Equipment port-security is enabled
    Trap is disabled
    Disableport Timeout: 20s
    OUI value:
    GigabitEthernet1/0/1 is link-up
    Port mode is macAddressElseUserLoginSecure
    NeedToKnow mode is NeedToKnowOnly
    Intrusion Protection mode is NoAction
    Max MAC address number is 64...
  • Page 721: Troubleshooting Port Security

    Authentication Mode is Auto
    Port Control Type is Mac-based
    Guest VLAN: 0
    Max number of on-line users is 256
    EAPOL Packet: Tx 16331, Rx 102
    Sent EAP Request/Identity Packets : 16316
    EAP Request/Challenge Packets: 6
    EAP Success Packets: 4, Fail Packets: 5
    Received EAPOL Start Packets : 6
    EAPOL LogOff Packets: 2
    EAP Response/Identity Packets : 80...
  • Page 722: Cannot Change Port Security Mode When A User Is Online

    Analysis
    No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
    Solution
    Set the port security mode to autoLearn.
    [Switch-GigabitEthernet1/0/1] undo port-security port-mode
    [Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
    [Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
    Cannot Change Port Security Mode When a User Is Online
    Symptom...
  • Page 723
    Table of Contents
    1 IP Source Guard Configuration 1-1
      IP Source Guard Overview 1-1
      Configuring a Static Binding Entry 1-1
      Configuring Dynamic Binding Function 1-2
      Displaying and Maintaining IP Source Guard 1-3
      IP Source Guard Configuration Examples 1-3
        Static Binding Entry Configuration Example 1-3
        Dynamic Binding Function Configuration Example 1-4
      Troubleshooting IP Source Guard 1-6
        Failed to Configure Static Binding Entries and Dynamic Binding Function 1-6...
  • Page 724: Ip Source Guard Configuration

    IP Source Guard Configuration
    When configuring IP Source Guard, go to these sections for information you are interested in:
    IP Source Guard Overview
    Configuring a Static Binding Entry
    Configuring Dynamic Binding Function
    Displaying and Maintaining IP Source Guard
    IP Source Guard Configuration Examples
    Troubleshooting IP Source Guard
    IP Source Guard Overview
    By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through,...
  • Page 725: Configuring Dynamic Binding Function

    To do… | Use the command… | Remarks
    Configure a static binding entry | user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] | Required. No static binding entry exists by default.
    The same binding entry cannot be bound to one port more than once. For products supporting multi-port binding, a binding entry can be configured on multiple ports;...
  • Page 726: Displaying And Maintaining Ip Source Guard

    Displaying and Maintaining IP Source Guard
    To do… | Use the command… | Remarks
    Display information about static binding entries | display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] | Available in any view
    Display information about ... | display ip check source [ interface interface-type interface-number | ... | Available in any...
  • Page 727: Dynamic Binding Function Configuration Example

    [SwitchA-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405
    [SwitchA-GigabitEthernet1/0/2] quit
    # Configure port GigabitEthernet 1/0/1 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
    Configure Switch B
    # Configure the IP addresses of various interfaces (omitted).
  • Page 728
    For detailed configuration of a DHCP server, refer to DHCP Configuration in the IP Service Volume.
    Network diagram
    Figure 1-2 Network diagram for configuring dynamic binding function
    Configuration procedure
    Configure Switch A
    # Configure dynamic binding function on port GigabitEthernet 1/0/1.
    <SwitchA>...
  • Page 729: Troubleshooting Ip Source Guard

    [SwitchA-GigabitEthernet1/0/1] display dhcp-snooping
    DHCP Snooping is enabled.
    The client binding table for all untrusted ports.
    Type : D--Dynamic , S--Static
    Type IP Address MAC Address Lease VLAN Interface
    ==== =============== ============== ============ ==== =================
    192.168.0.1 0001-0203-0406 86335 GigabitEthernet1/0/1
    As the output shows, port GigabitEthernet 1/0/1 has obtained the dynamic entries generated by DHCP snooping after it is configured with dynamic binding function.
  • Page 730
    Table of Contents
    1 SSH2.0 Configuration 1-1
      SSH2.0 Overview 1-1
        Introduction to SSH2.0 1-1
        Operation of SSH 1-1
      Configuring the Device as an SSH Server 1-4
        SSH Server Configuration Task List 1-4
        Generating a DSA or RSA Key Pair 1-4
        Enabling SSH Server 1-5
        Configuring the User Interfaces for SSH Clients 1-5
        Configuring a Client Public Key 1-6
        Configuring an SSH User 1-7
        Setting the SSH Management Parameters 1-8...
  • Page 731: Ssh2.0 Configuration

    SSH2.0 Configuration
    When configuring SSH2.0, go to these sections for information you are interested in:
    SSH2.0 Overview
    Configuring the Device as an SSH Server
    Configuring the Device as an SSH Client
    Displaying and Maintaining SSH
    SSH Server Configuration Examples
    SSH Client Configuration Examples
    SSH2.0 Overview
    Introduction to SSH2.0
    Secure Shell (SSH) offers an approach to securely logging into a remote device.
  • Page 732
    Stages | Description
    Session request | After passing authentication, the client sends a session request to the server.
    Interaction | After the server grants the request, the client and server start to communicate with each other.
    Version negotiation
    The server opens port 22 to listen to connection requests from clients. The client sends a TCP connection request to the server.
  • Page 733 Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about DSA and RSA key pairs, refer to Public Key Configuration in the Security Volume.
  • Page 734: Configuring The Device As An Ssh Server

    Session request After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. After successfully processing the request, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client.
  • Page 735: Enabling Ssh Server

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Generate the local DSA or RSA key pair | public-key local create { dsa | rsa } | Required. By default, there is neither DSA key pair nor RSA key pair.
    For details about the public-key local create command, refer to Public Key Commands in the Security Volume.
  • Page 736: Configuring A Client Public Key

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter user interface view of one or more user interfaces | user-interface vty number [ ending-number ] | —
    Set the login authentication mode to scheme | authentication-mode scheme [ command-authorization ] | Required. By default, the authentication mode is password.
  • Page 737: Configuring An Ssh User

    It is recommended that you configure a client public key by importing it from a public key file. You can configure at most 20 client public keys on an SSH server.
    Configuring a client public key manually
    Follow these steps to configure the client public key manually:
    To do…...
  • Page 738: Setting The Ssh Management Parameters

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Create an SSH user, and specify the service type... | ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname } | For Stelnet users. Required. Use either...
  • Page 739: Configuring The Device As An Ssh Client

    Enabling the SSH server to be compatible with SSH1 clients
    Setting the server key pair update interval, applicable to users using SSH1 clients
    Setting the SSH user authentication timeout period
    Setting the maximum number of SSH authentication attempts
    Setting the above parameters helps prevent malicious guessing and cracking of keys and usernames, securing your SSH connections.
  • Page 740: Configuring Whether First-Time Authentication Is Supported

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Specify a source IPv4 address or interface for the SSH client | ssh client source { ip ip-address | interface interface-type interface-number } | Required. By default, the source IP address of the address or interface decided...
  • Page 741: Establishing A Connection Between The Ssh Client And The Server

    To do… | Use the command… | Remarks
    Configure the server public key | Refer to Configuring a Client Public Key | Required. The method of configuring the server public key on the client is similar to that of configuring a client public key on the server.
    Specify the host public key... | ssh client authentication... | Required...
  • Page 742: Ssh Server Configuration Examples

    To do… | Use the command… | Remarks
    Display the public keys of the local key pairs | display public-key local { dsa | rsa } public | Available in any view
    Display the public keys of the SSH peers | display public-key peer [ brief | name publickey-name ] | Available in any view
    For information about the display public-key local and display public-key peer commands, refer to...
  • Page 743
    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Create local user client001, and set the user command privilege level to 3.
    [Switch] local-user client001
    [Switch-luser-client001] password simple aabbcc
    [Switch-luser-client001] service-type ssh
    [Switch-luser-client001] authorization-attribute level 3
    [Switch-luser-client001] quit
    # Specify the service type for user client001 as Stelnet, and the authentication mode as password. This step is optional.
  • Page 744: When Switch Acts As Server For Publickey Authentication

    Figure 1-2 SSH client configuration interface In the window shown in Figure 1-2, click Open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. When Switch Acts as Server for Publickey Authentication Network requirements As shown in...
  • Page 745
    [Switch] public-key local create dsa
    [Switch] ssh server enable
    # Configure an IP address for VLAN interface 1. This address will serve as the destination of the SSH connection.
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
    [Switch-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA.
  • Page 746
    Figure 1-4 Generate a client key pair (1)
    While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-5. Otherwise, the progress bar stops moving and the key pair generation process stops.
  • Page 747
    Figure 1-5 Generate a client key pair (2)
    After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
    Figure 1-6 Generate a client key pair (3)...
  • Page 748
    Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private in this case).
    Figure 1-7 Generate a client key pair (4)
    After generating a key pair on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of...
  • Page 749: Ssh Client Configuration Examples

    Select Connection/SSH/Auth from the navigation tree. The following window appears. Click Browse… to bring up the file selection window, navigate to the private key file and click OK. Figure 1-9 SSH client configuration interface 2) In the window shown in Figure 1-9, click Open.
  • Page 750
    # Create RSA and DSA key pairs and enable the SSH server.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    [SwitchB] public-key local create dsa
    [SwitchB] ssh server enable
    # Create an IP address for VLAN interface 1, which the SSH client will use as the destination for SSH connection.
  • Page 751
    After you enter the correct username, you can log into Switch B successfully.
    If the client does not support first-time authentication, you need to perform the following configurations.
    # Disable first-time authentication.
    [SwitchA] undo ssh client first-time
    # Configure the host public key of the SSH server. You can get the server host public key by using the display public-key local dsa public command on the server.
  • Page 752: When Switch Acts As Client For Publickey Authentication

    When Switch Acts as Client for Publickey Authentication Network requirements As shown in Figure 1-11, Switch A (the SSH client) needs to log into Switch B (the SSH server) through the SSH protocol. Publickey authentication is used, and the public key algorithm is DSA. Figure 1-11 Switch acts as client for publickey authentication Configuration procedure Configure the SSH server...
  • Page 753
    # Specify the authentication type for user client002 as publickey, and assign the public key Switch001 to the user.
    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Configure the SSH client
    # Configure an IP address for VLAN interface 1.
    <SwitchA>...
  • Page 754: Sftp Service

    SFTP Service
    When configuring SFTP, go to these sections for information you are interested in:
    SFTP Overview
    Configuring an SFTP Server
    Configuring an SFTP Client
    SFTP Client Configuration Example
    SFTP Server Configuration Example
    SFTP Overview
    The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer.
  • Page 755: Configuring The Sftp Connection Idle Timeout Period

    When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server.
    Configuring the SFTP Connection Idle Timeout Period
    Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that a user cannot hold a connection open without using it.
  • Page 756: Working With The Sftp Directories

    To do… | Use the command… | Remarks
    Establish a connection to the remote IPv4 SFTP server and... | sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | ...
  • Page 757: Working With Sftp Files

    To do… | Use the command… | Remarks
    Create a new directory on the remote SFTP server | mkdir remote-path | Optional
    Delete a directory from the SFTP server | rmdir remote-path&<1-10> | Optional
    Working with SFTP Files
    SFTP file operations include:
    Changing the name of a file
    Downloading a file
    Uploading a file
    Displaying a list of the files...
  • Page 758: Terminating The Connection To The Remote Sftp Server

    To do… | Use the command… | Remarks
    Enter SFTP client view | sftp [ ipv6 ] server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex ... | Required. Execute the command in user...
  • Page 759
    # Generate RSA and DSA key pairs and enable the SSH server.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    [SwitchB] public-key local create dsa
    [SwitchB] ssh server enable
    # Enable the SFTP server.
    [SwitchB] sftp server enable
    # Configure an IP address for VLAN interface 1, which the SSH client uses as the destination for SSH connection.
  • Page 760
    [SwitchA] quit
    After generating key pairs on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client.
    # Establish a connection to the remote SFTP server and enter SFTP client view.
    <SwitchA>...
  • Page 761: Sftp Server Configuration Example

    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
    drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
    -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
    drwxrwxrwx...
  • Page 762
    ...authentication with the username being client002 and the password being aabbcc. The username and password are saved on the switch.
    Figure 2-2 Network diagram for SFTP server configuration
    Configuration procedure
    Configure the SFTP server
    # Generate RSA and DSA key pairs and enable the SSH server.
    <Switch>...
  • Page 763
    There are many kinds of SSH client software. The following takes PSFTP from PuTTY version 0.58 as an example. PSFTP supports only password authentication.
    # Establish a connection with the remote SFTP server.
    Run psftp.exe to launch the client interface as shown in Figure 2-3, and enter the following command:...
  • Page 764
    Table of Contents
    1 PKI Configuration 1-1
      Introduction to PKI 1-1
        PKI Overview 1-1
        PKI Terms 1-1
        Architecture of PKI 1-2
        Applications of PKI 1-3
        Operation of PKI 1-3
      PKI Configuration Task List 1-4
      Configuring an Entity DN 1-4
      Configuring a PKI Domain 1-6
      Submitting a PKI Certificate Request 1-7
        Submitting a Certificate Request in Auto Mode 1-7
        Submitting a Certificate Request in Manual Mode 1-8...
  • Page 765: Pki Configuration

    PKI Configuration
    When configuring PKI, go to these sections for information you are interested in:
    Introduction to PKI
    PKI Configuration Task List
    Displaying and Maintaining PKI
    PKI Configuration Examples
    Troubleshooting PKI
    Introduction to PKI
    This section covers these topics:
    PKI Overview
    PKI Terms
    Architecture of PKI
    Applications of PKI...
  • Page 766: Architecture Of Pki

    ...level. The root CA has a CA certificate signed by itself, while each lower-level CA has a CA certificate signed by the CA at the next higher level.
    An existing certificate may need to be revoked when, for example, the user name changes, the private key is leaked, or the user ceases business.
  • Page 767: Applications Of Pki

    A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
  • Page 768: Pki Configuration Task List

    The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 769
    The configuration of an entity DN must comply with the CA certificate issuing policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, the certificate request may be rejected.
    Follow these steps to configure an entity DN:
    To do…...
  • Page 770: Configuring A Pki Domain

    Configuring a PKI Domain
    Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
    A PKI domain is defined by these parameters:
    Trusted CA
    An entity requests a certificate from a trusted CA.
  • Page 771: Submitting A Pki Certificate Request

    To do… | Use the command… | Remarks
    Specify the entity for certificate request | certificate request entity entity-name | Required. No entity is specified by default. The specified entity must exist.
    Specify the authority for certificate request | certificate request from { ca | ra } | Required. No authority is specified by default.
  • Page 772: Submitting A Certificate Request In Manual Mode

    Follow these steps to configure an entity to submit a certificate request in auto mode:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter PKI domain view | pki domain domain-name | —
    Set the certificate request mode to auto | certificate request mode auto [ key-length key-length | password ... | Required. Manual by default...
  • Page 773: Retrieving A Certificate Manually

    If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands in the Security Volume.
  • Page 774: Configuring Pki Certificate Verification

    If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This avoids inconsistency between the certificate and the registration information when related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
  • Page 775: Destroying A Local Rsa Key Pair

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter PKI domain view | pki domain domain-name | —
    Disable CRL checking | crl check disable | Required. Enabled by default.
    Return to system view | quit | —
    Retrieve the CA certificate | Refer to Retrieving a Certificate Manually | Required...
  • Page 776: Configuring An Access Control Policy

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Delete certificates | pki delete-certificate { ca | local } domain domain-name | Required
    Configuring an Access Control Policy
    By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
  • Page 777: Pki Configuration Examples

    To do… | Use the command… | Remarks
    Display information about one or all certificate attribute-based access control policies | display pki certificate access-control-policy { policy-name | all } | Available in any view
    PKI Configuration Examples
    The SCEP plug-in is required when you use the Windows Server as the CA. In this case, when configuring the PKI domain, you need to use the certificate request from ra command to specify that the entity requests a certificate from an RA.
  • Page 778
    Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
    The other attributes may be left at their default values.
    # Configure extended attributes.
    After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server.
  • Page 779
    Generating Keys...
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++
    Apply for certificates
    # Retrieve the CA certificate and save it locally.
    [Switch] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while...
    The trusted CA's finger print is:
    MD5 fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y
    Saving CA/RA certificates chain, please wait a moment...
  • Page 780: Requesting A Certificate From A Ca Running Windows 2003 Server

    Not After : Jan 8 09:26:53 2008 GMT
    Subject: CN=switch
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F...
  • Page 781
    Figure 1-3 Request a certificate from a CA running Windows 2003 server
    Configuration procedure
    Configure the CA server
    Install the certificate server suites
    From the Start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation.
    Install the SCEP plug-in
    Because a CA server running Windows 2003 server does not support SCEP by default, you need to install the SCEP plug-in so that the switch can register and obtain its certificate automatically.
  • Page 782 # Configure the URL of the registration server in the format of http://host:port/ certsrv/mscep/mscep.dll, where host:port indicates the IP address and port number of the CA server. [Switch-pki-domain-torsa] certificate request http://4.4.4.1:8080/certsrv/mscep/mscep.dll # Set the registration authority to RA. [Switch-pki-domain-torsa] certificate request from ra # Specify the entity for certificate request as aaa.
  • Page 783 Data: Version: 3 (0x2) Serial Number: 48FA0FD9 00000000 000C Signature Algorithm: sha1WithRSAEncryption Issuer: CN=CA server Validity Not Before: Nov 21 12:32:16 2007 GMT Not After : Nov 21 12:42:16 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00A6637A 8CDEA1AC B2E04A59 F7F6A9FE...
  • Page 784: Configuring A Certificate Attribute-Based Access Control Policy

    Configuring a Certificate Attribute-Based Access Control Policy Network requirements The client accesses the remote HTTP over SSL (HTTPS) server through the HTTPS protocol. SSL is configured so that only legitimate clients, those presenting an acceptable certificate, can log in to the HTTPS server. Create a certificate attribute-based access control policy to control access to the HTTPS server. Figure 1-4 Configure a certificate attribute-based access control policy Configuration procedure For detailed information about SSL configuration, refer to SSL Configuration in the Security...
  • Page 785: Troubleshooting Pki

    # Create certificate attribute group mygroup2 and add two attribute rules. The first rule requires that the FQDN in the subject alternative name does not contain the string apple; the second requires that the DN of the certificate issuer contains the string aabbcc.
    [Switch] pki certificate attribute-group mygroup2
    [Switch-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
    [Switch-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc...
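    The following is an added example, not code from the manual or the switch: a Python model of how attribute groups and policy rules combine, using the mygroup2 rules above. The policy rule id, the certificates, and the equ/nequ operators are constructed or assumed, as are the AND-within-a-group and fail-closed-on-no-match behaviours, which the page does not spell out.

```python
"""Model of a certificate attribute-based access control policy: attribute
groups of (field, operator, value) rules and an ordered list of permit/deny
policy rules that reference the groups. Added example, not switch code."""

# Operators of the `attribute` command. ctn / nctn (contains / does not
# contain) appear on the page; equ / nequ (equal / not equal) are assumed here.
OPERATORS = {
    "ctn":  lambda field, value: value in field,
    "nctn": lambda field, value: value not in field,
    "equ":  lambda field, value: field == value,
    "nequ": lambda field, value: field != value,
}

# Attribute group mygroup2 exactly as configured on the page.
GROUPS = {
    "mygroup2": [
        {"id": 1, "field": "alt-subject-name fqdn", "op": "nctn", "value": "apple"},
        {"id": 2, "field": "issuer-name dn",        "op": "ctn",  "value": "aabbcc"},
    ],
}

# Policy rules are evaluated in rule-id order; this rule id is constructed.
POLICY = [
    {"id": 1, "action": "permit", "group": "mygroup2"},
]


def group_matches(group, cert):
    """A group matches a certificate only when every attribute rule in it
    matches (AND semantics, assumed). An attribute absent from the
    certificate is treated as the empty string."""
    return all(OPERATORS[r["op"]](cert.get(r["field"], ""), r["value"]) for r in group)


def evaluate_policy(policy, groups, cert):
    """The first policy rule whose group matches decides. A certificate that
    matches no rule is rejected (fail closed; assumption about the default)."""
    for rule in sorted(policy, key=lambda r: r["id"]):
        if group_matches(groups[rule["group"]], cert):
            return rule["action"]
    return "deny"


# Constructed client certificates, reduced to the attributes a policy can test.
CERT_OK = {
    "subject-name dn": "CN=client1,O=example",
    "issuer-name dn": "CN=aabbcc-root,O=example",
    "alt-subject-name fqdn": "client1.example.test",
}
CERT_APPLE = dict(CERT_OK, **{"alt-subject-name fqdn": "apple.example.test"})
CERT_OTHER_CA = dict(CERT_OK, **{"issuer-name dn": "CN=other-root,O=example"})

if __name__ == "__main__":
    for name, cert in (("ok", CERT_OK), ("apple", CERT_APPLE), ("other CA", CERT_OTHER_CA)):
        print(f"{name:9s} -> {evaluate_policy(POLICY, GROUPS, cert)}")
```

    One thing the model makes visible: an nctn rule is satisfied by a certificate that lacks the attribute altogether, so an nctn rule on its own would admit certificates with no subject alternative name at all. Pair it with a positive ctn or equ rule on another attribute, as mygroup2 does with the issuer DN.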
  • Page 786: Failed To Request A Local Certificate

    Failed to Request a Local Certificate Symptom Failed to request a local certificate. Analysis Possible reasons include these: The network connection is faulty (for example, the cable is damaged or loose). No CA certificate has been retrieved. The current key pair is already bound to a certificate.
  • Page 787 Table of Contents: 1 SSL Configuration 1-1; SSL Overview 1-1; SSL Security Mechanism 1-1; SSL Protocol Stack 1-2; SSL Configuration Task List 1-2; Configuring an SSL Server Policy 1-3; Configuration Prerequisites 1-3; Configuration Procedure 1-3; SSL Server Policy Configuration Example 1-4; Configuring an SSL Client Policy 1-5; Configuration Prerequisites 1-6; Configuration Procedure 1-6; Displaying and Maintaining SSL 1-6...
  • Page 788: Ssl Configuration

    SSL Configuration When configuring SSL, go to these sections for information you are interested in: SSL Overview SSL Configuration Task List Displaying and Maintaining SSL Troubleshooting SSL SSL Overview Secure Sockets Layer (SSL) is a security protocol providing secure connection service for TCP-based application layer protocols, for example, HTTP protocol.
  • Page 789: Ssl Configuration Task List

    For details about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, refer to Public Key Configuration in the Security Volume. For details about PKI, certificate, and CA, refer to PKI Configuration in the Security Volume. SSL Protocol Stack As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at...
  • Page 790: Configuring An Ssl Server Policy

    Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, HTTP protocol, for example.
  • Page 791: Ssl Server Policy Configuration Example

    If you enable client authentication here, you must request a local certificate for the client. SSL currently comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can recognize Hello packets from clients running SSL 2.0. Note that SSL 2.0 and SSL 3.0 have since been prohibited (RFC 6176 and RFC 7568) because of protocol-level weaknesses; where the client can be configured, negotiate TLS rather than SSL 3.0.
  • Page 792: Configuring An Ssl Client Policy

    [Device] pki domain 1
    [Device-pki-domain-1] ca identifier ca1
    [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
    [Device-pki-domain-1] certificate request from ra
    [Device-pki-domain-1] certificate request entity en
    [Device-pki-domain-1] quit
    # Create the local RSA key pairs.
    [Device] public-key local create rsa
    # Retrieve the CA certificate.
    [Device] pki retrieval-certificate ca domain 1
    # Request a local certificate.
  • Page 793: Configuration Prerequisites

    Configuration Prerequisites If the SSL server is configured to authenticate the SSL client, when configuring the SSL client policy, you need to specify the PKI domain to be used for obtaining the certificate of the client. Therefore, before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, refer to PKI Configuration in the Security Volume.
  • Page 794 Analysis SSL handshake failure may result from the following causes: No SSL server certificate exists, or the certificate is not trusted by the client. The server is configured to authenticate the client, but the SSL client has no certificate or its certificate is not trusted. The server and the client have no cipher suite in common.
  • Page 795 Table of Contents: 1 Public Key Configuration 1-1; Public Key Algorithm Overview 1-1; Basic Concepts 1-1; Key Algorithm Types 1-1; Asymmetric Key Algorithm Applications 1-1; Configuring the Local Asymmetric Key Pair 1-2; Creating an Asymmetric Key Pair 1-2; Displaying or Exporting the Local RSA or DSA Host Public Key 1-3; Destroying an Asymmetric Key Pair 1-3; Configuring the Public Key of a Peer 1-3; Displaying and Maintaining Public Keys 1-4...
  • Page 796: Public Key Configuration

    Public Key Configuration When configuring public keys, go to these sections for information you are interested in: Public Key Algorithm Overview Configuring the Local Asymmetric Key Pair Configuring the Public Key of a Peer Displaying and Maintaining Public Keys Public Key Configuration Examples Public Key Algorithm Overview Basic Concepts Algorithm: A set of transformation rules for encryption and decryption.
  • Page 797: Configuring The Local Asymmetric Key Pair

    Encryption: Information encrypted with a receiver's public key can be decrypted only by the receiver, who holds the corresponding private key. This provides confidentiality. Digital signature: A signature computed over the information with the sender's private key can be verified by anyone holding the sender's public key, which proves that the information came from the holder of that private key and has not been altered since it was signed.
  • Page 798: Displaying Or Exporting The Local Rsa Or Dsa Host Public Key

    Configuration of the public-key local create command survives a reboot. The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. The length of an RSA key modulus is in the range 512 to 2048 bits. Choose 2048 bits: 512-bit and 768-bit RSA moduli have been publicly factored, and 1024 bits is no longer considered adequate.
  • Page 799: Displaying And Maintaining Public Keys

    Configure it manually: You can type in or paste the public key of the peer on the local device. The pasted public key must be the unconverted key as displayed by the peer, in distinguished encoding rules (DER) format. Import it from the public key file: The system automatically converts the public key to a string coded using the PKCS (Public Key Cryptography Standards).
  • Page 800: Public Key Configuration Examples

    Public Key Configuration Examples Configuring the Public Key of a Peer Manually Network requirements Device A is authenticated by Device B when accessing Device B, so the public key of Device A should be configured on Device B in advance. In this example: RSA is used.
  • Page 801: Importing The Public Key Of A Peer From A Public Key File

    =====================================================
    Time of Key pair created: 09:50:07 2007/08/07
    Key name: SERVER_KEY
    Key type: RSA Encryption Key
    =====================================================
    Key code:
    307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E
    35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8
    4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001
    Configure Device B # Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A.
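    As an added example (not part of the manual), the Python below parses the key code shown above exactly as the switch prints it and checks that it is what the peer expects to receive: a single DER-encoded SubjectPublicKeyInfo for rsaEncryption. It reports the modulus size and public exponent, so a key that was re-encoded, truncated, or pasted from the wrong display block can be rejected before it is entered on Device B. The SHA-256 fingerprint helper is this example's own addition for comparing a key out of band; the switch output above shows only the key code.

```python
"""Check a public key copied from `display public-key local ... public` before
pasting it into a peer: it must be one well-formed rsaEncryption
SubjectPublicKeyInfo in DER. Added example, not switch code."""
import hashlib

RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# Key code of SERVER_KEY as printed on the page (line wraps removed).
DEVICE_A_KEY_HEX = (
    "307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E"
    "35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8"
    "4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001"
)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_spki(hex_key):
    """Parse a SubjectPublicKeyInfo blob and return (modulus_bits, exponent).

    Raises ValueError if the blob is not exactly one rsaEncryption SPKI in DER,
    which is what the switch expects when a peer key is entered manually.
    """
    der = bytes.fromhex("".join(hex_key.split()))   # tolerate pasted line wraps
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a single SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)                # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, pos = _read_tlv(spki, pos)             # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    tag, rsa, _ = _read_tlv(bits, 1)                  # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(rsa, 0)
    tag_e, e_bytes, _ = _read_tlv(rsa, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def key_fingerprint(hex_key):
    """SHA-256 over the DER blob, grouped like the switch prints fingerprints
    (this example's convention for an out-of-band comparison)."""
    der = bytes.fromhex("".join(hex_key.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


if __name__ == "__main__":
    bits, e = parse_rsa_spki(DEVICE_A_KEY_HEX)
    print(f"RSA-{bits}, e={e}")
    if bits < 2048:
        print("warning: modulus shorter than 2048 bits")
    print("fingerprint:", key_fingerprint(DEVICE_A_KEY_HEX))
```

    Run against the key above, the parser reports a 768-bit modulus with exponent 65537; the page's own key is therefore one the size warning would flag. A blob that was converted to another format (for example the PKCS form produced when a key is imported from a file) or that lost a trailing line when pasted fails the SEQUENCE-length check rather than silently producing a wrong key.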
  • Page 802 Figure 1-3 Network diagram for importing the public key of a peer from a public key file Configuration procedure Create key pairs on Device A and export the host public key # Create RSA key pairs on Device A. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key size is (512 ~ 2048).
  • Page 803 [DeviceA] quit Enable the FTP server function on Device B # Enable the FTP server function, create an FTP user with the username ftp and password 123.
    <DeviceB> system-view
    [DeviceB] ftp server enable
    [DeviceB] local-user ftp
    [DeviceB-luser-ftp] password simple 123
    [DeviceB-luser-ftp] service-type ftp
    [DeviceB-luser-ftp] authorization-attribute level 3
    [DeviceB-luser-ftp] quit...
    The credentials are placeholders for the example: password simple stores the password in cleartext in the configuration file (password cipher is the alternative keyword), FTP itself carries the password in cleartext on the wire, and authorization-attribute level 3 gives the account the highest privilege level. Use a strong password and remove the account once the key file has been transferred.
  • Page 804 Table of Contents: 1 ACL Overview 1-1; Introduction to ACL 1-1; Introduction 1-1; Application of ACLs on the Switch 1-1; Introduction to IPv4 ACL 1-2; IPv4 ACL Classification 1-2; IPv4 ACL Naming 1-2; IPv4 ACL Match Order 1-3; IPv4 ACL Step 1-4; Effective Period of an IPv4 ACL 1-4; IP Fragments Filtering with IPv4 ACL 1-4; Introduction to IPv6 ACL 1-5...
  • Page 805 Configuring a Basic IPv6 ACL 3-1; Configuration Prerequisites 3-1; Configuration Procedure 3-1; Configuration Example 3-2; Configuring an Advanced IPv6 ACL 3-2; Configuration Prerequisites 3-3; Configuration Procedure 3-3; Configuration Example 3-4; Copying an IPv6 ACL 3-4; Configuration Prerequisites 3-4; Configuration Procedure 3-4; Displaying and Maintaining IPv6 ACLs 3-5; IPv6 ACL Configuration Example 3-5; Network Requirements 3-5; Configuration Procedure 3-5...
  • Page 806: Acl Overview

    ACL Overview In order to filter traffic, network devices use sets of rules, called access control lists (ACLs), to identify and handle packets. When configuring ACLs, go to these chapters for information you are interested in: ACL Overview IPv4 ACL Configuration IPv6 ACL Configuration ACL Application for Packet Filtering Unless otherwise stated, ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document.
  • Page 807: Introduction To Ipv4 Acl

    When an ACL is applied in hardware and referenced by a QoS policy for traffic classification, the switch does not apply the traffic behavior to a packet that matches no rule of the ACL. When an ACL is referenced in software to control Telnet, SNMP, and Web login users, the switch denies all packets that match no rule of the ACL. In other words, a login-control ACL ends in an implicit deny, whereas a classification ACL simply leaves unmatched traffic untouched.
  • Page 808: Ipv4 Acl Match Order

    The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name. IPv4 ACL Match Order An ACL may consist of multiple rules, which specify different matching criteria. These criteria may have overlapping or conflicting parts.
  • Page 809: Ipv4 Acl Step

    Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask. If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks.
  • Page 810: Introduction To Ipv6 Acl

    Introduction to IPv6 ACL This section covers these topics: IPv6 ACL Classification IPv6 ACL Naming IPv6 ACL Match Order IPv6 ACL Step Effective Period of an IPv6 ACL IPv6 ACL Classification IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-2.
  • Page 811: Ipv6 Acl Step

    Sort rules by source IPv6 address prefix first and compare packets against the rule configured with a longer prefix for the source IPv6 address. In case of a tie, compare packets against the rule configured first. Depth-first match for an advanced IPv6 ACL The following shows how your device performs depth-first match in an advanced IPv6 ACL: Look at the protocol type field in the rules first.
  • Page 812: Ipv4 Acl Configuration

    IPv4 ACL Configuration When configuring an IPv4 ACL, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv4 ACL Configuring an Advanced IPv4 ACL Configuring an Ethernet Frame Header ACL Copying an IPv4 ACL Displaying and Maintaining IPv4 ACLs IPv4 ACL Configuration Example Creating a Time Range...
  • Page 813: Configuration Example

    on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
  • Page 814: Configuration Procedure

    Configuration Procedure Follow these steps to configure a basic IPv4 ACL: Enter system view: system-view. Create a basic IPv4 ACL and enter its view: acl number acl-number [ name acl-name ] [ match-order { auto | config } ] (required; the default match order is config. If you specify a name for an IPv4 ACL...
  • Page 815: Configuring An Advanced Ipv4 Acl

    <Sysname> system-view
    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
    # Verify the configuration.
    [Sysname-acl-basic-2000] display acl 2000
    Basic ACL 2000, named -none-, 1 rule, ACL's step is 5
    rule 0 deny source 1.1.1.1 0 (5 times matched)
    Configuring an Advanced IPv4 ACL Advanced IPv4 ACLs match packets based on source IP address, destination IP address, protocol carried over IP, and other protocol header fields, such as the TCP/UDP source port number, TCP/UDP...
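    The example below is added here and is not switch code: a Python model of how a basic IPv4 ACL like the one just configured is evaluated. It covers wildcard-mask matching (the 0 in rule deny source 1.1.1.1 0), the config and auto (depth-first) match orders described under IPv4 ACL Match Order, and the two no-match behaviours noted in the ACL overview (a QoS policy takes no action, login control denies). The ACL contents are constructed; the depth-first ordering for IPv4 (most specific source first, then configuration order) is assumed from the page's IPv6 description, as is the treatment of deny rules by a QoS classifier.

```python
"""Model of basic IPv4 ACL evaluation on the switch: wildcard-mask matching,
config versus auto (depth-first) match order, and how a packet that matches
no rule is treated by a QoS policy versus by login control. Added example."""
from ipaddress import IPv4Address


def _ip(s):
    return int(IPv4Address(s))


def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored. `source 1.1.1.1 0` therefore matches exactly the host 1.1.1.1."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(rule_addr) & care)


def depth_first_order(rules):
    """Assumed depth-first order for a basic IPv4 ACL: the most specific source
    first (fewest 1 bits in the wildcard), ties broken by configuration order
    (rule id), mirroring the page's 'longer prefix first, then configured
    first' rule for IPv6."""
    return sorted(rules, key=lambda r: (bin(_ip(r["wildcard"])).count("1"), r["id"]))


def evaluate(acl, match_order, src):
    """Return (action, rule_id) of the first matching rule, or (None, None)."""
    if match_order == "auto":
        ordered = depth_first_order(acl)
    else:
        ordered = sorted(acl, key=lambda r: r["id"])
    for rule in ordered:
        if wildcard_match(src, rule["source"], rule["wildcard"]):
            return rule["action"], rule["id"]
    return None, None


def login_allowed(acl, match_order, src):
    """ACL referenced in software for Telnet/SNMP/Web login: no match means deny."""
    action, _ = evaluate(acl, match_order, src)
    return action == "permit"


def qos_behavior(acl, match_order, src, behavior):
    """ACL referenced by a QoS classifier: the behavior is applied only to
    packets the ACL permits; a packet matching no rule (or, assumed here, a
    deny rule) is left alone."""
    action, _ = evaluate(acl, match_order, src)
    return behavior if action == "permit" else None


# Constructed ACL 2000 with the default step of 5: a broad permit entered first
# and a narrower deny entered second, so the two match orders disagree.
ACL_2000 = [
    {"id": 0, "action": "permit", "source": "10.1.1.0", "wildcard": "0.0.0.255"},
    {"id": 5, "action": "deny",   "source": "10.1.1.7", "wildcard": "0.0.0.0"},
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(ACL_2000, order, "10.1.1.7"))
```

    With match order config the host 10.1.1.7 is permitted by rule 0 before the deny in rule 5 is ever consulted; with match order auto the host-specific deny wins. That is why a narrow exception must be entered before the broad rule in a config-order ACL, and why the page warns that the match order can only be changed while the ACL is empty.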
  • Page 816: Configuration Example

    To do… Use the command… Remarks rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh Required psh-value | rst rst-value | syn To create or modify multiple rules, syn-value | urg urg-value } * } | repeat this step.
  • Page 817: Configuring An Ethernet Frame Header Acl

    <Sysname> system-view
    [Sysname] acl number 3000
    [Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
    # Verify the configuration.
    [Sysname-acl-adv-3000] display acl 3000
    Advanced ACL 3000, named -none-, 1 rule, ACL's step is 5
    rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (5 times matched)
    Configuring an Ethernet Frame Header ACL Ethernet frame header ACLs match packets based on Layer 2 protocol header fields such as source...
  • Page 818: Configuration Example

    Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
  • Page 819: Displaying And Maintaining Ipv4 Acls

    The source IPv4 ACL and the destination IPv4 ACL must be of the same type. The destination ACL does not take the name of the source IPv4 ACL. Displaying and Maintaining IPv4 ACLs To do... Use the command… Remarks Display information about one or all IPv4 display acl { acl-number | all | Available in any ACLs...
  • Page 820: Configuration Procedure

    Configuration Procedure Create a time range for office hours # Create a periodic time range spanning 8:00 to 18:00 on working days.
    <Switch> system-view
    [Switch] time-range trname 8:00 to 18:00 working-day
    Define an ACL to control access to the salary query server # Configure a rule to control access of the R&D Department to the salary query server.
  • Page 821 [Switch] interface GigabitEthernet 1/0/2
    [Switch-GigabitEthernet1/0/2] qos apply policy p_rd inbound
    [Switch-GigabitEthernet1/0/2] quit
    # Apply QoS policy p_market to interface GigabitEthernet 1/0/3.
    [Switch] interface GigabitEthernet 1/0/3
    [Switch-GigabitEthernet1/0/3] qos apply policy p_market inbound
  • Page 822: Ipv6 Acl Configuration

    IPv6 ACL Configuration When configuring IPv6 ACLs, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv6 ACL Configuring an Advanced IPv6 ACL Copying an IPv6 ACL Displaying and Maintaining IPv6 ACLs IPv6 ACL Configuration Example Creating a Time Range Refer to...
  • Page 823: Configuration Example

    To do… Use the command… Remarks Optional Configure a description description text By default, a basic IPv6 ACL has no ACL for the basic IPv6 ACL description. Optional Configure a rule rule rule-id comment text By default, an IPv6 ACL rule has no rule description description.
  • Page 824: Configuration Prerequisites

    Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they allow more flexible and accurate filtering. Configuration Prerequisites If you want to reference a time range in a rule, define it with the time-range command first. Configuration Procedure Follow these steps to configure an advanced IPv6 ACL: To do…...
  • Page 825: Configuration Example

    When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
  • Page 826: Displaying And Maintaining Ipv6 Acls

    The source IPv6 ACL and the destination IPv6 ACL must be of the same type. The destination ACL does not take the name of the source IPv6 ACL. Displaying and Maintaining IPv6 ACLs To do… Use the command… Remarks Display information about one or all display acl ipv6 { acl6-number | all | Available in any IPv6 ACLs...
  • Page 827 [Switch] traffic classifier c_rd
    [Switch-classifier-c_rd] if-match acl ipv6 2000
    [Switch-classifier-c_rd] quit
    # Configure traffic behavior b_rd to deny matching packets.
    [Switch] traffic behavior b_rd
    [Switch-behavior-b_rd] filter deny
    [Switch-behavior-b_rd] quit
    # Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd.
    [Switch] qos policy p_rd
    [Switch-qospolicy-p_rd] classifier c_rd behavior b_rd
    [Switch-qospolicy-p_rd] quit...
  • Page 828: Acl Application For Packet Filtering

    ACL Application for Packet Filtering When applying an ACL for packet filtering, go to these sections for information you are interested in: Filtering Ethernet Frames Filtering IPv4 Packets Filtering IPv6 Packets Configuring Packet Filtering Statistics Function ACL Application Examples You can apply an ACL to the inbound or outbound direction of an Ethernet interface or VLAN interface to filter received or sent packets such as Ethernet frames, IPv4 packets, and IPv6 packets.
  • Page 829: Filtering Ipv6 Packets

    Configuring Packet Filtering Statistics Function The S5120-EI series provides the packet filtering statistics function so that the device can output packet filtering statistics information at a specified interval. With the output, you are able to know how many packets are filtered by which ACL rules.
  • Page 830: Acl Application Examples

    To do… Use the command… Remarks 0 by default, which means no Set the interval for IPv6 packet acl ipv6 logging frequence packet filtering statistics is filtering statistics frequence collected. If you execute the display acl command to display the information about the ACLs, the device outputs packet filtering statistics except those that have been displayed by the command during that interval.
  • Page 831: Acl Application To A Vlan Interface

    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] packet-filter 2009 inbound
    [DeviceA-GigabitEthernet1/0/1] quit
    # Set the interval for packet filtering statistics to 10 minutes.
    [DeviceA] acl logging frequence 10
    # Configure a system information output rule to output log information with severity being informational to the console.
  • Page 832 System Volume Organization Manual Version 6W100-20090630 Product Version Release 2202 Organization The System Volume is organized as follows: Features Description Upon logging into a device, you can configure user interface properties and manage the system conveniently. This document describes: How to log in to your Ethernet switch Introduction to the user interface and common configurations Logging In Through the Console Port Login...
  • Page 833 Features Description A major function of the file system is to manage storage devices, mainly including creating the file system, creating, deleting, modifying and renaming a file or a directory and opening a file. This document describes: File System File system management Management Configuration File Management FTP configuration...
  • Page 834 Features Description The Power over Ethernet (PoE) feature enables the power sourcing equipment (PSE) to feed powered devices (PDs) from Ethernet ports through twisted pair cables. This document describes: PoE overview Configuring the PoE Interface Configuring PoE power management Configuring the PoE monitoring function Online upgrading the PSE processing software Configuring a PD Disconnection Detection Mode Enabling the PSE to detect nonstandard PDs...
  • Page 835 Features Description A cluster is a group of network devices. Cluster management is to implement management of large numbers of distributed network devices. This document describes: Cluster Management Overview Configuring the Management Device Cluster Management Configuring the Member Devices Configuring Access Between the Management Device and Its Member Devices Adding a Candidate Device to a Cluster Configuring Advanced Cluster Functions...
  • Page 836 Table of Contents: 1 Logging In to an Ethernet Switch 1-1; Logging In to an Ethernet Switch 1-1; Introduction to User Interface 1-1; Supported User Interfaces 1-1; Users and User Interfaces 1-2; User Interface Number 1-2; Common User Interface Configuration 1-2; 2 Logging In Through the Console Port 2-1; Introduction 2-1; Setting Up the Connection to the Console Port 2-1; Console Port Login Configuration 2-3...
  • Page 837 Configuration procedure 4-3; Command Accounting Configuration Example 4-4; Network diagram 4-4; Configuration procedure 4-4; 5 Logging in Through Web-based Network Management System 5-1; Introduction 5-1; Web Server Configuration 5-1; Displaying Web Users 5-2; Configuration Example 5-2; 6 Logging In Through NMS 6-1; Introduction 6-1; Connection Establishment Using NMS 6-1; 7 Specifying Source for Telnet Packets 7-1; Introduction 7-1...
  • Page 838: Logging In To An Ethernet Switch

    Introduction to User Interface Supported User Interfaces Because the AUX port and the Console port of an H3C series switch are the same physical port, you enter the AUX user interface when you log in through this port. The H3C S5120-EI series Ethernet switch supports two types of user interfaces: AUX and VTY.
  • Page 839: Users And User Interfaces

    Users and User Interfaces
    A device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces. These user interfaces are not associated with specific users. When a user initiates a connection request, the system automatically assigns, based on the login type, the idle user interface of that type with the smallest number to the user.
  • Page 840
    …{ login | shell | motd } text | Optional
    Set a system name for the switch | sysname string | Optional; the default name is H3C
    Enter one or more user interface views | user-interface [ type ] first-number [ last-number ] | —
    Display the information about...
  • Page 841: Logging In Through The Console Port

    Logging in through the Console port is the most common way to log in to a switch, and it is also the prerequisite for configuring other login methods. By default, you can log in to an H3C S5120-EI series Ethernet switch through its Console port only.
  • Page 842 If you use a PC to connect to the Console port, launch a terminal emulation utility (such as HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normally, the parameters of a terminal are configured as those listed in Table 2-1.
  • Page 843: Console Port Login Configuration

    Figure 2-4 Set port parameters terminal window
    Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after the user presses the Enter key.
  • Page 844: Common Configuration

    Configuration | Command | Description
    Data bits | databits { 5 | 6 | 7 | 8 } | Optional; by default, a Console port uses 8 data bits.
    Configure the command level available to the users logging in to the AUX user interface | user privilege level level | Optional; by default, commands of level 3 are available to the users...
  • Page 845: Console Port Login Configuration With Authentication Mode Being None

    Authentication mode | Console port login configuration | Description
    Perform common configuration | Perform common configuration for Console port login | Optional; refer to Common Configuration for details.
    AAA configuration | Specify to perform local authentication | Optional; specifies whether to perform local authentication. Local authentication is performed by default.
  • Page 846: Configuration Example

    Configuration Example
    Network requirements
    Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to restrict the console user in the following aspects.
  • Page 847: Console Port Login Configuration With Authentication Mode Being Password

    [Sysname-ui-aux0] idle-timeout 6 After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting Up the Connection to the Console Port for details.
  • Page 848 Network diagram
    Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password)
    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter AUX user interface view.
    [Sysname] user-interface aux 0
    # Specify to authenticate the user logging in through the Console port using the local password.
    [Sysname-ui-aux0] authentication-mode password
    # Set the local password to 123456 (in plain text).
  • Page 849: Console Port Login Configuration With Authentication Mode Being Scheme

    Console Port Login Configuration with Authentication Mode Being Scheme
    Configuration Procedure
    Follow these steps to perform Console port login configuration (with authentication mode being scheme):
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter AUX user interface view | user-interface aux 0 | —...
  • Page 850: Configuration Example

    Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command.
  • Page 851: Configuring Command Authorization

    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password to 123456 (in plain text).
    [Sysname-luser-guest] password simple 123456
    # Set the service type to Terminal.
    [Sysname-luser-guest] service-type terminal
    [Sysname-luser-guest] quit
    # Enter AUX user interface view.
  • Page 852: Configuring Command Accounting

    To do… | Use the command… | Remarks
    Enter AUX user interface view | user-interface aux | —
    Enable command authorization | command authorization | Required; disabled by default, that is, users can execute commands without authorization.
    Configuring Command Accounting
    Command accounting allows the HWTACACS server to record all commands executed on the device regardless of the command execution result.
  • Page 853: Logging In Through Telnet/Ssh

    Logging In Through Telnet/SSH
    Logging In Through Telnet
    When logging in through Telnet, go to these sections for information you are interested in:
    Introduction
    Telnet Connection Establishment
    Telnet Login Configuration with Authentication Mode Being None
    Telnet Login Configuration with Authentication Mode Being Password
    Telnet Login Configuration with Authentication Mode Being Scheme
    Configuring Command Authorization
    Configuring Command Accounting...
  • Page 854 Step 5: Enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <H3C>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 855 Step 4: Enter the password. If the password is correct, the CLI prompt (such as <H3C>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 856: Common Configuration

    Common Configuration
    Table 3-2 lists the common Telnet configuration.
    Table 3-2 Common Telnet configuration
    Configuration | Command | Remarks
    Enter system view | system-view | —
    Make the switch operate as a Telnet server | telnet server enable | By default, a switch does not operate as a Telnet server
    user-interface vty...
  • Page 857: Telnet Login Configuration With Authentication Mode Being None

    Table 3-3 Telnet login configuration tasks when different authentication modes are adopted
    Task | Description
    Telnet Login Configuration with Authentication Mode Being None | Configure not to authenticate users logging in to user interfaces
    Telnet Login Configuration with Authentication Mode Being Password | Configure to authenticate users logging in to user interfaces using a local password and configure the local password...
  • Page 858: Telnet Login Configuration With Authentication Mode Being Password

    Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none)
    Configuration procedure
    # Enter system view, and enable the Telnet service.
    <Sysname> system-view
    [Sysname] telnet server enable
    # Enter VTY 0 user interface view.
    [Sysname] user-interface vty 0
    # Configure not to authenticate Telnet users logging in to VTY 0.
  • Page 859 Configuration Example Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: Authenticate users logging in to VTY 0 using the local password. Set the local password to 123456 (in plain text). Commands of level 2 are available to users logging in to VTY 0.
  • Page 860: Telnet Login Configuration With Authentication Mode Being Scheme

    Telnet Login Configuration with Authentication Mode Being Scheme
    Configuration Procedure
    Follow these steps to perform Telnet configuration (with authentication mode being scheme):
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter one or more VTY user interface views | user-interface vty | —...
  • Page 861 When the RADIUS or HWTACACS authentication mode is used, the user levels are set on the corresponding RADIUS or HWTACACS servers. For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security Volume. Configuration Example Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: Configure the name of the local user to be “guest”.
  • Page 862: Logging In Through Ssh

    # Configure to authenticate users logging in to VTY 0 in the scheme mode.
    [Sysname-ui-vty0] authentication-mode scheme
    # Configure the Telnet protocol to be supported.
    [Sysname-ui-vty0] protocol inbound telnet
    # Set the maximum number of lines the screen can contain to 30.
    [Sysname-ui-vty0] screen-length 30
    # Set the maximum number of commands the history command buffer can store to 20.
  • Page 863: Configuring Command Accounting

    Configuring Command Accounting Command accounting allows the HWTACACS server to record all commands executed on the device regardless of the command execution result. This helps control and monitor the user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command will be recorded on the HWTACACS server.
  • Page 864: User Interface Configuration Examples

    User Interface Configuration Examples User Authentication Configuration Example Network diagram As shown in Figure 4-1, command levels should be configured for different users to secure Device: The device administrator accesses Device through the console port on Host A. When the administrator logs in to the device, username and password are not required.
  • Page 865: Command Authorization Configuration Example

    [Device-ui-vty0-4] quit
    # Create a RADIUS scheme and configure the IP address and UDP port for the primary authentication server for the scheme. Ensure that the port number is consistent with that on the RADIUS server. Set the shared key for authentication packets to expert for the scheme and the RADIUS server type of the scheme to extended.
  • Page 866: Configuration Procedure

    Configuration procedure
    # Assign an IP address to Device so that Device is reachable from Host A and from the HWTACACS server. The configuration is omitted.
    # Enable the Telnet service on Device.
    <Device> system-view
    [Device] telnet server enable
    # Set to use username and password authentication when users use VTY 0 to log in to Device. The commands that the user can execute depend on the authentication result.
  • Page 867: Command Accounting Configuration Example

    Command Accounting Configuration Example
    Network diagram
    As shown in Figure 4-3, configure the commands that the login users execute to be recorded on the HWTACACS server to control and monitor user operations.
    Figure 4-3 Network diagram for configuring command accounting (HWTACACS server 192.168.2.20/24; console connection...)
  • Page 868
    [Device-radius-rad] quit
    # Create ISP domain system, and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users.
    [Device] domain system
    [Device-isp-system] accounting command hwtacacs-scheme tac
    [Device-isp-system] quit...
  • Page 869: Introduction

    Logging in Through Web-based Network Management System Introduction An S5120-EI series switch has a built-in Web server. You can log in to an S5120-EI series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 870: Displaying Web Users

    To do… | Use the command… | Remarks
    Specify the service types for the local user | service-type telnet | Optional; by default, no service is authorized to a user.
    Start the Web server | ip http enable | Required; execute this command in system view.
    Displaying Web Users
    After the above configurations, execute the display command in any view to display the information about Web users, and thus to verify the configuration effect.
  • Page 871 Step 4: Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.) Step 5: When the login interface (shown in Figure...
  • Page 872: Logging In Through Nms

    Logging In Through NMS
    When logging in through NMS, go to these sections for information you are interested in:
    Introduction
    Connection Establishment Using NMS
    Introduction
    You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
  • Page 873: Specifying Source For Telnet Packets

    Specifying Source for Telnet Packets
    When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in:
    Introduction
    Specifying Source IP address/Interface for Telnet Packets
    Displaying the source IP address/Interface Specified for Telnet Packets
    Introduction
    To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
  • Page 874: Displaying The Source Ip Address/Interface Specified For Telnet Packets

    To do… | Use the command… | Remarks
    Specify source IP address/interface for Telnet packets | telnet client source { ip ip-address | interface interface-type interface-number } | Optional; by default, no source IP address/interface is specified. The IP address specified must be a local IP address. When specifying the source interface for Telnet packets, make sure the interface already exists.
  • Page 875: Controlling Login Users

    Controlling Login Users
    When controlling login users, go to these sections for information you are interested in:
    Introduction
    Controlling Telnet Users
    Controlling Network Management Users by Source IP Addresses
    Introduction
    Multiple ways are available for controlling different types of login users, as listed in Table 8-1.
  • Page 876: Controlling Telnet Users By Source And Destination Ip Addresses

    To do… | Use the command… | Remarks
    Define rules for the ACL | rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* | Required
    Quit to system view | quit | —...
  • Page 877: Controlling Telnet Users By Source Mac Addresses

    Controlling Telnet Users by Source MAC Addresses This configuration needs to be implemented by Layer 2 ACL; a Layer 2 ACL ranges from 4000 to 4999. For the definition of ACL, refer to ACL Configuration in the Security Volume. Follow these steps to control Telnet users by source MAC addresses: To do…...
  • Page 878: Controlling Network Management Users By Source Ip Addresses

    [Sysname-ui-vty0-4] acl 2000 inbound
    Controlling Network Management Users by Source IP Addresses
    You can manage an H3C S5120-EI series Ethernet switch through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 879: Configuration Example

    # Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch.
    [Sysname] snmp-agent community read h3c acl 2000
    [Sysname] snmp-agent group v2c h3cgroup acl 2000
    [Sysname] snmp-agent usm-user v2c h3cuser h3cgroup acl 2000...
  • Page 880: Controlling Web Users By Source Ip Addresses

    Controlling Web Users by Source IP Addresses The S5120-EI series Ethernet switches support Web-based remote management, which allows Web users to access the switches using the HTTP protocol. By referencing access control lists (ACLs), you can control the access of Web users to the switches.
  • Page 881
    Figure 8-3 Configure an ACL to control the access of HTTP users to the switch (Host A 10.110.100.46 and Host B 10.110.100.52 reach Switch over an IP network)
    Configuration procedure
    # Create a basic ACL.
    <Sysname> system-view
    [Sysname] acl number 2030 match-order config
    [Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
    # Reference the ACL to allow only Web users using IP address 10.110.100.52 to access the switch.
  • Page 882 Table of Contents
    1 Basic Configurations 1-1
      Configuration Display 1-1
      Basic Configurations 1-1
        Entering/Exiting System View 1-2
        Configuring the Device Name 1-2
        Configuring the System Clock 1-2
        Enabling/Disabling the Display of Copyright Information 1-5
        Configuring a Banner 1-6
        Configuring CLI Hotkeys 1-7
        Configuring Command Aliases 1-8
        Configuring User Privilege Levels and Command Levels 1-9
        Displaying and Maintaining Basic Configurations 1-14
      CLI Features 1-15...
  • Page 883: Basic Configurations

    Basic Configurations
    While performing basic configurations of the system, go to these sections for information you are interested in:
    Configuration Display
    Basic Configurations
    CLI Features
    Configuration Display
    To avoid duplicate configuration, you can use the display commands to view the current configuration of the device before configuring the device.
  • Page 884: Entering/Exiting System View

    Configure the device name | sysname sysname | Optional; the device name is “H3C” by default.
    Configuring the System Clock
    Configuring the system clock
    The system clock, displayed by system time stamp, is decided by the configured relative time, time zone, and daylight saving time. You can view the system clock by using the display clock command.
  • Page 885
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Set the time zone | clock timezone zone-name { add | minus } zone-offset | Optional
    Set a daylight saving time scheme | clock summer-time zone-name one-off start-time start-date end-time end-date add-time | Optional; use either command
    | clock summer-time zone-name repeating start-time start-date end-time end-date add-time...
  • Page 886
    … | Configuration Example | System clock displayed by the display clock command
    … | Configure: clock datetime 1:00 2007/1/1 and clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2 | If date-time is not in the daylight saving time range, date-time is displayed. Display: 01:00:00 UTC Mon 01/01/2007
    1 and 3 | Configure: clock datetime 8:00 2007/1/1 … | If date-time is in the daylight saving...
  • Page 887: Enabling/Disabling The Display Of Copyright Information

    The display format of copyright information is as shown below: **************************************************************************** * Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.* * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed.
  • Page 888: Configuring A Banner

    Configuring a Banner Introduction to banners Banners are prompt information displayed by the system when users are connected to the device, perform login authentication, and start interactive configuration. The administrator can set corresponding banners as needed. At present, the system supports the following five kinds of welcome information. shell banner, also called session banner, displayed when a non TTY Modem user enters user view.
  • Page 889: Configuring Cli Hotkeys

    To do… | Use the command… | Remarks
    Configure the banner to be displayed when a user enters user view (non Modem login users) | header shell text | Optional
    Configure the banner to be displayed before login | header motd text | Optional
    Configuring CLI Hotkeys
    Follow these steps to configure CLI hotkeys:
    To do…...
  • Page 890: Configuring Command Aliases

    Hotkey | Function
    Ctrl+X | Deletes all the characters to the left of the cursor.
    Ctrl+Y | Deletes all the characters to the right of the cursor.
    Ctrl+Z | Exits to user view.
    Ctrl+] | Terminates an incoming connection or a redirect connection.
    Esc+B | Moves the cursor to the leading character of the continuous string to the left.
    Esc+D | Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor.
  • Page 891: Configuring User Privilege Levels And Command Levels

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the command alias function | command-alias enable | Required; disabled by default, that is, you cannot configure command aliases.
    Configure command aliases | command-alias mapping cmdkey alias | Required; not configured by default.
    Configuring User Privilege Levels and Command Levels
    Introduction
    To restrict the different users’...
  • Page 892 Follow these steps to configure user privilege level by using AAA authentication parameters:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter user interface view | user-interface [ type ] first-number [ last-number ] | —
    Configure the authentication mode for logging in to the user interface | authentication-mode scheme | Required; by default, the authentication...
  • Page 893
    [Sysname-luser-test] password cipher 123
    [Sysname-luser-test] service-type telnet
    After the above configuration, when users telnet to the device through VTY 1, they need to input username test and password 123. After passing the authentication, users can only use the commands of level 0. If the users need to use commands of levels 0, 1, 2 and 3, the following configuration is required:
    [Sysname-luser-test] authorization-attribute level 3
    Configure the user privilege level under a user interface...
  • Page 894
    To do… | Use the command… | Remarks
    Configure the privilege level of the user logging in from the current user interface | user privilege level level | Optional; by default, the user privilege level for users logging in from the console user interface is 3, and that for users logging in from the other user interfaces is 0.
  • Page 895
    undo   Cancel current setting
    Authenticate the users logging in to the device through Telnet, verify their passwords, and specify the user privilege level as 2.
    <Sysname> system-view
    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode password
    [Sysname-ui-vty0-4] set authentication password cipher 123
    [Sysname-ui-vty0-4] user privilege level 2
    By default, when users log in to the device through Telnet, they can use the commands of level 0 after passing the authentication.
  • Page 896: Displaying And Maintaining Basic Configurations

    When you configure the password for switching user privilege level with the super password command, the user privilege level is 3 if no user privilege level is specified. The password for switching user privilege level can be displayed in both cipher text and simple text. You are recommended to adopt the former as the latter is easily cracked.
  • Page 897: Cli Features

    During daily maintenance or when the system is operating abnormally, you need to view each module’s running status to find the problem. Therefore, you are required to execute the corresponding display commands one by one. To collect more information one time, you can execute the display diagnostic-information command in any view to display or save statistics of each module’s running status.
  • Page 898: Online Help With Command Lines

    file for next startup, you need to input st s at least; to enter system view, you need to input sy at least. You can press Tab to complement the command, or you can input the complete command. Online Help with Command Lines The following are the types of online help available with the CLI: Full help Fuzzy help...
  • Page 899: Synchronous Information Output

    Enter a command followed by a character string and a ?. All the keywords starting with this string are listed. <Sysname> display ver? version Press Tab after entering the first several letters of a keyword to display the complete keyword, provided these letters can uniquely identify the keyword in this command.
  • Page 900: Cli Display

    Function Pressing Tab after entering part of a keyword enables the fuzzy help function. If finding a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line; when there are several matches, if you repeatedly press Tab, all the keywords starting with the letter that you enter are displayed in cycles.
  • Page 901
    Character | Meaning | Remarks
    string$ | Ending sign; string appears only at the end of a line. | For example, regular expression "user$" only matches a string ending with "user", not "userA".
    . | Full stop, a wildcard used in place of any character, including a single character, ... | For example, ".l" can match "vlan" or "mpls".
  • Page 902
    Character | Meaning | Remarks
    \<string | Used to match a character string starting with string. | For example, "\<do" can match word "domain" or string "doa".
    string\> | Used to match a character string ending with string. | For example, "do\>" can match word "undo" or string "abcdo".
    … | Used to match character1character2. | …
  • Page 903: Saving History Commands

    Table 1-6 Display functions
    Action | Function
    Press Space when information display pauses | Continues to display information of the next screen page.
    Press Enter when information display pauses | Continues to display information of the next line.
    Press Ctrl+C when information display pauses | Stops the display and the command execution.
  • Page 904: Command Line Error Information

    Command Line Error Information The commands are executed only if they have no syntax error. Otherwise, error information is reported. Table 1-7 lists some common errors. Table 1-7 Common command line errors Error information Cause The command was not found. The keyword was not found.
  • Page 905 Table of Contents
    1 Device Management 1-1
      Device Management Overview 1-1
      Device Management Configuration Task List 1-1
      Configuring the Exception Handling Method 1-1
      Rebooting a Device 1-2
      Configuring the Scheduled Automatic Execution Function 1-3
      Specifying a Boot File for the Next Device Boot 1-4
      Disabling Boot ROM Access 1-4
      Upgrading Boot ROM 1-5
      Configuring a Detection Interval 1-5...
  • Page 906: Device Management Overview

    Device Management
    When configuring device management, go to these sections for information you are interested in:
    Device Management Overview
    Device Management Configuration Task List
    Configuring the Exception Handling Method
    Rebooting a Device
    Configuring the Scheduled Automatic Execution Function
    Specifying a Boot File for the Next Device Boot
    Disabling Boot ROM Access
    Upgrading Boot ROM
    Configuring a Detection Interval...
  • Page 907: Rebooting A Device

    reboot: The system recovers itself through automatic reboot.
    maintain: The system maintains the current situation and does not take any measure to recover itself. Therefore, you need to recover the system manually, for example by rebooting it. Sometimes it is difficult for the system to recover, or some prompts that are printed during the failure are lost after the reboot.
  • Page 908: Configuring The Scheduled Automatic Execution Function

    Use the save command to save the current configuration before you reboot the device to avoid configuration loss. (For details of the save command, refer to File System Management Configuration in the System Volume.) Use the display startup command and the display boot-loader command to verify the configuration files and the startup file to be used at the next system startup before you reboot the device.
  • Page 909: Specifying A Boot File For The Next Device Boot

    After the specified automatic execution time is reached, the system executes the specified command in the background without displaying any information except system information such as log, trap and debug. The system does not require any interactive information when it is executing the specified command.
  • Page 910: Upgrading Boot Rom

    In addition, you need to set the Boot ROM access password when you enter the Boot ROM menu for the first time to protect the Boot ROM against operations of illegal users. You can use the display startup command to view the status of the Boot ROM access function. For the detailed description of the display startup command, refer to File System Management in the System Volume.
  • Page 911: Clearing The 16-Bit Interface Indexes Not Used In The Current System

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure a detection interval | shutdown-interval time | Optional; the detection interval is 30 seconds by default.
    Clearing the 16-bit Interface Indexes Not Used in the Current System
    In practical networks, the network management software requires the device to provide a uniform, stable 16-bit interface index.
  • Page 912: Identifying Pluggable Transceivers

    H3C
    You can use the Vendor Name field in the prompt information of the display transceiver command to identify an anti-spoofing pluggable transceiver customized by H3C. If the field is H3C, it is considered an H3C-customized pluggable transceiver.
  • Page 913: Diagnosing Pluggable Transceivers

    The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers. Optical transceivers customized by H3C also support the digital diagnosis function, which monitors the key parameters of a transceiver, such as temperature, voltage, laser bias current, TX power, and RX power.
  • Page 914: Device Management Configuration Examples

    To do… / Use the command… / Remarks:
    Display detailed configurations of the scheduled automatic execution function: display schedule job (Available in any view)
    Display the exception handling methods: display system-failure (Available in any view)
    Device Management Configuration Examples. Remote Scheduled Automatic Upgrade Configuration Example (Centralized Device). Network requirement: As shown in Figure...
  • Page 915: Remote Scheduled Automatic Upgrade Configuration Example (Centralized Stacking Device)

    Use a text editor on the FTP server to edit the batch file auto-update.txt. The content of the batch file is as follows:
    return
    startup saved-configuration new-config.cfg
    boot-loader file soft-version2.bin main
    reboot
    Configuration on Device # Log in to the FTP server (note that the prompt may vary with servers.) <Device>...
  • Page 916 Obtain the boot file and configuration file through legitimate channels, such as the official website of H3C, agents, and technical staff. Save these files under the working path of the TFTP server for the access of the TFTP clients.
  • Page 917 Please wait ... Setting the master board ..Done! Setting the slave board ... Slot 2: Set next configuration file successfully
    # Specify file soft-version2.bin as the boot file for the next boot for all members.
    <IRF> boot-loader file soft-version2.bin slot all main
    This command will set the boot file of the specified board.
  • Page 918 Table of Contents: 1 File System Management Configuration 1-1; File System Management 1-1; File System Overview 1-1; Filename Formats 1-1; Directory Operations 1-2; File Operations 1-3; Batch Operations 1-5; Storage Medium Operations 1-6; Setting File System Prompt Modes 1-6; File System Operations Example 1-7; Configuration File Management 1-7; Configuration File Overview 1-8; Saving the Current Configuration 1-9...
  • Page 919 Single Device Upgrade 3-4; Stacking System Upgrade 3-5...
  • Page 920: File System Management Configuration

    File System Management Configuration When configuring file system management, go to these sections for information you are interested in: File System Management Configuration File Management Displaying and Maintaining Device Configuration File System Management This section covers these topics: File System Overview Filename Formats Directory Operations File Operations...
  • Page 921: Directory Operations

    ID. For the S5120-EI series, when you specify a configuration file (.cfg file), startup file (.bin file), or Boot ROM file by entering its name in the format drive:/[path]/file-name, the total length of the name cannot exceed 63 characters.
  • Page 922: File Operations

    Changing the current working directory. To do… / Use the command… / Remarks:
    Change the current working directory: cd { directory | .. | / } (Required; available in user view)
    Creating a directory. Create a directory: mkdir directory (Required; available in user view)
    Removing a directory...
  • Page 923 Displaying file information. To do… / Use the command… / Remarks:
    Display file or directory information: dir [ /all ] [ file-url ] (Required; available in user view)
    Displaying the contents of a file. Display the contents of a file: more file-url (Required; currently only a .txt file can be displayed.)
  • Page 924: Batch Operations

    The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, you need to execute the reset recycle-bin command in the directory to which the file originally belonged. It is recommended to empty the recycle bin promptly with the reset recycle-bin command to save storage space.
  • Page 925: Storage Medium Operations

    Execution of a batch file does not guarantee the successful execution of every command in the batch file. If a command has incorrect settings or the conditions for executing the command are not satisfied, the system skips the command and proceeds to the next one. Storage Medium Operations. Managing space of the storage medium: When some space of a storage medium becomes inaccessible due to abnormal operations, for example,...
  • Page 926: File System Operations Example

    To prevent undesirable consequences resulting from misoperations, the alert mode is preferred. To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Set the operation prompt mode of the file system: file prompt { alert | quiet } (Optional; the default is alert.)
  • Page 927: Configuration File Overview

    Saving the Current Configuration Setting Configuration Rollback Specifying a Startup Configuration File for the Next System Startup Backing Up the Startup Configuration File Deleting the Startup Configuration File for the Next Startup Restoring the Startup Configuration File Displaying and Maintaining Device Configuration Configuration File Overview A configuration file saves the device configurations in command lines in text format.
  • Page 928: Saving The Current Configuration

    At any time, there is at most one main startup configuration file and one backup startup configuration file. You can specify neither of the two files (displayed as NULL), or specify the same configuration file as both. You can specify the main and backup startup configuration files for the next boot of the device in the following two ways: Specify them when saving the current configuration.
  • Page 929 To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Enable configuration file auto-update on the slave: slave auto-update config (Optional; enabled by default.)
    Modes for saving the configuration: Fast saving mode. This is the mode used when you issue the save command without the safely keyword. This mode saves the file more quickly but is likely to lose the existing configuration file if the device reboots or the power fails during the process.
  • Page 930: Setting Configuration Rollback

    Setting Configuration Rollback Configuration rollback allows you to revert to a previous configuration state based on a specified configuration file. The specified configuration file must be a valid .cfg file, namely, it can be generated by using either the backup function (manually or automatically) or the save command, and even the compatible configuration file of another device.
  • Page 931 Configuration task list. Complete these tasks to configure configuration rollback (Task / Remarks):
    Configuring parameters for saving the current running configuration: Required
    Saving the current running configuration automatically / Saving the current running configuration manually: Required; use at least one approach
    Setting configuration rollback: Required
    Configuring parameters for saving the current running configuration...
  • Page 932 The saving and rollback operations are executed only on the master. To make the configuration rollback take effect on the new master after an active/standby switchover, execute the archive configuration location command to specify the path and filename prefix of the saved configuration file on both the master and slaves.
  • Page 933 Saving the current running configuration manually: Automatic saving of the current running configuration occupies system resources, and frequent saving greatly affects system performance. Therefore, if the system configuration does not change frequently, it is recommended that you disable automatic saving of the current running configuration and save it manually.
  • Page 934: Specifying A Startup Configuration File For The Next System Startup

    Specifying a Startup Configuration File for the Next System Startup A startup configuration file is the configuration file to be used at the next system startup. You can specify a configuration file as the startup configuration file to be used at the next system startup in the following two ways: Use the save command.
  • Page 935: Deleting The Startup Configuration File For The Next Startup

    Before the backup operation, you should: Ensure that the server is reachable, the server is enabled with TFTP service, and the client has permission to read and write. Use the display startup command (in user view) to see whether you have set the startup configuration file, and use the dir command to see whether this file exists.
  • Page 936: Displaying And Maintaining Device Configuration

    To do… / Use the command… / Remarks:
    Restore the startup configuration file to be used at the next system startup: restore startup-configuration from src-addr src-filename (Required; available in user view)
    The restore operation restores the main startup configuration file. Before restoring a configuration file, you should ensure that the server is reachable, the server is enabled with TFTP service, and the client has read and write permission.
  • Page 937: Ftp Configuration

    FTP Configuration When configuring FTP, go to these sections for information you are interested in: FTP Overview Configuring the FTP Client Configuring the FTP Server Displaying and Maintaining FTP FTP Overview Introduction to FTP The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network.
  • Page 938 Table 2-1 Configuration when the device serves as the FTP client (Device / Configuration / Remarks):
    Device (FTP client): Use the ftp command to establish the connection to the remote FTP server. If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP...
  • Page 939: Configuring The Ftp Client

    Configuring the FTP Client Establishing an FTP Connection To access an FTP server, an FTP client must establish a connection with the FTP server. Two ways are available to establish a connection: using the ftp command to establish the connection directly; using the open command in FTP client view.
  • Page 940: Establishing An Ftp Connection

    If no primary IP address is configured on the specified source interface, no FTP connection can be established. If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the newly configured source IP address will take effect instead of the current source interface, and vice versa.
  • Page 941 To do… / Use the command… / Remarks:
    View the detailed information of the files/directories on the FTP server: dir [ remotefile [ localfile ] ] (Optional)
    View the names of the files/directories on the FTP server: ls [ remotefile [ localfile ] ] (Optional)
    Download a file from the FTP server: get remotefile [ localfile ]...
  • Page 942: Ftp Client Configuration Example

    FTP Client Configuration Example Single Device Upgrade Network requirements As shown in Figure 2-2, use Device as an FTP client and PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between Device and PC. Device downloads a startup file from PC for device upgrade, and uploads the configuration file to PC for backup.
  • Page 943: Stacking System Upgrade

    [ftp] put config.cfg back-config.cfg
    227 Entering Passive Mode (10,1,1,1,4,2).
    125 ASCII mode data connection already open, transfer starting for /config.cfg.
    226 Transfer complete.
    FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
    [ftp] bye
    # Specify newest.bin as the main startup file to be used at the next startup.
    <Sysname>...
  • Page 944 Configuration procedure If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use and then perform the following operations. # Log in to the server through FTP.
  • Page 945: Configuring The Ftp Server

    <Sysname> reboot The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume.
  • Page 946: Configuring Authentication And Authorization On The Ftp Server

    To do… / Use the command… / Remarks:
    Manually release the FTP connection established with the specified username: free ftp user username (Optional; available in user view)
    Configuring Authentication and Authorization on the FTP Server: To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account.
  • Page 947: Ftp Server Configuration Example

    FTP Server Configuration Example Single Device Upgrade Network requirements As shown in Figure 2-4, use Device as an FTP server, and the PC as the FTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC.
  • Page 948 -rw- 478164 Apr 26 2000 14:52:35 s5120ei_505.btm
    -rw- Apr 26 2000 12:04:04 patch_xxx.bin
    -rw- 2337 Apr 26 2000 14:16:48 sfp.cfg
    -rw- 2195 Apr 26 2000 14:10:41 5120ei.cfg
    31496 KB total (11004 KB free)
    <Sysname> delete /unreserved flash:/sfp.cfg
    Configure the PC (FTP Client) # Log in to the FTP server through FTP.
  • Page 949: Stacking System Upgrade

    The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. Stacking System Upgrade Network requirements As shown in...
  • Page 950 [Sysname] quit
    # Check files on your device. Remove those that are redundant to ensure adequate space for the startup file to be uploaded.
    <Sysname> dir
    Directory of flash:/
    -rw- 10471471 Sep 18 2008 02:45:15 s5120eih3c-d501.bin
    -rw- 9989823 Jul 14 2008 19:30:46 s5120eih3cd_b57.bin
    -rw- Apr 26 2000 12:04:33...
  • Page 951: Displaying And Maintaining Ftp

    <Sysname> copy newest.bin slot2#flash:/
    # Specify newest.bin as the main startup file to be used at the next startup for all the member devices.
    <Sysname> boot-loader file newest.bin slot all main
    This command will set the boot file of the specified board. Continue? [Y/N]:y
    The specified file will be used as the main boot file at the next reboot on slot 1!
    The specified file will be used as the main boot file at the next reboot on slot 2!
    # Reboot the device; the startup file is updated at the system reboot.
  • Page 952: Tftp Configuration

    TFTP Configuration When configuring TFTP, go to these sections for information you are interested in: TFTP Overview Configuring the TFTP Client Displaying and Maintaining the TFTP Client TFTP Client Configuration Example TFTP Overview Introduction to TFTP The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less complex than FTP in interactive access interface and authentication.
  • Page 953: Configuring The Tftp Client

    When the device serves as the TFTP client, you need to perform the following configuration: Table 3-1 Configuration when the device serves as the TFTP client Device Configuration Remarks Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available.
  • Page 954: Displaying And Maintaining The Tftp Client

    Follow these steps to configure the TFTP client. To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Control the access to the TFTP servers from the device through an ACL: tftp-server [ ipv6 ] acl acl-number (Optional; by default, access to the TFTP servers from the device is not controlled.)
  • Page 955: Tftp Client Configuration Example

    TFTP Client Configuration Example Single Device Upgrade Network requirements As shown in Figure 3-2, use a PC as the TFTP server and Device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC.
  • Page 956 The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. Stacking System Upgrade Network requirements As shown in...
  • Page 957 Download application file newest.bin from PC to the root directory of the storage medium on the master.
    <Sysname> tftp 1.2.1.1 get newest.bin
    Download application file newest.bin from PC to the root directory of the storage medium on a slave (with the member ID 2).
    <Sysname>...
  • Page 958 Table of Contents: 1 HTTP Configuration 1-1; HTTP Overview 1-1; How HTTP Works 1-1; Logging In to the Device Through HTTP 1-1; Protocols and Standards 1-1; Enabling the HTTP Service 1-1; Configuring the Port Number of the HTTP Service 1-2; Associating the HTTP Service with an ACL 1-2; Displaying and Maintaining HTTP 1-2; 2 HTTPS Configuration 2-1; HTTPS Overview 2-1...
  • Page 959: Http Overview

    HTTP Configuration When configuring HTTP, go to these sections for information you are interested in: HTTP Overview Enabling the HTTP Service HTTP Configuration Associating the HTTP Service with an ACL Displaying and Maintaining HTTP HTTP Overview The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet.
  • Page 960: Configuring The Port Number Of The Http Service

    Follow these steps to enable the HTTP service. To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Enable the HTTP service: ip http enable (Required)
    Configuring the Port Number of the HTTP Service: Changing the port number of the HTTP service can reduce attacks on the HTTP service from unauthorized users.
  • Page 961: Https Configuration

    HTTPS Configuration When configuring HTTPS, go to these sections for information you are interested in: HTTPS Overview HTTPS Configuration Task List Associating the HTTPS Service with an SSL Server Policy Enabling the HTTPS Service Associating the HTTPS Service with a Certificate Attribute Access Control Policy Configuring the Port Number of the HTTPS Service Associating the HTTPS Service with an ACL Displaying and Maintaining HTTPS...
  • Page 962: Associating The Https Service With An Ssl Server Policy

    Configuration task / Remarks:
    Configuring the Port Number of the HTTPS Service: Optional
    Associating the HTTPS Service with an ACL: Optional
    Associating the HTTPS Service with an SSL Server Policy: You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service.
  • Page 963: Associating The Https Service With A Certificate Attribute Access Control Policy

    After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration. Enabling of the HTTPS service will trigger an SSL handshake negotiation process. During the process, if the local certificate of the device already exists, the SSL negotiation is successfully performed, and the HTTPS service can be started normally.
  • Page 964: Associating The Https Service With An Acl

    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Configure the port number of the HTTPS service: ip https port port-number (Optional; by default, the port number of the HTTPS service is 443. If you execute the ip https port command multiple times, the last configured port number is used.)
    Associating the HTTPS Service with an ACL: Associating the HTTPS service with an ACL filters out requests from clients that do not pass the ACL, so that only clients permitted by the ACL are served.
  • Page 965 Figure 2-1 Network diagram for HTTPS configuration. Configuration procedure: Perform the following configurations on Device. Apply for a certificate for Device.
    # Configure a PKI entity.
    <Device> system-view
    [Device] pki entity en
    [Device-pki-entity-en] common-name http-server1
    [Device-pki-entity-en] fqdn ssl.security.com
    [Device-pki-entity-en] quit
    # Configure a PKI domain.
  • Page 966 # Configure certificate access control policy myacp and create a control rule.
    [Device] pki certificate access-control-policy myacp
    [Device-pki-cert-acp-myacp] rule 1 permit mygroup1
    [Device-pki-cert-acp-myacp] quit
    Reference an SSL server policy
    # Associate the HTTPS service with the SSL server policy myssl.
    [Device] ip https ssl-server-policy myssl
    Associate the HTTPS service with a certificate attribute access control policy
    # Associate the HTTPS service with certificate attribute access control policy myacp.
  • Page 967 Table of Contents: 1 SNMP Configuration 1-1; SNMP Overview 1-1; SNMP Mechanism 1-1; SNMP Protocol Version 1-2; MIB Overview 1-2; SNMP Configuration 1-3; Configuring SNMP Logging 1-5; Introduction to SNMP Logging 1-5; Enabling SNMP Logging 1-5; SNMP Trap Configuration 1-6; Enabling the Trap Function 1-6; Configuring Trap Parameters 1-7; Displaying and Maintaining SNMP 1-8; SNMP Configuration Example 1-9...
  • Page 968: Snmp Configuration

    SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview SNMP Configuration Configuring SNMP Logging SNMP Trap Configuration Displaying and Maintaining SNMP SNMP Configuration Example SNMP Logging Configuration Example SNMP Overview Simple Network Management Protocol (SNMP) offers a framework to monitor network devices through TCP/IP protocol suite.
  • Page 969: Snmp Protocol Version

    SNMP Protocol Version: Currently, SNMP agents support SNMPv3 and are compatible with SNMPv1 and SNMPv2c. SNMPv1 uses a community name for authentication, which defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets whose community names do not pass authentication on the device are simply discarded.
  • Page 970: Snmp Configuration

    Configure SNMP agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } } (Optional; the defaults are Hangzhou H3C Tech. Co., Ltd. for contact, Hangzhou China for location, and SNMPv3 for the version.)
  • Page 971 Configure SNMP agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (Required; the defaults are Hangzhou H3C Tech. Co., Ltd. for contact, Hangzhou China for location, and SNMPv3 for the version.)
  • Page 972: Configuring Snmp Logging

    To do… / Use the command… / Remarks:
    Create or update MIB view content for an SNMP agent: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ] (Optional; ViewDefault by default)
    The validity of a USM user depends on the engine ID of the SNMP agent. If the engine ID at the time the USM user is created is not identical to the current engine ID, the USM user is invalid.
  • Page 973: Snmp Trap Configuration

    Logs occupy storage space of the device, thus affecting the performance of the device. Therefore, it is recommended to disable SNMP logging. The size of SNMP logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record cannot exceed 1K bytes;...
  • Page 974: Configuring Trap Parameters

    To enable an interface to send linkUp/linkDown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command to enable this function globally.
  • Page 975: Displaying And Maintaining Snmp

    To do… / Use the command… / Remarks:
    Configure the holding time of the traps in the queue: snmp-agent trap life seconds (Optional; 120 seconds by default)
    An extended linkUp/linkDown trap is the standard linkUp/linkDown trap (defined in the RFC) appended with interface description and interface type information. If the extended messages are not supported on the NMS, disable this function to let the device send standard linkUp/linkDown traps.
  • Page 976: Snmp Configuration Example

    SNMP Configuration Example Network requirements The NMS connects to the agent, a switch, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the switch is 1.1.1.1/24. The NMS monitors and manages the agent using SNMPv2c. The agent reports errors or faults to the NMS.
  • Page 977: Snmp Logging Configuration Example

    With SNMPv2c, the user needs to specify the read-only community, the read-write community, the timeout, and the number of retries. The user can query and configure the device through the NMS. The configurations on the agent and the NMS must match. SNMP Logging Configuration Example. Network requirements: The NMS and the agent are connected through an Ethernet...
  • Page 978 # Enable SNMP logging on the agent to log the GET and SET operations of the NMS. [Sysname] snmp-agent log get-operation [Sysname] snmp-agent log set-operation The following log information is displayed on the terminal when the NMS performs the GET operation to the agent.
  • Page 979: Mib Style Configuration

    MIB style, the device sysOID is under H3C's enterprise ID 25506, and the private MIB is under the enterprise ID 2011. In the H3C new MIB style, both the device sysOID and the private MIB are under H3C's enterprise ID 25506. These two styles of MIBs implement the same management functions except for their root nodes.
  • Page 980 Table of Contents: 1 RMON Configuration 1-1; RMON Overview 1-1; Introduction 1-1; Working Mechanism 1-1; RMON Groups 1-2; Configuring RMON 1-3; Configuration Prerequisites 1-3; Configuration Procedure 1-3; Displaying and Maintaining RMON 1-5; RMON Configuration Example 1-5...
  • Page 981: Rmon Configuration

    RMON Configuration When configuring RMON, go to these sections for information you are interested in: RMON Overview Configuring RMON Displaying and Maintaining RMON RMON Configuration Example RMON Overview This section covers these topics: Introduction RMON Groups Introduction Remote Monitoring (RMON) is implemented based on the Simple Network Management Protocol (SNMP) and is fully compatible with the existing SNMP framework without the need of any modification on SNMP.
  • Page 982: Rmon Groups

    Among the ten RMON groups defined by the RMON specification (RFC 1757), the device supports the event group, alarm group, history group and statistics group. In addition, H3C defines and implements a private alarm group, which extends the functions of the alarm group. This section describes these five groups in general.
  • Page 983: Configuring Rmon

    If the sampled value crosses the same threshold several times in a row, only the first crossing triggers an alarm event; rising and falling alarms therefore alternate. History group The history group periodically collects statistics on interface data and saves them in the history record table so that they can be queried later.
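The alternation rule above (only the first crossing of a threshold raises an alarm, and rising and falling alarms take turns) is easy to get wrong in monitoring code. The following model of a single alarm-table row is an added example written for this page; it is not H3C code and does not reproduce the switch's implementation. The class name, the "absolute"/"delta" sample-type strings and the sample values are assumptions chosen to mirror the alarm-table parameters described on this page.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    """One row of an RMON-style alarm table (simplified model, not H3C code).

    rising_threshold / falling_threshold: the two thresholds of the entry.
    sample_type: "absolute" compares the raw sampled value; "delta" compares
    the difference between two consecutive samples (as for a packet counter).
    """
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absolute"
    events: List[str] = field(default_factory=list)
    _prev_raw: Optional[int] = None
    _last_alarm: Optional[str] = None

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None (no alarm)."""
        if self.sample_type == "delta":
            # The first sample only seeds the previous value; no delta yet.
            if self._prev_raw is None:
                self._prev_raw = raw
                return None
            value = raw - self._prev_raw
            self._prev_raw = raw
        elif self.sample_type == "absolute":
            value = raw
        else:
            raise ValueError(f"unknown sample type {self.sample_type!r}")

        event = None
        # Hysteresis: a rising alarm fires only if the last alarm was not
        # already a rising one, and likewise for a falling alarm. Repeated
        # samples above the rising threshold therefore fire once, and the
        # next alarm can only be a falling one.
        if value >= self.rising_threshold and self._last_alarm != "rising":
            event = "rising"
        elif value <= self.falling_threshold and self._last_alarm != "falling":
            event = "falling"

        if event is not None:
            self._last_alarm = event
            self.events.append(event)
        return event


def run_samples(alarm: RmonAlarm, samples: List[int]) -> List[Optional[str]]:
    """Feed a sequence of samples and return the per-sample alarm result."""
    return [alarm.sample(s) for s in samples]


if __name__ == "__main__":
    # Constructed samples: absolute values around a 100/20 threshold pair.
    abs_alarm = RmonAlarm(rising_threshold=100, falling_threshold=20)
    print(run_samples(abs_alarm, [50, 150, 160, 170, 10, 5, 120]))
    # Constructed counter readings; deltas are 50, 150, 150, 10, 5.
    delta_alarm = RmonAlarm(100, 20, sample_type="delta")
    print(run_samples(delta_alarm, [0, 50, 200, 350, 360, 365]))
```

In the absolute run the three consecutive samples above 100 produce a single rising alarm, and no second rising alarm is possible until a falling alarm has been raised; the delta run shows the same behaviour on a monotonically increasing counter, which is how an interface statistics variable would be sampled.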
  • Page 984 To do… / Use the command… / Remarks
    Create an entry in the alarm table: rmon alarm entry-number alarm-variable sampling-interval { absolute | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ] (Optional)
    Create an entry in the private alarm table: rmon prialarm entry-number prialarm-formula prialarm-des sampling-interval { absolute | changeratio | delta } rising-threshold threshold-value1 event-entry1...
  • Page 985: Displaying And Maintaining Rmon

    Displaying and Maintaining RMON
    To do… / Use the command… / Remarks
    Display RMON statistics: display rmon statistics [ interface-type interface-number ] (Available in any view)
    Display the RMON history control entry and history sampling information: display rmon history [ interface-type interface-number ] (Available in any view)
    Display RMON alarm: display rmon alarm...
  • Page 986
    etherStatsBroadcastPkts : 56 , etherStatsMulticastPkts : 34
    etherStatsUndersizePkts , etherStatsOversizePkts
    etherStatsFragments , etherStatsJabbers
    etherStatsCRCAlignErrors : 0 , etherStatsCollisions
    etherStatsDropEvents (insufficient resources): 0
    Packets received according to length:
    : 235   65-127 : 67   128-255   256-511: 1   512-1023: 0   1024-1518: 0
    # Create an event to start logging after the event is triggered.
    <Sysname>...
  • Page 987 Table of Contents
    1 MAC Address Table Management Configuration 1-1
      Introduction to MAC Address Table 1-1
        How a MAC Address Table Entry is Generated 1-1
        Types of MAC Address Table Entries 1-2
        MAC Address Table-Based Frame Forwarding 1-2
      Configuring MAC Address Table Management 1-3
        Configuring MAC Address Table Entries 1-3
        Configuring the Aging Timer for Dynamic MAC Address Entries 1-4
        Configuring the MAC Learning Limit 1-4...
  • Page 988: Mac Address Table Management Configuration

    MAC Address Table Management Configuration When configuring MAC address table management, go to these sections for information you are interested in: Configuring MAC Address Table Management MAC Address Table Management Configuration Example MAC Information Configuration MAC Information Configuration Example MAC address table management applies only to Layer 2 Ethernet ports. This manual covers only the management of static, dynamic and blackhole MAC address table entries (source and destination).
  • Page 989: Types Of Mac Address Table Entries

    When it later receives a frame destined for MAC-SOURCE, the device looks up the MAC address table and forwards the frame out of Port 1. To keep up with network changes, MAC address table entries must be updated continually. Each dynamically learned MAC address table entry has a limited lifetime, governed by an aging timer: if the entry is not refreshed before the aging timer expires, it is deleted.
  • Page 990: Configuring Mac Address Table Management

    Figure 1-1 Forwarding frames using the MAC address table Configuring MAC Address Table Management The MAC address table management configuration tasks include: Configuring MAC Address Table Entries Configuring the Aging Timer for Dynamic MAC Address Entries Configuring the MAC Learning Limit These configuration tasks are all optional and are listed in no particular order.
  • Page 991: Configuring The Aging Timer For Dynamic Mac Address Entries

    Configuring the Aging Timer for Dynamic MAC Address Entries The MAC address table on your device has an aging mechanism for dynamic entries so that its resources are not exhausted. Set the aging timer appropriately: a long aging interval may cause the MAC address table to retain outdated entries and fail to reflect the latest network changes;...
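The behaviour described above (source learning, an aging timer on dynamic entries, static and blackhole entries that learning never overwrites, and the per-port MAC learning limit named in the task list) can be exercised offline with the following toy table. It is an added example for this page, not H3C code and not a description of the switch's data structures; the class and method names, the port names and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MacEntry:
    port: Optional[str]   # outgoing port; None for a blackhole entry
    kind: str             # "dynamic", "static" or "blackhole"
    last_seen: float      # time the entry was learned or refreshed (dynamic only)


class MacTable:
    """Toy model of a Layer 2 MAC address table (assumption: not H3C code)."""

    def __init__(self, aging_time: float = 300.0,
                 learn_limit: Optional[int] = None):
        self.aging_time = aging_time    # seconds an idle dynamic entry survives
        self.learn_limit = learn_limit  # max dynamic entries per port (None = no limit)
        self.entries: Dict[str, MacEntry] = {}

    def add_static(self, mac: str, port: str) -> None:
        """Manually configured entry; never ages out."""
        self.entries[mac] = MacEntry(port, "static", 0.0)

    def add_blackhole(self, mac: str) -> None:
        """Frames to (or from) this MAC are dropped; never ages out."""
        self.entries[mac] = MacEntry(None, "blackhole", 0.0)

    def _dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values()
                   if e.kind == "dynamic" and e.port == port)

    def learn(self, src_mac: str, in_port: str, now: float) -> bool:
        """Source-address learning. Returns True if an entry was created or refreshed."""
        existing = self.entries.get(src_mac)
        if existing is not None and existing.kind != "dynamic":
            return False  # static and blackhole entries win over learning
        if (existing is None and self.learn_limit is not None
                and self._dynamic_count(in_port) >= self.learn_limit):
            return False  # learning limit reached on this port
        # New entry, or refresh of the aging timer for an existing one.
        self.entries[src_mac] = MacEntry(in_port, "dynamic", now)
        return True

    def age_out(self, now: float) -> List[str]:
        """Delete dynamic entries whose aging timer has expired; return their MACs."""
        expired = [m for m, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.last_seen >= self.aging_time]
        for m in expired:
            del self.entries[m]
        return expired

    def forward(self, dst_mac: str, in_port: str, now: float) -> str:
        """Return the outgoing port for a frame, or "flood" / "drop"."""
        self.age_out(now)
        entry = self.entries.get(dst_mac)
        if entry is None:
            return "flood"            # unknown unicast: flood within the VLAN
        if entry.kind == "blackhole":
            return "drop"
        if entry.port == in_port:
            return "drop"             # destination is behind the receiving port
        return entry.port


if __name__ == "__main__":
    table = MacTable(aging_time=300.0, learn_limit=2)
    table.learn("00:11:22:33:44:01", "GE1/0/1", now=0.0)
    print(table.forward("00:11:22:33:44:01", "GE1/0/2", now=10.0))   # GE1/0/1
    print(table.forward("00:11:22:33:44:01", "GE1/0/2", now=400.0))  # flood (aged out)
```

The two `forward` calls at the end show the trade-off the text describes: with a 300-second timer the entry learned at time 0 is still usable at time 10 but has been deleted by time 400, so the frame is flooded until the host is heard from again.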
  • Page 992: Displaying And Maintaining Mac Address Table Management

    Displaying and Maintaining MAC Address Table Management
    To do… / Use the command… / Remarks
    Display MAC address table information: display mac-address blackhole [ vlan vlan-id ] [ count ] or display mac-address [ mac-address [ vlan vlan-id ] | [ dynamic | static ] [ interface interface-type interface-number ] [ vlan... (Available in any view)
  • Page 993: Mac Information Configuration

    MAC Information Configuration When configuring MAC Information, go to these sections for information you are interested in: Overview Configuring MAC Information MAC Information Configuration Example Overview Introduction to MAC Information To monitor a network, you need to monitor users joining and leaving the network. Because a MAC address uniquely identifies a network user, you can monitor users joining and leaving a network by monitoring their MAC addresses.
  • Page 994: Enabling Mac Information On An Interface

    Enabling MAC Information on an Interface Follow these steps to enable MAC Information on an interface:
    To do… / Use the command… / Remarks
    Enter system view: system-view (—)
    Enter interface view: interface interface-type interface-number (—)
    Enable MAC Information on the interface: mac-address information enable { added | deleted } (Required; disabled by default)...
  • Page 995: Mac Information Configuration Example

    To do… / Use the command… / Remarks
    Enter system view: system-view (—)
    Configure the MAC Information queue length: mac-address information queue-length value (Optional; 50 by default)
    Setting the MAC Information queue length to 0 indicates that the device sends a Syslog or Trap message to the network management device as soon as a new MAC address is learned or an existing MAC address is deleted.
  • Page 996
    [Device] mac-address information mode syslog
    # Enable MAC Information on GigabitEthernet 1/0/1
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] mac-address information enable added
    [Device-GigabitEthernet1/0/1] mac-address information enable deleted
    [Device-GigabitEthernet1/0/1] quit
    # Set the MAC Information queue length to 100.
    [Device] mac-address information queue-length 100
    # Set the interval for sending Syslog or Trap messages to 20 seconds.
  • Page 997 Table of Contents
    1 System Maintaining and Debugging 1-1
      System Maintaining and Debugging Overview 1-1
        Introduction to System Maintaining 1-1
        Introduction to System Debugging 1-2
      System Maintaining and Debugging 1-3
        System Maintaining 1-3
        System Debugging 1-3
      System Maintaining Example 1-4...
  • Page 998: System Maintaining And Debugging

    System Maintaining and Debugging When maintaining and debugging the system, go to these sections for information you are interested in: System Maintaining and Debugging Overview System Maintaining and Debugging System Maintaining Example System Maintaining and Debugging Overview Introduction to System Maintaining You can use the ping command and the tracert command to verify the current network connectivity.
  • Page 999: Introduction To System Debugging

    The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired ICMP message to the source, with its own IP address as the source of that message. In this way, the source device learns the address of the first Layer 3 device. The source device then sends a packet with a TTL value of 2 to the destination device.
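The TTL-probing loop described above can be simulated without touching a network. The following is an added example written for this page; it is not H3C code and does not model the switch's tracert implementation. The path, the addresses and the function names are constructed, and the assumption that the destination host answers the final probe with an ICMP port-unreachable message (the usual reply to a UDP probe) is the author's, not something the page states.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class IcmpReply:
    kind: str    # "time-exceeded" (TTL ran out) or "port-unreachable" (host reached)
    source: str  # IP address of the device that sent the reply


def forward_probe(routers: List[str], destination: str, ttl: int) -> IcmpReply:
    """Simulate one probe with the given TTL along a fixed path of routers.

    Every Layer 3 device decrements the TTL. The device that decrements it to 0
    discards the packet and answers with an ICMP TTL-expired message, revealing
    its own address. If the probe survives all routers, the destination host
    answers instead (modelled here as ICMP port-unreachable; assumption).
    """
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return IcmpReply("time-exceeded", router)
    return IcmpReply("port-unreachable", destination)


def tracert(routers: List[str], destination: str,
            max_ttl: int = 30) -> List[Tuple[int, str, str]]:
    """Send probes with TTL 1, 2, 3, ... and collect (ttl, replier, reply kind).

    Stops at the first reply from the destination or when max_ttl is reached,
    so a path longer than max_ttl is reported as incomplete rather than looping.
    """
    hops: List[Tuple[int, str, str]] = []
    for ttl in range(1, max_ttl + 1):
        reply = forward_probe(routers, destination, ttl)
        hops.append((ttl, reply.source, reply.kind))
        if reply.kind == "port-unreachable":
            break
    return hops


# Constructed path: three routers in front of a destination host.
ROUTERS = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
DESTINATION = "192.0.2.10"

if __name__ == "__main__":
    for ttl, addr, kind in tracert(ROUTERS, DESTINATION):
        print(f"{ttl:2d}  {addr:<12} {kind}")
```

Each probe reveals exactly one more Layer 3 device than the previous one, which is why the text has the source step the TTL from 1 to 2 and onward; the `max_ttl` bound is what keeps the procedure finite when the destination never replies.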
  • Page 1000: System Maintaining And Debugging

    System Maintaining and Debugging System Maintaining
    To do… / Use the command… / Remarks
    ping: ping [ ip ] [ -a source-ip | -c count | -f | -h ttl | -i interface-type interface-number | -m interval | -n | -p pad | -q | -r | -s packet-size | -t timeout | -tos tos | -v ] * remote-system (Optional; used in IPv4 network; available in any view)...