Contents
18.3 Typical Configuration Examples ..... 173
18.4 MAC Table Troubleshooting ..... 174
18.5 MAC Address Function Extension ..... 174
18.5.1 MAC Address Binding ..... 174
18.6 MAC Notification Configuration ..... 177
18.6.1 Introduction to MAC Notification ..... 177
18.6.2 MAC Notification Configuration .....
22.1 Introduction to Flexible QinQ ..... 209
22.1.1 QinQ Technique ..... 209
22.1.2 Basic QinQ ..... 209
22.1.3 Flexible QinQ ..... 209
22.2 Flexible QinQ Configuration ..... 209
22.3 Flexible QinQ Example ..... 212
22.4 Flexible QinQ Troubleshooting ..... 214
EGRESS QOS CONFIGURATION .....
24.5.2 ARP Configuration Task List ..... 238
24.5.3 ARP Troubleshooting ..... 239
24.6 l3 Station Movement ..... 239
24.6.1 Introduction to l3 station movement ..... 239
24.6.2 l3 station movement Configuration Task List ..... 239
ARP SCANNING PREVENTION FUNCTION CONFIGURATION ..... 241
25.1 Introduction to ARP S.....
KEEPALIVE GATEWAY CONFIGURATION ..... 258
30.1 Introduction to Keepalive Gateway ..... 258
30.2 Keepalive Gateway Configuration ..... 258
30.3 Keepalive Gateway Example ..... 259
30.4 Keepalive Gateway Troubleshooting ..... 260
DHCP CONFIGURATION ..... 261
31.1 Introduction to DHCP .....
34.3 DHCP Option 37, 38 Examples ..... 296
34.3.1 DHCPv6 Snooping option37, 38 Example ..... 296
34.3.2 DHCPv6 Relay option37, 38 Example ..... 299
34.4 DHCP Option 37, 38 Troubleshooting ..... 300
DHCP SNOOPING CONFIGURATION ..... 301
35.1 Introduction to DHCP S.....
39.2 RIP Configuration ..... 327
39.3 RIP Examples ..... 334
39.3.1 Typical RIP Examples ..... 334
39.3.2 Typical Examples of RIP aggregation function ..... 335
39.4 RIP Troubleshooting ..... 336
RIPNG ..... 338
40.1 Introduction to RIPng ..... 338
40.2 RIP.....
43.1.3 IP Multicast Packet Transmission ..... 361
43.1.4 IP Multicast Application ..... 362
43.2 DCSCM ..... 362
43.2.1 Introduction to DCSCM ..... 362
43.2.2 DCSCM Configuration Task List ..... 363
43.2.3 DCSCM Configuration Examples ..... 366
43.2.4 DCSCM Troubleshooting ..... 367
43.3 IGMP S.....
46.3 ACL Example ..... 407
46.4 ACL Troubleshooting ..... 411
802.1X CONFIGURATION ..... 412
47.1 Introduction to 802.1x ..... 412
47.1.1 The Authentication Structure of 802.1x ..... 412
47.1.2 The Work Mechanism of 802.1x ..... 414
47.1.3 The Encapsulation of EAPOL Messages .....
TACACS+ CONFIGURATION ..... 445
50.1 Introduction to TACACS+ ..... 445
50.2 TACACS+ Configuration ..... 445
50.3 TACACS+ Scenarios Typical Examples ..... 446
50.4 TACACS+ Troubleshooting ..... 447
RADIUS CONFIGURATION ..... 448
51.1 Introduction to RADIUS ..... 448
51.1.1 AAA and RADIUS Introduction .....
54.4 VLAN-ACL Troubleshooting ..... 465
MAB CONFIGURATION ..... 466
55.1 Introduction to MAB ..... 466
55.2 MAB Configuration ..... 466
55.3 MAB Example ..... 468
55.4 MAB Troubleshooting ..... 471
PPPOE INTERMEDIATE AGENT CONFIGURATION ..... 472
56.1 Introduction to .....
60.1 Introduction to VRRPv3 ..... 496
60.1.1 The Format of VRRPv3 Message ..... 497
60.1.2 VRRPv3 Working Mechanism ..... 498
60.2 VRRPv3 Configuration ..... 499
60.2.1 Configuration Task Sequence ..... 499
60.3 VRRPv3 Typical Examples ..... 501
60.4 VRRPv3 .....
64.3 Mirror Examples ..... 525
64.4 Device Mirror Troubleshooting ..... 526
RSPAN CONFIGURATION ..... 527
65.1 Introduction to RSPAN ..... 527
65.2 RSPAN Configuration ..... 529
65.3 Typical Examples of RSPAN ..... 530
65.4 RSPAN Troubleshooting .....
70.4 Summer Troubleshooting ..... 553
MONITOR AND DEBUG ..... 554
71.1 Ping ..... 554
71.2 Ping6 ..... 554
71.3 Traceroute ..... 554
71.4 Traceroute6 ..... 555
71.5 S..... 555
71.6 Debug ..... 556
71.7 S.....
1. Switch Management
1.1 Management Options
After purchasing the switch, the user needs to configure it for network management. The switch provides two management options: in-band management and out-of-band management.
1.1.1 Out-Of-Band Management
Out-of-band management is management through the Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
Serial port cable: one end attaches to the RS-232 serial port, the other end to the Console port.
Switch: a functional Console port is required.
Step 2: Entering the HyperTerminal
Open the HyperTerminal included in Windows after the connection is established. The example below is based on the HyperTerminal included in Windows XP.
Fig 1-4 Opening HyperTerminal
4) The COM1 property dialog appears. Select "9600" for "Baud rate", "8" for "Data bits", "none" for "Parity checksum", "1" for "stop bit" and "none" for "traffic control"; or click "Restore default" and then "OK".
Fig 1-5 Opening HyperTerminal
Step 3: Entering the switch CLI interface
Power on the switch; the following appears in the HyperTerminal window, that is the...
Loading nos.img ... done.
Booting..Starting at 0x10000...
Attaching to file system ... ……
--- Performing Power-On Self Tests (POST) ---
DRAM Test....PASS!
PCI Device 1 Test....PASS!
FLASH Test....PASS!
FAN Test.....PASS!
Done All Pass.
------------------ DONE ---------------------
Current time is SUN JAN 01 00:00:00 2006
……...
assumes the shipment status of the switch, where only VLAN1 exists in the system. The following describes the steps for a Telnet client to connect to the switch's VLAN1 interface by Telnet (IPv4 address example):
Fig 1-6 Manage the switch by Telnet (switch and host connected with a cable)
Step 1: Configure the IP address of the switch and start the Telnet Server function on the switch.
Step 2: Run the Telnet client program.
Run the Telnet client program included in Windows with the specified Telnet target.
Fig 1-7 Run telnet client program included in Windows
Step 3: Log in to the switch.
Log in to the Telnet configuration interface. A valid login name and password are required; otherwise the switch rejects the Telnet access.
Fig 1-8 Telnet Configuration Interface
1.1.2.2 Management via HTTP
To manage the switch via HTTP, the following conditions should be met:
The switch has an IPv4/IPv6 address configured;
The host IPv4/IPv6 address (HTTP client) and the switch's VLAN interface IPv4/IPv6 address are in the same network segment;...
Switch(config)#ip http server
Step 2: Run the HTTP protocol on the host.
Open the Web browser on the host and type the IP address of the switch, or run the HTTP protocol directly on Windows. For example, the IP address of the switch is "192.168.200.1";...
Fig 1-10 Web Login Interface
Input the correct username and password, and the main Web configuration interface is shown as below.
Fig 1-11 Main Web Configuration Interface
Notice: when configuring the switch, the name of the switch is composed of English letters.
1.1.2.3 Manage the Switch via SNMP Network Management Software
The necessities required by SNMP network management software to manage switches:
1) IP addresses are configured on the switch;
2) The IP address of the client host and that of the VLAN interface on the switch it is subordinate to should be in the same segment;...
1.2.1 Configuration Modes
Fig 1-12 Shell Configuration Modes
1.2.1.1 User Mode
On entering the CLI interface, the user first enters the system in User Mode. A common user is placed in User Mode by default. The prompt shown is "Switch>"; the symbol ">" is the prompt for User Mode.
connection status and traffic statistics of all ports; and the user can further enter Global Mode from Admin Mode to modify all configurations of the switch. For this reason, a password must be set for entering Admin Mode to prevent unauthorized access and malicious modification of the switch.
DHCP Address Pool Mode
Typing the ip dhcp pool <name> command under Global Mode enters DHCP Address Pool Mode, with the prompt "Switch(Config-<name>-dhcp)#". DHCP address pool properties can be configured under DHCP Address Pool Mode. Run the exit command to return from DHCP Address Pool Mode to Global Mode.
"< >", "{ }" and "[ ]" in the command line, such as [<variable>], {enum1 <variable> | enum2}, [option1 [option2]], etc. Here are examples of some actual configuration commands:
show version, no parameters required. This is a command with only a keyword and no parameter; just type in the command to run it.
When a string for a command or keyword is entered, the Tab key can be used to complete the command or keyword if there is no conflict.
1.2.4 Help Function
There are two ways in the switch for the user to access help information: the "help" command and the "?".
... parameter record is found.
Error message: This command is not exist in current mode | Explanation: The command is recognized, but cannot be used under the current mode.
Error message: Please configure precursor command "*" at first! | Explanation: The prerequisite command has not been configured.
Error message: syntax error : missing '"' before the ... | Explanation: Quotation marks are not used in pairs.
2. Basic Switch Configuration
2.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting Admin Mode, commands for entering and exiting Interface Mode, commands for configuring and displaying the switch clock, commands for displaying the version information of the switch system, etc.
Command / Explanation (Normal User Mode / Admin Mode)...
Global Mode
banner motd <LINE> / no banner motd: Configure the information displayed when the login authentication of a Telnet or console user is successful.
2.2 Telnet Management
2.2.1 Telnet
2.2.1.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation.
username <user-name> [privilege <privilege>] [password <password>] / no username <username>: Configure the user name and password for Telnet. The no form of the command deletes the Telnet user authorization.
authentication securityip <ip-addr> / no authentication securityip <ip-addr>: Configure the secure IP address allowed to log in to the switch through Telnet; the no command...
information.
2. Telnet to a remote host from the switch
Admin Mode
telnet [vrf <vrf-name>] {<ip-addr> | <ipv6-addr> | host <hostname>} [<port>]: Log in to a remote host with the Telnet client included in the switch.
2.2.2 SSH
2.2.2.1 Introduction to SSH
SSH (Secure Shell) is a protocol which ensures a secure remote access connection to network devices.
ssh-server timeout <timeout> / no ssh-server timeout: Configure the timeout value for SSH authentication; the no command restores the default timeout value for SSH authentication.
ssh-server authentication-retries <authentication-retries> / no ssh-server authentication-retries: Configure the number of times for retrying SSH authentication; the no command restores the default number of retries for SSH authentication.
an IP address, which is also the IP address of the switch. All VLAN interface related configuration commands can be configured under VLAN Mode. The switch provides three IP address configuration methods:
Manual
BOOTP
DHCP
Manual configuration of the IP address means assigning an IP address to the switch manually.
prefix-length> command deletes the IPv6 address.
3. BOOTP configuration
VLAN Interface Mode
ip bootp-client enable / no ip bootp-client enable: Enable the switch to be a BootP client and obtain an IP address and gateway address through BootP negotiation; the no ip bootp-client enable command disables BootP...
NMS (Network Management Station) and Agent. The NMS is the workstation on which the SNMP client program is running; it is the core of SNMP network management. The Agent is the server software that runs on the devices which need to be managed. The NMS manages all the managed objects through Agents.
information with this tree structure. Each node on this tree contains an OID (Object Identifier) and a brief description of the node. An OID is a set of integers separated by periods. It identifies the node and can be used to locate the node in the MIB tree structure, shown in the figure below:
Fig 2-1 ASN.1 Tree Instance
In this figure, the OID of object A is 1.2.1.1.
communication between SNMP management terminals and remote monitors. RMON provides a highly efficient method to monitor activity inside the subnets. The RMON MIB consists of 10 groups. The switch supports the most frequently used groups 1, 2, 3 and 9:
Statistics: Maintain basic usage and error statistics for each subnet monitored by the Agent.
no snmp-server enabled: ... the switch; the no command disables the SNMP Agent function on the switch.
2. Configure SNMP community string
Global Mode
snmp-server community {ro | rw} {0 | 7} <string>: Configure the community string for the...
... {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]
snmp-server user <user-string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]
6. Configure group
Global Mode
snmp-server group <group-string> {noauthnopriv|authnopriv|authpriv} [[read <read-string>] [write <write-string>] [notify <notify-string>]] [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]: Set the group information on the switch. This command is used to configure VACM for SNMP v3.
| <host-ipv6-address>} {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <user-string>: ... used to receive SNMP Trap information. For SNMP v1/v2, this command also configures the Trap community string; for SNMP v3, this command also configures ...
snmp-server host <host-ipv4-address>...
Switch(config)#snmp-server host 1.1.1.5 v1 usertrap
Switch(config)#snmp-server enable traps
Scenario 3: The NMS uses SNMP v3 to obtain information from the switch. The configuration on the switch is listed below:
Switch(config)#snmp-server
Switch(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst
Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max
Switch(config)#snmp-server view max 1 include
Scenario 4: The NMS wants to receive the v3 Trap messages sent by the switch.
problems by following the guide below:
Good condition of the physical connection.
The interface and data link layer protocol are Up (use the "show interface" command), and the connection between the switch and host can be verified by ping (use the "ping" command).
be flash:/boot.rom and flash:/config.rom. The update method of the system image file and the boot file is the same. The switch supplies the user with two modes of updating:
1. BootROM mode;
2. TFTP and FTP update in Shell mode.
These two update methods are explained in detail in the following two sections.
the switch address is 192.168.1.2 and the PC address is 192.168.1.66, and TFTP upgrade is selected, the configuration should look like:
[Boot]: setconfig
Host IP Address: [10.1.1.1] 192.168.1.2
Server IP Address: [10.1.1.2] 192.168.1.66
FTP(1) or TFTP(2): [1] 2
Network interface configure OK.
[Boot]
Step 4: Enable the FTP/TFTP server on the PC.
Step 7: Execute write boot.rom in BootROM mode. The following saves the update file.
[Boot]: write boot.rom
File boot.rom exists, overwrite? (Y/N)?[N] y
Writing boot.rom………………………………………
Write boot.rom OK.
[Boot]:
Step 8: The following updates the file config.rom; the basic environment is the same as in Step 4.
[Boot]: load config.rom
Loading...
boot.conf      256        1980-01-01 00:00:00 ----
nos.img        8,071,910  1980-01-01 00:00:00 ----
startup.cfg    1,590      1980-01-01 00:00:00 ----
2.5.3 FTP/TFTP Upgrade
2.5.3.1 Introduction to FTP/TFTP
FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) are both file transfer protocols belonging to the fourth layer (application layer) of the TCP/IP protocol stack, used for transferring files between hosts, and between hosts and switches.
authentication or permission-based file access authorization. It ensures correct data transmission by a send-and-acknowledge mechanism and retransmission of timed-out packets. The advantage of TFTP over FTP is that it is a simple, low-overhead file transfer service.
Running configuration file: refers to the running configuration sequence in use in the switch. In the switch, the running configuration file is stored in RAM. In the current version, the running configuration sequence running-config can be saved from RAM to FLASH by the write command or the copy running-config startup-config command, so that the running configuration sequence becomes the startup configuration file; this is called configuration save.
(2) For the FTP client, the server file list can be checked.
Admin Mode
ftp-dir <ftpServerUrl>: For the FTP client, the server file list can be checked. The FtpServerUrl format looks like: ftp://user:password@IPv4|IPv6 Address.
2. FTP server configuration
(1) Start FTP server
Global Mode...
(3) Modify the TFTP server connection retransmission count
Global Mode
tftp-server retransmission-number <number>: Set the number of retransmissions for the TFTP server.
2.5.3.3 FTP/TFTP Configuration Examples
The configuration is the same for an IPv4 address or an IPv6 address. The example is only for an IPv4 address.
Switch(config)#exit
Switch#copy ftp://Switch:switch@10.1.1.1/12_30_nos.img nos.img
With the above commands, the switch downloads the "nos.img" file from the computer to the FLASH.
TFTP Configuration
Computer side configuration: Start the TFTP server software on the computer and place the "12_30_nos.img" file in the appropriate TFTP server directory on the computer.
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#tftp-server enable
Computer side configuration: Log in to the switch with any TFTP client software and use the "tftp" command to download the "nos.img" file from the switch to the computer.
Scenario 4: The switch acts as an FTP client to view the file list on the FTP server.
Synchronization conditions: The switch connects to a computer by an Ethernet port; the computer is an FTP server with an IP address of 10.1.1.1;...
226 Transfer complete.
2.5.3.4 FTP/TFTP Troubleshooting
2.5.3.4.1 FTP Troubleshooting
When uploading/downloading a system file with the FTP protocol, the connectivity of the link must be ensured, i.e., use the "ping" command to verify the connectivity between the FTP client and server before running the FTP program. If ping fails, check the appropriate troubleshooting information to recover link connectivity.
2.5.3.4.2 TFTP Troubleshooting
When uploading/downloading a system file with the TFTP protocol, the connectivity of the link must be ensured, i.e., use the "ping" command to verify the connectivity between the TFTP client and server before running the TFTP program. If ping fails, check the appropriate troubleshooting information to recover link connectivity.
3. File System Operations
3.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files).
3. Deletion of a sub-directory
Admin Configuration Mode
rmdir <directory>: Delete a sub-directory in a designated directory on a certain device.
4. Changing the current working directory of the storage device
Admin Configuration Mode
cd <directory>...
3.3 Typical Applications
Copy an IMG file flash:/nos.img stored in the FLASH on the board card to cf:/nos-6.1.11.0.img. The configuration of the switch is as follows:
Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y
Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img.
3.4 Troubleshooting
If errors occur when users try to implement file system operations, please check whether they are caused by the following reasons...
4. Cluster Configuration
4.1 Introduction to cluster network management
Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config, which implement direct management of the target switches through a management workstation, cluster network management implements direct management of the target switches (member switches) through an intermediate switch (commander switch).
1. Enable or disable cluster function
2. Create cluster
1) Configure private IP address pool for member switches of the cluster
2) Create or delete cluster
3) Add or remove a member switch
3. Configure attributes of the cluster in the commander switch
1) Enable or disable automatically adding cluster members
2) Set automatically added members to manually added ones
3) Set or modify the time interval of keep-alive messages on switches in the cluster.
cluster member {candidate-sn <candidate-sn> | mac-address <mac-addr> [id <member-id>]} / no cluster member {id <member-id> | mac-address <mac-addr>}: Add or remove a member switch.
3. Configure attributes of the cluster in the commander switch
Global Mode
cluster auto-add: Enable or disable adding newly discovered candidate switches to the...
5. Remote cluster network management
Admin Mode
rcommand member <member-id>: In the commander switch, this command is used to configure and manage member switches.
rcommand commander: In the member switch, this command is used to configure the commander switch.
cluster reset member [id <member-id>...: In the commander switch, this...
7. Manage cluster network with SNMP
Global Mode
snmp-server enable: Enable the SNMP server function in the commander switch and member switch. Notice: the SNMP server function must be enabled in the member switch when the commander switch visits the member switch by SNMP.
2. Configure the member switch
Configuration of SW2-SW4
Switch(config)#cluster run
4.4 Cluster Administration Troubleshooting
When encountering problems in applying the cluster admin, please check the following possible causes:
Whether the commander switch is correctly configured and the auto adding function (cluster auto-add) is enabled.
5. Port Configuration
5.1 Introduction to Port
The switch contains cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface ethernet <interface-list>...
1. Enter the Ethernet port configuration mode
Global Mode
interface ethernet <interface-list>: Enters the network port configuration mode.
2. Configure the properties for the Ethernet ports
Port Mode
media-type {copper | fiber}: Sets the combo port mode (combo ports only).
loopback / no loopback: Enables/disables the loopback test function for specified ports.
storm-control {unicast | broadcast | multicast} <packets>: Enables the storm control function for broadcasts, multicasts and unicasts with unknown destinations (short for broadcast), and sets the allowed broadcast packet number; the no form of this command disables the broadcast storm control function.
5.3 Port Configuration Example
Fig 5-1 Port Configuration Example (Switch 1 ports 1/0/7, 1/0/9, 1/0/10, 1/0/12 and 1/0/8; Switch 2; Switch 3)
No VLAN has been configured in the switches; the default VLAN1 is used.
Switch / Port / Property
Switch1 / 1/0/7 / Ingress bandwidth limit: 50 M
Switch2 / 1/0/8 / Mirror source port...
Switch3(Config-If-Ethernet1/0/12)#exit
5.4 Port Troubleshooting
Here are some situations that frequently occur in port configuration and the advised solutions:
Two connected fiber interfaces will not link up if one interface is set to auto-negotiation but the other to forced speed/duplex. This is determined by IEEE 802.3. ...
6. Port Isolation Function Configuration
6.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function working in an inter-port way, which isolates the flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
3. Specify the flow to be isolated
Global Mode
isolate-port apply [<l2|l3|all>]: Apply the port isolation configuration to isolate layer-2 flows, layer-3 flows or all flows.
4. Display the configuration of port isolation
Admin Mode and Global Mode
Display the configuration of port isolation,...
isolation is enabled on switch S1, e1/0/1 and e1/0/10 on switch S1 cannot communicate with each other, while both of them can communicate with the uplink port e1/0/15. That is, communication between any pair of downlink ports is disabled, while that between any downlink port and a specified uplink port is normal.
7. Port Loopback Detection Function Configuration
7.1 Introduction to Port Loopback Detection Function
With the development of switches, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through layer-2 switches, which means urgent demands for both Internet access and internal layer-2 interworking.
7.2 Port Loopback Detection Function Configuration Task List
1. Configure the time interval of loopback detection
2. Enable the function of port loopback detection
3. Configure the control method of port loopback detection
4. Display and debug the relevant information of port loopback detection
5....
debug loopback-detection / no debug loopback-detection: Enable the debug information of the port loopback detection function module. The no operation of this command disables the debug information.
show loopback-detection [interface...: Display the state and result of the loopback detection of all ports if no...
connecting the switch with the outside network, the switch will notify the connected network about the existence of a loopback and control the port on the switch to guarantee the normal operation of the whole network. The configuration task sequence of SWITCH:
Switch(config)#loopback-detection interval-time 35 15
Switch(config)#interface ethernet 1/0/1...
8. ULDP Function Configuration
8.1 Introduction to ULDP Function
A unidirectional link is a common error state of a link in networks, especially in fiber links. A unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former.
Interface Converter) or interfaces have problems, software problems, hardware becomes unavailable or operates abnormally. A unidirectional link will cause a series of problems, such as a spanning tree topological loop or a broadcast black hole. ULDP (Unidirectional Link Detection Protocol) can help avoid the disasters that could happen in the situations mentioned above.
uldp enable / uldp disable: Globally enable or disable the ULDP function.
2. Enable ULDP function on a port
Port configuration mode
uldp enable / uldp disable: Enable or disable the ULDP function on a port.
3. Configure aggressive mode globally
Global configuration mode...
uldp recovery-time <integer> / no uldp recovery-time <integer>: Configure the interval of Recovery reset, ranging from 30 to 86400 seconds. The value is 0 seconds by default.
8. Reset the port shut down by ULDP
Global configuration mode
port...
8.3 ULDP Function Typical Examples
Fig 8-2 Fiber Cross Connection (Switch A ports g1/0/1 and g1/0/2; Switch B ports g1/0/3 and g1/0/4)
In the network topology in the graph, port g1/0/1 and port g1/0/2 of SWITCH A as well as port g1/0/3 and port g1/0/4 of SWITCH B are all fiber ports, and the connection is a cross connection.
notification information on the CRT terminal of PC1.
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/1 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/1 shut down!
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/2 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/2 shutted down!
Port g1/0/3 and port g1/0/4 of SWITCH B are all shut down by ULDP, and there is...
ULDP is not compatible with similar protocols of other vendors, which means users cannot use ULDP on one end and another similar protocol on the other end. The ULDP function is disabled by default. After globally enabling the ULDP function, the debug switch can be enabled simultaneously to check the debug information.
9. LLDP Function Operation Configuration
9.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them.
trace the change and condition of the topology, but most of them can at best reach layer three and classify the devices into IP subnets. This kind of data is very primitive, only referring to basic events like the adding and removing of related devices, instead of details about where and how these devices operate within the network.
Port Mode
lldp mode (send|receive|both|disable): Configure the operating state of port LLDP.
4. Configure the intervals of LLDP updating messages
Global Mode
lldp tx-interval <integer> / no lldp tx-interval: Configure the interval of LLDP updating messages as the specified value or the default value.
lldp transmit optional tlv [portDesc] [sysName] [sysDesc] [sysCap] / no lldp transmit optional tlv: Configure the optional information-sending attribute of the port as the option value or the default values.
10. Configure the size of space to store the Remote Table of the port
Port Configuration Mode...
Port Configuration Mode
  clear lldp remote-table
    Clear the Remote Table of the port.
9.3 LLDP Function Typical Example
Fig 9-1 LLDP Function Typical Configuration Example
In the topology above, ports 1 and 3 of SWITCH B are connected to ports 2 and 4 of SWITCH A.
The "show" commands of the LLDP function display the configuration in global or port configuration mode.
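The LLDPDU that the `lldp transmit optional tlv` command controls is a plain stream of type/length/value triplets (7-bit type, 9-bit length). The block below is an added example, not code from this manual or the switch: it builds an LLDPDU with the mandatory Chassis ID, Port ID and TTL TLVs plus the optional portDesc/sysName/sysDesc/sysCap TLVs the command names, and parses it back with the bounds checks a receiver needs. Everything advertised this way is readable by any device on the link, which is why the optional TLVs (system description, management data) are worth switching off on untrusted ports. Chassis MAC, port name, system strings and the capability bitmap are constructed values.

```python
"""Build and parse an LLDPDU (IEEE 802.1AB TLV stream). Added example; all values constructed."""
import struct

# TLV type codes from 802.1AB
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP = 4, 5, 6, 7
TLV_NAMES = {4: "portDesc", 5: "sysName", 6: "sysDesc", 7: "sysCap"}
# Chassis ID / Port ID subtypes used here: 4 = MAC address, 5 = interface name
SUBTYPE_MAC, SUBTYPE_IFNAME = 4, 5

def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def build_lldpdu(chassis_mac, port_name, ttl, optional=()):
    """optional: any subset of {"portDesc", "sysName", "sysDesc", "sysCap"}."""
    pdu = tlv(CHASSIS_ID, bytes([SUBTYPE_MAC]) + bytes.fromhex(chassis_mac.replace("-", "")))
    pdu += tlv(PORT_ID, bytes([SUBTYPE_IFNAME]) + port_name.encode())
    pdu += tlv(TTL, struct.pack("!H", ttl))
    # Optional TLVs; the strings are constructed for this example
    if "portDesc" in optional:
        pdu += tlv(PORT_DESC, b"uplink to SWITCH A")
    if "sysName" in optional:
        pdu += tlv(SYS_NAME, b"SWITCH-B")
    if "sysDesc" in optional:
        pdu += tlv(SYS_DESC, b"L2 switch, constructed example")
    if "sysCap" in optional:
        # capabilities bitmap then enabled bitmap; bit 2 (0x0004) = bridge
        pdu += tlv(SYS_CAP, struct.pack("!HH", 0x0004, 0x0004))
    return pdu + tlv(END_OF_LLDPDU, b"")

def parse_lldpdu(data):
    """Return a dict of decoded TLVs; raise ValueError on malformed input."""
    out, off, seen = {}, 0, []
    while True:
        if off + 2 > len(data):
            raise ValueError("truncated TLV header")
        hdr, = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        val = data[off + 2: off + 2 + length]
        if len(val) != length:
            raise ValueError("TLV length exceeds PDU")   # never trust the length field
        off += 2 + length
        if tlv_type == END_OF_LLDPDU:
            break
        seen.append(tlv_type)
        if tlv_type == CHASSIS_ID:
            sub, body = val[0], val[1:]
            out["chassisId"] = body.hex("-") if sub == SUBTYPE_MAC else body.decode(errors="replace")
        elif tlv_type == PORT_ID:
            out["portId"] = val[1:].decode(errors="replace")
        elif tlv_type == TTL:
            out["ttl"], = struct.unpack("!H", val)
        elif tlv_type in (PORT_DESC, SYS_NAME, SYS_DESC):
            out[TLV_NAMES[tlv_type]] = val.decode(errors="replace")
        elif tlv_type == SYS_CAP:
            out["sysCap"], out["sysCapEnabled"] = struct.unpack("!HH", val)
        # unknown or organisation-specific types are skipped by length
    if seen[:3] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    return out
```

`parse_lldpdu` rejects a PDU whose TLV length runs past the buffer and one whose first three TLVs are not Chassis ID, Port ID and TTL in that order, which is what the standard requires of a receiver; organisation-specific TLVs (type 127) are skipped rather than decoded.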
Port Channel Configuration
10. Port Channel Configuration
10.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in a Port Group can take part in link aggregation and become member ports of a Port Channel.
Port Channel Configuration Port aggregation can only be performed on ports in full-duplex mode. For Port Channel to work properly, member ports of the Port Channel must have the same properties as follows: All ports are in full-duplex mode. ...
In a dynamic aggregation group the members of the same group have the same operational Key; in a static aggregation group the ports in the Active state have the same operational Key. Port aggregation bundles multiple ports into an aggregation group so that inbound and outbound traffic is load-balanced across the member ports and reliability is improved.
Port Channel Configuration state will be the master port, the other ports at the selected state will be the member port. 10.3 Port Channel Configuration Task List 1. Create a port group in Global Mode 2. Add ports to the specified group from the Port Mode of respective ports 3.
...function at the same time.
5. Set the system priority of the LACP protocol
Global mode
  lacp system-priority <system-priority>
  no lacp system-priority
    Set the system priority of the LACP protocol; the no command restores the default value.
6.
Fig 10-2 Configure Port Channel in LACP
The switches described below are all this model of switch. As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group1 in active mode. Ports 6, 8, 9, 10 of S2 are access ports; add them to group2 in passive mode.
...form an aggregated port named "Port-Channel1", and ports 6, 8, 9, 10 of S2 form an aggregated port named "Port-Channel2"; each can be configured in its respective aggregated-port mode.
Scenario 2: Configuring Port Channel in ON mode.
Fig 10-3 Configure Port Channel in ON mode
As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group1 in "on"...
Switch2(Config-If-Ethernet1/0/6)#port-group 2 mode on
Switch2(Config-If-Ethernet1/0/6)#exit
Switch2(config)#interface ethernet 1/0/8-10
Switch2(Config-If-Port-Range)#port-group 2 mode on
Switch2(Config-If-Port-Range)#exit
Configuration result: ports 1, 2, 3, 4 of S1 are added to port-group1 in order. A group in "on" mode is joined forcibly: the switch at the other end does not exchange LACP PDUs to complete the aggregation.
MTU Configuration
11. MTU Configuration
11.1 Introduction to MTU
So far the jumbo frame has no settled industry standard (neither its format nor its length). Normally frames of 1519 to 9000 bytes are considered jumbo frames. A network using jumbo frames can increase overall throughput by roughly 2% to 5%.
EFM OAM Configuration
12. EFM OAM Configuration
12.1 Introduction to EFM OAM
Ethernet was originally designed for the local area network, but link lengths and network scope have grown rapidly as Ethernet has been applied to metropolitan and wide area networks. The lack of an effective management mechanism hampers that use, so implementing OAM on Ethernet has become a necessary trend.
...01-80-c2-00-00-02 as the protocol address; the maximum transmission rate is 10 packets per second. EFM OAM is built on top of an OAM connection and provides link operation management mechanisms such as link monitoring, remote fault detection and remote loopback testing. A brief introduction to EFM OAM follows:
1.
...at least one errored frame within a second.)
3. Remote Fault Detection
In a network where traffic is interrupted by device failure or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer.
Fig 12-2 Typical OAM application topology (customer, service provider, customer; 802.3ah Ethernet in the First Mile OAMPDUs)
12.2 EFM OAM Configuration
EFM OAM configuration task list:
1. Enable the EFM OAM function of the port
2. Configure link monitor
3.
  ethernet-oam timeout <seconds>
  no ethernet-oam timeout
    Configure the timeout of the EFM OAM connection; the no command restores the default value.
2. Configure link monitor
Port mode
  ethernet-oam link-monitor
  no ethernet-oam link-monitor
    Enable link monitor of EFM OAM; the no command disables link monitor.
  ethernet-oam errored-symbol-period threshold high {high-symbols | none}
  no ethernet-oam errored-symbol-period threshold high
    Configure the high threshold of the errored symbol period event; the no command restores the default value. (optional)
  ethernet-oam errored-frame-period threshold high {high-frames | none}
  no ethernet-oam errored-frame-period...
Fig 12-3 Typical OAM application topology (Ethernet 1/0/1 to Ethernet 1/0/1, OAMPDU)
Configuration procedure (SNMP and log configuration omitted):
Configuration on CE:
CE(config)#interface ethernet1/0/1
CE(config-if-ethernet1/0/1)#ethernet-oam mode passive
CE(config-if-ethernet1/0/1)#ethernet-oam
CE(config-if-ethernet1/0/1)#ethernet-oam remote-loopback supported
Other parameters use the default configuration.
Ensure that the board in use supports the remote loopback function. STP, MRPP, ULPP, flow control and loopback detection should not be configured on a port after it enables OAM loopback, because OAM remote loopback and these functions are mutually exclusive. When OAM is enabled, auto-negotiation of the port is disabled automatically.
bpdu-tunnel Configuration
13. bpdu-tunnel Configuration
13.1 Introduction to bpdu-tunnel
BPDU Tunnel is a Layer 2 tunnelling technology. It allows Layer 2 protocol packets of geographically dispersed private-network users to be transmitted transparently over specific tunnels across a service provider network.
13.1.1 bpdu-tunnel function
In MAN applications, the branches of a corporation may be connected to each other through the service provider network.
Fig 13-1 BPDU Tunnel application
13.2 bpdu-tunnel Configuration Task List
bpdu-tunnel configuration task list:
1. Configure the tunnel MAC address globally
2. Configure the port to support the tunnel
1. Configure the tunnel MAC address globally
Global mode
  bpdu-tunnel dmac <mac>...
...network 2, which are connected by the service provider network. When Layer 2 protocol packets cannot pass through the service provider network, the user's networks cannot perform independent Layer 2 protocol calculation (for example, spanning tree calculation), so they affect each other.
Fig 13-2 BPDU Tunnel application environment
With BPDU Tunnel, Layer 2 protocol packets from the user's networks can be passed through the service provider network in the following work flow:...
PE2(config-if-ethernet1/0/1)#bpdu-tunnel dot1x
13.4 bpdu-tunnel Troubleshooting
The bpdu-tunnel function can only be configured on a port after stp, gvrp, uldp, lacp and dot1x have been disabled on that port.
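The work flow above comes down to two MAC rewrites at the provider edge. The block below is an added example, not the switch's code: on the customer-facing PE port a Layer 2 protocol frame whose protocol is enabled for tunnelling has its well-known group destination MAC replaced by the globally configured tunnel MAC (`bpdu-tunnel dmac`), so provider bridges forward it as ordinary multicast instead of processing it; the remote PE restores the original destination MAC before the frame reaches the customer. One assumption is made here: since a single tunnel MAC serves every protocol, the restore is keyed on the frame's own protocol fields (EtherType for EAPOL and LACP, the LLC 42-42-03 header plus protocol identifier for STP BPDUs and GARP PDUs). The tunnel MAC, source MAC and frames are constructed.

```python
"""BPDU tunnel: destination MAC rewrite at customer ingress and restore at customer egress.
Added example; frames, the tunnel MAC and the port configuration are constructed."""

# Well-known group addresses that bridges would otherwise consume or block
PROTOCOL_DMAC = {
    "stp":   bytes.fromhex("0180c2000000"),   # STP/RSTP/MSTP BPDUs
    "lacp":  bytes.fromhex("0180c2000002"),   # slow protocols (LACP)
    "dot1x": bytes.fromhex("0180c2000003"),   # EAPOL
    "gvrp":  bytes.fromhex("0180c2000021"),   # GARP application address (GVRP)
}
DMAC_TO_PROTOCOL = {v: k for k, v in PROTOCOL_DMAC.items()}

def classify(frame):
    """Identify the L2 protocol from the frame body, independent of its dmac (assumption)."""
    if len(frame) < 19:
        return None
    etype = int.from_bytes(frame[12:14], "big")
    if etype == 0x888E:
        return "dot1x"
    if etype == 0x8809 and frame[14] == 0x01:          # slow-protocol subtype 1 = LACP
        return "lacp"
    if etype <= 1500 and frame[14:17] == b"\x42\x42\x03":   # 802.3 length + LLC 42/42/UI
        protocol_id = int.from_bytes(frame[17:19], "big")
        return {0x0000: "stp", 0x0001: "gvrp"}.get(protocol_id)   # BPDU vs GARP PDU
    return None

def customer_ingress(frame, tunnel_dmac, enabled):
    """Customer -> provider: swap the well-known dmac for the tunnel MAC."""
    proto = DMAC_TO_PROTOCOL.get(bytes(frame[:6]))
    if proto in enabled and classify(frame) == proto:
        return tunnel_dmac + frame[6:]
    return frame      # not tunnelled: left to the port's own protocol handling

def customer_egress(frame, tunnel_dmac, enabled):
    """Provider -> customer: restore the original dmac for enabled protocols."""
    if bytes(frame[:6]) != tunnel_dmac:
        return frame
    proto = classify(frame)
    if proto in enabled:
        return PROTOCOL_DMAC[proto] + frame[6:]
    return frame      # tunnel MAC but not an enabled protocol: passed unchanged

def make_llc_frame(dmac, smac, protocol_id, body=b"\x00" * 35):
    """Constructed 802.3 frame with LLC header 42-42-03 (the shape of a BPDU or GARP PDU)."""
    llc = b"\x42\x42\x03" + protocol_id.to_bytes(2, "big") + body
    return dmac + smac + len(llc).to_bytes(2, "big") + llc
```

Because the restore depends on the protocol being enabled on the egress PE port as well, a frame that carries the tunnel MAC but belongs to a protocol the port does not tunnel is handed to the customer unchanged rather than being turned back into a BPDU.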
LLDP-MED
14. LLDP-MED
14.1 Introduction to LLDP-MED
LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) is based on IEEE 802.1AB LLDP (Link Layer Discovery Protocol). LLDP provides a standard link-layer discovery method: it sends local device information (including its major capabilities, management IP address, device ID and port ID) as TLV (type/length/value) triplets in LLDPDUs (Link Layer Discovery Protocol Data Units) to directly connected neighbours.
  no lldp transmit med tlv extendPoe
    Configure the port to send the LLDP-MED Extended Power-Via-MDI TLV; the no command disables the capability.
  lldp transmit med tlv inventory
  no lldp transmit med tlv inventory
    Configure the port to send LLDP-MED Inventory Management TLVs; the no command disables the capability.
  ... room | postal | otherInfo} <address>
  no {description-language | province-state | city | county | street | locationNum | location | floor | room | postal | otherInfo}
    Configure the Civic Address LCI address mode of the port.
Global mode
  When the fast LLDP-MED startup mechanism is enabled, it needs to fast send...
IEEE 802.3 Information:
  auto-negotiation support: Supported
  auto-negotiation support: Not Enabled
  PMD auto-negotiation advertised capability: 1
  operational MAU type: 1
SwitchA# show lldp neighbors interface ethernet 1/0/2
Port name : interface ethernet 1/0/2
Port Remote Counter : 1
Neighbor Index : 1
Port name : Ethernet1/0/2
Port Remote Counter : 1
TimeMark : 20...
A network connectivity device sends LLDP-MED TLVs only after it has received LLDP packets carrying LLDP-MED TLVs from the neighbouring MED device. If the command to send LLDP-MED TLVs is configured on the network connectivity device but the port still sends packets without LLDP-MED TLVs, then no MED information has been received and the port has not enabled sending LLDP-MED information.
PORT SECURITY
15. PORT SECURITY
15.1 Introduction to PORT SECURITY
Port security is a MAC-address-based mechanism for controlling network access. It extends the existing 802.1x authentication and MAC authentication. It blocks access by unauthorized devices to the network by checking the source MAC address of received frames, and blocks access to unauthorized devices by checking the destination MAC address of frames to be sent.
...table, or a MAC address is configured on several interfaces in the same VLAN, both cases violate the security of the MAC address.
  switchport port-security aging {static | time <value> | type {absolute | inactivity}}
  no switchport port-security violation aging {static ...
    Enable the port-security aging entry of the interface and specify the aging time or aging type.
Switch(config-if-ethernet1/0/1)#switchport port-security
Switch(config-if-ethernet1/0/1)#switchport port-security maximum 10
Switch(config-if-ethernet1/0/1)#exit
Switch(config)#
15.4 PORT SECURITY Troubleshooting
If problems occur when configuring PORT SECURITY, check whether the problem is caused by the following:
Check whether PORT SECURITY has been enabled normally ...
DDM Configuration
16. DDM Configuration
16.1 Introduction to DDM
16.1.1 Brief Introduction to DDM
DDM (Digital Diagnostic Monitoring) is the digital diagnostic function standardized in the SFF-8472 MSA. It specifies that the monitored parameter signals are digitized on the circuit board inside the module.
...function. Besides, the state of Tx Fault and Rx LOS is important for analyzing a fault.
3. Compatibility verification
Compatibility verification analyzes whether the module's environment matches its data sheet, or whether the module is compatible with the corresponding standard, because the module's capability can be ensured only in a compatible environment.
Besides checking the real-time working state of the transceiver, the user needs to monitor its detailed status, such as the time and type of the last abnormality. Transceiver monitoring helps the user find earlier abnormal states by checking the log, and query the last abnormal state by executing the commands.
  transceiver-monitoring interval <minutes>
  no transceiver-monitoring interval
    Set the interval of transceiver monitoring; the no command restores the default interval of 15 minutes.
(2) Configure the enable state of transceiver monitoring
Port mode
  ... whether transceiver monitoring is enabled.
16.3 Examples of DDM
Example 1: Ethernet 21 and Ethernet 23 have fiber modules with DDM inserted, Ethernet 24 has a fiber module without DDM, and Ethernet 22 has no fiber module; show the DDM information of the fiber modules.
a. Show the information of all interfaces whose real-time parameters can be read normally (if no fiber module is inserted or the fiber module is not supported, no information is shown), for example:...
                   Value        High Alarm  Low Alarm  High Warn  Low Warn
Temperature(℃)
Voltage(V)         7.31(A+)     5.00        0.00       5.00       0.00
Bias current(mA)   6.11(W+)     10.30       0.00       5.00       0.00
RX Power(dBm)      -30.54(A-)   9.00        -25.00     9.00       -25.00
TX Power(dBm)      -6.01        9.00        -25.00     9.00       -25.00
Ethernet 1/0/22 transceiver detail information: N/A
Ethernet 1/0/24 transceiver detail information:
Base information: SFP found in this port, manufactured by company, on Sep 29 2010.
Step 2: Configure the tx-power thresholds of the fiber module: the low-warning threshold is -12 and the low-alarm threshold is -10.00.
Switch#config
Switch(config)#interface ethernet 1/0/21
Switch(config-if-ethernet1/0/21)#transceiver threshold tx-power low-warning -12
Switch(config-if-ethernet1/0/21)#transceiver threshold tx-power low-alarm -10.00
Step 3: Show the detailed DDM information of the fiber module. The alarm uses the threshold configured by the user; the threshold configured by the manufacturer is shown in brackets.
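The flags in the show output (A+, A-, W+, W-) follow from comparing each real-time value against the four thresholds, with the user-configured threshold taking the place of the manufacturer's. The block below is an added example, not the switch's code: it evaluates a parameter the way the output above implies (alarm checked before warning), renders the user value with the manufacturer's value in brackets, and adds an ordering check that a practitioner would want before committing an override. The sample rows are the Ethernet 1/0/21 values from the show output in this section; the override is the manual's step 2.

```python
"""Evaluate DDM (SFF-8472) real-time values against alarm and warning thresholds.
Added example; sample values taken from the manual's show output, overrides from step 2."""
from dataclasses import dataclass, field

KEYS = ("high_alarm", "low_alarm", "high_warning", "low_warning")

@dataclass
class Parameter:
    name: str
    value: float
    vendor: dict                               # manufacturer thresholds, one per key in KEYS
    user: dict = field(default_factory=dict)   # user overrides from `transceiver threshold`

    def effective(self, key):
        """The user-configured threshold wins over the manufacturer's one."""
        return self.user.get(key, self.vendor[key])

    def flag(self):
        """A+, A-, W+, W- or '' (normal). Alarms are checked before warnings."""
        v = self.value
        if v > self.effective("high_alarm"):
            return "A+"
        if v < self.effective("low_alarm"):
            return "A-"
        if v > self.effective("high_warning"):
            return "W+"
        if v < self.effective("low_warning"):
            return "W-"
        return ""

    def consistent(self):
        """True if low_alarm <= low_warning <= high_warning <= high_alarm.
        When this fails one band can never be reported: a low alarm set above the
        low warning means no value is ever flagged W-."""
        return (self.effective("low_alarm") <= self.effective("low_warning")
                <= self.effective("high_warning") <= self.effective("high_alarm"))

    def render(self):
        """One row in the style of the show output: user value first, manufacturer in brackets."""
        cells = []
        for k in KEYS:
            if k in self.user:
                cells.append(f"{self.user[k]:.2f}({self.vendor[k]:.2f})")
            else:
                cells.append(f"{self.vendor[k]:.2f}")
        return f"{self.name:<16}{self.value:>8.2f}{self.flag():<4}" + " ".join(f"{c:>14}" for c in cells)

def evaluate(params):
    """Return {name: flag} for every parameter that is outside its normal band."""
    return {p.name: p.flag() for p in params if p.flag()}

# Rows from the manual's show output for Ethernet 1/0/21 (threshold order as in KEYS)
SAMPLE = [
    Parameter("Voltage(V)",        7.31, dict(zip(KEYS, (5.00, 0.00, 5.00, 0.00)))),
    Parameter("Bias current(mA)",  6.11, dict(zip(KEYS, (10.30, 0.00, 5.00, 0.00)))),
    Parameter("RX Power(dBm)",   -30.54, dict(zip(KEYS, (9.00, -25.00, 9.00, -25.00)))),
    Parameter("TX Power(dBm)",    -6.01, dict(zip(KEYS, (9.00, -25.00, 9.00, -25.00)))),
]
```

Run against step 2's override (low-warning -12, low-alarm -10.00), `consistent()` is false: the low alarm sits above the low warning, so a tx-power of -11 dBm is reported as A- and no value can ever be reported as W- only.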
The last threshold-violation doesn't exist.
Ethernet 1/0/22 transceiver threshold-violation information:
Transceiver monitor is disabled.
Monitor interval is set to 30 minutes.
The last threshold-violation doesn't exist.
Step 2: Enable transceiver monitoring on Ethernet 21.
Switch(config)#interface ethernet 1/0/21
Switch(config-if-ethernet1/0/21)#transceiver-monitoring enable
Step 3: Show the transceiver monitoring of the fiber module.
16.4 DDM Troubleshooting
If problems occur when configuring DDM, check whether the problem is caused by the following:
Ensure that the transceiver of the fiber module is firmly inserted in the port; otherwise the DDM configuration will not be shown. ...
VLAN Configuration
17. VLAN Configuration
17.1 VLAN Configuration
17.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the devices in a network into separate logical network segments based on function, application or management requirements. In this way virtual workgroups can be formed regardless of the physical location of the devices.
Improving network performance
Saving network resources
Simplifying network management
Lowering network cost
Enhancing network security
Switch Ethernet ports can work in three modes: Access, Hybrid and Trunk; each mode forwards tagged and untagged packets differently.
1. Create or delete VLAN
Global Mode
  vlan WORD
  no vlan WORD
    Create/delete a VLAN or enter VLAN Mode.
2. Set or delete VLAN name
VLAN Mode
  name <vlan-name>
  no name
    Set or delete the VLAN name.
3.
7. Set Hybrid port
Port Mode
  switchport hybrid allowed vlan {WORD | all | add WORD | except WORD | remove WORD} {tag | untag}
  no switchport hybrid allowed vlan
    Set/delete the VLANs allowed on the Hybrid port, in tagged or untagged mode.
  switchport hybrid native vlan <vlan-id>...
17.1.3 Typical VLAN Application
Scenario:
Fig 17-2 Typical VLAN Application Topology (Switch A and Switch B connected by a trunk link; workstations in VLAN2, VLAN100 and VLAN200 on both switches)
The existing LAN must be partitioned into 3 VLANs due to security and application requirements.
Fig 17-3 Typical Application of Hybrid Port (Switch A, Switch B, internet)
PC1 connects to interface Ethernet 1/0/7 of SwitchB, PC2 connects to interface Ethernet 1/0/9 of SwitchB, and Ethernet 1/0/10 of SwitchA connects to Ethernet 1/0/10 of SwitchB.
Fig 17-4 A typical application scene
Switches A and G are not directly connected in the layer 2 network; B, C, D, E and F are intermediate switches connecting A and G. Switches A and G have VLAN100-1000 configured manually while B, C, D, E and F do not. When GVRP is not enabled, A and G cannot communicate with each other because the intermediate switches lack the relevant VLANs.
1. Configure GVRP timers
Global mode
  garp timer join <200-500>
  garp timer leave <500-1200>
  garp timer leaveall <5000-60000>
  no garp timer (join | leave | leaveAll)
    Configure the leaveall, join and leave timers for GVRP.
2. Configure port type
Port mode...
Fig 17-5 Typical GVRP Application Topology (Switch A, Switch B, Switch C)
To enable dynamic VLAN registration and update among switches, GVRP must be configured on the switches. Configure GVRP on Switches A, B and C so that Switch B learns VLAN100 dynamically and the two workstations connected to VLAN100 on Switches A and C can communicate with each other through Switch B without a static VLAN100 entry on B.
17.3 Dot1q-tunnel Configuration
17.3.1 Introduction to Dot1q-tunnel
Dot1q-tunnel, also called QinQ (802.1Q-in-802.1Q), is an extension of 802.1Q. Its central idea is to encapsulate the customer VLAN tag (CVLAN tag) inside a service provider VLAN tag (SPVLAN tag). Carrying both VLAN tags, the packet is transmitted through the ISP backbone network, which provides a simple layer-2 tunnel for the users.
Dot1q-tunnel gives the ISP network the ability to carry many client VLANs inside a single VLAN of its own. Both the ISP network and the clients can configure their VLANs independently. The dot1q-tunnel function thus has the following characteristics: ...
17.3.3 Typical Applications of the Dot1q-tunnel
Scenario:
Edge switches PE1 and PE2 of the ISP network forward the VLAN200-300 data between CE1 and CE2 of the client network inside VLAN3. Port 1 of PE1 is connected to CE1 and port 10 is connected to the public network, where the TPID of the connected equipment is 9100; port 1 of PE2 is connected to CE2 and port 10 is connected to the public network.
Switch(Config)#
17.3.4 Dot1q-tunnel Troubleshooting
Enabling dot1q-tunnel on a Trunk port makes the tag of the data packet unpredictable, which is not wanted in this application, so enabling dot1q-tunnel on a Trunk port is not recommended. Enabling it together with STP/MSTP is not supported. Enabling it together with PVLAN is not supported.
Port mode
  vlan-translation <old-vlan-id> <new-vlan-id> in
  no vlan-translation old-vlan-id in
    Add/delete a VLAN-translation relation.
3. Configure whether the packet is dropped when the VLAN-translation check fails
Port mode
  vlan-translation miss drop in
  no vlan-translation miss drop in
    Configure whether a packet is dropped on the port when VLAN translation fails.
Figure (VLAN translation topology): customer networks connect to the PE over trunk links carrying VLAN 200-300; on the PE the ingress port translates VLAN20 to VLAN3 and the egress port translates VLAN3 back to VLAN20; the SP network carries the translated traffic between the PEs.
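The dot1q-tunnel scenario (17.3.3) and the VLAN translation commands above both operate on the outer 802.1Q tag of a frame. The block below is an added example, not the switch's code, covering both: it pushes the provider tag with TPID 0x9100 in front of whatever the customer sent on a dot1q-tunnel port (so customer VLANs 200-300 travel inside SP VLAN 3), pops it on the way back only when the outer tag really is the expected SP VLAN, and applies a `vlan-translation <old> <new> in` table with the `vlan-translation miss drop in` behaviour. The frames, MAC addresses and payloads are constructed; the VLAN numbers and TPID are the manual's scenario.

```python
"""802.1Q tag push/pop at a dot1q-tunnel port, and ingress VLAN translation.
Added example; frames are constructed, VLAN numbers follow the manual's scenario."""
import struct

TPID_8021Q = 0x8100
TPID_SP = 0x9100      # TPID of the provider equipment in the manual's scenario

def make_frame(dmac, smac, vid=None, tpid=TPID_8021Q, pcp=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Build an Ethernet frame, optionally with one 802.1Q tag (constructed input)."""
    hdr = bytes.fromhex(dmac.replace("-", "")) + bytes.fromhex(smac.replace("-", ""))
    if vid is not None:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return the (tpid, pcp, vid) tags after the MAC addresses, outermost first."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in (TPID_8021Q, TPID_SP):
            break
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return tags

def push_tag(frame, tpid, vid, pcp=0):
    if not 1 <= vid <= 4094:
        raise ValueError("invalid VLAN ID")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]

def pop_tag(frame):
    return frame[:12] + frame[16:]

def dot1q_tunnel_ingress(frame, sp_vlan, tpid=TPID_SP):
    """Customer-facing dot1q-tunnel port: every frame, tagged or not, gets the SP tag
    pushed in front of what the customer sent, so the customer's own tag is carried intact."""
    return push_tag(frame, tpid, sp_vlan)

def dot1q_tunnel_egress(frame, sp_vlan, tpid=TPID_SP):
    """Towards the customer: pop the SP tag; frames not in our SP VLAN are dropped (None)."""
    tags = parse_tags(frame)
    if not tags or tags[0][0] != tpid or tags[0][2] != sp_vlan:
        return None
    return pop_tag(frame)

def vlan_translate_in(frame, table, miss_drop):
    """Rewrite the outer VLAN ID per `table` ({old: new}). An untagged frame passes
    untouched; a tagged frame with no rule is dropped when miss_drop is set."""
    tags = parse_tags(frame)
    if not tags:
        return frame
    tpid, pcp, vid = tags[0]
    if vid not in table:
        return None if miss_drop else frame
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | table[vid]) + frame[16:]
```

The egress check is the part worth keeping in mind: a frame that reaches the customer-facing port with some other SP VLAN, or with a plain 0x8100 outer tag, is dropped rather than decapsulated, which is what keeps one customer's tunnel from leaking frames into another.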
Priority of VLAN translation and VLAN ingress filtering when processing packets: VLAN translation > VLAN ingress filtering.
17.5 Dynamic VLAN Configuration
17.5.1 Introduction to Dynamic VLAN
Dynamic VLAN is named in contrast to static VLAN (that is, port-based VLAN).
VLAN Configuration 3. Configure the correspondence between the MAC address and the VLAN 4. Configure the IP-subnet-based VLAN function on the port 5. Configure the correspondence between the IP subnet and the VLAN 6. Configure the correspondence between the Protocols and the VLAN 7.
  ... mask <subnet-mask> vlan <vlan-id> priority <priority-id>
  no subnet-vlan {ip-address <ipv4-address> mask <subnet-mask> | all}
    Configure the correspondence between the IP subnet and the VLAN, namely the specified subnet joins/leaves the specified VLAN.
6. Configure the correspondence between protocols and the VLAN
Global Mode
  protocol-vlan mode {ethernetii etype <etype-id> | llc {dsap <dsap-id>...
Fig 17-8 Typical topology application of dynamic VLAN (SwitchA, SwitchB, SwitchC; VLAN100, VLAN200, VLAN300)
Configuration item / explanation:
MAC-based VLAN: global configuration on Switch A, Switch B and Switch C. For example, if host M is at E1/0/1 of SwitchA, the configuration procedure is as follows:
Switch A, Switch B, Switch C:
SwitchA(Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
SwitchA(Config)#interface ethernet 1/0/1...
...PC) both belong to the same dynamic VLAN, the first communication between the two devices may not go through. The solution is to have the two devices actively send a packet to the switch (for example a ping) so that the switch learns their source MACs; after that the two devices can communicate freely within the dynamic VLAN.
...VLAN according to its voice traffic, which is transmitted at the specified priority. Moreover, when voice equipment is physically relocated it still belongs to the Voice VLAN without any further configuration change, because membership is based on the voice equipment rather than on the switch port.
17.6.3 Typical Applications of the Voice VLAN
Scenario:
A company implements voice communication by configuring a Voice VLAN. IP-phone1 and IP-phone2 can be connected to any port of the switch and communicate normally, and are interconnected with other switches through the uplink port. IP-phone1 (MAC address 00-03-0f-11-22-33) connects to port 1/0/1 of the switch; IP-phone2 (MAC address 00-03-0f-11-22-55) connects to port 1/0/2 of the switch.
switch(Config-If-Ethernet1/0/1)#switchport hybrid allowed vlan 100 untag
switch(Config-If-Ethernet1/0/1)#exit
switch(Config)#interface ethernet 1/0/2
switch(Config-If-Ethernet1/0/2)#switchport mode hybrid
switch(Config-If-Ethernet1/0/2)#switchport hybrid allowed vlan 100 untag
switch(Config-If-Ethernet1/0/2)#exit
17.6.4 Voice VLAN Troubleshooting
Voice VLAN cannot be applied concurrently with MAC-based VLAN. The Voice VLAN on the port is enabled by default. If the configured data can no longer enter the Voice VLAN during operation, check whether the Voice VLAN function has been disabled on the port.
2. Show the related configuration of Multi-to-One VLAN translation
Admin mode
  show vlan-translation n-to-1
    Show the related configuration of Multi-to-One VLAN translation.
17.7.3 Typical application of Multi-to-One VLAN Translation
Scenario:
UserA, userB and userC belong to VLAN1, VLAN2 and VLAN3 respectively. Before entering the network layer, the data traffic of userA, userB and userC is translated into VLAN 100 by Ethernet1/0/1 of edge switch1.
Configuration item / explanation:
VLAN: Switch1, Switch2.
Trunk Port: downlink port 1/0/1 and uplink port 1/0/5 of Switch1 and Switch2.
Multi-to-One VLAN-translation: downlink port 1/0/1 of Switch1 and Switch2.
Configuration procedure is as follows:
Switch1, Switch2:
switch(Config)#vlan 1-3;100
switch(Config)#interface ethernet 1/0/1
switch(Config-Ethernet1/0/1)#switchport mode trunk
switch(Config-Ethernet1/0/1)#vlan-translation n-to-1 1-3 to 100
switch(Config)#interface ethernet 1/0/5
switch(Config-Ethernet1/0/5)#switchport mode trunk...
...control of broadcast domains and convenience of deployment). However, in a generic layer-3 switch, communication between broadcast domains is implemented by mapping each VLAN to a layer-3 interface, which wastes IP addresses. For example, the VLAN division of a device is shown in the figure.
Fig 17-12 Generic VLAN network (gateway and usable addresses per VLAN)...
...10 hosts, while a subnet with a 28-bit mask was assigned to VLAN 21 earlier, so the surplus addresses are wasted because they cannot be used by other VLANs. This division also makes network updates difficult. If the client of VLAN23 needs to add 2 hosts and does not want to change the assigned IP addresses, but the addresses after 1.1.1.24 are already assigned to others, a subnet with a 29-bit mask and a new VLAN must be assigned to this client.
VLAN Configuration 17.8.2 Super VLAN Configuration 1. Create or delete supervlan 2. Specify or delete subvlan 3. Enable or disable arp-proxy function of subvlan 4. Specify or delete ip-addr-range of interface 5. Specify or delete ip-addr-range of subvlan 1. Create or delete supervlan Command Explanation VLAN configuration mode...
  ip-addr-range subvlan <vlan-id> <ipv4-address> to <ipv4-address>
  no ip-addr-range subvlan <vlan-id>
    Specify or delete the address range of the subvlan.
17.8.3 Typical Application of Super VLAN
Fig 17-14 Typical super VLAN topology (Switch A with two VLANs)
Terminals of two VLANs need to have their addresses configured in the same network segment due to LAN application requirements.
switch(Config-Vlan2)#exit
switch(Config)#interface vlan 2
switch(config-if-vlan2)#ip address 1.1.1.254 255.255.255.0
switch(config-if-vlan2)#arp-proxy subvlan all
switch(config-if-vlan2)#ip-addr-range subvlan 3 1.1.1.1 to 1.1.1.10
switch(config-if-vlan2)#ip-addr-range subvlan 4 1.1.1.20 to 1.1.1.30
switch(config-if-vlan2)#exit
17.8.4 Super VLAN Troubleshooting
Supervlan and the functions VRRP, dynamic VLAN, private VLAN, multicast VLAN, etc. are mutually exclusive, so they should not be used at the same time.
MAC Table Configuration 18. MAC Table Configuration 18.1 Introduction to MAC Table MAC table is a table identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses. Static MAC addresses are manually configured by the user, have the highest priority and are permanently effective (will not be overwritten by dynamic MAC addresses);...
Fig 18-1 MAC Table dynamic learning
The topology of the figure above: 4 PCs are connected to the switch. PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/0/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/0/12 of the switch.
...seconds here is the default aging time for a MAC address entry in the switch. The aging time can be modified.
18.1.2 Forward or Filter
The switch forwards or filters received data frames according to the MAC table. Taking the figure above as an example, assume the switch has learnt the MAC addresses of PC1 and PC3 and the user has manually configured the mapping of PC2 and PC4 to ports.
MAC Table Configuration are in the switch MAC table, the switch will directly forward the frames to the associated ports; when the destination MAC address in a unicast frame is not found in the MAC table, the switch will broadcast the unicast frame. When VLANs are configured, the switch will forward unicast frame within the same VLAN.
Clear dynamic address table
Admin Mode
  clear mac-address-table dynamic [address <mac-addr>] [vlan <vlan-id>] [interface [ethernet | portchannel] <interface-name>]
    Clear the dynamic address table.
Configure MAC learning through CPU control
Global Mode
  mac-address-learning cpu-control
  no mac-address-learning cpu-control
    Enable MAC learning through CPU control; the no command restores automatic MAC learning by the chip...
The configuration steps are listed below:
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address.
Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1
2. Set the static mapping of PC2 and PC3 to port 1/0/7 and port 1/0/9, respectively.
MAC Table Configuration stream destined for the other MAC addresses that not bound to the port will not be allowed to pass through the port. 18.5.1.2 MAC Address Binding Configuration Task List 1. Enable MAC address binding function for the ports 2.
Admin Mode
  clear port-security dynamic [address <mac-addr> | interface <interface-id>]
    Clear dynamic MAC addresses learned by the specified port.
3. MAC address binding property configuration
Port Mode
  switchport port-security maximum
    Set the maximum number of secure MAC addresses for a port;...
18.6 MAC Notification Configuration
18.6.1 Introduction to MAC Notification
The MAC Notification function notifies the administrator, through the SNMP trap function, when a MAC address is added or removed, that is, when a device is added to or removed from the network.
18.6.2 MAC Notification Configuration
MAC notification configuration task list:
1.
4. Configure the size of the history table
Global mode
  mac-address-table notification history-size <0-500>
  no mac-address-table notification history-size
    Configure the history table size; the no command restores the default value.
5. Configure the trap type of MAC notification supported by the port
Port mode...
Switch(config)#mac-address-table notification history-size 100
Switch(Config-If-Ethernet1/0/4)#mac-notification both
18.6.4 MAC Notification Troubleshooting
Check whether the trap message is sent successfully with the show command and the debug command of SNMP.
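The behaviour described across 15.1 (port security), 18.1 (learning, aging, forward or filter), 18.5 (MAC address binding) and 18.6 (MAC notification) can be modelled in one table. The block below is an added example, not the switch's implementation: entries are keyed by (VLAN, MAC); static and discard entries are never overwritten by learning and never age out; a discard entry drops frames from or to that MAC; a port with port security enabled learns at most `maximum` dynamic addresses and records a violation beyond that; unknown unicast and broadcast are flooded within the VLAN only; every dynamic add or remove goes into a bounded notification history sized like the manual's history-size. Ports, MAC addresses and timestamps are constructed (the PC1/PC2/PC3 values are the ones from the 18.3 example).

```python
"""MAC table model: learning, aging, static/discard entries, per-port secure-MAC limit
and MAC add/remove notification. Added example; ports, addresses and times constructed."""
from collections import deque

BROADCAST = "ff-ff-ff-ff-ff-ff"

class MacTable:
    def __init__(self, aging_time=300, history_size=100):
        self.aging_time = aging_time
        self.entries = {}        # (vlan, mac) -> {"port", "kind": dynamic|static|discard, "ts"}
        self.vlan_ports = {}     # vlan -> set of member ports
        self.max_secure = {}     # port -> maximum secure MAC count (port security enabled)
        self.violations = []     # (port, vlan, mac) of frames that exceeded the limit
        self.history = deque(maxlen=history_size)   # MAC notification history table

    def add_port(self, vlan, port):
        self.vlan_ports.setdefault(vlan, set()).add(port)

    def add_static(self, vlan, mac, port):
        # `mac-address-table static <mac> interface ... vlan <id>`: highest priority, never aged
        self.entries[(vlan, mac)] = {"port": port, "kind": "static", "ts": None}
        self.history.append(("add", vlan, mac, port))

    def add_discard(self, vlan, mac):
        # `mac-address-table static <mac> discard vlan <id>`: filter this address
        self.entries[(vlan, mac)] = {"port": None, "kind": "discard", "ts": None}

    def enable_port_security(self, port, maximum):
        # `switchport port-security` + `switchport port-security maximum <n>`
        self.max_secure[port] = maximum

    def secure_count(self, port):
        return sum(1 for e in self.entries.values() if e["kind"] == "dynamic" and e["port"] == port)

    def learn(self, vlan, mac, port, now):
        """Learn a source MAC on a port; return False on a port-security violation."""
        key = (vlan, mac)
        e = self.entries.get(key)
        if e and e["kind"] != "dynamic":
            return True                      # static/discard entry wins; never overwritten
        new_on_port = e is None or e["port"] != port
        if new_on_port and port in self.max_secure and self.secure_count(port) >= self.max_secure[port]:
            self.violations.append((port, vlan, mac))
            return False
        if new_on_port:
            self.history.append(("add", vlan, mac, port))   # new station, or station moved
        self.entries[key] = {"port": port, "kind": "dynamic", "ts": now}
        return True

    def age(self, now):
        """Remove dynamic entries idle longer than aging_time; return how many were removed."""
        expired = [k for k, e in self.entries.items()
                   if e["kind"] == "dynamic" and now - e["ts"] > self.aging_time]
        for vlan, mac in expired:
            port = self.entries.pop((vlan, mac))["port"]
            self.history.append(("remove", vlan, mac, port))
        return len(expired)

    def forward(self, vlan, smac, dmac, in_port, now):
        """Return the set of egress ports for a frame; an empty set means it is dropped."""
        src = self.entries.get((vlan, smac))
        if src and src["kind"] == "discard":
            return set()                      # filtered source address
        if not self.learn(vlan, smac, in_port, now):
            return set()                      # port-security violation: drop
        dst = self.entries.get((vlan, dmac))
        if dst and dst["kind"] == "discard":
            return set()                      # filtered destination address
        if dst is None or dmac == BROADCAST:
            return self.vlan_ports.get(vlan, set()) - {in_port}   # flood within the VLAN
        return {dst["port"]} - {in_port}
```

Two details are the ones that matter operationally: a station that moves between ports is recorded as an "add" on the new port (that is the event a MAC notification trap is meant to surface), and once the secure limit is reached a new address on the port is counted as a violation and its frame is dropped rather than learned, so the limit also caps what the flooding path can be made to learn.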
MSTP Configuration
19. MSTP Configuration
19.1 Introduction to MSTP
MSTP (Multiple Spanning Tree Protocol) is a spanning-tree protocol based on STP and RSTP. It runs on all bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP.
Fig 19-1 Example of CIST and MST Region (root bridges and an MST region)
In the above network, if the bridges run STP or RSTP, one port between Bridge M and Bridge B must be blocked. But if the bridges in the highlighted range run MSTP and are configured in the same MST region, MSTP treats this region as a single bridge.
MSTP Configuration 19.1.1.2 Operations between MST Regions If there are multiple regions or legacy 802.1D bridges within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP bridges in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
1. Enable MSTP and set the running mode
Global Mode and Port Mode
  spanning-tree
  no spanning-tree
    Enable/disable MSTP.
Global Mode
  spanning-tree mode {mstp|stp|rstp}
  no spanning-tree mode
    Set the MSTP running mode.
Port Mode
  spanning-tree mcheck
    Force the port to migrate to running MSTP.
2.
...a rootguard port cannot become the root port.
  spanning-tree [mst <instance-id>] loopguard
  no spanning-tree [mst <instance-id>] loopguard
    Enable the loopguard function on the specified instance; the no command disables it.
3. Configure MSTP region parameters
Global Mode
  spanning-tree mst configuration
    Enter MSTP region mode. The no command restores...
4. Configure MSTP time parameters
Command (Global Mode): spanning-tree forward-time <time> / no spanning-tree forward-time. Explanation: Set the switch forward delay time.
Command (Global Mode): spanning-tree hello-time <time> / no spanning-tree hello-time. Explanation: Set the Hello time for sending BPDU messages.
Command (Global Mode): spanning-tree maxage <time>. Explanation: Set the aging time for BPDU messages.
7. Configure the spanning-tree attribute of a port
Command (Port Mode): spanning-tree cost / no spanning-tree cost. Explanation: Set the port path cost.
Command (Port Mode): spanning-tree port-priority / no spanning-tree port-priority. Explanation: Set the port priority.
Command (Port Mode): spanning-tree rootguard / no spanning-tree rootguard. Explanation: Set rootguard on the port (the port cannot become a root port).
Global Mode: spanning-tree...
Command (Port Mode): spanning-tree tcflush {enable| disable| protect} / no spanning-tree tcflush. Explanation: Configure the port flush mode. The no command restores use of the globally configured flush mode.
19.3 MSTP Example
The following is a typical MSTP application example:
Fig 19-2 Typical MSTP Application Scenario
The connections among the switches are shown in the above figure.
port 2: 200000 200000 200000
port 3: 200000 200000
port 4: 200000 200000
port 5: 200000 200000
port 6: 200000 200000
port 7: 200000 200000
By default, MSTP establishes a tree topology (blue lines) rooted at SwitchA. The ports marked with "x"...
Switch4(Config-Mstp-Region)#instance 3 vlan 20;30
Switch4(Config-Mstp-Region)#instance 4 vlan 40;50
Switch4(Config-Mstp-Region)#exit
Switch4(config)#interface e1/0/1-7
Switch4(Config-Port-Range)#switchport mode trunk
Switch4(Config-Port-Range)#exit
Switch4(config)#spanning-tree
Switch4(config)#spanning-tree mst 4 priority 0
After the above configuration, Switch1 is the root bridge of instance 0 for the entire network. In the MSTP region to which Switch2, Switch3 and Switch4 belong, Switch2 is the region root of instance 0, Switch3 is the region root of instance 3 and Switch4 is the region root of instance 4.
Fig 19-4 The Topology of Instance 3 after the MSTP Calculation
Fig 19-5 The Topology of Instance 4 after the MSTP Calculation
19.4 MSTP Troubleshooting
In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not enabled globally, it can't be enabled on the port.
QoS Configuration
20. QoS Configuration
20.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS guarantees consistent and predictable data transfer service quality to fulfill application requirements.
Fig 20-2 ToS priority
IP Precedence: IP priority. Classification information carried in the Layer 3 IP packet header, occupying 3 bits, in the range 0 to 7.
DSCP: Differentiated Services Code Point. Classification information carried in the Layer 3 IP packet header, occupying 6 bits, in the range 0 to 63, and backward compatible with IP Precedence.
bandwidth and low-latency requirements. Based on differentiated services, QoS assigns a priority to each packet at the ingress. The classification information is carried in the Layer 3 IP packet header or the Layer 2 802.1Q frame header. QoS provides the same service to packets of the same priority, while applying different operations to packets of different priority.
(Ingress classification flowchart, text only: a tagged packet uses its own L2 CoS value; an untagged packet uses the port default CoS (*1); Trust DSCP applies to IP packets (*2); Trust COS applies to tagged packets (*2); otherwise the default ingress Int-Prio is set, with DSCP-to-Int-Prio conversion according to...)
Note 2: Trust DSCP and Trust COS may be configured at the same time; the precedence is DSCP > COS.
Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value and can be policed and remarked. Policing can be performed per flow to configure different policies that allocate bandwidth to classified traffic; the assigned bandwidth policy may be single bucket dual color or dual bucket three color.
(Policing flowchart, text only: check whether a policy is configured; an action unrelated to the color is Pass or Drop; the options are: Set Int-Prio: set the internal priority of the packets; decide the packet color and action according to the policing policy; the color-specific action is Drop or Pass...)
Queuing and scheduling: Egress packets carry an internal priority; the scheduling operation assigns the packets to different priority queues according to the internal priority, and then forwards the packets according to the priority queue weight and the drop precedence.
20.2 QoS Configuration Task List
Configure class map: Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 flow label to classify the data stream. Different classes of data streams will be processed with different policies.
Configure a policy map: After data stream classification, a policy map can be created to associate with the class map created earlier and enter class mode.
no match {access-group | ip dscp | ip precedence | ipv6 access-group | ipv6 dscp | ipv6 flowlabel | vlan | cos}
2. Configure a policy map
Command (Global Mode): policy-map <policy-map-name>... Explanation: Create a policy map and enter policy...
the policy class map mode, add the statistics function to the traffic of the policy class map. In single bucket mode, packets can only be red or green when passing the policy; the printed information shows two colors (green and red). In dual bucket mode, there are three colors (green, red and yellow) of packets.
Command: pass-through-dscp / no pass-through-dscp. Explanation: Forbid the packet from rewriting its DSCP value at the egress; the no command allows the packet to rewrite the DSCP value.
Command (Global Mode): service-policy input <policy-map-name> vlan <vlan-list> / no service-policy input ... Explanation: Apply a policy map to the specified VLAN interface; the no command deletes the specified policy map...
If there are no parameters, clear the accounting data of all policy maps.
7. Show configuration of QoS
Command (Admin Mode): show mls qos maps [cos-intp | dscp-intp | intp-intp | intp-cos | intp-dscp | intp-dp | ... Explanation: Display the mapping configuration.
ethernet1/0/1, it will be mapped to the internal priority according to the CoS value; CoS values 0 to 7 correspond to output queues 1, 2, 3, 4, 5, 6, 7, 8 respectively. If the incoming packet has no CoS value, the default is 5 and it will be put in queue 6. Passing packets do not have their DSCP values changed.
Example 2: On port ethernet1/0/2, set the bandwidth for packets from segment 192.168.1.0 to 10 Mb/s,...
Example 3:
Fig 20-7 Typical QoS topology
As shown in the figure, the area inside the block is a QoS domain. Switch1 classifies different traffic and assigns different IP precedences. For example, set the CoS precedence for packets from segment 192.168.1.0 to 5 on port ethernet1/0/1 (set the internal priority to 40, set the default intp-dscp mapping to 40-40, and the corresponding IP precedence to 5).
QoS configuration on Switch2:
Switch#config
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#mls qos trust dscp
20.4 QoS Troubleshooting
trust cos and EXP can be used with other trust settings or a Policy Map. trust dscp can be used with other trust settings or a Policy Map. This configuration takes effect for IPv4 and IPv6 packets.
Flow-based Redirection
21. Flow-based Redirection
21.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to transmit data frames meeting a special condition (specified by an ACL) to another specified port. The frames meeting the same condition are called a class of flow; the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
2. Check the current flow-based redirection configuration
Command (Global Mode/Admin Mode): show flow-based-redirect {interface [ethernet <IFNAME> |<IFNAME>]}. Explanation: Display the current flow-based redirection information of the system/port.
21.3 Flow-based Redirection Examples
Example: The user's configuration request is as follows: redirect the frames whose source IP is 192.168.1.111 received on port 1 to port 6, that is, send the frames whose source IP is 192.168.1.111 received on port 1 out through port 6.
Flexible QinQ Configuration
22. Flexible QinQ Configuration
22.1 Introduction to Flexible QinQ
22.1.1 QinQ Technique
Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its main idea is to encapsulate the customer VLAN tag (CVLAN tag) within the service provider VLAN tag (SPVLAN tag).
2. Create a flexible QinQ policy-map to associate with the class-map and set the corresponding operation
3. Bind the flexible QinQ policy-map to a port
1. Configure class map
Command (Global mode): class-map <class-map-name> / no class-map <class-map-name>. Explanation: Create a class-map and enter class-map mode; the no command deletes the specified class-map.
cancels the operation.
3. Bind flexible QinQ policy-map to port
Command (Port mode): service-policy input<policy-map-name> / no service-policy input<policy-map-name>. Explanation: Apply a policy-map to a port; the no command deletes the specified policy-map applied to the port.
Global mode: service-policy input<policy-map-name>...
22.3 Flexible QinQ Example
Fig 22-1 Flexible QinQ application topology
As shown in the figure, the first user is assigned three VLANs in DSLAM1 whose tag values are 1001, 2001 and 3001 respectively. VLAN1001 corresponds to the broadband network, VLAN2001 corresponds to VoIP, and VLAN3001 corresponds to VOD.
Switch(config-classmap-c2)#exit
Switch(config)#class-map c3
Switch(config-classmap-c3)#match vlan 3001
Switch(config-classmap-c3)#exit
Switch(config)#policy-map p1
Switch(config-policymap-p1)#class c1
Switch(config-policymap-p1-class-c1)# set s-vid 1001
Switch(config-policymap-p1)#class c2
Switch(config-policymap-p1-class-c2)# set s-vid 2001
Switch(config-policymap-p1)#class c3
Switch(config-policymap-p1-class-c3)# set s-vid 3001
Switch(config-policymap-p1-class-c3)#exit
Switch(config-policymap-p1)#exit
Switch(config)#interface ethernet 1/0/1
Switch(config-if-ethernet1/0/1)#service-policy input p1
If the data flow of DSLAM2 enters the switch's downlink port1, the configuration is as follows:
Switch(config)#class-map c1
Switch(config-classmap-c1)#match vlan 1001...
22.4 Flexible QinQ Troubleshooting
If the flexible QinQ policy cannot be bound to the port, please check whether the problem is caused by one of the following reasons: Make sure flexible QinQ supports the configured class-map and policy-map ...
Egress QoS Configuration
23. Egress QoS Configuration
23.1 Introduction to Egress QoS
In traditional IP networks, all packets are treated in the same way. All network equipment treats them with a first-in-first-out policy and makes a best effort to send them to the destination.
23.1.2 Basic Egress QoS Model
(Model figure, text only. Ingress: classification (sort packet traffic), policing (decide whether traffic is single bucket, set the color of the packet), remark (generate internal priority and color). Egress: policing (degrade or discard according to the color), scheduling (place packets into priority queues according to...), egress remark.)
Description of the actions that modify QoS attributes according to the egress remark table:
cos-cos: for the CoS value of packets, modify the CoS value of packets according to the CoS table of QoS remarking
cos-dscp: for the CoS value of packets, modify the DSCP value of packets according to the CoS table of QoS remarking
dscp-cos: for the DSCP value of packets, modify the CoS value of packets according to the DSCP table of QoS remarking...
IPv6 DSCP to classify the data stream. Different classes of data streams will be processed with different policies.
Configure policy map: After data stream classification, a policy map can be created to associate with a class map created earlier and enter policy class mode. Then different policies (such as bandwidth limit or assigning a new DSCP value) can be applied to different data streams.
Command: class <class-map-name> [insert-before <class-map-name>] / no class <class-map-name>. Explanation: Create a policy map to associate with a class map and enter policy class map mode; then different data streams can apply different policies and be assigned a new DSCP value. The no command deletes the specified policy class map.
the printed information, in-profile means green and out-profile means red. In dual bucket mode, there are three colors of packets: in-profile means green and out-profile means red and yellow.
3. Apply policy to port or VLAN
Command (Interface Mode): service-policy...
If there are no parameters, clear the accounting data of all policy maps.
6. Show QoS configuration
Command (Admin Mode): show mls qos {interface [<interface-id>] [policy | queuing] | vlan <vlan-id>}. Explanation: Show the QoS configuration of the port. Show the class map information of QoS.
Example2: On the egress of vlan10, change the CoS value to 4 for the packet with ipv6 dscp value of
Create a class map:
switch(config)#class-map 1
switch(config-classmap-1)#match ipv6 dscp 7
switch(config-classmap-1)#exit
Create a policy map:
switch(config)#policy-map 1
switch(config-policymap-1)#class 1
switch(config-policymap-1-class-1)#set cos 4
switch(config-policymap-1-class-1)#exit
switch(config-policymap-1)#exit...
Set trust dscp mode on the ingress:
switch(config-if-port-range)#mls qos trust dscp
Bind the policy to the egress of port1:
switch(config-if-ethernet1/0/1)#service-policy output p1
23.4 Egress QoS Troubleshooting Help
Not all equipment supports Egress QoS at present, so please make sure the current device supports this function.
Layer 3 Forward Configuration
24. Layer 3 Forward Configuration
The switch supports Layer 3 forwarding, which forwards Layer 3 protocol packets (IP packets) across VLANs. Such forwarding uses IP addresses: when an interface receives an IP packet, it performs a lookup in its own routing table and decides the operation according to the lookup result.
1. Create Layer 3 Interface
Command (Global Mode): interface vlan <vlan-id> / no interface vlan <vlan-id>. Explanation: Creates a VLAN interface (a VLAN interface is a Layer 3 interface); the no command deletes the VLAN interface (Layer 3 interface) created in the switch.
Command: interface loopback. Explanation: Creates a Loopback interface and enters the loopback...
24.2 Layer 3 function
24.2.1 Layer 3 function introduction
The L3 function is disabled on the switch by default; it can be enabled with the command below, and the L3 list number can be configured.
24.2.2 Layer 3 function configuration
Layer 3 function configuration task list:
1.
24.3 IP Configuration
24.3.1 Introduction to IPv4, IPv6
IPv4 is the current version of the globally universal Internet protocol. Practice has proved that IPv4 is simple, flexible, open, stable, robust and easy to implement, while collaborating well with various protocols of the upper and lower layers. Although IPv4 has hardly changed since it was established in the 1980s, it has kept growing to the current global scale with the promotion of the Internet.
essential designs of IPv4. The hierarchical addressing scheme facilitates route aggregation, effectively reduces routing table entries and enhances the efficiency and scalability of routing and data packet processing. The header design of IPv6 is more efficient than that of IPv4: it has fewer fields and drops the header checksum, which speeds up the processing of the basic IPv6 header.
Protocols (EGP for short), for example the IPv6 routing protocols RIPng, OSPFv3, IS-ISv6 and MBGP4+. Multicast addresses have increased and support for multicast has been enhanced. By handling IPv4 broadcast functions such as Router Discovery and Router Query, IPv6 multicast has completely replaced IPv4 broadcast in terms of function.
(7) Configure prefix advertisement parameters
(8) Configure static IPv6 neighbor entries
(9) Delete all entries in the IPv6 neighbor table
(10) Set the hoplimit of sent router advertisements
(11) Set the mtu of sent router advertisements
(12) Set the reachable-time of sent router advertisements
(13) Set the retrans-timer of sent router advertisements
(14) Set the flag representing whether information other than the address information will be obtained via DHCPv6...
2. IPv6 Neighbor Discovery Configuration
(1) Configure DAD Neighbor Solicitation message number
Command (Interface Configuration Mode): ipv6 nd dad attempts <value> / no ipv6 nd dad attempts. Explanation: Set the number of neighbor query messages sent in sequence when the interface performs duplicate address detection.
Command (Interface Configuration Mode): ipv6 max-ra-interval <seconds> / no ipv6 nd max-ra-interval. Explanation: Configure the maximum interval for router advertisement. The no command restores the default value (600 seconds).
(7) Configure prefix advertisement parameters
Command (Interface Configuration Mode): ipv6 nd prefix <ipv6-address/prefix-length>...
(11) Set the mtu of sent router advertisements
Command (Interface Configuration Mode): ipv6 nd ra-mtu <value>. Explanation: Set the mtu of sent router advertisements.
(12) Set the reachable-time of sent router advertisements
Command (Interface Configuration Mode): ipv6 reachable-time. Explanation: Set the reachable-time of sent router...
24.3.3 IP Configuration Examples
24.3.3.1 Configuration Examples of IPv4
Fig 24-1 IPv4 configuration example
The user's configuration requirements are: Configure IP addresses of different network segments on Switch1 and Switch2, configure static routing and validate reachability using the ping function.
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ip address 192.168.2.2 255.255.255.0
Switch2(config)#interface vlan 3
Switch2(Config-if-Vlan3)#ip address 192.168.3.1 255.255.255.0
Switch2(Config-if-Vlan3)#exit
Switch2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1
24.3.3.2 Configuration Examples of IPv6
Example 1:
Fig 24-2 IPv6 configuration example
The user's configuration requirements are: Configure IPv6 addresses of different network segments on Switch1 and Switch2, configure static routing and validate reachability using the ping6 function.
interface Loopback
mtu 3924
ipv6 route 2001::/64 2002::1
no login
24.3.4 IPv6 Troubleshooting
The configured router lifetime should not be smaller than the router advertisement send interval. If the connected PC has not obtained an IPv6 address, check the RA announcement switch (it is turned off by default).
24.5 ARP
24.5.1 Introduction to ARP
ARP (Address Resolution Protocol) is mainly used to resolve IP addresses to Ethernet addresses. The switch supports both dynamic and static configuration. Furthermore, the switch supports the configuration of proxy ARP for some applications. For instance, when an ARP request is received on a port requesting an IP address in the same IP segment as the port but not on the same physical network, and the port has proxy ARP enabled, the port replies to the ARP request with its own MAC address and forwards the actual packets it receives.
3. Clear dynamic ARP
Command (Admin mode): clear arp-cache. Explanation: Clear the dynamic ARP entries learnt by the switch.
4. Clear the ARP message statistics
Command (Admin mode): clear arp traffic. Explanation: Clear the ARP message statistics of the switch.
Command (Global Mode): l3-station-move / no l3-station-move. Explanation: Enable or disable l3 station move...
ARP Scanning Prevention Function Configuration
25. ARP Scanning Prevention Function Configuration
25.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts a large number of ARP messages in the segment, which takes up a large part of the network bandwidth.
2. Configure the threshold of port-based and IP-based ARP Scanning Prevention
3. Configure trusted ports
4. Configure trusted IP
5. Configure automatic recovery time
6. Display debug information and ARP scanning information
1.
Command: anti-arpscan trust ip <ip-address> [<netmask>] / no anti-arpscan trust ip <ip-address> [<netmask>]. Explanation: Set the trust attribute of an IP address.
5. Configure automatic recovery time
Command (Global configuration mode): anti-arpscan recovery enable / no anti-arpscan recovery enable. Explanation: Enable/disable the automatic recovery function.
25.3 ARP Scanning Prevention Typical Examples
Fig 25-1 ARP scanning prevention typical configuration example
In the network topology above, port E1/0/1 of SWITCH B is connected to port E1/0/19 of SWITCH A, port E1/0/2 of SWITCH A is connected to a file server (IP address 192.168.1.100/24), and all the other ports of SWITCH A are connected to ordinary PCs.
25.4 ARP Scanning Prevention Troubleshooting Help
ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, "debug anti-arpscan", to view debug information.
Prevent ARP, ND Spoofing Configuration
26. Prevent ARP, ND Spoofing Configuration
26.1 Overview
26.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP (RFC-826) protocol is mainly responsible for mapping an IP address to the corresponding 48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-03-0F-FD-1D-2B.
counterfeiting a legal IP address first, and sends a great number of counterfeit ARP packets to the switches; after the switches learn these packets, they overwrite the previously correct IP-to-MAC address mappings, so that some correct IP/MAC mappings are replaced by the relationship configured in the attack packets, the switch forwards packets wrongly, and the whole network is affected.
ARP GUARD Configuration
27. ARP GUARD Configuration
27.1 Introduction to ARP GUARD
There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address. This provides a chance for ARP cheating. Attackers can send ARP REQUEST messages or ARP REPLY messages to advertise a wrong mapping relationship between an IP address and a MAC address, causing problems in network communication.
scheme. Please refer to the relevant documents for details.
27.2 ARP GUARD Configuration Task List
1. Configure the protected IP address
Command (Port configuration mode): arp-guard ip <addr> / no arp-guard ip <addr>. Explanation: Configure/delete the ARP GUARD address...
ARP Local Proxy Configuration
28. ARP Local Proxy Configuration
28.1 Introduction to ARP Local Proxy function
In a real application environment, the switches in the aggregation layer are required to implement the local ARP proxy function to avoid ARP cheating. This function restricts the forwarding of ARP messages within the same VLAN and thus directs the L3 forwarding of the data flow through the switch.
local ARP proxy on an aggregation switch while configuring the interface isolation function on the layer-2 switch connected to it, all IP flows will be forwarded at layer 3 via the aggregation switch. And due to the interface isolation, ARP messages will not be forwarded within the VLAN, which means other PCs will not receive them.
We can configure as follows:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0
Switch(Config-if-Vlan1)#ip local proxy-arp
Switch(Config-if-Vlan1)#exit
28.4 ARP Local Proxy Function Troubleshooting
The ARP local proxy function is disabled by default. Users can view the current configuration with the display command. With correct configuration, by enabling ARP debugging, users can check whether the ARP proxy works normally and sends proxy ARP messages.
Gratuitous ARP Configuration
29. Gratuitous ARP Configuration
29.1 Introduction to Gratuitous ARP
Gratuitous ARP is a kind of ARP request that is sent by a host with its own IP address as the destination of the ARP request. The basic working mode of the switch is as follows: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured globally to send gratuitous ARP packets on all interfaces.
29.4 Gratuitous ARP Troubleshooting
Gratuitous ARP is disabled by default. When gratuitous ARP is enabled, the debugging information about ARP packets can be retrieved through the command debug ARP send. If gratuitous ARP is enabled in global configuration mode, it can be disabled only in global configuration mode.
Keepalive Gateway Configuration
30. Keepalive Gateway Configuration
30.1 Introduction to Keepalive Gateway
When an Ethernet port is used for backup or load balancing, because it is a broadcast channel it may not detect a change of the physical signal and fails to go down when the gateway is down.
[interface-name]: Show the keepalive running status of the specified interface; if no interface is specified, show the keepalive running status of all interfaces.
Command: show ip interface [interface-name]. Explanation: Show the IPv4 running status of the specified interface; if no interface is specified, show the IPv4 running status of all interfaces.
30.3 Keepalive Gateway Example
Fig 30-1 keepalive gateway typical example
In the above network topology, the interface address of interface vlan10 is 1.1.1.1...
Send an ARP probe every 3 seconds to detect whether gateway A is reachable; after 3 consecutive probes fail, gateway A is considered unreachable.
30.4 Keepalive Gateway Troubleshooting
If any problem occurs when using the keepalive gateway function, please check whether the problem is caused by one of the following reasons: ...
DHCP Configuration
31. DHCP Configuration
31.1 Introduction to DHCP
DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that dynamically assigns IP addresses from an address pool, as well as other network configuration parameters such as the default gateway, DNS server, default route and host image file position within the network.
However, if the DHCP server and the DHCP client are not in the same network, the server will not receive the DHCP broadcast packets sent by the client, and therefore no DHCP packets will be sent to the client by the server. In this case, a DHCP relay is required to forward such DHCP packets so that the DHCP packet exchange can be completed between the DHCP client and server.
Explanation: Configure the DHCP address pool. The no ip dhcp pool <name> operation cancels the DHCP address pool.
(2) Configure DHCP address pool parameters
Command (DHCP Address Pool Mode): network-address <network-number>... Explanation: Configure the address scope that can be...
Command: option <code> {ascii <string> | hex <hex> | ipaddress <ipaddress>} / no option <code>. Explanation: Configure the network parameter specified by the option code. The no command deletes the network parameter specified by the option code.
Command: lease days [hours][minutes]... Explanation: Configure the lease period allocated to...
31.3 DHCP Relay Configuration
When the DHCP client and server are in different segments, a DHCP relay is required to transfer DHCP packets. Adding a DHCP relay makes it unnecessary to configure a DHCP server for each segment: one DHCP server can provide the network configuration parameters for clients from multiple segments, which is not only cost-effective but also easier to manage.
2. Configure DHCP relay to forward DHCP broadcast packets.
Command (Global Mode): ip forward-protocol udp bootps / no ip forward-protocol udp bootps. Explanation: UDP port 67 is used for DHCP broadcast packet forwarding.
Command (Interface Configuration Mode): ip helper-address <ipaddress>... Explanation: Set the destination IP address for DHCP relay...
Switch(dhcp-A-config)#netbios-node-type H-node
Switch(dhcp-A-config)#exit
Switch(config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201
Switch(config)#ip dhcp pool B
Switch(dhcp-B-config)#network 10.16.2.0 24
Switch(dhcp-B-config)#lease 1
Switch(dhcp-B-config)#default-route 10.16.2.200 10.16.2.201
Switch(dhcp-B-config)#dns-server 10.16.2.202
Switch(dhcp-B-config)#option 72 ip 10.16.2.209
Switch(dhcp-config)#exit
Switch(config)#ip dhcp excluded-address 10.16.2.200 10.16.2.201
Switch(config)#ip dhcp pool A1
Switch(dhcp-A1-config)#host 10.16.1.210
Switch(dhcp-A1-config)#hardware-address 00-03-22-23-dc-ab
Switch(dhcp-A1-config)#exit
Usage Guide: When a DHCP/BOOTP client is connected to a VLAN1 port of the switch,...
Fig 31-3 DHCP Relay Configuration
As shown in the above figure, the routing switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10; the configuration steps are as follows:
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0...
31.5 DHCP Troubleshooting
If the DHCP clients cannot obtain IP addresses and other network parameters, the following procedure can be followed once the DHCP client hardware and cables have been verified OK. Verify that the DHCP server is running; start the related DHCP server if it is not running. If the DHCP clients and servers are not in the same physical network, verify that the router responsible for DHCP packet forwarding has the DHCP relay function.
DHCPv6 Configuration
32. DHCPv6 Configuration
32.1 Introduction to DHCPv6
DHCPv6 [RFC3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses as well as other network configuration parameters, such as DNS addresses and the domain name, to DHCPv6 clients; DHCPv6 is a conditional auto address configuration protocol for IPv6.
request configurations from the DHCP server. In the server location phase, the DHCP client tries to find a DHCPv6 server by broadcasting a SOLICIT packet to all DHCP relay delegations and servers using the address FF02::1:2. Any DHCP server which receives the request replies to the client with an ADVERTISE message, which includes the identity of the server (its DUID) and its priority.
To configure DHCPv6 address pool
(1) To create/delete DHCPv6 address pool
(2) To configure parameters of DHCPv6 address pool
To enable DHCPv6 server function on port
1. To enable/disable DHCPv6 service
Command: service dhcpv6 / no service dhcpv6 (Global Mode)
Explanation: To enable or disable the DHCPv6 service.
2.
3. To enable DHCPv6 server function on port
Command: ipv6 dhcp server <poolname> [preference <value>] [rapid-commit] [allow-hint] / no ipv6 dhcp server <poolname> (Interface Configuration Mode)
Explanation: To enable the DHCPv6 server function on the specified port and bind the DHCPv6 address pool to be used.
32.3 DHCPv6 Relay Delegation Configuration
The DHCPv6 relay delegation configuration task list is as follows: 1....
(2) To configure prefix delegation pool used by DHCPv6 address pool
(3) To configure static prefix delegation binding
(4) To configure other parameters of DHCPv6 address pool
To enable DHCPv6 prefix delegation server function on port
1. To enable/delete DHCPv6 service
Command / Explanation (Global Mode)...
2. To enable DHCPv6 prefix delegation client function on port
Command: ipv6 dhcp client pd <prefix-name> [rapid-commit] / no ipv6 dhcp client pd (Interface Configuration Mode)
Explanation: To enable the client prefix delegation request function on the specified port; the prefix obtained is associated with the configured general prefix.
Switch2(Config-if-Vlan100)#ipv6 dhcp relay destination 2001:da8:10:1::1
Switch2(Config-if-Vlan100)#exit
Switch2(config)#
Example 2: When a network operator deploys IPv6 networks, automatic network configuration can be achieved through prefix delegation allocation of IPv6 addresses, instead of configuring each switch manually: configure the switching or routing device connected to the client switch as the DHCPv6 prefix delegation server, that is, set up a local database of the relationship between the allocated prefix and the DUID of the client switch.
Usage guide:
Switch2 configuration
Switch2>enable
Switch2#config
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ipv6 address 2001:da8:1100::1/64
Switch2(Config-if-Vlan2)#exit
Switch2(config)#service dhcpv6
Switch2(config)#ipv6 local pool client-prefix-pool 2001:da8:1800::/40 48
Switch2(config)#ipv6 dhcp pool dhcp-pool
Switch2(dhcpv6-dhcp-pool-config)#prefix-delegation pool client-prefix-pool 1800 600
Switch2(dhcpv6-dhcp-pool-config)#exit
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ipv6 dhcp server dhcp-pool
Switch2(Config-if-Vlan2)#exit
Switch1 configuration
Switch1>enable...
Switch1(Config-if-Vlan3)#ipv6 address prefix-from-provider 0:0:0:1::1/64
Switch1(Config-if-Vlan3)#exit
Switch1(config)#ipv6 dhcp pool foo
Switch1(dhcpv6-foo-config)#dns-server 2001:4::1
Switch1(dhcpv6-foo-config)#domain-name www.ipv6.org
Switch1(dhcpv6-foo-config)#exit
Switch1(config)#interface vlan 3
Switch1(Config-if-Vlan3)#ipv6 dhcp server foo
Switch1(Config-if-Vlan3)#ipv6 nd other-config-flag
Switch1(Config-if-Vlan3)#no ipv6 nd suppress-ra
Switch1(Config-if-Vlan3)#exit
32.7 DHCPv6 Troubleshooting
If the DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, the following procedure can be followed once the DHCPv6 client hardware and cables have been verified to be OK: ...
DHCP option 82 Configuration
33. DHCP option 82 Configuration
33.1 Introduction to DHCP option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 aims at strengthening the security of DHCP servers and improving the IP address assignment policy.
SubOpt: the sub-option number; the Circuit ID sub-option is number 1 and the Remote ID sub-option is number 2. Len: the number of bytes in the sub-option Value, not including the two bytes of the SubOpt and Len fields.
in the option field of the message. It then forwards the reply message, carrying the DHCP configuration information and the option 82 information, to the DHCP Relay Agent. 4) The DHCP Relay Agent strips the option 82 information from the reply message sent by the DHCP server and then forwards the message with the DHCP configuration information to the DHCP client.
This command sets the forwarding policy of the system for received DHCP request messages that contain option 82. In drop mode, if the message has option 82, the system drops it without processing;...
Command: ip dhcp relay information option remote-id {standard | <remote-id>} / no ip dhcp relay information option remote-id
Explanation: Set the sub-option 2 (remote ID option) content of the option 82 added to DHCP request packets received by the interface. The no command sets the format of the added sub-option 2 (remote ID option) of option 82 back to standard.
Command: ip dhcp relay information option self-defined remote-id format [ascii | hex]
Explanation: Set the self-defined format of the remote-id for relay option 82.
Command: ip dhcp relay information option self-defined subscriber-id {vlan | port | (switch-id (mac hostname)|...
Explanation: Set the creation method for option 82; users...
In the above example, the Layer 2 switches Switch1 and Switch2 are both connected to the Layer 3 switch Switch3. Switch3, acting as DHCP Relay Agent, forwards the request message from the DHCP client to the DHCP server. It also forwards the reply message from the server to the DHCP client to complete the DHCP protocol procedure.
option domain-name "example.com.cn";
option domain-name-servers 192.168.10.3;
authoritative;
pool {
    range 192.168.102.21 192.168.102.50;
    default-lease-time 86400; #24 Hours
    max-lease-time 172800; #48 Hours
    allow members of "Switch3Vlan2Class1";
pool {
    range 192.168.102.51 192.168.102.80;
    default-lease-time 43200; #12 Hours
    max-lease-time 86400; #24 Hours
    allow members of "Switch3Vlan2Class2";...
troubleshooting. To verify the option 82 function of the DHCP server, the "debug ip dhcp server packet" command can be used during operation to display the server's packet processing procedure, including the option 82 information recognized in the request message and the option 82 information returned in the reply message.
DHCPv6 option37, 38
34. DHCPv6 option37, 38
34.1 Introduction to DHCPv6 option37, 38
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client on a different link wants to request an address and configuration parameters from a DHCPv6 server, it must communicate with the server through a DHCPv6 relay agent.
no ipv6 dhcp snooping subscriber-id policy
... the system when receiving DHCPv6 packets with option 38, which can be: drop, the system simply discards the packet carrying option 38; keep, the system keeps option 38 unchanged and forwards the packet to the server;...
option 37, and it is a string with a length of less than 128. The no operation restores the remote-id in option 37 to the enterprise-number together with the VLAN address. This command is used to set the form in which option 38 is added to received DHCPv6 request packets, where <subscriber-id>...
number together with the VLAN MAC.
Command: ipv6 dhcp relay subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |) / no ipv6 dhcp relay subscriber-id select delimiter
Explanation: Configures the user configuration options used to generate the subscriber-id. The no command restores the original default configuration, i.e.
3. DHCPv6 server option basic functions configuration
Command: ipv6 dhcp server remote-id option / no ipv6 dhcp server remote-id option (Global mode)
Description: This command enables the DHCPv6 server to support the identification of option 37; the no form of this command disables it.
selecting option 38 of the original packets.
Command: {remote-id [*] <remote-id> [*] | subscriber-id [*] <subscriber-id> [*]} / no {remote-id [*] <remote-id> [*] | subscriber-id [*] <subscriber-id>... (IPv6 DHCP Class configuration mode)
Description: This command configures the option 37 and option 38 values that match the class in ipv6 dhcp...
Fig 34-1 DHCPv6 Snooping option schematic (figure: Switch B connected to Switch A interface E1/0/1; hosts MAC-AA, MAC-BB and MAC-CC on Switch A interfaces E1/0/2, E1/0/3 and E1/0/4)
As shown in the figure above, Mac-AA, Mac-BB and Mac-CC are normal users connected to the untrusted interfaces 1/0/2, 1/0/3 and 1/0/4 respectively, and they obtain the IP addresses 2010:2, 2010:3 and 2010:4 through DHCPv6 Client;...
SwitchA(config-if-port-range)#exit
SwitchA(config)#
Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000
SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.com
SwitchB(dhcpv6-eastdormpool-config)#excluded-address 2001:da8:100:1::2
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#
SwitchB(config)#ipv6 dhcp class CLASS1
SwitchB(dhcpv6-class-class1-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1+Ethernet1/0/1
SwitchB(dhcpv6-class-class1-config)#exit...
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64
SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool
SwitchB(config-if-vlan1)#exit
SwitchB(config)#
34.3.2 DHCPv6 Relay option37, 38 Example
Example 1: When deploying an IPv6 campus network, the DHCPv6 server function of the routing device can be used for IPv6 address allocation if a special server is used for uniform allocation and management of IPv6 addresses.
Switch2 configuration:
S2(config)#service dhcpv6
S2(config)#ipv6 dhcp relay remote-id option
S2(config)#ipv6 dhcp relay subscriber-id option
S2(config)#vlan 10
S2(config-vlan10)#int vlan 10
S2(config-if-vlan10)#ipv6 address 2001:da8:1:::2/64
S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)#exit
S2(config)#
34.4 DHCPv6 option37, 38 Troubleshooting
Request packets sent by a DHCPv6 client are multicast packets, received by the device within its VLAN. If the DHCPv6 server is to receive the packets from the client, the DHCPv6 client and DHCPv6 server must be in the same VLAN; otherwise a DHCPv6 relay must be used.
DHCP Snooping Configuration
35. DHCP Snooping Configuration
35.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the process by which DHCP clients obtain IP addresses via the DHCP protocol. It prevents DHCP attacks and illegal DHCP servers by designating trusted and untrusted ports; DHCP messages from trusted ports are forwarded without being verified.
information to the Log Server via syslog. Log function: when the switch detects abnormal received packets or recovers automatically, it sends syslog information to the Log Server. Encryption of private messages: the communication between the switch and the inner network security management system TrustView uses private messages.
2. Enable DHCP Snooping binding
Command: ip dhcp snooping binding enable / no ip dhcp snooping binding enable (Global mode)
Explanation: Enable or disable the DHCP snooping binding function.
3. Enable DHCP Snooping binding ARP function
Command: ip dhcp snooping binding arp (Global mode)
Explanation: Enable or disable the dhcp snooping binding...
7. Set helper server address
Command: ip user helper-address A.B.C.D [port <udpport>] source <ipAddr> (secondary|) / no ip user helper-address (secondary|) (Global mode)
Explanation: Set or delete the helper server address.
8. Set trusted ports
Command: ip dhcp snooping trust / no ip dhcp snooping trust (Port mode)
Explanation: Set or delete the DHCP snooping trust attribute of ports.
12. Set defense actions
Command: dhcp snooping action {shutdown|blackhole} [recovery <second>] / no ip dhcp snooping action (Port mode)
Explanation: Set or delete the DHCP snooping automatic defense actions of ports.
13. Set rate limitation of data transmission
Command / Explanation (Global mode)...
Command: ip dhcp snooping information option allow-untrusted / no ip dhcp snooping information option allow-untrusted
Explanation: This command allows untrusted DHCP snooping ports to receive DHCP packets carrying option 82. When this command is disabled, all untrusted ports drop DHCP packets carrying option 82.
35.3 DHCP Snooping Typical Application
Fig 35-1 Sketch Map of TRUNK
As shown in the chart above, the Mac-AA device is a normal user connected to the untrusted port 1/0/1 of the switch. It obtains the IP address 1.1.1.5 via DHCP Client; the DHCP Server and Gateway are connected to the trusted ports 1/0/11 and 1/0/12 of the switch;...
35.4 DHCP Snooping Troubleshooting Help
35.4.1 Monitor and Debug Information
The "debug ip dhcp snooping" command can be used to monitor the debug information.
35.4.2 DHCP Snooping Troubleshooting Help
If any problem occurs when using the DHCP Snooping function, please check whether it is caused by one of the following reasons: ...
DHCP option 60 and option 43
36. DHCP option 60 and option 43
36.1 Introduction to DHCP option 60 and option 43
The DHCP server analyzes DHCP packets from DHCP clients. If a packet carries option 60, the server decides whether to return option 43 to the DHCP client according to the option 60 of the packet and the option 60 and option 43 configured in the DHCP server address pool.
Command: option 60 ip A.B.C.D
Explanation: Configure option 60 as a character string in IP format, in ip dhcp pool mode.
Command: option 43 ip A.B.C.D
Explanation: Configure option 43 as a character string in IP format, in ip dhcp pool mode.
Command: no option 60
Explanation: Delete the configured option 60, in address pool mode.
Check whether the service dhcp function is enabled.
If the address pool has option 60 configured, check whether it matches the option 60 of the packets...
Routing Protocol Overview
37. Routing Protocol Overview
To communicate with a remote host over the Internet, a host must choose a proper route via a set of routers or Layer 3 switches. Both routers and Layer 3 switches calculate routes using the CPU; the difference is that a Layer 3 switch adds the calculated route to the switch chip, which forwards at wire speed, while a router always stores the calculated route in the route table or route buffer and forwards data using the CPU.
37.1 Routing Table
As mentioned before, a Layer 3 switch is mainly used to establish the route from the current Layer 3 switch to a network or a host, and to forward packets according to that route. Each Layer 3 switch has its own route table containing all routes used by that switch. Each route entry in the route table specifies the physical port that should be used to forward packets to reach a destination host, or the next-hop Layer 3 switch towards the host.
EBGP Unknown route
37.2 IP Routing Policy
37.2.1 Introduction to Routing Policy
Some policies have to be applied when the router publishes and receives routing messages, so as to filter routing messages, for example by only receiving or publishing routing messages that meet the specified conditions.
node of the route-map in turn, and once the test of a certain node is passed the route-map test is passed without taking the next node's test.
2. Access control list (ACL)
An ACL (Access Control List) is a packet filtering mechanism in the switch. The switch controls network access and secures network services by permitting or denying certain packets transmitted out of or into the network.
3. Define the set clause in route-map
4. Define address prefix list
1. Define route-map
Command: route-map <map_name> {deny | permit} <sequence_num> / no route-map <map_name> [{deny | permit} <sequence_num>] (Global mode)
Explanation: Configure route-map; the no route-map <map_name> [{deny | permit} <sequence_num>] command...
Command: match ip <address | next-hop> <ip-acl-name | ip-acl-num | prefix-list list-name> / no match ip <address | next-hop> [<ip-acl-name | ip-acl-num | prefix-list [list-name]>]
Explanation: Match address or next-hop; the no match ip <address | next-hop> [<ip-acl-name | ip-acl-num | prefix-list [list-name]>] command deletes the match condition.
Command: set as-path prepend <as-num> / no set as-path prepend [<as-num>]
Explanation: Add a specified AS number before the as-path sequence of the BGP routing messages; the no command deletes the configuration.
Command: set atomic-aggregate / no set atomic-aggregate
Explanation: Configure the BGP atomic aggregate property;...
Command: set originator-id <ip_addr> / no set originator-id [<ip_addr>]
Explanation: Set the routing originator ID; the no command deletes the configuration.
Command: set tag <tag_val> / no set tag [<tag_val>]
Explanation: Set the OSPF routing tag value; the no command deletes the configuration.
Command: set vpnv4 next-hop <ip_addr>...
the other is AS-PATH 2 via EBGP (going through SwitchB). BGP selects the shortest path, so AS-PATH 1 is the preferred path. If path 2, the EBGP path, is desired, two extra AS path numbers can be added to the AS-PATH messages from SwitchA to SwitchD so as to change the decision SwitchC makes for 192.68.11.0/24.
considered not to pass the routing message filtering if the routing message does not pass the filtering of any node. When all nodes are set to deny mode, no routing message will pass the filtering of this route-map. ...
Static Route
38. Static Route
38.1 Introduction to Static Route
As mentioned earlier, a static route is a manually specified path to a network or a host. Static routes are simple and consistent, can prevent illegal route modification, and are convenient for load balancing and route backup.
1. Static route configuration
Command: ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address> | <gateway-interface>} [<distance>] / no ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | <gateway-interface>] [<distance>] (Global mode)
Explanation: Set a static route; the no ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | <gateway-interface>] [<distance>] command deletes a static route entry.
38.4 Static Route Configuration Examples
The figure shown below is a simple network consisting of three Layer 3 switches, the...
Switch#config
Next hop uses the partner IP address
Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
Next hop uses the partner IP address
Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1
Configuration of Layer 3 SwitchB
Switch#config
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2
In this way, ping connectivity can be established between PC-A and PC-C, and between PC-B and PC-C.
39. RIP
39.1 Introduction to RIP
RIP was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: •...
routes to be sent to the neighbor gateways, the routes learnt from those neighbor gateways; poison reverse split horizon not only deletes the above-mentioned routes but sets the costs of those routes to infinity. The "triggered update" mechanism defines that whenever a route metric is changed by the gateway, the gateway advertises the update packets immediately, regardless of the status of the 30-second update timer.
neighbor devices, so that the updated routes are globally valid. Moreover, RIP uses a timeout mechanism for outdated routes: if a switch does not receive regular update packets from a neighbor within a certain interval (the invalid timer interval), it considers the route from that neighbor invalid; after holding the route for a further interval (the holddown timer interval), it deletes that route.
(1) Enable redistribution of OSPF routes into RIP
(2) Display and debug the information about the configuration of redistribution of OSPF routes into RIP
1. Enable RIP protocol
Applying the RIP routing protocol with a basic configuration on the switch is simple. Normally you only have to enable RIP and configure the segments running RIP, that is, send and receive RIP packets with the default RIP configuration.
(2) Configure RIP route parameters
1) Configure route introduction (default route metric; configure routes of other protocols to be introduced into RIP)
Command: default-metric <value> / no default-metric (Router Configuration Mode)
Explanation: Sets the default route metric for routes to be introduced; the no default-metric command restores the default setting.
Command: key chain <name-of-chain> / no key chain <name-of-chain> (Global mode)
Explanation: Enter keychain mode and configure a key chain; the no key chain <name-of-chain> command deletes the key chain.
Command: key <keyid>... (Keychain mode)
Explanation: Enter the keychain-key mode and configure a key...
4) Configure and apply the route filtering
Command: distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in|out} [<ifname>] / no distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in|out} [<ifname>] (Router configuration mode)
Explanation: Configure and apply the access list and prefix list to filter the routes. The no distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in|out} [<ifname>] command means do not use the access list and prefix list.
Command: recv-buffer-size <size> / no recv-buffer-size
Explanation: The command configures the UDP receive buffer size of RIP; the no recv-buffer-size command restores the system default value.
3. Configure RIP-I/RIP-II toggling
(1) Configure the RIP version to be used on all ports
Command / Explanation (RIP configuration mode): Configure the versions of all the RIP data packets transmitted/received by the Layer 3...
5. Configure the RIP routing aggregation
(1) Configure IPv4 aggregation route globally
Command: ip rip aggregate-address A.B.C.D/M / no ip rip aggregate-address A.B.C.D/M (Router Configuration Mode)
Explanation: To configure or delete an IPv4 aggregation route globally.
(2) Configure IPv4 aggregation route on interface
Command: ip rip aggregate-address A.B.C.D/M (Interface Configuration Mode)
Explanation: To configure or delete IPv4 aggregation...
39.3 RIP Examples
39.3.1 Typical RIP Examples
Fig 39-1 RIP example (figure: SwitchA interface vlan1 10.1.1.1/24 connected to SwitchB interface vlan1 10.1.1.2/24; SwitchA interface vlan2 20.1.1.1/24 connected to SwitchC interface vlan1 20.1.1.2/24)
In the figure shown above, a network consists of three Layer 3 switches, in which SwitchA is connected to SwitchB and SwitchC, and the RIP routing protocol is running on all three switches.
Configure interface vlan 2 not to transmit RIP messages to SwitchC
SwitchA(config)#router rip
SwitchA(config-router)#passive-interface vlan 2
SwitchA(config-router)#exit
SwitchA(config)#
Layer 3 SwitchB
Configure the IP address of interface vlan 1
SwitchB#config
SwitchB(config)#interface vlan 1
SwitchB(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
SwitchB(Config-if-Vlan1)#exit
Initiate the RIP protocol and configure the RIP segments
SwitchB(config)#router rip...
Fig 39-2 Typical application of RIP aggregation (figure: S1 vlan1 192.168.10.1; S2 vlan1 192.168.10.2 advertising the aggregate 192.168.20.0/22 formed from 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24)
As in the network topology above, S2 is connected to S1 through interface vlan1, and S2 has four other subnet routes: 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24. S2 supports route aggregation. After the aggregation route 192.168.20.0/22 is configured on interface vlan1 of S2, the route messages S2 sends to S1 through vlan1 carry the four subnet routes aggregated into the single route 192.168.20.0/22, and the individual subnets are not sent to the neighbor.
Then initiate the RIP protocol (with the router rip command), configure the segments (with the network command) and set the RIP protocol parameters on the corresponding interfaces, such as the choice between RIP-I and RIP-II. After that, one feature of the RIP protocol should be noted: a Layer 3 switch running RIP sends route update messages to all neighboring Layer 3 switches every 30 seconds.
RIPng
40. RIPng
40.1 Introduction to RIPng
RIPng was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIPng is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: •...
routes to be sent to the neighbor gateways, the routes learnt from those neighbor gateways; poison reverse split horizon not only deletes the above-mentioned routes but sets the costs of those routes to infinity. The "triggered update" mechanism defines that whenever a route metric is changed by the gateway, the gateway advertises the update packets immediately rather than waiting for the 30-second timer.
Command: [no] IPv6 router rip
Explanation: Configure the interface to run the RIPng protocol; the no IPv6 router rip command sets the interface not to run RIPng.
2. Configure RIPng protocol parameters
(1) Configure RIPng sending mechanism
1) Configure RIPng data packet point-to-point transmission
Command / Explanation (Router configuration mode)...
2) Configure the route offset
Command: [no] offset-list <access-list-number | access-list-name> {in|out} <number>... (Router configuration mode)
Explanation: Configure a deviation value added to the route metric when the port sends or receives RIPng data packets; the no offset-list <access-list-number | access-list-name>...
4. Delete the specified route in the RIPng route table
Command: clear IPv6 route {<IPv6-address>|kernel|static|connected|rip|ospf|isis|bgp|all} (Admin Mode)
Explanation: The command deletes a specified route from the RIP route table.
5. Configure RIPng route aggregation
(1) Configure IPv6 aggregation route globally
Command / Explanation (Router Configuration Mode)...
(2) Display and debug the information about the configuration of redistribution of OSPFv3 routes into RIPng
Command: show ipv6 rip redistribute (Admin Configuration Mode)
Explanation: Display RIPng routes redistributed from other routing protocols.
Command: debug ipv6 rip redistribute message send (Admin Mode)
Explanation: To enable or disable debugging messages ... debug...
SwitchA(config)#router IPv6 rip
SwitchA(config-router)#exit
Configure the IPv6 address in vlan1 and configure vlan1 to run RIPng
SwitchA#config
SwitchA(config)#interface Vlan1
SwitchA(config-if-Vlan1)#IPv6 address 2000:1:1::1/64
SwitchA(config-if-Vlan1)#IPv6 router rip
SwitchA(config-if-Vlan1)#exit
Configure the IPv6 address in vlan2 and configure vlan2 to run RIPng
SwitchA(config)#interface Vlan2
SwitchA(config-if-Vlan2)#IPv6 address 2001:1:1::1/64
SwitchA(config-if-Vlan2)#IPv6 router rip...
SwitchC(config-if)#exit
40.3.2 RIPng Aggregation Route Function Typical Examples
The application topology is as follows:
Fig 40-2 Typical application of RIPng aggregation (figure: S1 VLAN1 2001:1::1:1; S2 VLAN1 2001:1::1:2 advertising the aggregate 2001:1::20:0/110 formed from 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112)
As in the network topology above, S2 is connected to S1 through interface vlan1, and S2 has four other subnet routes: 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112.
40.4 RIPng Troubleshooting
The RIPng protocol may not work properly because of errors such as physical connection problems or configuration mistakes made when configuring and using RIPng. Users should therefore pay attention to the following: First ensure that the physical connection is correct and that the IP Forwarding command is enabled ...
Black Hole Routing Manual
41. Black Hole Routing Manual
41.1 Introduction to Black Hole Routing
Black Hole Routing is a special kind of static routing that drops all datagrams matching the routing rule.
41.2 IPv4 Black Hole Routing Configuration Task
Configure IPv4 Black Hole Routing 1.
[<precedence>] ... specified configuration.
Command: ipv6 route <ipv6-prefix/prefix-length> null0
41.4 Black Hole Routing Configuration Examples
Example 1: IPv4 Black Hole Routing function.
Fig 41-1 IPv4 Black Hole Routing Configuration Example (figure: SWITCH1 192.168.0.1/21 connected to SWITCH2 192.168.0.2/21; SWITCH2 access interfaces 192.168.1.0/24 ... 192.168.7.0/24)
As shown in the figure, on Switch 2 eight interfaces in all are configured as Layer 3 VLAN interfaces serving as access interfaces.
Switch(config)#ip route 192.168.0.0/21 null0 50
Example 2: IPv6 Black Hole Routing function.
Fig 41-2 IPv6 Black Hole Routing Configuration Example (figure: SWITCH1 2004:1:2:3::1/64 connected to SWITCH2 2004:1:2:3::2/64; SWITCH2 access interfaces 2004:1:2:3:1::/80 ... 2004:1:2:3:7::/80)
As shown in the figure, on Switch 2 eight interfaces in all are configured as Layer 3 VLAN interfaces serving as access...
due to reasons such as an incorrect network address mask or an incorrect administrative distance. Attention should be paid to the following items: IPv6 must be enabled before IPv6 Black Hole Routing can work. It is suggested that the network address mask be longer than that of the normal routing configuration, in order to prevent the Black Hole Route from interfering with other routing configuration.
42. BFD
42.1 Introduction to BFD
BFD (Bidirectional Forwarding Detection) provides a detection mechanism to quickly detect and monitor the connectivity of links in networks. To improve network performance, protocol neighbors must quickly detect communication failures so that communication can be restored through backup paths as soon as possible. BFD provides general-purpose, standard,...
string in plain text for BFD; the no command deletes the configured key.
Command: bfd authentication key <1-255> md5 <WORD> / no bfd authentication key
Explanation: Configure the authentication character string encrypted with MD5 for BFD; the no command deletes the configured key.
Command: bfd interval <value1>... (Interface Mode)
Explanation: Configure the minimum transmission interval and the...
disables BFD authentication.
2. Configure BFD for RIP(ng)
Command: rip bfd enable / no rip bfd enable (Interface Mode)
Explanation: Configure BFD for the RIP protocol on the specific interface; the no command disables it.
Command: ipv6 rip bfd enable / no ipv6 rip bfd enable (Interface Mode)
Explanation: Configure BFD for the RIPng protocol on the specific interface; the no command cancels the configuration.
42.3 Examples of BFD
42.3.1 Example for Linkage of BFD and Static Route
Example: Configure a static route to 14.1.1.0/24 on Switch A and a static route to 15.1.1.0/24 on Switch B. Both switches enable BFD detection. When the link between Switch A and Switch B fails, BFD detects it immediately.
switchover is slow. To solve this problem, VRRP uses BFD to probe the state of the master. Once the master fails, the backup can become the new master within 100 ms.
Configuration procedure:
# Configure Switch A
Switch#config
Switch(config)#bfd mode active
Switch(config)#interface vlan 2
Switch(config-ip-vlan2)#ip address 192.16.0.101 255.255.255.0
Switch(config)#router vrrp 1...
Switch(config-router)#interface vlan 1
Switch(config-router)#enable
Switch(config-router)#bfd enable
42.4 BFD Troubleshooting
When a problem with the BFD function occurs, please check whether it results from one of the following reasons: Check whether the routing protocol neighbor has been established successfully. If no routing protocol neighbor is established, BFD cannot perform the detection.
IPv4 Multicast Protocol
43. IPv4 Multicast Protocol
43.1 IPv4 Multicast Protocol Overview
This chapter introduces the configuration of the IPv4 multicast protocols.
43.1.1 Introduction to Multicast
Various transmission modes can be adopted when packets (data, audio or video) are destined for only a subset of the users in the network.
Optimize performance: reduce redundant traffic. Distributed applications: enable multipoint applications.
43.1.2 Multicast Address
The destination address of a multicast message is a class D IP address in the range 224.0.0.0 to 239.255.255.255. A class D address cannot appear in the source IP address field of an IP message.
224.0.0.12 DHCP Server/Relay Agent
224.0.0.13 All PIM Routers
224.0.0.14 RSVP Encapsulation
224.0.0.15 All CBT Routers
224.0.0.16 Specified SBM
224.0.0.17 All SBMs
224.0.0.18 VRRP
224.0.0.22 IGMP
When Ethernet transmits unicast IP messages, the destination MAC address it uses is the receiver's MAC address.
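The mapping from a class D group address to the Ethernet multicast MAC it is delivered to is what a switch actually forwards on at layer 2. The following is an added example (not code from this manual or the switch firmware) that performs the mapping and enumerates the 32 group addresses that collide on one MAC, which is why a purely MAC-based forwarding entry cannot separate them. It uses only the Python standard library; the 01:00:5e OUI prefix and the 23-bit copy rule are the IANA/RFC 1112 rules, not something taken from the page.

```python
import ipaddress

# 01:00:5e:00:00:00 is the IANA prefix for IPv4 multicast MAC addresses (RFC 1112)
MULTICAST_MAC_PREFIX = 0x01005E000000


def is_class_d(ip: str) -> bool:
    """True for a class D address, i.e. 224.0.0.0/4 (high bits 1110)."""
    return int(ipaddress.IPv4Address(ip)) >> 28 == 0xE


def multicast_mac(ip: str) -> str:
    """Map a class D group address to the Ethernet multicast MAC it is sent to.

    Only the low 23 bits of the group address are copied into the MAC: the
    top 4 bits are the fixed 1110 prefix and the next 5 bits are discarded,
    so 32 different group addresses share every multicast MAC.
    """
    if not is_class_d(ip):
        raise ValueError(f"{ip} is not a class D address")
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    mac = MULTICAST_MAC_PREFIX | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_aliases(ip: str) -> list:
    """All 32 class D addresses that map to the same MAC as ip.

    A forwarding entry keyed on MAC alone matches frames for every one of
    them, so a receiver that joined one group is also handed the other 31
    unless IGMP snooping or a layer 3 filter keys on the IP group address.
    """
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23))
            for k in range(32)]


if __name__ == "__main__":
    for group in ("224.0.0.1", "224.0.0.22", "239.1.2.3"):
        print(group, "->", multicast_mac(group))
    print("shares MAC with 239.1.2.3:", ", ".join(mac_aliases("239.1.2.3")))
```

The practical consequence for the destination-control examples later in this chapter: a rule written for 239.1.2.3 does not stop a sender who uses 224.1.2.3 or 224.129.2.3 from reaching the same MAC-level listeners, so source and destination control must be applied on the IP group, as the DCSCM ACLs do.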
43.1.4 IP Multicast Application
IP multicast technology effectively solves the problem of single-point sending and multipoint receiving. It achieves efficient data transmission from one point to multiple points, saves a great deal of network bandwidth and reduces network load. Making use of the multicast property of the network, new value-added services can be supplied conveniently.
The service-oriented priority policy of the controllable multicast technology works as follows: for multicast data within a limited range, the priority specified by the user at the joining end is applied so that the data is sent with a higher priority on the trunk port, which guarantees that the transmission is handled at the user-specified priority throughout the network.
[no] access-list <5000-5099> {deny|permit} {{<source> <source-wildcard>}|{host-source <source-host-ip>}|any-source} {{<destination> <destination-wildcard>}|{host-destination <destination-host-ip>}|any-destination}...
The rule used to configure source control. This rule does not take effect until it is applied to a specified port. The no form deletes the specified rule.
Next, configure the destination control rule. It is similar to source control, except that ACL numbers 6000-7999 are used.
Command / Explanation (Global Configuration Mode)
[no] access-list <6000-7999> {deny|permit} {{<source> <source-wildcard>}|{host-source <source-host-ip>}|any-source}...: The rule used to configure destination control. This rule does not take effect until it is applied to...
Command / Explanation (Global Configuration Mode)
[no] ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority>: Configure the multicast policy, specifying the priority for sources and groups in a specific range; the priority range is <0-7>.
43.2.3 DCSCM Configuration Examples
1. Source Control
To prevent an edge switch from emitting multicast data arbitrarily, we configure the edge switch so that only the device on port Ethernet1/0/5 is allowed to transmit multicast, and the data group must be 225.1.2.3.
configure its joining switch as follows:
Switch(config)#ip multicast policy 210.1.1.1/32 239.1.2.3/32 cos 4
In this way the multicast stream has a priority of 4 when it reaches other switches through this switch. (This is already fairly high; the higher priorities are normally reserved for protocol traffic. If a higher priority is set and there is too much multicast data, it can disturb the switch's own protocol processing.)
43.3.2 IGMP Snooping Configuration Task List
1. Enable IGMP Snooping
2. Configure IGMP Snooping
1. Enable IGMP Snooping
Command / Explanation (Global Mode)
ip igmp snooping / no ip igmp snooping: Enables IGMP Snooping. The no operation disables the IGMP Snooping function.
2.
ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name> / no ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name>: Configure a static mrouter port of the VLAN. The no form of the command cancels this configuration.
igmp snooping vlan <vlan-id>...
ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME> / no ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface...: Configure a static group on the specified port of the VLAN. The no form of the command cancels this configuration.
includes ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, and the multicast router is connected to port 1. As IGMP Snooping is disabled by default both globally and in the VLANs, to enable IGMP Snooping in VLAN 100 it must first be enabled for the switch in Global Mode, then in VLAN 100, and port 1 of VLAN 100 must be set as the mrouter port.
The configuration of Switch2 is the same as the switch in scenario 1; SwitchA takes the place of the multicast router in scenario 1. Let's assume VLAN 60 is configured in SwitchA, including ports 1, 2, 10 and 12. Port 1 connects to the multicast server, and port 2 connects to Switch2.
When layer 3 IGMP is disabled, distribution of layer 2 multicast entries is re-enabled. By looking up the layer 3 IPMC entries, it can be seen that the outgoing ports are indicated by the layer 3 multicast entries. This ensures that IGMP snooping can work in cooperation with the layer 3 multicast protocols.
IPv6 Multicast Protocol
44. IPv6 Multicast Protocol
44.1 IPv6 DCSCM
44.1.1 Introduction to IPv6 DCSCM
The technology of IPv6 DCSCM (Destination Control and Source Control Multicast) includes three aspects: multicast source control, multicast user control and service-priority-oriented policy multicast. IPv6 DCSCM controllable multicast technology works as follows: 1.
1. The source control configuration
The source control configuration has three steps. The first is globally enabling source control; the command for that is:
Command / Explanation (Global Configuration Mode)
[no] ipv6 multicast source-control: Globally enable source control; the no operation of this command globally disables source control.
Command / Explanation (Port Configuration Mode)
[no] ipv6 multicast source-control access-group <8000-8099>: Used to apply the source control rule to a port; the no operation cancels this configuration.
2. The configuration of destination control
The configuration of destination control is similar to that of source control and also has three steps. First, globally enable destination control. Since destination control needs to prevent unauthorized users from receiving multicast data, once it is enabled globally, the...
Command / Explanation (Port Mode)
[no] ipv6 multicast destination-control access-group <9000-10099>: Used to apply the destination control rule to a port; the no operation of this command cancels the configuration.
Global Configuration Mode
[no] ipv6 multicast destination-control...: Used to configure the destination control rules...
Switch(config)#ipv6 access-list 8000 permit any-source ff1e::1
Switch(config)#ipv6 access-list 8001 permit any any
Switch(config)#ipv6 multicast source-control
Switch(config)#interface Ethernet1/0/4
Switch(Config-If-Ethernet1/0/4)#ipv6 multicast source-control access-group 8000
Switch(config)#interface Ethernet1/0/25
Switch(Config-If-Ethernet1/0/25)#ipv6 multicast source-control access-group 8001
2. Destination control
We want to ensure that users in the segment fe80::203:fff:fe01:228a/64 cannot join the ff1e::1/64 group, so we configure as follows: First, enable MLD Snooping in the VLAN where the segment is located (in this example, it is...
44.2 MLD Snooping
44.2.1 Introduction to MLD Snooping
MLD, the Multicast Listener Discovery Protocol, is used to realize multicasting in IPv6. MLD is used by network equipment such as multicast-capable routers for multicast listener discovery, and by listeners that wish to join a multicast group to inform the router that they want to receive packets sent to that multicast address; all of this is done through MLD message exchange.
ipv6 mld snooping vlan <vlan-id> limit {group <g_limit> | source <s_limit>} / no ipv6 mld snooping vlan <vlan-id>...: Configure the number of groups that MLD Snooping can join, and the maximum number of sources in each group. The no form of this command...
no ipv6 mld snooping vlan <vlan-id> default suppression-query-time
ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME> / no ipv6 mld snooping vlan <vlan-id>...: Configure a static group on the specified port of the VLAN. The no form of the command cancels this configuration.
Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2; programs 1 and 2 are supplied by Multicast Server 1 and program 3 by Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively.
The configuration of switch B is the same as the switches in case 1, and here switch 1 replaces the multicast router of case 1. Assume VLAN 60 configured on it contains ports 1, 2, 10 and 12, where port 1 is connected to the multicast server and port 2 to switch 2. To send Queries periodically, global MLD Snooping has to be enabled and mld snooping vlan 60 l2-general-querier executed, setting VLAN 60 as a Layer 2 General Querier.
layer 3 multicast protocols.
44.2.4 MLD Snooping Troubleshooting
When configuring and using MLD Snooping, it may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following: ...
Multicast VLAN
45. Multicast VLAN
45.1 Introduction to Multicast VLAN
With the current multicast ordering method, when users in different VLANs order the same multicast stream, a separate copy of the multicast traffic is sent in each VLAN, which is a great waste of bandwidth.
2. Configure IGMP Snooping
Command / Explanation (Global Mode)
ip igmp snooping vlan <vlan-id> / no ip igmp snooping vlan <vlan-id>: Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables IGMP Snooping on the multicast VLAN.
ACL Configuration
46. ACL Configuration
46.1 Introduction to ACL
An ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying passage through the switch and thereby safeguarding network security. The user can lay down a set of rules based on information carried in the packets; each rule describes the action for a packet whose information matches: "permit"...
The current firmware only supports ingress ACL configuration.
46.1.3 Access-list Action and Global Default Action
There are two access-list actions and two default actions: "permit" or "deny". The following rules apply: An access-list can consist of several rules. Packet filtering compares the packet against the rules in order, from the first rule down to the first matching rule;...
(10) Configuring a numbered standard IPv6 access-list (11) Configuring a numbered extended IPv6 access-list (12) Configuring a standard IPv6 access-list based on nomenclature a) Create a standard IPv6 access-list based on nomenclature b) Specify multiple permit or deny rule entries c) Exit ACL Configuration Mode (13) Configuring an extended IPv6 access-list based on nomenclature.
(2) Configuring a numbered extended IP access-list
Command / Explanation (Global Mode)
access-list <num> {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type>...: Creates a numbered ICMP extended IP access rule; if the numbered extended access-list of the specified number does not...
access-list <num> {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | <protocol-num>} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr>...: Creates a numbered extended IP access rule for another specific IP protocol or for all IP protocols; if the numbered...
(4) Configuring a name-based extended IP access-list
a. Create a name-based extended IP access-list
Command / Explanation (Global Mode)
ip access-list extended <name> / no ip access-list extended <name>: Creates a name-based extended IP access-list; the "no ip access-list extended <name>"...
[no] {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin>...: Creates a name-based extended UDP IP access rule; the no form command deletes this name-based...
...mac <host_dmac>}|{<dmac> <dmac-mask>}} [{untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3} [<offset1> <length1> <value1> [<offset2> <length2> <value2> [<offset3> <length3> <value3> [<offset4> <length4> <value4>...: then a rule is added to the current access-list; the "no access-list <num>" command deletes a numbered MAC extended...
[no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask>] [vlanId <vid-value> [<vid-mask>] [ethertype <protocol> [<protocol-mask>]]]]
[no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} [ethertype <protocol> [<protocol-mask>]]: Creates a name-based extended MAC access rule matching MAC frames; the no form command deletes this name-based extended MAC access rule.
[no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}}...
[no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} [tagged-eth2 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]]: Creates a name-based extended MAC access rule matching tagged Ethernet II frames; the no form command deletes this name-based extended MAC access rule.
[no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}}...: Creates a name-based extended MAC access rule matching tagged...
...{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} igmp {{<source> <source-wildcard>}|any-source|{host-source <source-host-ip>}} {{<destination> <destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]: Creates a numbered mac-igmp extended mac-ip access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created using this number.
access-list <num> {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-m...: Creates a numbered mac-ip...
...{any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} {eigrp|gre|igrp|ip|ipinip|ospf|{<protocol-num>}} {{<source> <source-wildcard>}|any-source|{host-source <source-host-ip>}} {{<destination> <destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]: Creates a numbered mac-ip extended access rule for other protocols; if the numbered extended access-list of the specified number does not exist, an access-list is created using this number.
no access-list <num>: Deletes this numbered extended MAC-IP access rule.
b. Specify multiple permit or deny rules
Command / Explanation (Standard IPv6 ACL Mode)
[no] {deny | permit} {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}}: Creates a name-based standard IPv6 access rule; the no form command deletes the name-based standard IPv6 access rule.
c.
46.3 ACL Example
Scenario 1: The user has the following configuration requirement: port 10 of the switch connects to the 10.0.0.0/24 segment, and FTP is not to be allowed for these users.
Configuration description: 1. Create a proper ACL 2. Configure the packet filtering function 3....
Ethernet1/0/5: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/0/7: IP Ingress access-list used is 1, traffic-statistics Disable.
46.4 ACL Troubleshooting
Entries in the ACL are checked in top-down order, and checking ends as soon as an entry is matched.
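The first-match rule in 46.1.3 and 46.4 is where most ACL mistakes happen, so here is an added example (not the switch's own implementation, and not from this manual) that models the evaluation: wildcard masks as used in the access-list syntax above, top-down first match, the global default action for unmatched traffic, and a check that reports rules which can never win. The rule set for scenario 1 (port 10, 10.0.0.0/24, no FTP) is constructed here; it denies the FTP control connection on tcp/21 only, which is an assumption about what "ftp is not desired" should cover.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (wildcard_match(pkt.src, rule.src, rule.src_wildcard)
            and wildcard_match(pkt.dst, rule.dst, rule.dst_wildcard))


def evaluate(acl: List[Rule], pkt: Packet, default_action: str = "permit") -> str:
    """Top-down, first match wins; a packet matching no rule gets the global default."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default_action


def shadowed(acl: List[Rule], samples: List[Packet]) -> List[int]:
    """Indexes of rules that never win on the sample traffic. A specific deny
    placed behind a broad permit is the classic first-match mistake."""
    winners = set()
    for pkt in samples:
        for i, rule in enumerate(acl):
            if rule_matches(rule, pkt):
                winners.add(i)
                break
    return [i for i in range(len(acl)) if i not in winners]


ANY = ("0.0.0.0", "255.255.255.255")

# Constructed rule set for scenario 1: deny FTP control connections (tcp/21)
# from the 10.0.0.0/24 segment; everything else falls to the global default.
NO_FTP = [Rule("deny", "tcp", "10.0.0.0", "0.0.0.255", *ANY, dport=21)]

# The same intent in the wrong order: the blanket permit shadows the deny.
NO_FTP_BROKEN = [Rule("permit", "ip", *ANY, *ANY),
                 Rule("deny", "tcp", "10.0.0.0", "0.0.0.255", *ANY, dport=21)]
```

Before applying an ACL to a port, run representative packets through it and look at which rule decides each one; a deny that never wins on traffic it was written for is a sign of ordering rather than syntax.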
802.1x Configuration
47. 802.1x Configuration
47.1 Introduction to 802.1x
The 802.1x protocol is closely associated with IEEE 802.11, the IEEE wireless LAN standard, where it is used to authenticate users accessing a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can reach a LAN access device (such as a LAN switch), they can reach all the devices and resources in the LAN.
Fig 47-1 The Authentication Structure of 802.1x
The supplicant system is an entity at one end of the LAN segment that is authenticated by the access control unit at the other end of the link. A supplicant system is usually a user terminal device. Users start 802.1x authentication by starting the supplicant software.
access the LAN via the authentication server system, and sets the controlled port to the authenticated or unauthenticated state according to the result of the authentication. In the authenticated state the user is allowed to access network resources; in the unauthenticated state only EAPOL messages may be received and sent, and the user is forbidden to access network resources.
EAP messages use the EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system in the LAN environment. Between the PAE of the authenticator system and the RADIUS server there are two methods of exchanging information: one is that EAP messages use the EAPOR (EAP over RADIUS) encapsulation format within the RADIUS protocol;...
carry EAP messages. This kind of frame can pass through the authenticator system to transmit EAP messages between the supplicant system and the authentication server system. EAPOL-Start (type value 0x01): the frame that starts authentication. EAPOL-Logoff (type value 0x02): the frame requesting to log off. ...
Fig 47-5 The Format of the Data Field in Request and Response Packets
Identifier: assists matching of Request and Response messages. Length: the length of the EAP packet in bytes, covering the Code, Identifier, Length and Data fields. Data: the content of the EAP packet, depending on the Code type.
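To make the EAPOL and EAP layouts described above concrete, here is an added example (not code from this manual or from any switch or supplicant implementation) that builds and parses EAPOL frames on Ethernet: the EAPOL header with the type values listed above (EAP-Packet 0x00, EAPOL-Start 0x01, EAPOL-Logoff 0x02), and the EAP header with Code, Identifier, Length and Data. The PAE group MAC 01:80:c2:00:00:03, EtherType 0x888E and the EAP type numbers are the IEEE 802.1X and RFC 3748 values, assumed here rather than taken from the page; the frames in the test are constructed.

```python
import struct
from typing import Optional

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # destination of EAPOL frames on a LAN
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


def build_eap(code: int, ident: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Data; Length covers all four fields."""
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def build_eapol(eapol_type: int, body: bytes = b"", src: bytes = bytes(6)) -> bytes:
    """Ethernet II frame carrying EAPOL: Version(1) Type(1) Length(2) Body."""
    header = struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, eapol_type, len(body))
    return PAE_GROUP_MAC + src + header + body


def parse_eap(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    data = pkt[4:length]
    if code in (1, 2):          # Request/Response carry a Type byte, then type-specific data
        if not data:
            raise ValueError("Request/Response without Type byte")
        out["eap_type"] = EAP_TYPES.get(data[0], f"unknown({data[0]})")
        out["type_data"] = data[1:]
    return out


def parse_eapol(frame: bytes) -> dict:
    if len(frame) < 18:
        raise ValueError("truncated Ethernet/EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype, version, eapol_type, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    body = frame[18:18 + body_len]
    if len(body) != body_len:           # never trust the Length field over the frame size
        raise ValueError("EAPOL Length field exceeds frame")
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
           "type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0:
        out["eap"] = parse_eap(body)
    return out


if __name__ == "__main__":
    identity = build_eapol(0, build_eap(2, 7, 1, b"alice"))   # EAP-Response/Identity
    print(parse_eapol(identity))
    print(parse_eapol(build_eapol(2)))                          # EAPOL-Logoff
```

One caveat worth keeping in mind when reading the Logoff description above: EAPOL-Start and EAPOL-Logoff carry no integrity protection, so on a port in the unauthenticated state any station can emit them with a forged source MAC; a Logoff spoofed on behalf of an authenticated client returns its port to the unauthenticated state.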
47.1.5 The Authentication Methods of 802.1x
Authentication can be started either by the supplicant system or by the device. When the device detects an unauthenticated user accessing the network, it sends the supplicant system an EAP-Request/Identity message to start authentication. Alternatively, the supplicant system can send an EAPOL-Start message to the device via the supplicant software.
follows: EAP-MD5, EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), PEAP (Protected Extensible Authentication Protocol). They are described in detail below. Attention: The switch, as the access control unit in pass-through mode, does not inspect the content of a particular EAP method, so it can support all the EAP methods above and any EAP methods that may be defined in the future.
Fig 47-9 The Authentication Flow of 802.1x EAP-MD5
2. EAP-TLS Authentication Method
EAP-TLS was proposed by Microsoft based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess digital certificates in order to implement bidirectional authentication.
Fig 47-10 The Authentication Flow of 802.1x EAP-TLS
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation between Funk Software and Certicom. It can provide authentication as strong as that of EAP-TLS, but without requiring users to have their own digital certificates.
open standard. It has long been used in products and provides very good security. Its protocol and security design is similar to that of EAP-TTLS, using a server's PKI certificate to establish a secure TLS tunnel in order to protect user authentication. The following figure illustrates the basic operation flow of the PEAP authentication method.
Fig 47-12 The Authentication Flow of 802.1x EAP Termination Mode
47.1.6 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
network, while the others cannot. When one user goes offline, the other users are not affected. When the user-based (IP address + MAC address + port) method is used, all users can access limited resources before being authenticated. There are two kinds of control in this method: standard control and advanced control.
go offline. Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on ports whose link type is Access.
2. Guest VLAN
The Guest VLAN feature is used to allow unauthenticated users to access some specified resources.
1. Enable 802.1x function
Command / Explanation (Global Mode)
dot1x enable / no dot1x enable: Enables the 802.1x function on the switch and ports; the no command disables the 802.1x function.
dot1x privateclient enable / no dot1x privateclient...: Forces client software to use the private 802.1x authentication packet format.
Command / Explanation (Port Mode)
dot1x port-method {macbased | portbased | userbased {standard | advanced}} / no dot1x port-method: Sets the port access management method; the no command restores MAC-based access management.
dot1x max-user macbased <number> / no dot1x max-user macbased: Sets the maximum number of access users for the specified port; the no command restores the default setting of allowing 1 user.
3. Supplicant related property configuration
Command / Explanation (Global Mode)
dot1x max-req <count> / no dot1x max-req: Sets the number of EAP request/MD5 frames to be sent before the switch re-initiates authentication when there is no supplicant response; the no command restores the default setting.
47.3 802.1x Application Example
47.3.1 Examples of Guest VLAN Applications
[Fig 47-13 The Network Topology of Guest VLAN: Update server, Authenticator server, Internet and User connected to SWITCH via Ethernet1/0/2, Ethernet1/0/3 and Ethernet1/0/6; VLAN2, VLAN5, VLAN10 and VLAN100]
Notes: in the figures in this section, E2 means Ethernet1/0/2, E3 means Ethernet1/0/3 and E6 means Ethernet1/0/6.
Fig 47-14 User Joining Guest VLAN
As illustrated in the figure above, the 802.1x feature is enabled on switch port Ethernet1/0/2, and VLAN10 is set as the port's Guest VLAN. Before the user is authenticated, or when authentication fails, port Ethernet1/0/2 is added to VLAN10, allowing the user to access the Update Server.
Switch(config)#interface ethernet1/0/2
Switch(Config-If-Ethernet1/0/2)#dot1x enable
# Set the link type of the port as access mode.
Switch(Config-If-Ethernet1/0/2)#switch-port mode access
# Set the access control mode on the port as portbased.
Switch(Config-If-Ethernet1/0/2)#dot1x port-method portbased
# Set the access control mode on the port as auto.
Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
# Set the port's Guest VLAN as 100.
The PC is connected to port 1/0/2 of the switch; IEEE 802.1x authentication is enabled on port 1/0/2; the access mode is the default MAC-based authentication. The switch IP address is 10.1.1.2. Any port other than port 1/0/2 is used to connect to the RADIUS authentication server, which has the IP address 10.1.1.3 and uses the default port 1812 for authentication and port 1813 for accounting.
2004:1:2:3::2, and connect the switch through any interface except interface 1/0/2 to the RADIUS authentication server. Configure the IP address of the RADIUS server as 2004:1:2:3::3. Use the default ports 1812 and 1813 for authentication and accounting respectively.
such login user, the user login ID and password may be wrong and should be verified and entered again.
The Number Limitation Function of MAC and IP in Port, VLAN Configuration
48. The Number Limitation Function of MAC and IP in Port, VLAN Configuration
48.1 Introduction to the Number Limitation Function of MAC and IP in Port, VLAN
The MAC address table is used to identify the mapping between destination MAC addresses and switch ports.
extent. When malicious users frequently perform MAC or ARP spoofing, it is easy for them to fill the MAC and ARP table entries of the switch, resulting in a successful DoS attack. To sum up, it is very meaningful to provide the number limitation function of MAC and IP in port and VLAN.
1. Enable the number limitation function of MAC and IP on ports
Command / Explanation (Port configuration mode)
switchport mac-address dynamic maximum <value> / no switchport mac-address dynamic...: Enable or disable the number limitation function of MAC on the ports.
5. Display and debug the relevant information of number limitation of MAC and IP on ports
Command / Explanation (Admin mode)
show mac-address dynamic count {vlan <vlan-id>...: Display the number of dynamic MACs in...
48.3 The Number Limitation Function of MAC and IP in Port, VLAN Typical Examples
[Fig 48-1 The Number Limitation of MAC and IP in Port, VLAN Typical Configuration Example: SWITCH A, SWITCH B and many PC users]
In the network topology above, SWITCH B connects to many PC users. Before enabling the number limitation function of MAC and IP in port and VLAN, if the system...
48.4 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help
The number limitation function of MAC and IP in Port, VLAN is disabled by default; if users need to limit the number of users accessing the network, they can enable it.
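The table-filling attack described in 48.1 and the per-port and per-VLAN caps this chapter configures can be simulated directly. The following added example (not the switch's implementation and not from this manual) models dynamic MAC learning with a per-port and per-VLAN maximum, then floods one port with random source MACs the way a MAC-flooding tool does, so the effect of the limit on the table is visible. What happens to an over-limit frame (drop, log, or port shutdown) differs between products; here the frame is simply not learned and counted as dropped, which is an assumption.

```python
import random
from typing import Dict, Optional, Tuple


class MacTable:
    """Dynamic MAC learning with the per-port / per-VLAN caps of chapter 48.

    entries maps (vlan, mac) -> port. A port or VLAN absent from the cap
    dictionaries is unlimited, i.e. the default state before the feature
    is enabled.
    """

    def __init__(self, port_max: Optional[Dict[str, int]] = None,
                 vlan_max: Optional[Dict[int, int]] = None):
        self.port_max = port_max or {}
        self.vlan_max = vlan_max or {}
        self.entries: Dict[Tuple[int, str], str] = {}
        self.dropped = 0

    def count_port(self, port: str) -> int:
        return sum(1 for p in self.entries.values() if p == port)

    def count_vlan(self, vlan: int) -> int:
        return sum(1 for (v, _) in self.entries if v == vlan)

    def learn(self, vlan: int, port: str, mac: str) -> bool:
        """Process the source address of a frame. Returns True if the frame was
        accepted (existing entry refreshed, or a new entry within the caps)."""
        key = (vlan, mac)
        if self.entries.get(key) == port:
            return True                      # refresh of an existing entry, never capped
        if port in self.port_max and self.count_port(port) >= self.port_max[port]:
            self.dropped += 1
            return False
        if vlan in self.vlan_max and self.count_vlan(vlan) >= self.vlan_max[vlan]:
            self.dropped += 1
            return False
        self.entries[key] = port
        return True


def mac_flood(table: MacTable, vlan: int, port: str, frames: int, seed: int = 1) -> int:
    """Send `frames` frames with random locally administered source MACs into one
    port, as a flooding tool would; returns how many were accepted."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(frames):
        mac = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        accepted += table.learn(vlan, port, mac)
    return accepted


if __name__ == "__main__":
    uncapped = MacTable()
    mac_flood(uncapped, 1, "Ethernet1/0/1", 5000)
    print("no limit: table holds", len(uncapped.entries), "entries")
    capped = MacTable(port_max={"Ethernet1/0/1": 10})
    mac_flood(capped, 1, "Ethernet1/0/1", 5000)
    print("limit 10: table holds", len(capped.entries), "entries,", capped.dropped, "frames dropped")
```

The uncapped run is the DoS from 48.1: every frame consumes a table entry until the hardware table is exhausted and the switch starts flooding unicast traffic. With the per-port cap the attacker's own port saturates at the configured value and legitimate stations on other ports, or in other VLANs, keep learning normally.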
Operational Configuration of AM Function
49. Operational Configuration of AM Function
49.1 Introduction to AM Function
AM (Access Management) means that when a switch receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or the source MAC-IP address pair) with the configured hardware address pool.
2. Enable AM function on an interface
Command / Explanation (Port Mode)
am port / no am port: Enable/disable the AM function on the port. When the AM function is enabled on the port, no IP or ARP message is forwarded by default.
49.3 AM Function Example
[Fig 49-1 A typical configuration example of AM function: Internet, SWITCH with Port1 and Port2, HUB1 and HUB2, PC1 to PC30]
In the topology above, 30 PCs, aggregated by HUB1, connect to interface 1 on the switch.
TACACS+ Configuration
50. TACACS+ Configuration
50.1 Introduction to TACACS+
TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to RADIUS for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol. Compared with RADIUS, TACACS+ uses TCP as its transport layer and encrypts the whole packet body (everything except the standard packet header), so the protocol offers more reliable transport and encryption characteristics, and is more...
tacacs-server authentication host <ip-address> [port <port-number>] [timeout <seconds>] [key {0 | 7} <string>] [primary] / no tacacs-server authentication host...: Configure the IP address, listening port number, timeout timer value and key string of the TACACS+ server; the no form of this command deletes the TACACS+ authentication server.
authentication.
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#tacacs-server authentication host 10.1.1.3
Switch(config)#tacacs-server key test
Switch(config)#authentication line vty login tacacs
50.4 TACACS+ Troubleshooting
When configuring and using TACACS+, authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following: ...
RADIUS Configuration
51. RADIUS Configuration
51.1 Introduction to RADIUS
51.1.1 AAA and RADIUS Introduction
AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management. Through the three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who may access the network device, what access level the user has, and accounting for network resource use.
shown below:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
Identifier field (1 octet): identifier for matching request and reply packets. Length field (2 octets): the length of the overall RADIUS packet, including the Code, Identifier, Length, Authenticator and Attribute fields. Authenticator field (16 octets): used for validation of packets received from the RADIUS server.
(unassigned), Framed-AppleTalk-Zone, Reply-Message, 40-59 (reserved for accounting), Callback-Number, CHAP-Challenge, Callback-Id, NAS-Port-Type, (unassigned), Port-Limit, Framed-Route, Login-LAT-Port.
Length field (1 octet): the length in octets of the attribute including the Type, Length and Value fields. Value field: the value of the attribute, whose content and format are determined by the type and length of the attribute.
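The packet layout (Code, Identifier, Length, Authenticator, attribute TLVs) and the role of the Authenticator field are easiest to understand by building a packet. The following added example (not the switch's implementation and not from this manual) assembles an Access-Request as the switch would send it for the 10.1.1.2 / 10.1.1.3 scenario in this chapter, hides the User-Password with the RFC 2865 MD5 construction, and verifies the Response Authenticator on the reply, which is the step that lets the NAS reject an Access-Accept forged by someone without the shared secret. Attribute type numbers (User-Name 1, User-Password 2, NAS-IP-Address 4, NAS-Port 5, Reply-Message 18) are the RFC 2865 values; the user name, password and secret are constructed test data.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Attribute TLVs: Type(1) Length(1) Value; Length counts all three."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, 2 + len(v)) + v
    return out


def decode_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):   # reject lengths that run past the buffer
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR block i with MD5(secret + previous block),
    the 'previous block' for the first block being the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, nas_port: int,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    ra = request_auth or os.urandom(16)        # must be unpredictable per request
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, ra)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    return build_packet(code, ident, response_authenticator(code, ident, attrs, request_auth, secret), attrs)


def verify_response(packet: bytes, expected_ident: int, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS must do before acting on a reply: match the Identifier to the
    outstanding request and recompute the Response Authenticator with the secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != expected_ident or length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

The Response Authenticator is an MD5 over the shared secret, not a MAC; this is exactly the construction the 2024 Blast-RADIUS work attacked by forging an Access-Accept through an MD5 chosen-prefix collision. The practical mitigations are to require the Message-Authenticator attribute on every packet and to run RADIUS over a protected transport (TLS or IPsec) rather than bare UDP between the switch and the server.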
radius-server key {0 | 7} <string> / no radius-server key: Configure the encryption key for the RADIUS server. The no form of this command removes the configured key.
3. Configure the RADIUS server
Command / Explanation (Global Mode)
radius-server authentication host...
RADIUS Configuration radius-server To configure the update interval for accounting-interim-update timeout accounting. form this <seconds> command will restore default radius-server configuration. accounting-interim-update timeout 5. Configure the IP address of the RADIUS NAS Command Explanation Global Mode radius nas-ipv4 <ip-address> To configure the source IP address for no radius nas-ipv4 the RADIUS packets for the switch.
RADIUS Configuration Configure steps as below: Switch(config)#interface vlan 1 Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-vlan1)#exit Switch(config)#radius-server authentication host 10.1.1.3 Switch(config)#radius-server accounting host 10.1.1.3 Switch(config)#radius-server key test Switch(config)#aaa enable Switch(config)#aaa-accounting enable 51.3.2 IPv6 RadiusExample 2004:1:2:3::2 2004:1:2:3::1 Radius Server 2004:1:2:3::3 Fig 51-3 The Topology of IPv6 Radius configuration A computer connects to a switch, of which the IP address is 2004:1:2:3::2 and connected with a RADIUS authentication server without Ethernet1/0/2;...
RADIUS Configuration Switch(config)#aaa-accounting enable 51.4 RADIUS Troubleshooting In configuring and using RADIUS, the RADIUS may fail to authentication due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: First make sure good condition of the RADIUS server physical connection ...
52. SSL Configuration
52.1 Introduction to SSL
As computer networking technology spreads, network security has an increasingly important impact on the availability and usability of networking applications. Network security has become one of the greatest barriers to modern networking applications.
TCP. If the data-forwarding mechanism of the lower layer is reliable, the data written to the network is delivered to the other program in sequence, and packet loss and retransmission do not occur. Many transport protocols can in theory provide such a service, but in actual application SSL almost always runs on TCP and does not run directly on UDP or IP.
52.2 SSL Configuration Task List
1. Enable/disable SSL function
2. Configure/delete the port number used by SSL
3. Configure/delete the secure cipher suite used by SSL
4. Maintenance and diagnosis for the SSL function
1. Enable/disable SSL function
Command (Global Mode) / Explanation
ip http secure-server
  Enable/disable SSL function.
Firstly, SSL should be enabled on the switch. When the client accesses the switch over HTTPS, an SSL session is set up between the switch and the client. Once the SSL session has been set up, all data transmission in the application layer is encrypted.
53. IPv6 Security RA Configuration
53.1 Introduction to IPv6 Security RA
In IPv6 networks, the network topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RA messages carrying the link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create their link address and set the router that sent the RA as the default router, in order to implement IPv6 network communication.
debug ipv6 security-ra
no debug ipv6 security-ra
  Enable the debug information of the IPv6 security RA module; the no operation of this command disables the output of IPv6 security RA debug information.
show ipv6 security-ra [interface <interface-list>]
  Display the distrust port and whether ...
expectation after configuring IPv6 security RA: Check whether the switch is correctly configured. Check whether rules conflicting with the security RA function are configured on the switch; such rules will cause RA messages to be forwarded.
54. VLAN-ACL Configuration
54.1 Introduction to VLAN-ACL
The user can apply an ACL policy to a VLAN to implement access control for all ports in the VLAN; VLAN-ACL lets the user manage the network conveniently. The user only needs to configure the ACL policy on the VLAN, and the corresponding ACL action takes effect on all member ports of the VLAN without having to be configured separately on each member port.
vacl ip access-group {<1-299> | WORD} {in | out} [traffic-statistic] vlan WORD
no vacl ip access-group {<1-299> | WORD} {in | out} vlan WORD
  Configure or delete IP VLAN-ACL.
2. Configure VLAN-ACL of MAC type
Command (Global mode) / Explanation
vacl mac access-group {<700-1199>...
6. Clear statistic information of VLAN-ACL
Command (Admin mode) / Explanation
clear vacl [in | out] statistic vlan [<vlan-id>]
  Clear the statistic information of VACL.
54.3 VLAN-ACL Configuration Example
A company's network configuration is as follows: all departments are divided into different VLANs; the technique department is Vlan1 and the finance department is Vlan2.
Fig 54-1 VLAN-ACL configuration example
Configuration example:
1) First, configure a time range whose valid time is the working hours of a working day:
Switch(config)#time-range t1
Switch(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00
Switch(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00
2) Configure the extended IP ACL acl_a; during working hours it only allows access to resources within the internal network (such as 192.168.0.255).
55. MAB Configuration
55.1 Introduction to MAB
In an actual network there are devices on which an authentication client cannot be installed, such as printers and PDA devices; they cannot perform 802.1x authentication. To access network resources, they need MAB authentication in place of 802.1x authentication.
1. Enable MAB function
Command / Explanation
Global Mode
mac-authentication-bypass enable
no mac-authentication-bypass enable
  Enable the global MAB authentication function.
Port Mode
mac-authentication-bypass enable
no mac-authentication-bypass enable
  Enable the port MAB authentication function.
2. Configure MAB authentication username and password
Command (Global Mode) / Explanation
mac-authentication-bypass...
mac-authentication-bypass timeout offline-detect (0|<60-7200>)
no mac-authentication-bypass timeout offline-detect
  Set the offline detection interval.
mac-authentication-bypass timeout quiet-period <1-60>
no mac-authentication-bypass timeout quiet-period
  Set the quiet period of MAB authentication.
mac-authentication-bypass timeout stale-period <0-60>
no mac-authentication-bypass timeout stale-period
  Set the time after which the binding is deleted once the port is down.
Fig 55-1 MAB application (figure labels: Update Server, Radius Server, Internet; Switch2 Eth1/0/1, Eth1/0/2, Eth1/0/3, Ethernet1/0/4; Switch1 Ethernet1/0/4, Eth1/0/1, Eth1/0/2, Eth1/0/3; Printer)
Switch1 is a layer 2 access switch and Switch2 is a layer 3 aggregation switch. Ethernet 1/0/1 is an access port of Switch1 connected to PC1; it enables the 802.1x port-based function and configures the guest VLAN as vlan8.
resources. To implement this application, the configuration is as follows:
Switch1 configuration:
(1) Enable 802.1x and the MAB authentication function globally, and configure the username and password for MAB authentication and the radius-server address:
Switch(config)# dot1x enable
Switch(config)# mac-authentication-bypass enable
Switch(config)#mac-authentication-bypass username-format fixed username mabuser password mabpwd
Switch(config)#vlan 8-10
Switch(config)#interface vlan 9...
Switch(config-if-ethernet1/0/3)#exit
Switch(config)#interface ethernet 1/0/4
Switch(config-if-ethernet1/0/4)# switchport mode trunk
55.4 MAB Troubleshooting
If any problem occurs when using the MAB function, please check whether it is caused by one of the following reasons: Make sure the global and port MAB functions are enabled; ...
56. PPPoE Intermediate Agent Configuration
56.1 Introduction to PPPoE Intermediate Agent
56.1.1 Brief Introduction to PPPoE
PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link layer protocol that provides a point-to-point communication method; it is usually chosen for host dial-up links, for example a line dial-up link.
may be sent to many access concentrators in the network. Broadband Access Server responds with a PADO packet: in the second step, the server responds with a PADO (PPPoE Active Discovery Offer) packet to the client according to the source MAC address of the received PADI packet; the packet carries the server name and the service name.
Fig 56-1 PPPoE IA protocol exchange process
56.1.2.2 PPPoE Packet Format
The PPPoE packet format is as follows:
Ethernet II frame: Destination MAC | Source MAC | Type Field | PPPoE Data | CRC Check Sum
PPPoE data: Version | Type | Code | Session ID | Length Field | ...
PPPoE length field (2 bytes): specifies the sum of all TLV lengths.
TLV type field (2 bytes): a TLV frame is a TAG; the type field gives the TAG type, as listed in the following table.
TLV length field (2 bytes): specifies the length of the TAG data field.
TLV data field (length not fixed): carries the transmitted data of the TAG.
Fig 56-2 PPPoE IA vendor tag (4 bytes in each row)
The TLV tag added for PPPoE IA has type 0x0105; TAG_LENGTH is the length field of the vendor tag; 0x00000DE9 is the fixed 4-byte "ADSL Forum" IANA entry; 0x01 is the type field of the Agent Circuit ID, followed by its length field and the Agent Circuit ID value field;...
can receive only PADI, PADR and PADT packets, which are sent towards the server. To ensure correct client operation, the port connected to the server must be set as a trust port; each access device has at least one trust port. The PPPoE IA vendor tag must not exist in PPPoE packets sent by the server to the client, so if such vendor tags exist in those packets they are stripped before the packets are forwarded.
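The packet format and the vendor-tag layout described in the preceding paragraphs, together with the strip rule for server-to-client packets, can be exercised in a few dozen lines. The following is an added example written for this page, not code from the switch vendor: it parses PPPoE discovery packets, decodes and builds the 0x0105 vendor tag with the ADSL Forum entry 0x00000DE9 and the 0x01 Agent Circuit ID sub-field, adds the tag to client-to-server PADI/PADR packets as an intermediate agent does, and strips it from packets travelling the other way. The discovery codes and the Service-Name (0x0101) and AC-Name (0x0102) tag types are taken from RFC 2516; the 0x02 Agent Remote ID sub-type is from TR-101; the circuit-id value "bbbb" and the MAC-style remote-id reuse values from the manual's configuration steps; all sample packets are constructed here.

```python
"""Parse PPPoE discovery packets and handle the PPPoE IA vendor-specific tag."""
import struct

# Discovery stage codes (RFC 2516); the manual names PADI, PADO, PADR and PADT.
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_SERVICE_NAME = 0x0101
TAG_AC_NAME = 0x0102
TAG_VENDOR_SPECIFIC = 0x0105      # the PPPoE IA tag described in the text
ADSL_FORUM = 0x00000DE9           # fixed 4-byte IANA entry at the start of the tag value
SUB_CIRCUIT_ID = 0x01             # Agent Circuit ID sub-field
SUB_REMOTE_ID = 0x02              # Agent Remote ID sub-field (TR-101)
PPPOE_HDR = struct.Struct("!BBHH")  # version/type nibbles, code, session id, length


def parse_tags(data: bytes) -> list:
    """Walk TAGs: 2-byte type, 2-byte length, value."""
    tags, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TAG header")
        ttype, tlen = struct.unpack_from("!HH", data, off)
        if off + 4 + tlen > len(data):
            raise ValueError(f"TAG 0x{ttype:04x} length {tlen} overruns packet")
        tags.append((ttype, data[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return tags


def parse_pppoe(payload: bytes) -> dict:
    """Split the PPPoE data (after the Ethernet header) into header fields and TAGs."""
    if len(payload) < PPPOE_HDR.size:
        raise ValueError("payload shorter than the 6-byte PPPoE header")
    vt, code, session_id, length = PPPOE_HDR.unpack_from(payload)
    if vt != 0x11:
        raise ValueError("only PPPoE version 1, type 1 is defined")
    if length > len(payload) - PPPOE_HDR.size:
        raise ValueError(f"Length {length} exceeds the {len(payload)} bytes received")
    body = payload[PPPOE_HDR.size:PPPOE_HDR.size + length]
    return {"code": code, "name": CODES.get(code, "unknown"),
            "session_id": session_id, "tags": parse_tags(body)}


def decode_vendor_tag(value: bytes):
    """Return {sub_type: bytes} for an ADSL Forum vendor tag, or None for other vendors."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != ADSL_FORUM:
        return None
    subs, off = {}, 4
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("truncated sub-TLV header")
        st, sl = value[off], value[off + 1]
        if off + 2 + sl > len(value):
            raise ValueError("sub-TLV length overruns tag")
        subs[st] = value[off + 2:off + 2 + sl]
        off += 2 + sl
    return subs


def build_vendor_tag(circuit_id: bytes, remote_id: bytes = None) -> bytes:
    body = struct.pack("!I", ADSL_FORUM) + bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return body


def build_pppoe(code: int, session_id: int, tags) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return PPPOE_HDR.pack(0x11, code, session_id, len(body)) + body


def add_vendor_tag(payload: bytes, circuit_id: bytes, remote_id: bytes = None) -> bytes:
    """IA action on client-to-server PADI/PADR: replace any vendor tag with our own."""
    pkt = parse_pppoe(payload)
    if pkt["name"] not in ("PADI", "PADR"):
        return payload
    kept = [(t, v) for t, v in pkt["tags"] if t != TAG_VENDOR_SPECIFIC]
    kept.append((TAG_VENDOR_SPECIFIC, build_vendor_tag(circuit_id, remote_id)))
    return build_pppoe(pkt["code"], pkt["session_id"], kept)


def strip_vendor_tags(payload: bytes) -> bytes:
    """IA action on server-to-client packets: drop 0x0105 tags and recompute Length."""
    pkt = parse_pppoe(payload)
    kept = [(t, v) for t, v in pkt["tags"] if t != TAG_VENDOR_SPECIFIC]
    return build_pppoe(pkt["code"], pkt["session_id"], kept)


# Constructed samples: a client's PADI, and a PADO in which the server (wrongly)
# echoed a vendor tag that the IA on the access switch must strip.
SAMPLE_PADI = build_pppoe(0x09, 0, [(TAG_SERVICE_NAME, b"")])
SAMPLE_PADO = build_pppoe(0x07, 0, [(TAG_AC_NAME, b"BAS-1"), (TAG_SERVICE_NAME, b""),
                                    (TAG_VENDOR_SPECIFIC, build_vendor_tag(b"bbbb"))])

if __name__ == "__main__":
    upstream = add_vendor_tag(SAMPLE_PADI, b"bbbb", b"0a0b0c0d0e0f")
    print(parse_pppoe(upstream)["name"],
          decode_vendor_tag(dict(parse_pppoe(upstream)["tags"])[TAG_VENDOR_SPECIFIC]))
    print(parse_pppoe(strip_vendor_tags(SAMPLE_PADO))["tags"])
```

Note that both directions rebuild the packet from the parsed TAG list, so the PPPoE Length field always matches the new body; an agent that patched the tag in place without fixing Length would produce frames that a strict BAS rejects.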
pppoe intermediate-agent type self-defined remote-id {mac | hostname | string WORD}
no pppoe intermediate-agent type self-defined remote-id
  Configure the self-defined remote-id.
pppoe intermediate-agent delimiter <WORD>
no pppoe intermediate-agent delimiter
  Configure the delimiter between the fields in circuit-id and remote-id.
pppoe intermediate-agent format...
Fig 56-4 PPPoE IA typical application
Both the host and the BAS server run the PPPoE protocol; they are connected by a layer 2 Ethernet, and the switch enables the PPPoE Intermediate Agent function. Typical configuration (1) is as follows:
Step 1: Enable the global PPPoE IA function on the switch, whose MAC is 0a0b0c0d0e0f.
Switch(config)# pppoe intermediate-agent
Step 2: Configure port ethernet1/0/1, which connects to the server, as a trust port, and configure the vendor tag strip function.
Step 5: Configure the pppoe intermediate-agent identifier-string as "efgh", the combo mode as spv, the delimiter between Slot ID and Port ID as "#", and the delimiter between Port ID and Vlan ID as "/".
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id identifier-string efgh option spv delimiter # delimiter /
Step 6: Configure the circuit-id value as bbbb on port ethernet1/0/2.
57. SAVI Configuration
57.1 Introduction to SAVI
SAVI (Source Address Validation Improvement) is a security authentication method that validates source addresses at the granularity of an individual node. It obtains the trusted node information (such as port and MAC address), called anchor information, by monitoring the interaction of the relevant protocol packets (such as the ND and DHCPv6 protocols) using the CPS (Control Packet Snooping) mechanism.
14. Enable or disable ND trust of port
15. Configure the binding number
Enable or disable SAVI function
Command (Global mode) / Explanation
savi enable
no savi enable
  Enable the global SAVI function; the no command disables the function.
Enable or disable the application scene function for SAVI
Command (Global mode) / Explanation...
Configure the global max-slaac-life for SAVI
Command (Global mode) / Explanation
savi max-slaac-life <max-slaac-life>
no savi max-slaac-life
  Configure the lifetime of the dynamic slaac binding in BOUND state; the no command restores the default value.
Configure the lifetime period for SAVI bind-protect
Command (Global mode) / Explanation...
but does not limit the static binding number.
11. Configure the check mode for SAVI conflict binding
Command (Global mode) / Explanation
savi check binding <simple | probe> mode
no savi check binding mode
  Configure the check mode for conflicting bindings; the no command deletes the check mode.
57.3 SAVI Typical Application
In actual application, the SAVI function is usually applied on access-layer switches to check the validity of node source addresses on directly connected links. There are four typical application scenes for the SAVI function: DHCP-Only, Slaac-Only, DHCP-Slaac and Static binding. Users select the corresponding scene according to the actual requirements of their network environment;...
58. Web Portal Configuration
58.1 Introduction to Web Portal Authentication
802.1x authentication uses a dedicated client, the device is a special layer 2 switch, the authentication server is a RADIUS server, and authentication messages use the EAP protocol. The EAPOL encapsulation technique (EAP packets encapsulated within Ethernet frames) carries the communication between the client and the authentication proxy switch, while the authentication proxy switch and the authentication server use the EAPOR encapsulation format (EAP packets carried over the RADIUS protocol) to...
1. Enable/disable web portal authentication globally
Command (Global Mode) / Explanation
webportal enable
no webportal enable
  Enable/disable web portal authentication globally.
2. Enable/disable web portal authentication of the port
Command (Port Mode) / Explanation
webportal enable
no webportal enable
  Enable/disable web portal authentication of the port.
7. Delete the binding information of web portal authentication
Command (Admin Mode) / Explanation
clear webportal binding {mac WORD | interface <ethernet IFNAME | IFNAME> |}
  Delete the binding information of web portal authentication.
58.3 Web Portal Authentication Typical Example
(figure labels: Internet, RADIUS, Portal...)
as the RADIUS server's IP and port, and enable the accounting function. Ethernet 1/0/2 connects to pc1; the port enables web portal authentication and configures the redirection address and port as the portal server's IP and port, so ethernet 1/0/2 forbids all flows except dhcp/dns/arp packets.
59. VRRP Configuration
59.1 Introduction to VRRP
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It was developed by the IETF for local area networks (LANs) with multicast/broadcast capability (Ethernet is a typical example) and is widely used.
is brief and smooth; hosts within the segment can keep using the Virtual Router as normal, and uninterrupted communication is achieved.
59.2 VRRP Configuration Task List
Configuration Task List:
Create/Remove the Virtual Router (required)
Configure VRRP dummy IP and interface (required)
Activate/Deactivate Virtual Router (required)
Configure VRRP sub-parameters (optional)
(1)...
Verify that the dummy IP address is in the same network segment as the interface's actual IP address. If the problem remains unsolved after these checks, please use debug vrrp and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to the technical service center of our company.
60. IPv6 VRRPv3 Configuration
60.1 Introduction to VRRPv3
VRRPv3 is a virtual router redundancy protocol for IPv6, designed on the basis of VRRP (VRRPv2) in the IPv4 environment. The following is a brief introduction to it. In a network based on the TCP/IP protocol, routers must be specified in order to guarantee communication between devices that are not physically connected.
systems. In the IPv6 environment, the hosts in a LAN usually learn the default gateway via the Neighbor Discovery Protocol (NDP), which relies on regularly receiving advertisement messages from routers. The NDP of IPv6 has a mechanism called Neighbor Unreachability Detection, which checks whether a neighbor node has failed by sending it unicast neighbor request messages.
the number of which is the same as "Count IPv6 Addr", and the first of which should be the virtual IPv6 address of the virtual router.
Fig 60-1 VRRPv3 message
60.1.2 VRRPv3 Working Mechanism
The working mechanism of VRRPv3 is the same as that of VRRPv2: it is mainly implemented through the exchange of VRRP advertisement messages.
of the virtual router interface, then the virtual router is called the IP address owner in the VRRP group; the IP address owner automatically has the highest priority, 255. A priority of 0 is used when the IP address owner gives up the role of master. The configurable priority range is 1-254.
virtual-ipv6 <ipv6-address> interface {Vlan <ID> | IFNAME}
no virtual-ipv6 interface
  Configure the virtual IPv6 address and interface of VRRPv3; the no operation of this command deletes the virtual IPv6 address and interface.
3. Enable/disable the virtual router
Command (VRRPv3 Protocol Mode) / Explanation...
60.3 VRRPv3 Typical Examples
Fig 60-2 VRRPv3 Typical Network Topology
As shown in the graph, switch A and switch B are backups of each other: switch A is the master of backup group 1 and a backup of backup group 2, while switch B is the master of backup group 2 and a backup of backup group 1.
61. MRPP Configuration
61.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol for Ethernet ring protection. It avoids the broadcast storms caused by data loops on an Ethernet ring and restores communication among all nodes of the ring network when a link of the ring breaks.
Each MRPP ring has two states. Health state: all physical links of the whole ring network are connected. Break state: one or more physical links of the ring network are broken.
3. Nodes: each switch on the Ethernet ring is called a node. There are several node types. Primary node: each ring has one primary node; it is the main node that detects and defends the ring.
61.1.2 MRPP Protocol Packet Types
Packet Type / Explanation
Hello packet (health examination packet): the primary port of the primary node sends Hello packets to detect the ring; if the secondary port of the primary node receives the Hello packet within the configured timeout, the ring is normal.
MAC address forwarding table.
3. Ring Restore
After a ring failure has occurred at the primary node, if its secondary port receives a Hello packet sent from the primary node, the ring has been restored; at the same time the primary node blocks its secondary port and sends a LINK-UP-Flush-FDB packet to its neighbors. After an MRPP ring port comes back UP on a transit node, the primary node may only discover that the ring has been restored after a while.
hello-timer <timer>
no hello-timer
  Configure the timer for sending Hello packets from the primary node of the MRPP ring; the "no" form restores the default timer value.
fail-timer <timer>
no fail-timer
  Configure the timeout timer for Hello packets sent from the primary node of the MRPP ring; the "no" form restores the default timer value.
show mrpp statistics {<ring-id>}
  Display statistics of the data packets received on the MRPP ring.
clear mrpp statistics {<ring-id>}
  Clear statistics of the data packets received on the MRPP ring.
61.3 MRPP Typical Scenario
Fig 61-2 MRPP typical configuration scenario (figure labels: SWITCH A, SWITCH B, SWITCH C, SWITCH D, Master Node, MRPP Ring 4000)...
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#
SWITCH B configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#...
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#
61.4 MRPP Troubleshooting
The normal operation of the MRPP protocol depends on the correct configuration of each switch on the MRPP ring; otherwise it is very possible for a loop and a broadcast storm to form: ...
62. ULPP Configuration
62.1 Introduction to ULPP
Each ULPP group has two uplink ports, the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby, Down.
waits for some time before the master port preempts the slave port. To keep the flows continuous, the master port does not preempt by default but turns into the Standby state. When configuring ULPP, the VLANs protected by this ULPP group must be specified through MSTP instances; ULPP does not provide protection to other VLANs.
Fig 62-2 VLAN load balance
62.2 ULPP Configuration Task List
1. Create ULPP group globally
2. Configure ULPP group
3. Show and debug the related information of ULPP
1. Create ULPP group globally
Command (Global mode) / Explanation
ulpp group <integer>
no ulpp group <integer>
  Configure and delete a ULPP group...
preemption delay <integer>
no preemption delay
  Configure the preemption delay; the no operation restores the default value of 30s.
control vlan <integer>
no control vlan
  Configure the VLAN used for sending control packets; the no operation restores the default value of 1.
protect vlan-reference-instance <instance-list>
  Configure the protection VLANs, ...
show ulpp flush-receive-port
  Show the flush type and control VLAN received by the port.
clear ulpp flush counter interface <name>
  Clear the statistics of the flush packets.
debug ulpp flush {send | receive} interface <name>
  Show the information of the receiving...
enabled, this topology forms a ring. To avoid the loop, the ULPP protocol can be configured on SwitchA, with the master port and the slave port of the ULPP group. When both the master port and the slave port are up, the slave port is set to the standby state and does not forward data packets.
63. ULSM Configuration
63.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used to synchronize port state. Each ULSM group is made up of uplink ports and downlink ports; there may be multiple uplink ports and multiple downlink ports.
Fig 63-1 ULSM using scene
63.2 ULSM Configuration Task List
1. Create ULSM group globally
2. Configure ULSM group
3. Show and debug the related information of ULSM
1. Create ULSM group globally
Command (Global mode) / Explanation
ulsm group <group-id>
no ulsm group <group-id>
  Configure and delete a ULSM group...
3. Show and debug the related information of ULSM
Command (Admin mode) / Explanation
show ulsm group [group-id]
  Show the configuration information of the ULSM group.
debug ulsm event
no debug ulsm event
  Show the event information of ULSM; the no operation disables the shown information.
64. Mirror Configuration
64.1 Introduction to Mirror
Mirror functions include the port mirror function and the flow mirror function. Port mirroring is the duplication of data frames sent/received on one port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port.
Switch(config)#monitor session 4 source interface ethernet 1/0/15 access-list 120 rx
64.4 Device Mirror Troubleshooting
If problems occur when configuring port mirroring, please first check the following possible causes: Whether the mirror destination port is a member of a TRUNK group; if so, modify the TRUNK group.
65. RSPAN Configuration
65.1 Introduction to RSPAN
Port mirroring is the duplication of data frames sent/received on one port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. Once the mirroring function is in place, it is more convenient for the network administrator to monitor, manage and diagnose the network.
2. Normal mode: configure the RSPAN destination port in the RSPAN VLAN, so that datagrams in the RSPAN VLAN are broadcast to the destination port. In this mode, the destination port should be in the RSPAN VLAN, and the source port should not be configured for broadcast storm control.
Reflector Port: the local mirroring port between the RSPAN source and destination ports, which is not directly connected to the intermediate switches.
65.2 RSPAN Configuration Task List
Configure RSPAN VLAN
Configure mirror source port
Configure mirror destination port
Configure reflector port
Configure remote VLAN of mirror group
1.
monitor session <session> reflector-port <interface-number>
no monitor session <session> reflector-port
  Configure the interface as the reflector port; the no command deletes the reflector port.
5. Configure remote VLAN of mirror group
Command (Global Mode) / Explanation
monitor session <session> remote vlan <vid>
  Configure the remote VLAN of the mirror group...
the intermediate switch is not fixed. Datagrams can be broadcast in the RSPAN VLAN through the loopback, which is much more flexible. The normal mode configuration is shown below:
Solution 1:
Source switch: interface ethernet 1/0/1 is the source port for mirroring; interface ethernet 1/0/2 is the destination port, which is connected to the intermediate switch.
The RSPAN VLAN is 5.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/9
Switch(Config-If-Ethernet1/0/9)#switchport mode trunk
Switch(Config-If-Ethernet1/0/9)#exit
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#switchport access vlan 5
Switch(Config-If-Ethernet1/0/10)#exit
Solution 2:
Source switch: interface ethernet 1/0/1 is the source port; interface ethernet 1/0/2 is the TRUNK port, which is connected to the intermediate switch. The native VLAN should not be an RSPAN VLAN.
data may not be carried by the destination switch. The RSPAN VLAN is 5.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/6-7
Switch(Config-If-Port-Range)#switchport mode trunk
Switch(Config-If-Port-Range)#exit
Destination switch: interface ethernet1/0/9 is the source port, which is connected to the source switch; interface ethernet1/0/10 is the destination port, which is connected to the monitor.
VLAN for the TRUNK ports.
66. sFlow Configuration
66.1 Introduction to sFlow
sFlow (RFC 3176) is a protocol based on standard network export, developed by the InMon company, for monitoring network traffic information. The monitored switch or router sends data to the client analyzer through operations such as sampling and statistics collection; the analyzer then analyzes the data according to the user's requirements in order to monitor the network.
the global configuration is applied. The "no sflow destination" command restores the default port value and deletes the IP address.
2. Configure the sFlow proxy address
Command (Global Mode) / Explanation
sflow agent-address
  Configure the source IP address used by the sFlow proxy;...
sflow counter-interval <interval-value>
no sflow counter-interval
  Configure the maximum interval for sFlow statistics sampling. The "no" form of this command deletes...
8. Configure the analyzer used by sFlow
Command (Global Mode) / Explanation
sflow analyzer sflowtrend
no sflow analyzer sflowtrend
  Configure the analyzer used by sFlow; the no command deletes the analyzer.
66.4 sFlow Troubleshooting
When configuring and using sFlow, the sFlow server may fail to run properly due to a physical connection failure, a wrong configuration, etc. The user should ensure the following: Ensure the physical connection is correct. Ensure the address of the sFlow analyzer configured under global or port mode is reachable.
67. SNTP Configuration
67.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet worldwide. NTP can assess the packet sending/receiving delay in the network and independently estimate the computer's clock deviation, so as to achieve high accuracy in network computer clocking.
RFC2030; SNTP client multicast and unicast are not supported, nor is the SNTP server function.
67.2 Typical Examples of SNTP Configuration
Fig 67-2 Typical SNTP Configuration (figure labels: two SNTP/NTP SERVERs and a row of SWITCHes)
All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers.
68. NTP Function Configuration
68.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients, and can achieve millisecond precision. The events, states, transmit functions and actions involved are defined in RFC-1305. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the network, so that the devices can provide diverse applications based on the consistent time.
2. To configure NTP server function
Command (Global Mode) / Explication
server {<ip-address> <ipv6-address>} [version <version_no>] [key <key-id>]
no server {<ip-address> <ipv6-address>}
  To enable the specified time server as a time source.
3. To configure the max number of broadcast or multicast servers supported by the NTP client
Command / Explication...
ntp authentication-key <key-id> md5 <value>
no ntp authentication-key <key-id>
  To configure an authentication key for NTP authentication.
ntp trusted-key <key-id>
no ntp trusted-key <key-id>
  To configure a trusted key.
7. To specify an interface as NTP broadcast/multicast client interface
Command (vlan Configuration Mode) / Explication...
Switch(config)#ntp server 192.168.1.11
Switch(config)#ntp server 192.168.2.11
68.4 NTP Function Troubleshooting
If an error occurs during the configuration procedure, the system gives out debug information. The NTP function is disabled by default; the show command can be used to display the current configuration.
DNSv4/v6 Configuration 69. DNSv4/v6 Configuration 69.1 Introduction to DNS DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember, meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses.
without having to know how the machine will actually locate them. The Domain Name System distributes the responsibility for assigning domain names and mapping them to Internet Protocol (IP) networks by designating authoritative name servers for each domain to keep track of their own changes, avoiding the need for a central register to be continually consulted and updated.
3. To configure/delete domain name suffix (Command / Explanation, Global Mode):
ip domain-list <WORD> - To configure/delete a domain name suffix.
no ip domain-list <WORD>
4. To delete the domain entry of a specified address from the dynamic cache (Command / Explanation, Admin Mode):
clear dynamic-host {<ip-address>...
9. Monitor and diagnosis of DNS function (Command / Explanation, Admin Mode and Configuration Mode):
show dns name-server - To show the configured DNS server information.
show dns domain-list - To show the configured DNS domain name suffix information.
show dns hosts - To show the dynamic domain name information resolved by the switch.
configurations are as below: first enable the DNS dynamic domain name resolution function on the switch and configure the DNS server address; then, with tools such as PING, the switch can obtain the corresponding IPv4/IPv6 address through dynamic domain name resolution.
69.4 DNS Troubleshooting When configuring and using DNS, the DNS may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following: First, make sure the physical connection to the TACACS+ server is in good condition; ...
Summer Time Configuration 70. Summer Time Configuration 70.1 Introduction to Summer Time Summer time, also called daylight saving time, is a time system for saving energy. In summer the clock is advanced by 1 hour so that people keep earlier hours and use less artificial lighting, thereby saving electricity.
70.3 Examples of Summer Time
Example 1: The configuration requirement is as follows: summer time runs from 23:00 on April 1st, 2012 to 00:00 on October 1st, 2012, the clock offset is 1 hour, and the summer time is named 2012. The configuration procedure is as follows:
Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1
Example 2:...
Monitor and Debug 71. Monitor and Debug When users configure the switch, they need to verify whether the configuration is correct and the switch is operating as expected, and in case of network failure they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug.
please refer to the traceroute command chapter in the command manual. 71.4 Traceroute6 The Traceroute6 function is used to test the gateways that data packets pass through from the source device to the destination device, to verify reachability and locate network failures.
show history all-users [detail] - Show the recent command history of all users. Use the clear history all-users command to clear the command history of all users saved by the system; the maximum number of history entries can be set with the history all-users max-length command.
71.7 System log 71.7.1 System Log Introduction The system log takes all information output under its control and catalogues it in detail, so that information can be selected effectively. Combined with debug programs, it provides powerful support to network administrators and developers in monitoring the network operation state and locating network failures.
encounters a power failure. Information in the log buffer zone is critical for monitoring system operation and detecting abnormal states. Note: the NVRAM log buffer may not exist on some switches, which only have the SDRAM log buffer zone. It is recommended to use a system log server.
Severity levels (continued):
warnings
notifications - Up/down interface, topology change, aggregate port state change of the interface
informational - Information output from CLI commands
debugging - Information from the debugging of CLI commands
Log information can be automatically sent to the corresponding channels according to its severity level.
Configure the log host output channel (Command / Description, Global Mode):
logging {<ipv4-addr> | <ipv6-addr>} [facility <local-number>] [level <severity>] - Enable the output channel of the log host. The "no" form of this command will disable the output channel.
no logging {<ipv4-addr>...
information with a severity equal to or higher than warnings to this log server and save it in the log record equipment local1. Configuration procedure:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 100.100.100.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#logging 100.100.100.5 facility local1 level warnings
Example 2: The IPv6 address of the switch's management VLAN is 3ffe:506::1, and the IPv6 address of the remote log server is 3ffe:506::4.
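As an added, receiver-side check that is not part of the manual: a small Python routine a log server operator can use to confirm that messages arriving from the switch carry the facility and severity configured above (facility local1, level warnings), by decoding the syslog PRI field (PRI = facility * 8 + severity, per RFC 3164). The sample messages are constructed.

```python
"""Verify syslog messages against a switch log host channel (added example).

PRI = facility * 8 + severity (RFC 3164). A channel configured with
"facility local1 level warnings" should only deliver messages whose
facility is local1 (17) and whose severity is warnings (4) or more severe.
"""
import re

# Facility and severity codes from RFC 3164, named as the switch CLI names them.
FACILITIES = {"local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6,
              "debugging": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(message):
    """Return (facility, severity) codes from the leading <PRI> field,
    or None when the header is missing or out of range (max PRI is 191)."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def matches_channel(message, facility="local1", level="warnings"):
    """True when the message is from the configured facility and its
    severity is equal to or higher than level (lower code = more severe)."""
    decoded = decode_pri(message)
    if decoded is None:
        return False
    fac, sev = decoded
    return fac == FACILITIES[facility] and sev <= SEVERITIES[level]


def select(messages, facility="local1", level="warnings"):
    """Keep only the messages that belong to the configured channel."""
    return [m for m in messages if matches_channel(m, facility, level)]


# Constructed sample messages, as a log server might receive them.
SAMPLES = [
    "<140>Jan  1 00:00:01 Switch interface Ethernet1/1 is down",   # local1, warnings
    "<141>Jan  1 00:00:02 Switch topology change detected",         # local1, notifications
    "<134>Jan  1 00:00:03 Switch show running-config",              # local0, informational
    "Jan  1 00:00:04 Switch message without a PRI header",
]
```

Only the first sample passes for the channel in Example 1; a notifications-level message (PRI 141) would pass only if the channel had been configured with level notifications or lower.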
Reload Switch after Specified Time 72. Reload Switch after Specified Time 72.1 Introduction to Reload Switch after Specified Time Reloading the switch after a specified time reboots the switch, without shutting down its power, once the specified period has elapsed, usually when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.
Debugging and Diagnosis for Packets Received and Sent by CPU 73. Debugging and Diagnosis for Packets Received and Sent by CPU 73.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU The following commands are used to debug and diagnose the packets received and sent by the CPU, and are intended to be used with the help of technical support.
no debug driver {receive | send} - Turn off the display of information about packets received or sent by the CPU.